Date:   Tue, 11 Apr 2017 18:25:44 +0300
From:   Dmitry Krivenok <krivenok.dmitry@...il.com>
To:     netdev@...r.kernel.org
Cc:     Jay Vosburgh <j.vosburgh@...il.com>,
        Veaceslav Falico <vfalico@...il.com>,
        Andy Gospodarek <andy@...yhouse.net>
Subject: macvlan on top of balance-alb bond

Hello,

I have a question concerning a setup where I have a macvlan interface on top of a bond device configured in balance-alb mode with 2 slave ports.

The problem is that I cannot ping an IP of the macvlan device on the server from the client machine. I do see that (as expected) the client never sees the MAC address of the macvlan device, but instead sees the MAC address of one of the slave ports, because ARP replies are intercepted by the bonding driver and MACs are replaced. However, I don’t see ICMP requests from the client on the macvlan device when I run tcpdump. I do see them on the bond device and the slave assigned to the client, though.

I also tried active/passive, LACP and TLB bonding modes and they all work fine with my configuration. I only have a problem with ALB mode and macvlan. When I moved the IP from the macvlan device to the bond device, everything started working, so I guess it has something to do with virtual interfaces on top of the bond.

I’d think that such a configuration is not supported, but I found the following patch that was merged a few years ago:
https://www.spinics.net/lists/netdev/msg285148.html
From the description, the patch was intended to add support for exactly my configuration. I confirmed that my 4.8.6 kernel does have those changes.

I’m not familiar with the code of the bonding driver and didn’t dig into the source code to see why packets get dropped. I see that they are dropped (via dropwatch). I tried to get more details by enabling dyndebug and playing with ftrace, but with no luck yet.

Before I dig into that, I wanted to check with experts to know if that configuration is supported at all with the latest Linux kernel? Any help is much appreciated!

Thanks,
Dmitry
