This likes a user configuration error. Begin forwarded message:
Date: Mon, 06 Jul 2020 09:36:58 +0000 From: bugzilla-dae...@bugzilla.kernel.org To: step...@networkplumber.org Subject: [Bug 206885] macvlan and proxy ARP can be accidentally configured to respond to ARP requests for all IPs https://bugzilla.kernel.org/show_bug.cgi?id=206885 --- Comment #2 from Thomas Parrott (thomas.parr...@canonical.com) --- Hi, Thanks for your reply. I've setup another test: ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:16:3e:14:4a:d4 brd ff:ff:ff:ff:ff:ff inet 10.109.89.91/24 brd 10.109.89.255 scope global dynamic enp5s0 valid_lft 3279sec preferred_lft 3279sec inet6 fd42:d37c:f0f2:a5f:69c1:50d9:30fe:6d20/128 scope global dynamic noprefixroute valid_lft 3282sec preferred_lft 3282sec inet6 fe80::216:3eff:fe14:4ad4/64 scope link valid_lft forever preferred_lft forever 3: vtest@enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000 link/ether f6:83:72:e4:77:0a brd ff:ff:ff:ff:ff:ff inet 192.168.1.200/32 scope global vtest valid_lft forever preferred_lft forever inet6 fe80::f483:72ff:fee4:770a/64 scope link valid_lft forever preferred_lft forever ip r default via 10.109.89.1 dev enp5s0 proto dhcp src 10.109.89.91 metric 100 10.109.89.0/24 dev enp5s0 proto kernel scope link src 10.109.89.91 10.109.89.1 dev enp5s0 proto dhcp scope link src 10.109.89.91 metric 100 sysctl -w net.ipv4.conf.vtest.rp_filter=2 sysctl -w net.ipv4.conf.vtest.proxy_arp=1 sysctl -w net.ipv4.conf.vtest.forwarding=1 On another host: sudo arping -c1 -I lxdbr0 -S 10.109.89.1 8.8.8.8 ARPING 8.8.8.8 42 bytes from f6:83:72:e4:77:0a (8.8.8.8): index=0 time=11.809 msec --- 8.8.8.8 statistics --- 1 packets transmitted, 1 packets received, 0% unanswered (0 extra) rtt min/avg/max/std-dev = 11.809/11.809/11.809/0.000 ms So are you saying the default route is triggering a response to all ARP requests due to rp_filter=2 with proxy_arp=1? The reason this seems odd is that setting these same settings on an ethernet device (rather than a macvlan device) does not result in the same behaviour (even with rp_filter=2). E.g. Remove the macvlan interface. ip a 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000 link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 scope host lo valid_lft forever preferred_lft forever inet6 ::1/128 scope host valid_lft forever preferred_lft forever 2: enp5s0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000 link/ether 00:16:3e:14:4a:d4 brd ff:ff:ff:ff:ff:ff inet 10.109.89.91/24 brd 10.109.89.255 scope global dynamic enp5s0 valid_lft 3029sec preferred_lft 3029sec inet6 fd42:d37c:f0f2:a5f:69c1:50d9:30fe:6d20/128 scope global dynamic noprefixroute valid_lft 3032sec preferred_lft 3032sec inet6 fe80::216:3eff:fe14:4ad4/64 scope link valid_lft forever preferred_lft forever ip r default via 10.109.89.1 dev enp5s0 proto dhcp src 10.109.89.91 metric 100 10.109.89.0/24 dev enp5s0 proto kernel scope link src 10.109.89.91 10.109.89.1 dev enp5s0 proto dhcp scope link src 10.109.89.91 metric 100 Set the sysctls on parent ethernet device instead: sysctl -w net.ipv4.conf.enp5s0.proxy_arp=1 sysctl -w net.ipv4.conf.enp5s0.rp_filter=2 sysctl -w net.ipv4.conf.enp5s0.forwarding=1 Now repeat the arping from a different host in same segment, and it doesn't get a response as it did with macvlan: sudo arping -c1 -I lxdbr0 -S 10.109.89.1 8.8.8.8 ARPING 8.8.8.8 Timeout --- 8.8.8.8 statistics --- 1 packets transmitted, 0 packets received, 100% unanswered (0 extra) -- You are receiving this mail because: You are the assignee for the bug.
