Date:   Tue, 11 Apr 2017 18:29:29 +0300
From:   Dmitry Krivenok <krivenok.dmitry@...il.com>
To:     netdev@...r.kernel.org
Cc:     Jay Vosburgh <j.vosburgh@...il.com>,
        Veaceslav Falico <vfalico@...il.com>,
        Andy Gospodarek <andy@...yhouse.net>
Subject: Re: macvlan on top of balance-alb bond

[FIXED FORMATTING]

Hello,
I have a question concerning the setup where I have a macvlan interface on top of
a bond device configured in balance-alb mode with 2 slave ports.

The problem is that I cannot ping an IP of the macvlan device on the server from the
client machine. I do see that (as expected) the client never sees the MAC address of
the macvlan device, but instead sees the MAC address of one of the slave ports because
ARP replies are intercepted by the bonding driver and MACs are replaced.
However, I don’t see ICMP requests from the client on the macvlan device when I
run tcpdump. I do see them on the bond device and the slave assigned to the client
though.

I also tried active/passive, LACP and TLB bonding modes and they all work fine
with my configuration. I only have a problem with ALB mode and macvlan.
When I moved the IP from the macvlan device to the bond device, everything started
working, so I guess it has something to do with virtual interfaces on top of the
bond.

I’d think that such a configuration is not supported, but I found the following
patch that was merged a few years ago:
https://www.spinics.net/lists/netdev/msg285148.html
From the description, the patch was intended to add support of exactly my
configuration. I confirmed that my 4.8.6 kernel does have those changes.

I’m not familiar with the code of bonding driver and didn’t dig into the source
code to see why packets get dropped. I see that they are dropped (via
dropwatch).
I tried to get more details via enabling dyndebug and playing with ftrace, but
with no luck yet.

Before I dig into that, I wanted to check with experts to know if that
configuration is supported at all with the latest Linux kernel? Any help is
very appreciated!

Thanks,
Dmitry

On Tue, Apr 11, 2017 at 6:25 PM, Dmitry Krivenok
<krivenok.dmitry@...il.com> wrote:
> Hello,
>
> I have a question concerning the setup where I have a macvlan interface on top of
> a bond device configured in balance-alb mode with 2 slave ports.
>
> The problem is that I cannot ping an IP of the macvlan device on the server from the
> client machine. I do see that (as expected) the client never sees the MAC address of
> the macvlan device, but instead sees the MAC address of one of the slave ports because
> ARP replies are intercepted by the bonding driver and MACs are replaced.
> However, I don’t see ICMP requests from the client on the macvlan device when I
> run tcpdump. I do see them on the bond device and the slave assigned to the client
> though.
>
> I also tried active/passive, LACP and TLB bonding modes and they all work fine
> with my configuration. I only have a problem with ALB mode and macvlan.
> When I moved the IP from the macvlan device to the bond device, everything started
> working, so I guess it has something to do with virtual interfaces on top of the
> bond.
>
> I’d think that such a configuration is not supported, but I found the following
> patch that was merged a few years ago:
> https://www.spinics.net/lists/netdev/msg285148.html
> From the description, the patch was intended to add support of exactly my
> configuration. I confirmed that my 4.8.6 kernel does have those changes.
>
> I’m not familiar with the code of bonding driver and didn’t dig into the source
> code to see why packets get dropped. I see that they are dropped (via
> dropwatch).
> I tried to get more details via enabling dyndebug and playing with ftrace, but
> with no luck yet.
>
> Before I dig into that, I wanted to check with experts to know if that
> configuration is supported at all with the latest Linux kernel? Any help is
> very appreciated!
>
> Thanks,
> Dmitry



-- 
Sincerely yours, Dmitry V. Krivenok
e-mail: krivenok.dmitry@...il.com
skype: krivenok_dmitry
jabber: krivenok_dmitry@...ber.ru
icq: 242-526-443
