bridge.py from cumulus package have a lot of new features vs this repo #47
Comments
|
Hi @aderumier Yes, we plan to push our Cumulus package upstream and update this repository sometime before summer. @roopa-prabhu should be able to give you more info on that. Thanks, |
|
Thanks ! Seem that iproute2 4.15 have neigh_suppress on|off, so it should do the trick :) |
|
@aderumier, I'll take a look at iproute2 code and consult with @roopa-prabhu! Thanks! |
|
@aderumier , thanks for reaching out. arp nd suppress ifupdown2 support as julien mentions is something he will push to github repo soon. We are testing a version of the patch. Until julien pushes the patch to the github repo..., if you are using an upstream kernel and upstream iproute2, I would recommend configuring it via post-up command: 'bridge link set dev neigh_suppress on ' command. Let us know if it does not work for you. thanks. |
|
@roopa-prabhu Going to test lwtunnel with bridge vlan aware now. Thanks to cumulus team for the big work on vxlan support. (I'm currently testing implementation of sdn with bgp evpn on hypervisor) |
|
do you have a link to kernel patch for IFLA_BRPORT_ARP_SUPPRESS netlink ? (don't known if it's public ? or only cumulus specific). I'm trying to use the cl3u18 tag on debian with 4.15, but indeed, netlink link_set_add is not working. I'm not sure if they are other cumulus specific netlink attributes in cumulus kernel ? |
|
ok, I see that on upstream kernel, it's IFLA_BRPORT_NEIGH_SUPPRESS, with attribute number 32 instead 152. It's working fine with 32 now. If I understand, this attributes with high numbers: are custom attributes in cumulus kernel, until they are in upstream kernel ? |
|
@aderumier good analysis :) I'm focused on ifupdown2 rather than kernel stuff, but you got the idea :) |
…e : (fixes CumulusNetworks#47) this has been upstreamed recently in linux kernel, with IFLA_BRPORT_NEIGH_SUPPRESS, with 32 as netlink value. https://www.spinics.net/lists/linux-ethernet-bridging/msg06910.html Cumulus is using a temp 152 number in his own kernel. This is needed for bgp evpn and anycast gateway. auto vmbr3 iface vmbr3 bridge_ports vxlan3 bridge_stp off bridge_fd 0 auto vxlan3 iface vxlan3 inet manual vxlan-id 3 vxlan-local-tunnelip 10.59.100.231 bridge-learning off bridge-arp-nd-suppress on info: reading '/sys/class/net/vmbr3/bridge/stp_state' debug: vmbr3: evaluating port expr '['vxlan3']' debug: _cache_get(['vxlan3', 'hwaddress']) : ['hwaddress'] debug: reading '/sys/class/net/vxlan3/address' info: writing '1' to file /proc/sys/net/ipv6/conf/vxlan3/disable_ipv6 info: executing /bin/ip -force -batch - [link set dev vxlan3 master vmbr3 addr flush dev vxlan3 ] info: vmbr3: applying bridge port configuration: ['vxlan3'] info: vmbr3: vxlan3: set bridge-learning off debug: (cache None) info: vmbr3: vxlan3: set bridge-arp-nd-suppress on debug: (cache None) info: vmbr3: vxlan3: vxlan learning and bridge learning out of sync: set False info: vxlan3: netlink: ip link set dev vxlan3: bridge slave attributes debug: vxlan3: ifla_info_data {7: False} debug: vxlan3: ifla_info_slave_data {8: False, 152: True}
…e : (fixes CumulusNetworks#47) this has been upstreamed recently in linux kernel, with IFLA_BRPORT_NEIGH_SUPPRESS, with 32 as netlink value. https://www.spinics.net/lists/linux-ethernet-bridging/msg06910.html Cumulus is using a temp 152 number in his own kernel. This is needed for bgp evpn and anycast gateway. auto vmbr3 iface vmbr3 bridge_ports vxlan3 bridge_stp off bridge_fd 0 auto vxlan3 iface vxlan3 inet manual vxlan-id 3 vxlan-local-tunnelip 10.59.100.231 bridge-learning off bridge-arp-nd-suppress on info: reading '/sys/class/net/vmbr3/bridge/stp_state' debug: vmbr3: evaluating port expr '['vxlan3']' debug: _cache_get(['vxlan3', 'hwaddress']) : ['hwaddress'] debug: reading '/sys/class/net/vxlan3/address' info: writing '1' to file /proc/sys/net/ipv6/conf/vxlan3/disable_ipv6 info: executing /bin/ip -force -batch - [link set dev vxlan3 master vmbr3 addr flush dev vxlan3 ] info: vmbr3: applying bridge port configuration: ['vxlan3'] info: vmbr3: vxlan3: set bridge-learning off debug: (cache None) info: vmbr3: vxlan3: set bridge-arp-nd-suppress on debug: (cache None) info: vmbr3: vxlan3: vxlan learning and bridge learning out of sync: set False info: vxlan3: netlink: ip link set dev vxlan3: bridge slave attributes debug: vxlan3: ifla_info_data {7: False} debug: vxlan3: ifla_info_slave_data {8: False, 152: True}
…e : (fixes #47) this has been upstreamed recently in linux kernel, with IFLA_BRPORT_NEIGH_SUPPRESS, with 32 as netlink value. https://www.spinics.net/lists/linux-ethernet-bridging/msg06910.html Cumulus is using a temp 152 number in his own kernel. This is needed for bgp evpn and anycast gateway. auto vmbr3 iface vmbr3 bridge_ports vxlan3 bridge_stp off bridge_fd 0 auto vxlan3 iface vxlan3 inet manual vxlan-id 3 vxlan-local-tunnelip 10.59.100.231 bridge-learning off bridge-arp-nd-suppress on info: reading '/sys/class/net/vmbr3/bridge/stp_state' debug: vmbr3: evaluating port expr '['vxlan3']' debug: _cache_get(['vxlan3', 'hwaddress']) : ['hwaddress'] debug: reading '/sys/class/net/vxlan3/address' info: writing '1' to file /proc/sys/net/ipv6/conf/vxlan3/disable_ipv6 info: executing /bin/ip -force -batch - [link set dev vxlan3 master vmbr3 addr flush dev vxlan3 ] info: vmbr3: applying bridge port configuration: ['vxlan3'] info: vmbr3: vxlan3: set bridge-learning off debug: (cache None) info: vmbr3: vxlan3: set bridge-arp-nd-suppress on debug: (cache None) info: vmbr3: vxlan3: vxlan learning and bridge learning out of sync: set False info: vxlan3: netlink: ip link set dev vxlan3: bridge slave attributes debug: vxlan3: ifla_info_data {7: False} debug: vxlan3: ifla_info_slave_data {8: False, 152: True}
|
hi guys, #(2) setup eth pair veth1212-veth1212p and add veth1212 to bridge vbm1212 #(3) setup eth pair veth1213-veth1213p and add veth1213 to bridge vbm1212 #(4) setup all bridge link enable neigh_suppress on #(5) add neigh and fdb as below #(6) I flush the ip neigh on ns1212, and then ping 192.168.1.2 on ns1212 My expectation is the first ARP request will not send to vxlan1212 interface, but actually I saw it. I am not sure if I have misunderstanding of this feature, I try to find answer in this doc 'https://www.netdevconf.org/2.2/slides/prabhu-linuxbridge-tutorial.pdf', but have no luck. Could you share the script/command/diagram on how you guys verify this feature? Thanks a lot for help! |
|
I had also try set the neigh_suppress on with ifupdown2 command as below, but still can't get expected result. |
|
@ljlu1504 there is a dynamic debug print in https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/tree/net/bridge/br_arp_nd_proxy.c Which you can enable to see if it is hitting the neigh proxy code: |
|
@ljlu1504 From your configuration, it looks like it is not hitting the proxy code because the input port has neigh suppress on: https://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next.git/tree/net/bridge/br_arp_nd_proxy.c#n155 What are you trying to test ?. If you unset neigh_suppress on veth1212, bridge should proxy it. But depends on what you are trying to test. In vxlan environments neigh_suppress is used to suppress arps going over the vxlan port. But bridge will not flood to vxlan ports here only if the proxy conditions are successful and it really generates a proxy reply. In your case that is not happening either |
|
@roopa-prabhu , Thanks! What I want to test is the difference of arp-proxy on vxlan and the neigh suppression on linux bridge/vxlan. I don't quite understand what's the feature of neigh suppression. My initial understanding of neigh suppression feature is the incoming arp/rarp packet on the specific bridge port if it have 'neigh_suppress on', but based on your above explanation, the 'neigh suppression feature works on vxlan interface only. so I adjust my test script on two host as below now. ip link add veth1212 type veth peer name veth1212p ip link add veth1212 type veth peer name veth1212p
root@i-3uxp0h2m:/sys/kernel/debug/dynamic_debug# cat control | grep arp Thanks a lot for helping! |
|
I think i figure it out. VxLAN proxy-arp will work based on ip neigh on VTEP only.
While bridge “neigh suppress” will work based on the "ip neigh" and “fdb” on bridge as below:
Thanks! |
Hi,
I'm looking to implemented ebgp-vpn on a debian host,
following this nice presentation
https://www.netdevconf.org/2.2/slides/prabhu-linuxbridge-tutorial.pdf
(thanks Roopa !)
But it seem that bridge.py from this repo is missing a lot of new features , like "arp-nd-suppress".
Is is planned to backport bridge.py from cumulus package ?
The text was updated successfully, but these errors were encountered: