Linux Ethernet Bridging - May 2011 - [Bridge] Bug#625914: linux-image-2.6.38-2-amd64: bridging is not interacting well with multicast in 2.6.38-4

On Fri, 2011-05-06 at 13:12 -0700, Noah Meyerhans wrote:
> Package: linux-2.6
> Version: 2.6.38-3
> Severity: normal
> 
> Hi. I've got a system that hosts several kvm virtual hosts.  The VMs
> access the network via tap devices bridged with a physical interface.
> After upgrading to linux-image-2.6.38-2-amd64_2.6.38-4, I noticed that
> the virtualhosts were not autoconfiguring their IPv6 interfaces.
> Debugging revealed that no multicast was passing over the bridge.
> 
> The bridge configuration is:
> bridge name     bridge id               STP enabled     interfaces
> br0             8000.0002e3080eb5       no              eth1
>                                                         tap0
>                                                         tap1
>                                                         tap2
> 
> If I attach tcpdump to br0, I can see multicast (e.g. IPv6 Neighbor
> Solicitation) packets.  However, if I attach tcpdump to eth1, I do not
> see multicast packets sourced from one of the VMs.
> 
> Downgrading to 2.6.38-3 solves the problem.
This is pretty weird.  Debian version 2.6.38-3 has a few bridging
changes from stable 2.6.38.3 and 2.6.38.4, but they don't look like they
would cause this.

Ben.

-- 
Ben Hutchings
Once a job is fouled up, anything done to improve it makes it worse.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 828 bytes
Desc: This is a digitally signed message part
Url :
http://lists.linux-foundation.org/pipermail/bridge/attachments/20110510/e95bfa84/attachment.pgp

On Tue, 10 May 2011 03:38:44 +0100
Ben Hutchings <ben at decadent.org.uk> wrote:
> On Fri, 2011-05-06 at 13:12 -0700, Noah Meyerhans wrote:
> > Package: linux-2.6
> > Version: 2.6.38-3
> > Severity: normal
> > 
> > Hi. I've got a system that hosts several kvm virtual hosts.  The
VMs
> > access the network via tap devices bridged with a physical interface.
> > After upgrading to linux-image-2.6.38-2-amd64_2.6.38-4, I noticed that
> > the virtualhosts were not autoconfiguring their IPv6 interfaces.
> > Debugging revealed that no multicast was passing over the bridge.
> > 
> > The bridge configuration is:
> > bridge name     bridge id               STP enabled     interfaces
> > br0             8000.0002e3080eb5       no              eth1
> >                                                         tap0
> >                                                         tap1
> >                                                         tap2
> > 
> > If I attach tcpdump to br0, I can see multicast (e.g. IPv6 Neighbor
> > Solicitation) packets.  However, if I attach tcpdump to eth1, I do not
> > see multicast packets sourced from one of the VMs.
> > 
> > Downgrading to 2.6.38-3 solves the problem.
> 
> This is pretty weird.  Debian version 2.6.38-3 has a few bridging
> changes from stable 2.6.38.3 and 2.6.38.4, but they don't look like
they
> would cause this.
> 
> Ben.
There are two possible explainations:
  1. In 2.6.37 and kernels the bridge uses IGMP snooping, there were several
     fixes to that in the stable kernel; especially related to IPv6.

  2. There was also a recent change to block link local multicast
     address. But that should impact what you are doing.

On Tue, May 10, 2011 at 03:38:44AM +0100, Ben Hutchings
wrote:
> This is pretty weird.  Debian version 2.6.38-3 has a few bridging
> changes from stable 2.6.38.3 and 2.6.38.4, but they don't look like
they
> would cause this.
I have apparently filed the bug against the wrong version of Debian's
kernel.  2.6.38-3 is not affected, and works as expected.  The change
was introduced in -4.  That may have been clear from the report itself,
but the report was filed against -3.  I've fixed that in the BTS.

I've also confirmed that -5 is affected, to no great surprise.

I'll investigate further.

noah

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: Digital signature
Url :
http://lists.linux-foundation.org/pipermail/bridge/attachments/20110509/39d0542f/attachment.pgp

Le vendredi 13 mai 2011 ? 12:53 -0700, Stephen Hemminger a ?crit
:
> The commit 6b1e960fdbd75dcd9bcc3ba5ff8898ff1ad30b6e
>     bridge: Reset IPCB when entering IP stack on NF_FORWARD
> broke forwarding of IPV6 packets in bridge because it would
> call bp_parse_ip_options with an IPV6 packet.
> 
> Reported-by: Noah Meyerhans <noahm at debian.org>
> Signed-off-by: Stephen Hemminger <shemminger at vyatta.com>
> 
> ---
> Patch against net-next-2.6 but must be applied to net-2.6
> and stable as well
> 
Well, stable is not needed, since faulty commit is not in 2.6.38

Reviewed-by: Eric Dumazet <eric.dumazet at gmail.com>

From: Eric Dumazet <eric.dumazet at gmail.com>
Date: Fri, 13 May 2011 22:00:44 +0200
> Le vendredi 13 mai 2011 ? 12:53 -0700, Stephen Hemminger a ?crit :
>> The commit 6b1e960fdbd75dcd9bcc3ba5ff8898ff1ad30b6e
>>     bridge: Reset IPCB when entering IP stack on NF_FORWARD
>> broke forwarding of IPV6 packets in bridge because it would
>> call bp_parse_ip_options with an IPV6 packet.
>> 
>> Reported-by: Noah Meyerhans <noahm at debian.org>
>> Signed-off-by: Stephen Hemminger <shemminger at vyatta.com>
>> 
>> ---
>> Patch against net-next-2.6 but must be applied to net-2.6
>> and stable as well
>> 
> 
> Well, stable is not needed, since faulty commit is not in 2.6.38
> 
> Reviewed-by: Eric Dumazet <eric.dumazet at gmail.com>
I do need to queue it up for -stable because the faulty commit is
also queued up there :-)

From: Stephen Hemminger <shemminger at vyatta.com>
Date: Fri, 13 May 2011 12:53:14 -0700
> The commit 6b1e960fdbd75dcd9bcc3ba5ff8898ff1ad30b6e
>     bridge: Reset IPCB when entering IP stack on NF_FORWARD
> broke forwarding of IPV6 packets in bridge because it would
> call bp_parse_ip_options with an IPV6 packet.
> 
> Reported-by: Noah Meyerhans <noahm at debian.org>
> Signed-off-by: Stephen Hemminger <shemminger at vyatta.com>
> 
> ---
> Patch against net-next-2.6 but must be applied to net-2.6
> and stable as well
Applied and queued up for -stable, thanks!

Le vendredi 13 mai 2011 ? 16:02 -0400, David Miller a ?crit :
> I do need to queue it up for -stable because the faulty commit is
> also queued up there :-)
okay ;)

On Fri, 13 May 2011 16:02:32 -0400 (EDT)
David Miller <davem at davemloft.net> wrote:
> From: Eric Dumazet <eric.dumazet at gmail.com>
> Date: Fri, 13 May 2011 22:00:44 +0200
> 
> > Le vendredi 13 mai 2011 ? 12:53 -0700, Stephen Hemminger a ?crit :
> >> The commit 6b1e960fdbd75dcd9bcc3ba5ff8898ff1ad30b6e
> >>     bridge: Reset IPCB when entering IP stack on NF_FORWARD
> >> broke forwarding of IPV6 packets in bridge because it would
> >> call bp_parse_ip_options with an IPV6 packet.
> >> 
> >> Reported-by: Noah Meyerhans <noahm at debian.org>
> >> Signed-off-by: Stephen Hemminger <shemminger at vyatta.com>
> >> 
> >> ---
> >> Patch against net-next-2.6 but must be applied to net-2.6
> >> and stable as well
> >> 
> > 
> > Well, stable is not needed, since faulty commit is not in 2.6.38
> > 
> > Reviewed-by: Eric Dumazet <eric.dumazet at gmail.com>
> 
> I do need to queue it up for -stable because the faulty commit is
> also queued up there :-)
The faulty commit was in 2.6.38.4