Hi David,

Just following up.... would you be able to confirm that this is a Linux VRF 

Also, how do I log a VRF related defect to ensure this gets resolved in a 
subsequent release.


On 8/2/18, 4:12 PM, "D'Souza, Nelson" <ndso...@ciena.com> wrote:

    Hi David,
    Turns out the VRF bridge Rx issue is triggered by a docker install.
    Docker makes the following sysctl changes:
      net.bridge.bridge-nf-call-arptables = 1
      net.bridge.bridge-nf-call-ip6tables = 1
      net.bridge.bridge-nf-call-iptables = 1     <<< exposes the ipv4 VRF Rx 
issue when a bridge is enslaved to a VRF
    which causes packets flowing through all bridges to be subjected to 
netfilter rules. This is required for bridge net filtering when ip forwarding 
is enabled.
    Please refer to 
    Setting net.bridge.bridge-nf-call-iptables = 0 resolves the issue, but is 
not really a viable option given that bridge net filtering is a basic 
requirement in existing docker deployments.
    It's not clear to me why this conf setting breaks local Rx delivery for a 
bridge enslaved to a VRF, because these packets would always be sent up by the 
bridge for IP netfilter processing.
    This issue is easily reproducible on an Ubuntu 18.04.1 VM. Simply 
installing docker will cause pings running on test-vrf to fail. Clearing the 
sysctl conf restores Rx local delivery.
    On 7/27/18, 4:29 PM, "D'Souza, Nelson" <ndso...@ciena.com> wrote:
        With Ubuntu 18.04.1 (kernel 4.15.0-29) pings sent out on test-vrf and 
br0 are successful.
        # uname -rv
        4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018
        # ping -c 1 -I test-vrf
        ping: Warning: source address might be selected on device other than 
        PING ( from test-vrf: 56(84) bytes of 
        64 bytes from icmp_seq=1 ttl=64 time=0.050 ms
        --- ping statistics ---
        1 packets transmitted, 1 received, 0% packet loss, time 0ms
        rtt min/avg/max/mdev = 0.050/0.050/0.050/0.000 ms
        # ping -c 1 -I br0
        PING ( from br0: 56(84) bytes of data.
        64 bytes from icmp_seq=1 ttl=64 time=0.026 ms
        --- ping statistics ---
        1 packets transmitted, 1 received, 0% packet loss, time 0ms
        rtt min/avg/max/mdev = 0.026/0.026/0.026/0.000 ms
        However, with Ubuntu 17.10.1 (kernel  4.13.0-21) pings on only test-vrf 
are successful. Pings on br0 are not successful.
        So it seems like there maybe a change in versions after 4.13.0-21 that 
causes pings on br0 to pass.
        On 7/25/18, 5:35 PM, "D'Souza, Nelson" <ndso...@ciena.com> wrote:
            I tried out the commands on an Ubuntu 17.10.1 VM.
            The pings on test-vrf are successful, but the pings on br0 are not 
            # uname -rv  
            4.13.0-21-generic #24-Ubuntu SMP Mon Dec 18 17:29:16 UTC 2017
             # lsb_release -a
            No LSB modules are available.
            Distributor ID:     Ubuntu
            Description:        Ubuntu 17.10    
            Release:    17.10
            Codename:   artful
            # ip rule  --> Note: its missing the l3mdev rule
            0:  from all lookup local 
            32766:      from all lookup main 
            32767:      from all lookup default
            Ran the configs from a bash script vrf.sh
             # ./vrf.sh 
            + ip netns add foo
            + ip li add veth1 type veth peer name veth2
            + ip li set veth2 netns foo
            + ip -netns foo li set lo up
            + ip -netns foo li set veth2 up
            + ip -netns foo addr add dev veth2
            + ip li add test-vrf type vrf table 123
            + ip li set test-vrf up
            + ip ro add vrf test-vrf unreachable default
            + ip li add br0 type bridge
            + ip li set veth1 master br0
            + ip li set veth1 up
            + ip li set br0 up
            + ip addr add dev br0
            + ip li set br0 master test-vrf
            + ip -netns foo addr add dev lo
            + ip ro add vrf test-vrf via
            # ping -I test-vrf -c 2  <<< successful on test-vrf
            ping: Warning: source address might be selected on device other 
than test-vrf.
            PING ( from test-vrf: 56(84) bytes 
of data.
            64 bytes from icmp_seq=1 ttl=64 time=0.035 ms
            64 bytes from icmp_seq=2 ttl=64 time=0.045 ms
            --- ping statistics ---
            2 packets transmitted, 2 received, 0% packet loss, time 1022ms
            rtt min/avg/max/mdev = 0.035/0.040/0.045/0.005 ms
            #ping -I br0 -c 2   <<< fails on br0
            PING ( from br0: 56(84) bytes of 
            --- ping statistics ---
            2 packets transmitted, 0 received, 100% packet loss, time 1022ms
            Please let me know if I should try a different version.
            On 7/24/18, 9:08 AM, "D'Souza, Nelson" <ndso...@ciena.com> wrote:
                It's strange that enslaving eth1 -> br0 -> test-vrf does not 
work, but enslaving eth1->test-vrf works fine.
                On 7/24/18, 8:58 AM, "D'Souza, Nelson" <ndso...@ciena.com> 
                    Thank you David, really appreciate the help. Most likely 
something specific to my environment.
                    ip vrf id, does not report anything on my system. Here's 
the result after running the command.
                    # ip vrf id
                    I'll follow up with a VM.
                    On 7/24/18, 5:55 AM, "David Ahern" 
<d...@cumulusnetworks.com> wrote:
                        On 7/23/18 7:43 PM, D'Souza, Nelson wrote:
                        > I copy and pasted the configs onto my device, but 
pings on test-vrf do not work in my setup. 
                        > I'm essentially seeing the same issue as I reported 
                        > In this case, pings sent out on test-vrf (host ns) 
are received and replied to by the loopback interface (foo ns). Although the 
replies are seen at the test-vrf level, they are not locally delivered to the 
ping application.
                        I just built v4.14.52 kernel and ran those commands - 
worked fine. It is
                        something specific to your environment. Is your shell 
tied to a VRF --
                        (ip vrf id)?
                        After that, I suggest you create a VM running a newer 
distribution of
                        your choice (Ubuntu 17.10 or newer, debian stretch with 
4.14 kernel, or
                        Fedora 26 or newer) and run the commands there.

Reply via email to