[ovs-discuss] Leaking packets from one bridge to another or how can I isolate networks with OVS?

Peter Schmitt p.schmitt.82 at gmx.net
Fri Aug 21 06:41:29 UTC 2015


Hi,
thank you for the answer. Yes, I saw that, but that does not explain why I
see ARP requests from the host network on br1000. Maybe I did not explain
this quite well.

Assume I have my normal home network here being 192.168.0.0/24. All my hosts
are connected to this network, and also the KVM host machine.
Now I start ovs, pox and some KVMs on the KVM host machine.
The br0 on ovs is also in the network 192.168.0.0/24. The network between
my KVM machines is 10.0.0.0/24 on br1000. With the setup described below,
I can see ARP requests from two different hosts in the 192.168.0.0/24
network (not the IP address of the KVM host) on my KVM appliances in the
10.0.0.0/24 network.
That would (in my understanding) mean that the KVM forwards ARP requests
for some reason to the second bridge, or there is something fishy with
ovs. I don't have any bridges or anything configured on the KVM host.
The strange thing is that if I remove the interface of my KVM from the
br0 in ovs, the ARP requests disappear on br1000.

I hope this got a little bit clearer now. I don't think this might be
related to the ES Model, or am I wrong here?

Best regards,
Peter


On 20.08.2015 19:07, Ben Pfaff wrote:
> On Thu, Aug 20, 2015 at 02:21:47PM +0200, Peter Schmitt wrote:
>> Hi,
>>
>> thanks for adding me to this list. I have a fairly strange problem and I am
>> not sure if it is a design flaw in my setup or a bug.
>>
>> I want to use Open vSwitch and KVMs to create some test networks that have
>> Internet access but are strictly separated otherwise, so that I have VLAN
>> functionality and packets from different networks do not interfere with each
>> other.
>>
>> My setup is as follows:
>>
>> I have one host and I use one instance of ovs 2.3.0 and pox with the
>> l2_learning module as controller on every bridge.
>> I have a bridge br0 that should be used for the access to the outer network.
>> This bridge has an IP address on the host and also the physical devices
>> added as a bond. Also one interface from a KVM (KVM0) is added to this bridge.
>>
>> Bridge "br0"
>>     Controller "tcp:127.0.0.1:6633"
>>         is_connected: true
>>     Port "tap0"
>>         Interface "tap0"
>>     Port "br0"
>>         Interface "br0"
>>             type: internal
>>     Port "bond0"
>>         Interface "p12p2"
>>         Interface "p10p1"
>>         Interface "p12p1"
>>
>> I have access to the outer network from KVM0. Now I added a second bridge
>> br1000. This device is not up on the host and only used in ovs. I start
>> some KVMs and connect the tap devices to this bridge br1000 and also some
>> interfaces from KVM0. So basically, KVM0 is connected to br0 and br1000.
>> I use IP forwarding on KVM0 to enable access for all the other KVMs on
>> br1000. This also works.
>>
>> Bridge "br1000"
>>     Controller "tcp:127.0.0.1:6633"
>>         is_connected: true
>>     Port "br1000"
>>         Interface "br1000"
>>             type: internal
>>     Port "tap4"
>>         Interface "tap4"
>>     Port "tap1"
>>         Interface "tap1"
>>     Port "tap3"
>>         Interface "tap3"
>>     Port "tap2"
>>         Interface "tap2"
>>
>> What happens now is that I can see ARP requests and other traffic from
>> the outer network on br1000, which should (in my understanding) not be
>> visible on br1000. It should only be visible on br0. I can also see this
>> traffic from inside the KVMs connected to br1000 only.
>>
>> Some experiments I did:
>>
>> Removing KVM0's interface tap0 from br0 and adding it to br1000 fixes the
>> problem that I can see other traffic, but of course, access to the outer
>> network is not available from all KVMs.
>> Adding a patch connection between br0 and br1000 of course lets the traffic
>> appear again on both bridges and I have again internet access.
>> I cannot see why my KVM0 should forward ARP requests to a different
>> Layer 3 network?!
>>
>> Can anyone point me in the right direction on what is going wrong here?
>> Is the setup in general ok? How can I achieve isolated networks with
>> only IP forwarding between my outer network and the KVM networks?
>> If any further information is needed, I am happy to give it to you. I
>> have this setup ready and can do tests if needed.
> Did you see this question in the FAQ?
>
> ### Q: I configured one IP address on VLAN 0 and another on VLAN 9, like
>    this:
>
>        ovs-vsctl add-br br0
>        ovs-vsctl add-port br0 eth0
>        ifconfig br0 192.168.0.5
>        ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
>        ifconfig vlan9 192.168.0.9
>
>    but other hosts that are only on VLAN 0 can reach the IP address
>    configured on VLAN 9.  What's going on?
>
> A: RFC 1122 section 3.3.4.2 "Multihoming Requirements" describes two
>    approaches to IP address handling in Internet hosts:
>
>    - In the "Strong ES Model", where an ES is a host ("End
>      System"), an IP address is primarily associated with a
>      particular interface.  The host discards packets that arrive
>      on interface A if they are destined for an IP address that is
>      configured on interface B.  The host never sends packets from
>      interface A using a source address configured on interface B.
>
>    - In the "Weak ES Model", an IP address is primarily associated
>      with a host.  The host accepts packets that arrive on any
>      interface if they are destined for any of the host's IP
>      addresses, even if the address is configured on some
>      interface other than the one on which it arrived.  The host
>      does not restrict itself to sending packets from an IP
>      address associated with the originating interface.
>
>    Linux uses the weak ES model.  That means that when packets
>    destined to the VLAN 9 IP address arrive on eth0 and are bridged to
>    br0, the kernel IP stack accepts them there for the VLAN 9 IP
>    address, even though they were not received on vlan9, the network
>    device for vlan9.
>
>    To simulate the strong ES model on Linux, one may add iptables rules
>    to filter packets based on source and destination address and
>    adjust ARP configuration with sysctls.
>
>    BSD uses the strong ES model.
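To make the FAQ's remedy concrete, here is an added example script (it is not from the OVS FAQ, the OVS project, or anyone in this thread) that emits the iptables rules and per-interface ARP sysctls approximating the strong ES model on a Linux host with one IP address per interface, using the FAQ's br0/vlan9 addresses as sample input. The function name `strong_es_rules`, the `IFACE:ADDR` argument format and the `STRONG_ES_APPLY` variable are my own; the sysctl names and the iptables options are real kernel and netfilter ones. It prints the commands instead of running them, so they can be reviewed before being piped into a root shell.

```shell
#!/bin/sh
# Added example (not from the OVS FAQ or this thread): emit, and optionally apply,
# the iptables rules and ARP sysctls that approximate RFC 1122's strong ES model
# on a Linux host that has one IP address per interface.
#
# Arguments are IFACE:ADDR pairs, e.g.  br0:192.168.0.5 vlan9:192.168.0.9
# (the FAQ's values). Output is a list of shell commands; review it, then run it
# as root, or set STRONG_ES_APPLY=1 to have this script apply it directly.

# Per-interface ARP sysctls (real Linux knobs under net.ipv4.conf.<iface>.*):
#   arp_ignore=1    reply to an ARP request only if the target IP is configured
#                   on the interface the request arrived on
#   arp_announce=2  pick the ARP source IP from the outgoing interface's own
#                   addresses, not from any address the host happens to have
#   arp_filter=1    answer only on the interface the kernel would route the
#                   reply through
arp_sysctls() {
    iface=$1
    printf 'sysctl -w net.ipv4.conf.%s.arp_ignore=1\n' "$iface"
    printf 'sysctl -w net.ipv4.conf.%s.arp_announce=2\n' "$iface"
    printf 'sysctl -w net.ipv4.conf.%s.arp_filter=1\n' "$iface"
}

# For every ordered pair of distinct interfaces (A, B):
#   INPUT  -i A -d addr(B)  DROP   packets that arrived on A for B's address
#   OUTPUT -o A -s addr(B)  DROP   packets leaving A with B's address as source
# i.e. the receive-side and the send-side rule of the strong ES model.
strong_es_rules() {
    if [ $# -lt 2 ]; then
        echo "usage: strong_es_rules IFACE:ADDR IFACE:ADDR [IFACE:ADDR ...]" >&2
        return 1
    fi
    for spec in "$@"; do
        case $spec in
            *:*) ;;
            *) echo "bad argument '$spec' (want IFACE:ADDR)" >&2; return 1 ;;
        esac
    done
    for spec in "$@"; do
        arp_sysctls "${spec%%:*}"
    done
    for a in "$@"; do
        a_if=${a%%:*}
        for b in "$@"; do
            if [ "$a" != "$b" ]; then
                b_ip=${b#*:}
                printf 'iptables -A INPUT -i %s -d %s -j DROP\n' "$a_if" "$b_ip"
                printf 'iptables -A OUTPUT -o %s -s %s -j DROP\n' "$a_if" "$b_ip"
            fi
        done
    done
}

# Apply directly only when explicitly asked (needs root):
#   STRONG_ES_APPLY=1 sh strong_es.sh br0:192.168.0.5 vlan9:192.168.0.9
if [ "${STRONG_ES_APPLY:-0}" = 1 ]; then
    strong_es_rules "$@" | sh -e
fi
```

Note what this covers and what it does not: it drops unicast IP traffic that arrives for, or leaves with, an address belonging to a different interface, and it makes ARP answer only for addresses on the receiving interface. It does nothing at layer 2, so a guest that has interfaces on two bridges, as in the setup quoted above, still decides for itself whether frames get bridged or forwarded between them.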
