[ovs-discuss] LSC does not affect traffic flow

[Ben Pfaff]

On Wed, May 01, 2019 at 01:02:41PM -0500, Christopher Seeley wrote:
> Good afternoon. I have run across a problem using version 2.9.2 on Ubuntu
> 18.04.2. When the bridge is set to a down state, traffic is still flowing
> through it. Is there a configuration that I have missed?
> 
> Steps to reproduce:
> 1) Clean Ubuntu 18.04.2 install
> 2) sudo apt update && sudo apt upgrade -y
> 3) sudo apt install openvswitch-switch openvswitch-common -y
> 4) sudo ovs-vsctl add-br br0 -- add-port br0 eth0 -- add-port br0
> intern-extern -- set interface intern-extern type=internal
> 5) sudo ip addr flush dev eth0 && sudo dhclient intern-extern
> 6) sudo ip link set down dev br0
> 7) run ping  and still get a response
> 
> 
> Any assitance you can give me with this would be appreciated.

Sounds like the same issue described in the FAQ, possibly same solution.

Q: I configured one IP address on VLAN 0 and another on VLAN 9, like this::

    $ ovs-vsctl add-br br0
    $ ovs-vsctl add-port br0 eth0
    $ ip addr add 192.168.0.5/24 dev br0
    $ ip link set br0 up
    $ ovs-vsctl add-port br0 vlan9 tag=9 -- set interface vlan9 type=internal
    $ ip addr add 192.168.0.9/24 dev vlan9
    $ ip link set vlan9 up

but other hosts that are only on VLAN 0 can reach the IP address configured on
VLAN 9.  What's going on?

    A: `RFC 1122 section 3.3.4.2 "Multihoming Requirements"
    <https://tools.ietf.org/html/rfc1122>`__ describes two approaches to IP
    address handling in Internet hosts:

    - In the "Strong ES Model", where an ES is a host ("End System"), an IP
      address is primarily associated with a particular interface.  The host
      discards packets that arrive on interface A if they are destined for an
      IP address that is configured on interface B.  The host never sends
      packets from interface A using a source address configured on interface
      B.

    - In the "Weak ES Model", an IP address is primarily associated with a
      host.  The host accepts packets that arrive on any interface if they are
      destined for any of the host's IP addresses, even if the address is
      configured on some interface other than the one on which it arrived.  The
      host does not restrict itself to sending packets from an IP address
      associated with the originating interface.

    Linux uses the weak ES model.  That means that when packets destined to the
    VLAN 9 IP address arrive on eth0 and are bridged to br0, the kernel IP
    stack accepts them there for the VLAN 9 IP address, even though they were
    not received on vlan9, the network device for vlan9.

    To simulate the strong ES model on Linux, one may add iptables rule to
    filter packets based on source and destination address and adjust ARP
    configuration with sysctls.

    BSD uses the strong ES model.