lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <VI1P18901MB00478FA643CC8E553C3BDFFEABAE0@VI1P18901MB0047.EURP189.PROD.OUTLOOK.COM>
Date:   Mon, 3 Dec 2018 09:32:50 +0000
From:   Lars Ekman G <lars.g.ekman@....tech>
To:     "netdev@...r.kernel.org" <netdev@...r.kernel.org>
Subject: ipv6: multipatth routing (ecmp) does not work for local outgoing
 connects


Hi,

Kernel version; 4.19.3

A multipath ipv6 route is setup;

# ip -6 ro
1000:: proto zebra metric 20 
        nexthop via 1000::1:c0a8:101 dev eth1 weight 1 
        nexthop via 1000::1:c0a8:104 dev eth1 weight 1 
        nexthop via 1000::1:c0a8:102 dev eth1 weight 1 
        nexthop via 1000::1:c0a8:103 dev eth1 weight 1 pref medium
...

When traffic is forwarded through this node it is distributed among the
targets, but if the connections originates from the local node just
one target is selected.


Sysctl settings;

# cat /proc/sys/net/ipv6/fib_multipath_hash_policy
0
# cat /proc/sys/net/ipv6/auto_flowlabels 
1

Setting these sysctl's to different values does not seem to help.

If I assign a subnet to the loopback device and set
"net.ipv6.ip_nonlocal_bind=1" I can use different source addresses for
outgoing connects and then the multipath distribution works. Also if
the FlowLabel is set explicitly different routes are taken.

My guess is that the auto_flowlabels are set post-routing.

IMHO this should be fixed since ecmp for ipv6 does not work unless the
Linux machine acts as a router.

In my particular case I use this in my test traffic generator. I can
find work-arounds but they require support in the test program;

- Use multiple random source addresses
- Explicitly set a random flow-label

Very few tools have these features, not iperf2/3 at least.

Or I can move the test generator into a netns and by that enforce
forwarding, but that will affect performance tests.


I have searched the netdev archive but did not found
anything relevant.

Best Regards,
Lars Ekman

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ