dentproject / dentOS

dentOS SwitchDev based NOS

switch may route packets to known neighbors even when ipv4 forwarding is disabled #231

Open KanjiMonster opened 12 months ago

KanjiMonster commented 12 months ago

While checking if I can get our testing pipeline to run on TN48M-DN with DentOS, I noticed that in certain conditions the switch may route packets when it shouldn't.

Our setup is as follows:

+--------------------------+         +------------------------------------------+
|  device-1                |         |    switch                                |
|  +----------+   +--------+         +--------+  VID 10         +-------------+ |
|  | eth1.10  +---+ eth1   +---------+ swp5   +----+        +---+ swbridge.10 | |
|  +----------+   +--------|         |--------+    |        |   +-------------+ |
|  10.0.10.2/24            |         |             |        |    10.0.10.1/24   |
|                          |         |             |        |                   |
+--------------------------+         |             |        |                   |
                                     |          +--------+-----+                |
                                     |          | swbridge     |                |
                                     |          +--------+-----+                |
                                     |             |        |                   |
+--------------------------+         |             |        |                   |
|  device-2                |         |             |        |    10.0.20.1/24   |
|  +----------+   +--------+         +--------+    |        |   +-------------+ |
|  | eth2.20  +---+ eth1   +---------| swp6   +----+        +---+ swbridge.20 | |
|  +----------+   +--------|         +--------+  VID 20         +-------------+ |
|  10.0.20.2/24            |         |                                          |
|                          |         |                                          |
+--------------------------+         +------------------------------------------+

The switch networking is set up via:

# VLAN-aware bridge with one access VLAN per front-panel port
ip link add swbridge type bridge vlan_filtering 1
ip link set swbridge up
ip link set swp5 master swbridge
ip link set swp6 master swbridge
ip link set swp5 up
ip link set swp6 up
bridge vlan add vid 10 dev swp5
bridge vlan add vid 20 dev swp6
bridge vlan add vid 10 dev swbridge self
bridge vlan add vid 20 dev swbridge self
# One routed VLAN sub-interface on the bridge per VLAN
ip link add link swbridge name swbridge.10 type vlan id 10
ip link add link swbridge name swbridge.20 type vlan id 20
ip link set swbridge.10 up
ip link set swbridge.20 up
ip address add 10.0.10.1/24 dev swbridge.10
ip address add 10.0.20.1/24 dev swbridge.20

Forwarding is disabled (the default):

root@localhost:~# sysctl -a | grep forwarding | grep swbridge
net.ipv4.conf.swbridge.bc_forwarding = 0
net.ipv4.conf.swbridge.forwarding = 0
net.ipv4.conf.swbridge.mc_forwarding = 0
net.ipv4.conf.swbridge/10.bc_forwarding = 0
net.ipv4.conf.swbridge/10.forwarding = 0
net.ipv4.conf.swbridge/10.mc_forwarding = 0
net.ipv4.conf.swbridge/20.bc_forwarding = 0
net.ipv4.conf.swbridge/20.forwarding = 0
net.ipv4.conf.swbridge/20.mc_forwarding = 0

device-1

ip link set eth1 up
ip link add link eth1 name eth1.10 type vlan id 10
ip link set eth1.10 up
ip address add 10.0.10.2/24 dev eth1.10
ip route add 10.0.20.0/24 dev eth1.10 via 10.0.10.1

device-2

ip link set eth1 up
ip link add link eth1 name eth1.20 type vlan id 20
ip link set eth1.20 up
ip address add 10.0.20.2/24 dev eth1.20
ip route add 10.0.10.0/24 dev eth1.20 via 10.0.20.1

(That the interfaces on the servers are tagged is likely irrelevant; it's just how our test is done.)

Trying to ping device-2 from device-1 does not work, as expected:

ubuntu@device-1:~$ ping 10.0.20.2 -I eth1.10
PING 10.0.20.2 (10.0.20.2) from 10.0.10.2 eth1.10: 56(84) bytes of data.
^C
--- 10.0.20.2 ping statistics ---
54 packets transmitted, 0 received, 100% packet loss, time 54272ms

but once I ping device-2 from the switch, pings start to flow through the switch:

root@localhost:~# ping 10.0.20.2
PING 10.0.20.2 (10.0.20.2) 56(84) bytes of data.
64 bytes from 10.0.20.2: icmp_seq=1 ttl=64 time=0.428 ms
64 bytes from 10.0.20.2: icmp_seq=2 ttl=64 time=0.259 ms
64 bytes from 10.0.20.2: icmp_seq=3 ttl=64 time=0.296 ms
ubuntu@device-1:~$ ping 10.0.20.2 -I eth1.10
PING 10.0.20.2 (10.0.20.2) from 10.0.10.2 eth.10: 56(84) bytes of data.
64 bytes from 10.0.20.2: icmp_seq=13 ttl=63 time=0.209 ms
64 bytes from 10.0.20.2: icmp_seq=14 ttl=63 time=0.213 ms
64 bytes from 10.0.20.2: icmp_seq=15 ttl=63 time=0.179 ms

Both neighbours are marked as offloaded:

root@localhost:~# ip neigh
10.0.20.2 dev swbridge.20 lladdr 0c:c4:7a:93:a1:fd offload STALE 
10.0.10.2 dev swbridge.10 lladdr 0c:c4:7a:93:a1:fc offload STALE

As forwarding is disabled as shown above, the pings shouldn't be forwarded, but in my (limited) testing, they are.

This is done with DentOS current main, on TN48M-DN.
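The condition the report describes is easy to miss, because the sysctl says forwarding is off while the hardware still has resolved next hops on both routed sub-interfaces. The following audit script is an added example, not dentOS or prestera code: it pairs the `offload` flag in `ip neigh` output with the per-interface `net.ipv4.conf.<if>.forwarding` sysctl (which `sysctl -a` prints with `/` in place of `.` inside interface names, as in the output above) and lists every hardware-offloaded neighbour that sits on an interface with forwarding disabled. Two or more such interfaces is the situation where the switch can route between them in hardware regardless of the sysctl. The sample neighbour table and sysctl lines are constructed from the report; the `192.0.2.9`/`eth0` entries and the function names are assumptions.

```shell
#!/bin/sh
# Added audit helper for the situation in the report (not dentOS or
# prestera code). It flags neighbours that the switchdev driver has
# offloaded to hardware ("offload" in `ip neigh`) on interfaces whose
# net.ipv4.conf.<if>.forwarding sysctl is 0. On a live switch feed it
# `ip neigh show` and `sysctl -a` output; the inputs below are constructed.

# Constructed neighbour table, modelled on the one in the report, plus one
# non-offloaded entry (assumed) that must be ignored.
SAMPLE_NEIGH='10.0.20.2 dev swbridge.20 lladdr 0c:c4:7a:93:a1:fd offload STALE
10.0.10.2 dev swbridge.10 lladdr 0c:c4:7a:93:a1:fc offload STALE
192.0.2.9 dev eth0 lladdr 02:00:00:00:00:01 REACHABLE'

# Constructed sysctl lines. sysctl prints a '.' inside an interface name as
# '/', so swbridge.10 shows up as net.ipv4.conf.swbridge/10.forwarding.
SAMPLE_SYSCTL='net.ipv4.conf.swbridge/10.forwarding = 0
net.ipv4.conf.swbridge/20.forwarding = 0
net.ipv4.conf.eth0.forwarding = 1'

# forwarding_value IFACE: read `sysctl -a` text on stdin and print the
# forwarding value for IFACE, or "unknown" if no line matches.
forwarding_value() {
    key="net.ipv4.conf.$(printf '%s' "$1" | tr '.' '/').forwarding"
    awk -v k="$key" '$1 == k { print $3; found = 1 }
                     END { if (!found) print "unknown" }'
}

# offloaded_on_nonforwarding NEIGH_TEXT SYSCTL_TEXT: print "<ip> <dev>" for
# every hardware-offloaded neighbour whose interface has forwarding = 0.
offloaded_on_nonforwarding() {
    printf '%s\n' "$1" | awk '{
        dev = ""; off = 0
        for (i = 1; i <= NF; i++) {
            if ($i == "dev") dev = $(i + 1)
            if ($i == "offload") off = 1
        }
        if (off && dev != "") print $1, dev
    }' | while read -r ip dev; do
        fwd=$(printf '%s\n' "$2" | forwarding_value "$dev")
        if [ "$fwd" = "0" ]; then
            printf '%s %s\n' "$ip" "$dev"
        fi
    done
}

# hw_route_exposure NEIGH_TEXT SYSCTL_TEXT: print how many distinct
# non-forwarding interfaces hold an offloaded neighbour. Two or more means
# the hardware has resolved next hops on both sides and may route between
# them despite forwarding = 0, which is what the report observed.
hw_route_exposure() {
    offloaded_on_nonforwarding "$1" "$2" |
        awk '{ if (!($2 in seen)) { seen[$2] = 1; n++ } } END { print n + 0 }'
}

# Stand-alone run over the constructed sample. On a real switch replace the
# two arguments with "$(ip neigh show)" and "$(sysctl -a 2>/dev/null)".
offloaded_on_nonforwarding "$SAMPLE_NEIGH" "$SAMPLE_SYSCTL"
echo "non-forwarding interfaces with offloaded neighbours: $(hw_route_exposure "$SAMPLE_NEIGH" "$SAMPLE_SYSCTL")"
```

Run against the report's own neighbour table the script lists both `10.0.20.2 swbridge.20` and `10.0.10.2 swbridge.10` and reports an exposure count of 2, i.e. exactly the pair of hosts that started exchanging pings once the switch had resolved both neighbours. Running it periodically, or after any ping or ARP activity from the switch itself, is a cheap way to notice when hardware routing has become possible between VLANs that the sysctl suggests are isolated.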

taraschornyiplv commented 12 months ago

This is expected behaviour. Once neighbors are resolved, the switch will perform hw routing.

https://github.com/Marvell-switching/switchdev-prestera/wiki/l3-configuration#limitations-and-assumptions

NaveenKumar3112 commented 3 months ago

I am new to Marvell switching. I am currently using a Marvell Bobcat 2 packet processor Ethernet switch card. Can you provide some details and APIs to enable IP routing between two VLANs using the CPSS API?