On 09.11.21 16:52, DERUMIER, Alexandre wrote:
> This is really specific to link-local multicast, and it should only
> be used for some specific routing protocols
>
> https://yhbt.net/lore/all/1439396033-6264-1-git-send-email-pdow...@brocade.com/T/
> https://www.omnisecu.com/tcpip/ipv4-link-local-multicast-addresses.php
>
> So, I'll not break multicast services inside the VM.
>
> Maybe if the hypervisor uses the OSPF routing protocol, but anyway, we don't
> have any info about the true VM IP/MAC on fwbr bridges.
hmm, ack, thx for the info, so the sysctl can be fine.

> actually correctly activate the fwbr bridge before plugging it into vmbr,
>
> my $create_firewall_bridge_linux = sub {
>     ...
>     &$cond_create_bridge($fwbr);
>     &$activate_interface($fwbr);
>     copy_bridge_config($bridge, $fwbr);
>     veth_create($vethfw, $vethfwpeer, $bridge);
>
>     &$bridge_add_interface($fwbr, $vethfw);
>     &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks);
>     &$bridge_add_interface($fwbr, $iface);
> };
>
> but it seems that the IGMP report is sent some milliseconds later
>
> A simple sleep like,
>
>     &$cond_create_bridge($fwbr);
>     &$activate_interface($fwbr);
>     sleep(1);
>     &$bridge_add_interface($fwbr, $vethfw);
>
> and the IGMP report from fwbr is not going to vmbr.
> (but, maybe this is more ugly than a sysctl knob)
>

yeah, such sleeps are ugly and still racy, we could poll for the fwbr to be up?
E.g., something like:

    use Time::HiRes qw(usleep);

    my $round = 0;
    while (1) {
        # file_read_firstline returns undef if the sysfs node does not exist yet
        my $state = PVE::Tools::file_read_firstline("/sys/class/net/$fwbr/operstate") // '';
        last if $state =~ /^up$/;
        die "timeout on waiting for $fwbr to become ready\n" if ++$round > 100;
        usleep(10 * 1000); # 100 * 10ms = 1s
    }

(did not test it)

>> Should it be an FW option?
>
> It could be.
>
> but it needs to be persistent at firewall service stop, as when we
> shut down the server, an IGMP report could be emitted on VM/CT shutdown.
> and at boot, it should be enabled before the VM auto-start
>
> Personally, I think it should be disabled by default, with a knob to
> enable it, as a majority of basic users don't know what it is. (And advanced
> users using a routing protocol should be aware of this option).

ah yeah, with "default on" I meant that the sysctl would be on by default (so the link-local mcast reporting would be off by default), sorry for the confusion.
We wouldn't need an actual config knob either, as an admin that depends on this can just configure a higher-priority sysctl.d file..
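The operstate polling floated above, rendered here as an added shell example (not code from this thread or from the PVE code base): a bounded wait on /sys/class/net/IFACE/operstate in 10 ms steps, with a hypothetical SYSFS_ROOT override so the loop can be exercised against a constructed directory instead of a real interface.

```shell
# wait_for_operstate IFACE [TIMEOUT_MS] [SYSFS_ROOT]
# Polls $SYSFS_ROOT/IFACE/operstate every 10 ms until it reads "up".
# Returns 0 when the interface is up, 1 on timeout (default 1000 ms,
# i.e. the same 100 x 10 ms budget as the Perl loop above).
# SYSFS_ROOT (hypothetical parameter, default /sys/class/net) exists
# only so the function can be tested against a constructed tree.
wait_for_operstate() {
    iface=$1
    timeout_ms=${2:-1000}
    root=${3:-/sys/class/net}
    f="$root/$iface/operstate"
    waited=0
    while [ "$waited" -lt "$timeout_ms" ]; do
        # A missing node means the device is not registered yet: keep waiting.
        if [ -r "$f" ] && [ "$(cat "$f" 2>/dev/null)" = "up" ]; then
            return 0
        fi
        # GNU and BusyBox sleep accept fractional seconds.
        sleep 0.01
        waited=$((waited + 10))
    done
    echo "timeout waiting for $iface to become ready" >&2
    return 1
}
```

A bridge with no forwarding ports has no carrier and reads "down" here, so the device polled has to be one that can actually reach "up" at that point in the bring-up sequence.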
_______________________________________________
pve-devel mailing list
pve-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel