Web lists-archives.com

Debian bridge with one VLAN iface - after upgrade from Deb 8 to 9 tc filters are bypassed for VLAN traffic?




Hello community,

This is problem related to Debian 9, bridge, VLAN interface and HTB tc filters for traffic shaping...

For years I`m using Debian with bridged ethernet interfaces as a L2 transparent traffic shaper. Shaper is based on HTB with tc hash filters. In the bridge there is also one VLAN interface where VLAN TAGeed traffic from customers is terminated. I`ve tried to google, change some bridge parameters, but no success.


Bridge setup:
brctl show bridge1
bridge name     bridge id               STP enabled     interfaces
bridge1         8000.0002a525xxyy       no              eth0
                                                                              eth1
                                                                              eth1.500


- eth1 (and of course eth1.500) is towards customers. Customers are sending some traffic TAGed with 500 and some traffic without VLAN TAG
- eth0 is uplink towards public internet

The problem and question:
This setup worked smoothly for years until I upgraded Debian 8 do Debian 9 (which I didn`t like to do but I had to, lets say). And now, in Debian 9 only customer traffic which is not TAGged can reach tc filters and than is properly send to appropriate tc class and shaped. BUT traffic with TAG 500 bypasses tc filters which means it goes just to tc default class (which is not good) - yes TAGget traffic is not terminated, just is not passing tc filters

I guess I have to turn on some 0/1"switch" somewhere in the Debian 9... But please, do you know which switch?

If you would like to have more specific infos, please let me know, I`ll send it ASAP.

Thank you in advance. At least for that you read it all :)
Pep.