Hi Michael, Hi David, Hi Alon,

On 08/12/11 09:33, michael-dev wrote:
> This patch adds an option to disable the creation of tagged priority
> packets with VID=0. This is for the feature_vlan_tagging
> openvpn-testing head.

Great to know that other people are using the patch-set too.  Your patch
is quite similar to a patch [0] we've been using for a year, but which
never got pushed into the upstream branch because it was missing
documentation.  So I fully agree that it's necessary and I'm very sorry
that you had to duplicate the work just because I got massively
side-tracked.

> I tested the vlan feature and it works fine for me (no dhcp tested).
> Therefore I bridged my eth0 (LAN) and tap0 (OpenVPN) but as my switch
> flags arp replies with priority, the client ended up with 802.1q
> tagged (VID=0) priority packets. These were not expected on the client
> (Ubuntu 10.04 lts) and I found a linux kernel discussion from summer
> 2010 about supporting VID=0 priority packets, so I expect more linux
> clients (windows untested) to not support this kind of packets. This
> option prevents the creation of these packets by ignoring the
> priority information.

We're currently using the VLAN patches at three locations at our
University and all of them have the strip-priority option activated, so
I'd say that it should be the default mode.

I'd even go so far as to say that this doesn't even need to be
configurable. Vlan-tagged packets should never remain tagged (neither
vlan nor priority tagged) when forwarded to an untagged network.  Only
when the packet is priority-tagged without vlan-tagging can we assume
that the sender knew full well that some clients might not know what to
do with them.  The reworked patch [1] does precisely that, but it's
currently only compile tested, because I ran out of time again.  (The
reworked patch is part of the VLAN patch-set [2] that was rebased to
master.)

To fully test the rebased patch-set in our setups I will also need to
port another patch-set (regarding deferred client-connect scripts) ...
which is part of the reason why I ran out of time again.

As I've been getting some friendly pressure from the people using the
VLAN patch-set (and the other patch-set) at our Uni, this hopefully
provides enough motivation to get me working on this stuff again... :)

On Thu, Dec 8, 2011 at 12:15 PM, David Sommerseth wrote:
> Adding Fabian to Cc, he knows more about the VLAN code.

Thanks for the nudge.

> With this feedback, I'm willing to merge in the feat_vlan_tagging branch
> into master.  I'm not sure if this should happen now in the v2.3 time
> frame (which is getting more and more ready for alpha/beta releases), or
> if we will take it in the next round with v2.4.  But I will bring that up
> for discussion soonish.

What I was meaning to ask: Did you guys come up with some kind of test
framework in the last year?  I was looking at creating something like
that for the VLAN patchset, but it was far too time intensive for my
extremely limited OpenVPN time budget ...

So would manual testing reports suffice?  And Michael, would you be
willing to review and test the full, rebased patch-set (as soon as I'm
confident again that it actually works)?

On 08.12.2011 11:27, Alon Bar-Lev wrote:
> Missing usage, man.

There are probably not *that* many users, agreed.  It's probably more of
a "large enterprise" feature, as only people with VLAN tagged networks
would be interested.  For example, our university is very fond of layer
2 networking and therefore uses VLAN tagging extensively.  OpenVPN with
VLAN tagging provides a perfect match, allowing a single VPN entry point
for access to all the different layer2 networks.  I imagine that other
large organisations could make use of this feature too.

So the number of deployments using the feature will probably never be
high.  But the number of users depending on it might not be as
insignificant.  The two main deployments at our Uni (currently both in
public beta) currently have about 100 unique users with several thousand
potential users.

Cheers
Fabian

0:
http://opensource.fsmi.uni-karlsruhe.de/gitweb/?p=openvpn.git;a=commit;h=a642faabff003e8f199341b8af407e91c66e568e
1:
http://opensource.fsmi.uni-karlsruhe.de/gitweb/?p=openvpn.git;a=commit;h=f420df8521b5821fd7ddbbd742b515ecdac9c6c1
2:
http://opensource.fsmi.uni-karlsruhe.de/gitweb/?p=openvpn.git;a=shortlog;h=refs/heads/feat_vlan
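
The forwarding rule argued for in the message above (a VLAN-tagged frame loses its whole 802.1Q tag, priority bits included, on the way to an untagged network, while a frame that is only priority-tagged is passed through), as an added example that is not part of the original e-mail or of the OpenVPN patch-set. The function names, the constructed sample frames and this reading of the rule are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#define TPID_8021Q   0x8100u  /* EtherType announcing an 802.1Q tag */
#define VLAN_TAG_LEN 4        /* TPID (2 bytes) + TCI (2 bytes) */
#define VID_MASK     0x0FFFu  /* low 12 bits of the TCI; top 3 bits are priority */
enum tag_kind { MALFORMED, UNTAGGED, PRIORITY_TAGGED, VLAN_TAGGED };

/* Classify an Ethernet frame by the 802.1Q tag that follows the two MACs. */
enum tag_kind classify(const uint8_t *f, size_t len)
{
    if (len < 14) return MALFORMED;
    if ((((unsigned)f[12] << 8) | f[13]) != TPID_8021Q) return UNTAGGED;
    if (len < 14 + VLAN_TAG_LEN) return MALFORMED;   /* tag cut short */
    unsigned tci = ((unsigned)f[14] << 8) | f[15];
    return (tci & VID_MASK) ? VLAN_TAGGED : PRIORITY_TAGGED;
}

/* Rewrite a frame in place for an untagged port; returns new length, 0 = drop. */
size_t to_untagged(uint8_t *f, size_t len)
{
    switch (classify(f, len)) {
    case VLAN_TAGGED:      /* drop all 4 tag bytes, so no VID=0 tag is left */
        memmove(f + 12, f + 12 + VLAN_TAG_LEN, len - 12 - VLAN_TAG_LEN);
        return len - VLAN_TAG_LEN;
    case PRIORITY_TAGGED:  /* assumption: sender tagged it on purpose, keep */
    case UNTAGGED: return len;
    default: return 0;
    }
}

/* Constructed sample: broadcast ARP frame, optionally carrying a tag. */
size_t sample_frame(uint8_t *buf, int tagged, uint16_t tci)
{
    size_t n = 12;
    memset(buf, 0xFF, 6); memset(buf + 6, 0x02, 6);
    if (tagged) {
        buf[n++] = 0x81; buf[n++] = 0x00;
        buf[n++] = (uint8_t)(tci >> 8); buf[n++] = (uint8_t)tci;
    }
    buf[n++] = 0x08; buf[n++] = 0x06;          /* EtherType ARP */
    memset(buf + n, 0, 4);                     /* stand-in payload */
    return n + 4;
}

int main(void)
{
    uint8_t b[32];  /* PCP=5, VID=100 goes out untagged: 22 bytes become 18 */
    return to_untagged(b, sample_frame(b, 1, 0xA064)) == 18 ? 0 : 1;
}
```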
