lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <5283AC86.9060601@gmail.com>
Date:	Wed, 13 Nov 2013 11:44:54 -0500
From:	Vlad Yasevich <vyasevich@...il.com>
To:	Stefan Priebe - Profihost AG <s.priebe@...fihost.ag>,
	Veaceslav Falico <vfalico@...hat.com>
CC:	Linux Netdev List <netdev@...r.kernel.org>
Subject: Re: how to mix bridges and bonding inc. vlans correctly on Kernel
 > 3.10

On 11/13/2013 10:17 AM, Stefan Priebe - Profihost AG wrote:
> Am 13.11.2013 16:05, schrieb Vlad Yasevich:
>> On 11/13/2013 09:20 AM, Stefan Priebe - Profihost AG wrote:
>>> Hi Falico,
>>> Am 13.11.2013 15:12, schrieb Veaceslav Falico:
>>>> On Wed, Nov 13, 2013 at 02:58:40PM +0100, Stefan Priebe - Profihost AG
>>>> wrote:
>>>>> Hello,
>>>>>
>>>>> while my vlans, bridging and bonding stuff was working until 3.9 i
>>>>> never
>>>>> thought about how it is right. So maybe i was always wrong.
>>>>>
>>>>> I've this:
>>>>>
>>>>> eth2
>>>>>       \
>>>>>        -- bond1 -- vmbr1
>>>>>       /
>>>>> eth3
>>>>>
>>>>> This works fine and as expected now i want to have a vlan using the
>>>>> bonding and using a bridge.
>>>>>
>>>>> I the past i had this:
>>>>> eth2
>>>>>       \
>>>>>        -- bond1 -- vmbr1
>>>>>       /              \
>>>>> eth3                 \ vmbr1.3000
>>>>>                             \ ---- tap114i1
>>>>>
>>>>> This was working fine until 3.9.X since 3.10. Right now using 3.10 i
>>>>> need to put eth2 and eth3 into promisc mode to get it working ;-( this
>>>>> is bad!
>>>>
>>>> As a guess - do you use arp monitoring for bonding? Try using miimon -
>>>> there were some issues with it in 3.10, which were fixed by some huge
>>>> patchsets that will never hit 3.10 stable.
>>>> Also, the bonding configuration would be welcome.
>>>
>>> Debian Bonding konfiguration looks like this:
>>> auto bond1
>>> iface bond1 inet manual
>>>           slaves eth2 eth3
>>>           bond-mode 802.3ad
>>>           bond_miimon 100
>>>           bond_updelay 200
>>>           bond_downdelay 0
>>>
>>> This should be miimon using lacp and not arp isn't it?
>>> Anything more needed?
>>>
>>
>> Hmm..  With 802.3ad mode, when the bond is a port on the bridge, the
>> bond should place all of its ports into promiscuous mode.  Do you see
>> the the kernel messages that say that?
>
> No it does not - i only see:
> # dmesg -c|egrep "promiscuous|forward"
> [    5.445161] device bond0 entered promiscuous mode
> [    7.670701] device bond1 entered promiscuous mode
> [    7.845472] vmbr0: port 1(bond0) entered forwarding state
> [    7.845474] vmbr0: port 1(bond0) entered forwarding state
> [    8.269769] vmbr1: port 1(bond1) entered forwarding state
> [    8.269771] vmbr1: port 1(bond1) entered forwarding state
>

So this can happen if bond interfaces are down at the time of joining
the bridge.  The promisc flag propagation to lower interfaces only 
happens when those interfaces are up.  So if for whatever reason,
the lower interfaces happen to be down during the crating of this
hierarchy, the promiscuity flag may not get set on the lower level port
device an we may end up in this situation.

-vlad

> Now adding variant 1:
> # dmesg -c|egrep "promiscuous|forward"
> [   85.919382] device tap113i0 entered promiscuous mode
> [   85.965018] vmbr0: port 2(tap113i0) entered forwarding state
> [   85.965023] vmbr0: port 2(tap113i0) entered forwarding state
> [   86.263292] device tap113i1 entered promiscuous mode
> [   86.314151] device vmbr1.3000 entered promiscuous mode
> [   86.314153] device vmbr1 entered promiscuous mode
> [   86.314192] vmbr1v3000: port 1(vmbr1.3000) entered forwarding state
> [   86.314196] vmbr1v3000: port 1(vmbr1.3000) entered forwarding state
> [   86.318116] vmbr1v3000: port 2(tap113i1) entered forwarding state
> [   86.318120] vmbr1v3000: port 2(tap113i1) entered forwarding state
> [  101.382129] vmbr1v3000: port 1(vmbr1.3000) entered forwarding state
>
> Now it looks like this:
> # ip a l|grep PROMISC
> 13: tap113i0: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
> htb master vmbr0 state UNKNOWN qlen 500
> 14: tap113i1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc
> htb master vmbr1v3000 state UNKNOWN qlen 500
>
> Greets,
> Stefan
>
>
> Main question is - is this one correct:
>>>>> eth2
>>>>>       \
>>>>>        -- bond1 -- vmbr1
>>>>>       /              \
>>>>> eth3                 \ vmbr1.3000
>>>>>                             \ ---- tap114i1
>
> <= does not work at all
>
> or this one?:
>>>>> eth2
>>>>>       \
>>>>>        -- bond1 -- vmbr1
>>>>>       /     \
>>>>> eth3        ----- bond1.3000 --- vmbr1v3000
>>>>>                                       \ ---- tap114i1
>
> <= works if i manually put eth2 and eth3 into promiscous mode.
>
>> -vlad
>>
>>> One thing i forgot the one with vmbr1.3000 does not work at all eben not
>>> with promisc mode. The one below works fine if i set eth2 and eth3 into
>>> promisc mode.
>>>
>>> Stefan
>>>
>>>>> I also tried this one without success:
>>>>> eth2
>>>>>       \
>>>>>        -- bond1 -- vmbr1
>>>>>       /     \
>>>>> eth3        ----- bond1.3000 --- vmbr1v3000
>>>>>                                       \ ---- tap114i1
>>>>>
>>>>>
>>>>>
>>>>> Greets,
>>>>> Stefan
>>>>> --
>>>>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>>>>> the body of a message to majordomo@...r.kernel.org
>>>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>> --
>>> To unsubscribe from this list: send the line "unsubscribe netdev" in
>>> the body of a message to majordomo@...r.kernel.org
>>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>>
>>

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ