4

I'm trying to setup a test scenario regarding linux bridges for which I need a full virtual IP stack. Basically, I'd like to simulate the network between a VM (or container) and its host, just without a VM, i.e. virtualization layer.

The host side is a bridge (br0) with a configured IP address (the default gw of the simulated VM) as seen in other, working KVM setups. I've tried to simulate the VM-side of the connection as follows:

  • using a tap interface (OpenVPN connection to another server, pinging from there)
  • a veth pair with one end configured with an IP address and the other attached to the bridge
  • a secondary bridge with an IP address connected to the primary bridge via veth pair

In none of these setups I was able to ping the host bridge (the VMs default gw). In all setups the problem was the same: the bridge interface didn't respond to ARP packets.

configuration (local veth):

    +-----+
    | br0 |
    |     | +------+    +------+
    |     ==| vip1 |<-->| vip2 |
    +-----| +------+    +------+

    br0:  type=bridge, UP, 172.16.1.1/24
    vip1: type=veth, UP
    vip2: type=veth peer, UP, 172.16.1.2/24

    # brctl addbr br0
    # ifconfig br0 172.16.1.1 netmask 255.255.255.0 up
    # ip link add vip1 type veth peer name vip2
    # ifconfig vip2 172.16.1.2 netmask 255.255.255.0 up
    # brctl addif br0 vip1
    # ifconfig vip1 up

Now I'm trying to ping the br0 from vip2:

    # [root@host ~]# ping -I vip2 172.16.1.1
    # PING 172.16.1.1 (172.16.1.1) from 172.16.1.2 vip2: 56(84) bytes of data.
    # ^C
    # --- 172.16.1.1 ping statistics ---
    # 2 packets transmitted, 0 received, 100% packet loss, time 1493ms

tcpdump on the bridge:

    # [root@host ~]# tcpdump -i br0
    # tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    # listening on br0, link-type EN10MB (Ethernet), capture size 65535 bytes
    # 23:14:02.367624 ARP, Request who-has 172.16.1.1 tell 172.16.1.2, length 28
    # 23:14:03.367657 ARP, Request who-has 172.16.1.1 tell 172.16.1.2, length 28
    # 23:14:04.367345 ARP, Request who-has 172.16.1.1 tell 172.16.1.2, length 28
    # ...

Which is rather strange, since the br0 interface on which these packets arrive is UP and should respond to the ARP requests. 

    # [root@host ~]# ifconfig br0
    # br0       Link encap:Ethernet  HWaddr F6:F3:5A:A7:A2:5B
    #           inet addr:172.16.1.1  Bcast:172.16.1.255  Mask:255.255.255.0
    #           inet6 addr: fe80::f4f3:5aff:fea7:a25b/64 Scope:Link
    #           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
    #           RX packets:53 errors:0 dropped:0 overruns:0 frame:0
    #           TX packets:4 errors:0 dropped:0 overruns:0 carrier:0
    #           collisions:0 txqueuelen:0
    #           RX bytes:1580 (1.5 KiB)  TX bytes:360 (360.0 b)

I've tried:

  • OpenVPN tap interface (ping from another host through OpenVPN so packet arrive on tap interface vs. veth interface)
  • another bridge (br1), using a veth pair to connect both bridges
  • setting net.ipv4.conf.all.arp_filter and others, but nothings seems to have an effect
  • iptables and ebtables are empty and ACCEPT everything.

So I'm struggling to find out why this is not working an what's the difference to container or virtualization solutions. Any help is highly appreciated!

Thanks!

grasbueschel
  • 208
  • 2
  • 8
  • What are your host routes ? Are you moving veth2 to a dedicated network namespace ? If you touched kernel settings, post their actual values. – Xavier Lucas Dec 29 '14 at 17:20
  • @XavierLucas The routes were as expected: 172.16.1.0/24 via vip2 and the same again via br0. Nevertheless, from firewall configuration I learned that veth pairs are unsuitable for configurations like this (packets don't go the expected routing path). – grasbueschel Jan 02 '15 at 10:27
  • I'm having the exact same issue. Any updates on this? – George J. Adams Jun 18 '16 at 11:45
  • @GeorgeAdams no, not really. It's been a while since then, so I can't remember exactly what my workaround was, but I never had a solution for this (actually, I really don't know what I was trying to test ;)). What I can say, is that the Linux network stack (and especially software bridge) does not always behaves as one would expect. Nowadays I'd run OpenVPN in tun mode once as server and once as client connecting to localhost, resulting in 2 tun interfaces where one can be plugged into the bridge and the other used as simulated client interface. – grasbueschel Jun 18 '16 at 18:12

0 Answers0