Arp reply from illegal virtual interface #2348

Closed
aapostoliuk opened this issue Oct 3, 2023 · 2 comments
aapostoliuk commented Oct 3, 2023

Describe the bug
If we create two VRRP instances based on the same interface, one with an IPv4 address and the other with an IPv6 address with use_vmac enabled, the router responds to an ARP request with two ARP replies: one from the legal virtual interface (IPv4) and the other from the illegal interface (IPv6).
Configuration:

global_defs {
    dynamic_interfaces
}

vrrp_instance VRRP {
    state MASTER
    interface ens34
    virtual_router_id 19
    priority 100
    advert_int 1
    preempt_delay 60
    use_vmac ens340v19v4
    virtual_ipaddress {
        10.1.1.1/24
    }
}
vrrp_instance VRRP_V6 {
    state MASTER
    interface ens34
    virtual_router_id 20
    priority 200
    advert_int 1
    preempt_delay 60
    use_vmac ens34v20v6
    virtual_ipaddress {
        2001:67c:6c:56::1/64
    }
}

ip addr output:

3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
    link/ether 00:0c:29:c5:5b:f8 brd ff:ff:ff:ff:ff:ff
    altname enp2s2
    inet 10.1.1.2/24 brd 10.1.1.255 scope global ens34
       valid_lft forever preferred_lft forever
    inet6 2001:67c:6c:56::124/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec5:5bf8/64 scope link
       valid_lft forever preferred_lft forever
6: ens340v19v4@ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:00:5e:00:01:13 brd ff:ff:ff:ff:ff:ff
    inet 10.1.1.1/24 scope global ens340v19v4
       valid_lft forever preferred_lft forever
7: ens34v20v6@ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 00:00:5e:00:02:14 brd ff:ff:ff:ff:ff:ff
    inet6 2001:67c:6c:56::1/64 scope global nodad
       valid_lft forever preferred_lft forever
    inet6 fe80::20c:29ff:fec5:5bf8/64 scope link nodad deprecated
       valid_lft forever preferred_lft 0sec

TCPDUMP output:

tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on ens34, link-type EN10MB (Ethernet), snapshot length 262144 bytes
15:05:07.120901 ARP, Request who-has 10.1.1.1 (Broadcast) tell 10.1.1.100, length 50
15:05:07.120953 ARP, Reply 10.1.1.1 is-at 00:00:5e:00:01:13 (oui IANA), length 28
15:05:07.120987 ARP, Reply 10.1.1.1 is-at 00:00:5e:00:02:14 (oui IANA), length 28

It happens because the virtual interface with only an IPv6 address does not inherit sysctl options from the parent interface.

net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.all.arp_filter = 0
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.default.arp_announce = 0
net.ipv4.conf.default.arp_filter = 0
net.ipv4.conf.default.arp_ignore = 0
net.ipv4.conf.ens34.arp_announce = 0
net.ipv4.conf.ens34.arp_filter = 1
net.ipv4.conf.ens34.arp_ignore = 1
net.ipv4.conf.ens340v19v4.arp_announce = 0
net.ipv4.conf.ens340v19v4.arp_filter = 0
net.ipv4.conf.ens340v19v4.arp_ignore = 1
net.ipv4.conf.ens34v20v6.arp_announce = 0
net.ipv4.conf.ens34v20v6.arp_filter = 0
net.ipv4.conf.ens34v20v6.arp_ignore = 0

To Reproduce
All steps are described above

Expected behavior
Expected one ARP reply from the interface where the IP is configured. If keepalived sets arp_ignore and arp_filter for IPv4 in its code, it would be cool if it set these parameters on virtual interfaces with IPv6 only too.

Keepalived version

Keepalived v2.2.8 (04/04,2023), git commit v2.2.7-154-g292b299e+

Copyright(C) 2001-2023 Alexandre Cassen, <acassen@gmail.com>

Built with kernel headers for Linux 6.1.52
Running on Linux 6.1.0-12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07)
Distro: Debian GNU/Linux 12 (bookworm)

configure options:

Config options:  LIBIPSET_DYNAMIC NFTABLES LVS VRRP VRRP_AUTH VRRP_VMAC OLD_CHKSUM_COMPAT INIT=systemd SYSTEMD_NOTIFY

System options:  VSYSLOG MEMFD_CREATE IPV6_MULTICAST_ALL LIBKMOD IPV4_DEVCONF LIBNL3 RTA_ENCAP RTA_EXPIRES RTA_NEWDST RTA_PREF FRA_SUPPRESS_PREFIXLEN FRA_SUPPRESS_IFGROUP FRA_TUN_ID RTAX_CC_ALGO RTAX_QUICKACK RTEXT_FILTER_SKIP_STATS FRA_L3MDEV FRA_UID_RANGE RTAX_FASTOPEN_NO_COOKIE RTA_VIA FRA_PROTOCOL FRA_IP_PROTO FRA_SPORT_RANGE FRA_DPORT_RANGE RTA_TTL_PROPAGATE IFA_FLAGS LWTUNNEL_ENCAP_MPLS LWTUNNEL_ENCAP_ILA IPTABLES NET_LINUX_IF_H_COLLISION LIBIPVS_NETLINK IPVS_DEST_ATTR_ADDR_FAMILY IPVS_SYNCD_ATTRIBUTES IPVS_64BIT_STATS IPVS_TUN_TYPE IPVS_TUN_CSUM IPVS_TUN_GRE VRRP_IPVLAN IFLA_LINK_NETNSID GLOB_BRACE GLOB_ALTDIRFUNC INET6_ADDR_GEN_MODE VRF SO_MARK

Distro (please complete the following information):

  • Name: Debian
  • Version: 12.1
  • Architecture: amd64

Details of any containerisation or hosted service (e.g. AWS)
If keepalived is being run in a container or on a hosted service, provide full details

Configuration file:

global_defs {
    dynamic_interfaces
}

vrrp_instance VRRP {
    state MASTER
    interface ens34
    virtual_router_id 19
    priority 100
    advert_int 1
    preempt_delay 60
    use_vmac ens340v19v4
    virtual_ipaddress {
        10.1.1.1/24
    }
}
vrrp_instance VRRP_V6 {
    state MASTER
    interface ens34
    virtual_router_id 20
    priority 200
    advert_int 1
    preempt_delay 60
    use_vmac ens34v20v6
    virtual_ipaddress {
        2001:67c:6c:56::1/64
    }
}

System Log entries

Oct 03 13:42:34 debian12 systemd[1]: Starting keepalived.service - LVS and VRRP High Availability Monitor...
Oct 03 13:42:34 debian12 Keepalived[10746]: WARNING - keepalived was built for newer Linux 6.1.52, running on Linux 6.1.0-12-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.52-1 (2023-09-07)
Oct 03 13:42:34 debian12 Keepalived[10746]: Command line: '/usr/local/sbin/keepalived' '--dont-fork' '-D'
Oct 03 13:42:34 debian12 Keepalived[10746]: WARNING - using deprecated default config file '/etc/keepalived/keepalived.conf' - please move to 'NONE/etc/keepalived/keepalived.conf'
Oct 03 13:42:34 debian12 Keepalived[10746]: Opening file '/etc/keepalived/keepalived.conf'.
Oct 03 13:42:34 debian12 Keepalived[10746]: Configuration file /etc/keepalived/keepalived.conf
Oct 03 13:42:34 debian12 Keepalived[10746]: NOTICE: setting config option max_auto_priority should result in better keepalived performance
Oct 03 13:42:34 debian12 systemd[1]: Started keepalived.service - LVS and VRRP High Availability Monitor.
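
The two symptoms in the report above (one IPv4 address answered from two MACs, and a VMAC sub-interface left with arp_ignore = 0) can be checked mechanically. This is an added example, not part of the original report and not keepalived code; the sample input is copied from the report's tcpdump, ip addr and sysctl output, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Sample input: lines copied from the report above.
TCPDUMP = """\
15:05:07.120901 ARP, Request who-has 10.1.1.1 (Broadcast) tell 10.1.1.100, length 50
15:05:07.120953 ARP, Reply 10.1.1.1 is-at 00:00:5e:00:01:13 (oui IANA), length 28
15:05:07.120987 ARP, Reply 10.1.1.1 is-at 00:00:5e:00:02:14 (oui IANA), length 28
"""
IP_ADDR = """\
3: ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
6: ens340v19v4@ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
7: ens34v20v6@ens34: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
"""
SYSCTL = """\
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.ens34.arp_ignore = 1
net.ipv4.conf.ens340v19v4.arp_ignore = 1
net.ipv4.conf.ens34v20v6.arp_ignore = 0
"""

ARP_REPLY = re.compile(r"ARP, Reply (\S+) is-at ([0-9a-f:]{17})")
LINK = re.compile(r"^\d+: ([^@:\s]+)@([^:\s]+):", re.M)
ARP_IGNORE = re.compile(r"^net\.ipv4\.conf\.(\S+)\.arp_ignore\s*=\s*(\d+)", re.M)


def conflicting_arp_replies(capture):
    """Map each IPv4 address to its answering MACs when more than one replied."""
    macs = defaultdict(set)
    for ip, mac in ARP_REPLY.findall(capture):
        macs[ip].add(mac)
    return {ip: sorted(m) for ip, m in macs.items() if len(m) > 1}


def children_without_arp_ignore(ip_addr, sysctl, parent):
    """List sub-interfaces of `parent` whose effective arp_ignore is 0."""
    children = [name for name, up in LINK.findall(ip_addr) if up == parent]
    values = {name: int(val) for name, val in ARP_IGNORE.findall(sysctl)}
    # The kernel applies max(conf/all, conf/<iface>); an interface absent
    # from the dump is assumed to be at the default of 0 and is reported.
    glob = values.get("all", 0)
    return [c for c in children if max(glob, values.get(c, 0)) == 0]


if __name__ == "__main__":
    print(conflicting_arp_replies(TCPDUMP))
    print(children_without_arp_ignore(IP_ADDR, SYSCTL, "ens34"))
```
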
@pqarmitage
Collaborator

I have tested this on 5.17.12 and 6.5.5 kernels (both Fedora) and I don't see any ARP reply being sent on ens34v20v6 (the IPv6 VMAC). However, since there is no harm in setting arp_ignore = 1 on an IPv6 VMAC, I don't see any harm in doing so (I don't think it is necessary to set arp_filter, and we don't set it on an IPv4 VMAC), but I would be grateful if you could test the patch to see if it resolves your issue or needs arp_filter also set.

Commit 9ca8688 adds this functionality.

@aapostoliuk
Author

aapostoliuk commented Oct 27, 2023

I have tested it. It works as expected. Thank you.
