Date:   Fri, 27 Jul 2018 23:29:34 +0000
From:   "D'Souza, Nelson" <ndsouza@...na.com>
To:     David Ahern <dsa@...ulusnetworks.com>,
        "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: Re: [**EXTERNAL**] Re: VRF with enslaved L3 enabled bridge

David,

With Ubuntu 18.04.1 (kernel 4.15.0-29) pings sent out on test-vrf and br0 are successful.

# uname -rv
4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018

# ping -c 1 -I test-vrf 172.16.2.2
ping: Warning: source address might be selected on device other than test-vrf.
PING 172.16.2.2 (172.16.2.2) from 172.16.1.1 test-vrf: 56(84) bytes of data.
64 bytes from 172.16.2.2: icmp_seq=1 ttl=64 time=0.050 ms

--- 172.16.2.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.050/0.050/0.050/0.000 ms

# ping -c 1 -I br0 172.16.2.2
PING 172.16.2.2 (172.16.2.2) from 172.16.1.1 br0: 56(84) bytes of data.
64 bytes from 172.16.2.2: icmp_seq=1 ttl=64 time=0.026 ms

--- 172.16.2.2 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms

However, with Ubuntu 17.10.1 (kernel 4.13.0-21) pings on only test-vrf are successful. Pings on br0 are not successful.
So it seems like there may be a change in versions after 4.13.0-21 that causes pings on br0 to pass.

Nelson

On 7/25/18, 5:35 PM, "D'Souza, Nelson" <ndsouza@...na.com> wrote:

    David, 
    
    I tried out the commands on an Ubuntu 17.10.1 VM.
    The pings on test-vrf are successful, but the pings on br0 are not successful.
    
    # uname -rv  
    4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017
    
    # lsb_release -a
    No LSB modules are available.
    Distributor ID:	Ubuntu
    Description:	Ubuntu 17.10    
    Release:	17.10
    Codename:	artful
    
    # ip rule  --> Note: it's missing the l3mdev rule
    0:	from all lookup local 
    32766:	from all lookup main 
    32767:	from all lookup default
    
    Ran the configs from a bash script vrf.sh
    
    # ./vrf.sh
    + ip netns add foo
    + ip li add veth1 type veth peer name veth2
    + ip li set veth2 netns foo
    + ip -netns foo li set lo up
    + ip -netns foo li set veth2 up
    + ip -netns foo addr add 172.16.1.2/24 dev veth2
    + ip li add test-vrf type vrf table 123
    + ip li set test-vrf up
    + ip ro add vrf test-vrf unreachable default
    + ip li add br0 type bridge
    + ip li set veth1 master br0
    + ip li set veth1 up
    + ip li set br0 up
    + ip addr add dev br0 172.16.1.1/24
    + ip li set br0 master test-vrf
    + ip -netns foo addr add 172.16.2.2/32 dev lo
    + ip ro add vrf test-vrf 172.16.2.2/32 via 172.16.1.2
    
    # ping -I test-vrf 172.16.2.2 -c 2  <<< successful on test-vrf
    ping: Warning: source address might be selected on device other than test-vrf.
    PING 172.16.2.2 (172.16.2.2) from 172.16.1.1 test-vrf: 56(84) bytes of data.
    64 bytes from 172.16.2.2: icmp_seq=1 ttl=64 time=0.035 ms
    64 bytes from 172.16.2.2: icmp_seq=2 ttl=64 time=0.045 ms
    
    --- 172.16.2.2 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1022ms
    rtt min/avg/max/mdev = 0.035/0.040/0.045/0.005 ms
    
    # ping -I br0 172.16.2.2 -c 2   <<< fails on br0
    PING 172.16.2.2 (172.16.2.2) from 172.16.1.1 br0: 56(84) bytes of data.
    
    --- 172.16.2.2 ping statistics ---
    2 packets transmitted, 0 received, 100% packet loss, time 1022ms
    
    Please let me know if I should try a different version.
    
    Nelson
    
    On 7/24/18, 9:08 AM, "D'Souza, Nelson" <ndsouza@...na.com> wrote:
    
        It's strange that enslaving eth1 -> br0 -> test-vrf does not work, but enslaving eth1->test-vrf works fine.
        
        Nelson
        
        On 7/24/18, 8:58 AM, "D'Souza, Nelson" <ndsouza@...na.com> wrote:
        
            Thank you David, really appreciate the help. Most likely something specific to my environment.
            
            ip vrf id does not report anything on my system. Here's the result after running the command.
            
            # ip vrf id
            #
            
            I'll follow up with a VM.
            
            Nelson
            
            On 7/24/18, 5:55 AM, "David Ahern" <dsa@...ulusnetworks.com> wrote:
            
                On 7/23/18 7:43 PM, D'Souza, Nelson wrote:
                > I copy and pasted the configs onto my device, but pings on test-vrf do not work in my setup. 
                > I'm essentially seeing the same issue as I reported before.
                > 
                > In this case, pings sent out on test-vrf (host ns) are received and replied to by the loopback interface (foo ns). Although the replies are seen at the test-vrf level, they are not locally delivered to the ping application.
                > 
                
                I just built v4.14.52 kernel and ran those commands - worked fine. It is
                something specific to your environment. Is your shell tied to a VRF --
                (ip vrf id)?
                
                After that, I suggest you create a VM running a newer distribution of
                your choice (Ubuntu 17.10 or newer, debian stretch with 4.14 kernel, or
                Fedora 26 or newer) and run the commands there.

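The 4.13 `ip rule` listing quoted above lacks the l3mdev rule, which is what makes VRF-scoped sockets consult the VRF's table instead of falling through to `main`. As an added diagnostic (not part of the thread, and not the poster's vrf.sh), the script below checks `ip rule` output for an l3mdev rule and confirms it is ordered before the main-table lookup, using constructed sample listings so it can run without root; the live check at the bottom is the only line that needs iproute2.

```shell
#!/bin/sh
# Added example, not from the thread: detect whether the VRF l3mdev
# policy-routing rule is present and ordered before the main table.
# Input is read from stdin so constructed samples can be checked offline.

# Returns 0 when a rule mentioning l3mdev exists with a priority lower
# than 32766 (the main-table rule), 1 otherwise.
has_l3mdev_rule() {
    awk '
        /l3mdev/ {
            pri = $1; sub(":", "", pri)        # "1000:" -> "1000"
            if (pri + 0 < 32766) found = 1
        }
        END { exit found ? 0 : 1 }
    '
}

# Constructed sample matching the 4.13 listing in the thread (no l3mdev rule).
RULES_WITHOUT='0: from all lookup local
32766: from all lookup main
32767: from all lookup default'

# Constructed sample of a host where the l3mdev rule has been installed.
RULES_WITH='0: from all lookup local
1000: from all lookup [l3mdev-table]
32766: from all lookup main
32767: from all lookup default'

# Wraps the check with a human-readable verdict; returns the check status.
check_rules() {
    if printf '%s\n' "$1" | has_l3mdev_rule; then
        echo "ok: l3mdev rule present before the main-table lookup"
        return 0
    fi
    echo "missing: no l3mdev rule before main; VRF sockets fall through to main"
    return 1
}

# Live check on a real host (requires iproute2):  ip rule | has_l3mdev_rule
```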