[ovs-discuss] Leaking packets from one bridge to another or how can I isolate networks with OVS?

Peter Schmitt p.schmitt.82 at gmx.net
Fri Aug 21 06:41:29 UTC 2015

Thank you for the answer. Yes I saw that, but that does not explain why
I see ARP requests from the host network on br1000. Maybe I did not
explain this quite well.

Assume I have my normal home network here being All my hosts
are connected to this network, and also the KVM host machine.
Now I start ovs, pox and some KVMs on the KVM host machine.
The br0 on ovs is also in the network The network between
my KVM machines is on br1000. With the setup described below,
I can see ARP requests from two different hosts in the
network (not the IP address of the KVM host) on my KVM appliances in the network.
That would (in my understanding) mean that the KVM forwards ARP requests
for some reason to the second bridge or there is anything fishy with
ovs. I don't have any bridges or anything configured on the KVM host.
The strange thing is that if I remove the interface of my KVM from the
br0 in ovs, the ARP requests disappear on br1000.

I hope this got a little bit clearer now. I don't think this might be
related to the ES Model,
or am I wrong here?

Best regards,

On 20.08.2015 19:07, Ben Pfaff wrote:
> On Thu, Aug 20, 2015 at 02:21:47PM +0200, Peter Schmitt wrote:
>> Hi,
>> thanks for adding me to this list. I have a fairly strange problem and I am
>> not sure if it is a design flaw in my setup or a bug.
>> I want to use OpenVSwitch and KVMs to create some test networks that have
>> Internet access but are strictly separated otherwise, so that I have VLAN
>> functionality and packets from different networks do not interfere with each
>> other.
>> My setup is as follows:
>> I have one host and I use one instance of ovs 2.3.0 and pox with the
>> l2_learning module as
>> controller on every bridge.
>> I have a bridge br0 that should be used for the access to the outer network.
>> This bridge has an IP address on the host and also the physical devices
>> added
>> as a bond. Also one interface from a KVM (KVM0) is added to this bridge.
>> Bridge "br0"
>>     Controller "tcp:"
>>         is_connected: true
>>     Port "tap0"
>>         Interface "tap0"
>>     Port "br0"
>>         Interface "br0"
>>             type: internal
>>     Port "bond0"
>>         Interface "p12p2"
>>         Interface "p10p1"
>>         Interface "p12p1"
>> I have access to the outer network from KVM0. Now I added a second bridge
>> br1000. This device is not up on the host and only used in ovs. I
>> start some KVMs and connect the tap devices to this bridge br1000 and
>> also some
>> interfaces from KVM0. So basically, KVM0
>> is connected to br0 and br1000. I use IP forwarding on KVM0 to enable
>> access for all the other KVMs on br1000. This does also work.
>> Bridge "br1000"
>>     Controller "tcp:"
>>         is_connected: true
>>     Port "br1000"
>>         Interface "br1000"
>>             type: internal
>>     Port "tap4"
>>         Interface "tap4"
>>     Port "tap1"
>>         Interface "tap1"
>>     Port "tap3"
>>         Interface "tap3"
>>     Port "tap2"
>>         Interface "tap2"
>> What happens now is that I can see ARP requests and other traffic from
>> the outer network on
>> br1000, which should (in my understanding) not be visible on br1000. It
>> should
>> only be visible on br0. I can also see this traffic from inside the KVMs
>> connected to br1000 only.
>> Some experiments I did:
>> Removing KVM0's interface tap0 from br0 and adding it to br1000 fixes the
>> problem that I can see other traffic, but of course, access to the outer
>> network is not available from all KVMs.
>> Adding a patch connection between br0 and br1000 of course lets the traffic
>> appear again on both bridges and I have again internet access.
>> I cannot see why my KVM0 should forward ARP requests to a different
>> Layer 3 network?!
>> Can anyone point me in the right direction on what is going wrong here?
>> Is the
>> setup in general ok? How can I achieve that I have isolated networks and
>> only
>> IP forwarding between my outer network and the KVM networks?
>> If any further information is needed, I am happy to give it to you. I
>> have this setup
>> ready and can do tests if needed.
> Did you see this question in the FAQ?
> ### Q: I configured one IP address on VLAN 0 and another on VLAN 9, like
>    this:
>        ovs-vsctl add-br br0
>        ovs-vsctl add-port br0 eth0
>        ifconfig br0
>        ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
>        ifconfig vlan9
>    but other hosts that are only on VLAN 0 can reach the IP address
>    configured on VLAN 9.  What's going on?
> A: RFC 1122 section "Multihoming Requirements" describes two
>    approaches to IP address handling in Internet hosts:
>    - In the "Strong ES Model", where an ES is a host ("End
>      System"), an IP address is primarily associated with a
>      particular interface.  The host discards packets that arrive
>      on interface A if they are destined for an IP address that is
>      configured on interface B.  The host never sends packets from
>      interface A using a source address configured on interface B.
>    - In the "Weak ES Model", an IP address is primarily associated
>      with a host.  The host accepts packets that arrive on any
>      interface if they are destined for any of the host's IP
>      addresses, even if the address is configured on some
>      interface other than the one on which it arrived.  The host
>      does not restrict itself to sending packets from an IP
>      address associated with the originating interface.
>    Linux uses the weak ES model.  That means that when packets
>    destined to the VLAN 9 IP address arrive on eth0 and are bridged to
>    br0, the kernel IP stack accepts them there for the VLAN 9 IP
>    address, even though they were not received on vlan9, the network
>    device for vlan9.
>    To simulate the strong ES model on Linux, one may add iptables rule
>    to filter packets based on source and destination address and
>    adjust ARP configuration with sysctls.
>    BSD uses the strong ES model.
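The FAQ's closing suggestion (iptables rules plus ARP sysctls to emulate the strong ES model on Linux) as an added, runnable example; this is not code from the thread or from the OVS FAQ, and the interface name `br0` and address `192.0.2.10` are constructed placeholders.

```shell
#!/bin/sh
# Added example: approximate the "strong ES model" on a Linux host, so that
# an IP address configured on IFACE is neither answered via ARP nor accepted
# for delivery when the packet arrives on some other interface. Requires
# root to apply for real; DRY_RUN=1 only prints the commands that would run.

# Execute a command, or echo it when DRY_RUN=1.
run() { if [ "${DRY_RUN:-0}" = 1 ]; then echo "+ $*"; else "$@"; fi; }

# ARP sysctls for one interface:
#   arp_filter=1   answer ARP only if the kernel would route the reply out
#                  of the interface the request arrived on
#   arp_ignore=1   answer only for target addresses configured on that
#                  interface (the default 0 answers for any local address,
#                  which is the weak-ES behaviour the FAQ describes)
#   arp_announce=2 source ARP from an address that belongs to the interface
strong_es_sysctls() {
    iface="$1"
    cat <<EOF
net.ipv4.conf.${iface}.arp_filter=1
net.ipv4.conf.${iface}.arp_ignore=1
net.ipv4.conf.${iface}.arp_announce=2
EOF
}

# iptables rules binding ADDR to IFACE: accept it there, drop it anywhere
# else on input, and refuse to source it from any other interface on output.
strong_es_rules() {
    iface="$1"; addr="$2"
    printf '%s\n' \
        "iptables -A INPUT -i ${iface} -d ${addr} -j ACCEPT" \
        "iptables -A INPUT ! -i ${iface} -d ${addr} -j DROP" \
        "iptables -A OUTPUT -o ${iface} -s ${addr} -j ACCEPT" \
        "iptables -A OUTPUT ! -o ${iface} -s ${addr} -j DROP"
}

# Apply both sets for IFACE/ADDR (3 sysctl calls, then 4 iptables calls).
apply_strong_es() {
    iface="$1"; addr="$2"
    strong_es_sysctls "$iface" | while IFS= read -r kv; do
        run sysctl -w "$kv"
    done
    strong_es_rules "$iface" "$addr" | while IFS= read -r rule; do
        # shellcheck disable=SC2086  # word splitting is intended here
        run $rule
    done
}
```

Review the plan first with `DRY_RUN=1 apply_strong_es br0 192.0.2.10`, then run it as root without `DRY_RUN` once for every interface/address pair that should be pinned.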
