lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <572BE4EE0DE0E74EAE41F3932BDE6AB83917952B@SZXEMA510-MBS.china.huawei.com>
Date:	Thu, 2 Jul 2015 03:04:35 +0000
From:	"pengyi Peng(Yi)" <pengyi.pengyi@...wei.com>
To:	"netdev@...r.kernel.org" <netdev@...r.kernel.org>
CC:	Lichunhe <lichunhe@...wei.com>,
	"Zhangwei (FF)" <zw.zhang@...wei.com>
Subject: Issue with active-backup mode bond and bridge

I find that kernel seems to be not well handled with the combination of bonding and bridge module. I have a physical host with two nics that are bonded together (active backup mode).  Each nic is connected to a separate L2 switch. And the two L2 switchs are connected to a L3 switch.

If the host only has the bond device, when I manually make the active slave down, bonding will issue one or more gratuitous ARPs on the newly active slave. One gratuitous ARP is issued for the bonding master interface, provided that the interface has at least one IP address configured. 

However, if there is a bridge named br0 and the bond device joins in the bridge br0, the IP address of the bond moves to the br0 device. First, I make two nics up. But this time, when I again make the active slave down, I can't capture the gratuitous ARP in the bond device with tcpdump. And this can result in the bad connect to the host, because with no ARP packet sended out of the host, the L3 switch may still send the packets from outside to the old L2 switch which connect to the new backup nic. These packets can't get any responses.

I read the kernel code. 
When change the active slave into the specified one, in bond_change_active_slave function, bond will send the NETDEV_NOTIFY_PEERS event:
			netdev_bonding_change(bond->dev, NETDEV_BONDING_FAILOVER);
			if (should_notify_peers)
				netdev_bonding_change(bond->dev,
						      NETDEV_NOTIFY_PEERS);
							  							  
And in inetdev_event function, if event is NETDEV_NOTIFY_PEERS, it will call inetdev_send_gratuitous_arp to send gratuitous ARP.
	case NETDEV_NOTIFY_PEERS:
		/* Send gratuitous ARP to notify of link change */
		inetdev_send_gratuitous_arp(dev, in_dev);
		break;

But when the bond is in the bridge, the code won't change the dev to the bridge device, and there is no IP address in bond device, so there is no gratuitous ARP.
		
My question is, why the latest kernel(4.1) still does not consider this conditoin ?


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...xxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ