Re: carp ipv6 ndp issue
Alexander Bluhm wrote Monday, August 08, 2011 10:50 AM
> On Sun, Aug 07, 2011 at 04:02:32AM +0200, Florian Fuessl wrote:
> > Alexander Bluhm wrote Sat., Aug. 06, 2011
> > > On Sat, Aug 06, 2011 at 12:47:27AM +0200, Alexander Bluhm wrote:
> > > > To trigger the bug, you need two adresses in the same network on
> > > > the carp and on the parent interface. One of them has the route,
> > > > the other cannot do ndp.
> >
> > Thank you. This patch works like a charm! :-)
>
> By thinking about it, I found another bug with carp and neighbor
> discovery. When you have two carp interfaces on one physical
> interface and the same prefix on both carp interfaces but not on
> the physical, neighbor discovery will fail for one fo the carp
> interfaces.
Running "the simple the carp setup" this updated patch also runs fine, here.
> I don't know wether this is a common use case.
>
> It is easy to fix. When comparing two carp interfaces, assume they
> have same prefixes if they have the same parent.
>
> ok?
> Can this go into 5.0?
+1
> bluhm
Thank you,
-Florian
> Index: netinet6/in6.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
> retrieving revision 1.92
> diff -u -p -r1.92 in6.c
> --- netinet6/in6.c7 Aug 2011 15:18:40 - 1.92
> +++ netinet6/in6.c8 Aug 2011 08:22:19 -
> @@ -1956,6 +1956,8 @@ in6_ifpprefix(const struct ifnet *ifp, c
> #if NCARP > 0
> (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev)
> &&
> (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev !=
> ifp)&&
> + (ifp->if_type != IFT_CARP || rt->rt_ifp->if_type != IFT_CARP
> ||
> + rt->rt_ifp->if_carpdev != ifp->if_carpdev) &&
> #endif
> 1)) {
> RTFREE(rt);
Re: carp ipv6 ndp issue
On Sun, Aug 07, 2011 at 04:02:32AM +0200, Florian Fuessl wrote:
> Alexander Bluhm wrote Sat., Aug. 06, 2011
> > On Sat, Aug 06, 2011 at 12:47:27AM +0200, Alexander Bluhm wrote:
> > > To trigger the bug, you need two adresses in the same network on
> > > the carp and on the parent interface. One of them has the route,
> > > the other cannot do ndp.
>
> Thank you. This patch works like a charm! :-)
By thinking about it, I found another bug with carp and neighbor
discovery. When you have two carp interfaces on one physical
interface and the same prefix on both carp interfaces but not on
the physical, neighbor discovery will fail for one fo the carp
interfaces.
I don't know wether this is a common use case.
It is easy to fix. When comparing two carp interfaces, assume they
have same prefixes if they have the same parent.
ok?
Can this go into 5.0?
bluhm
Index: netinet6/in6.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
retrieving revision 1.92
diff -u -p -r1.92 in6.c
--- netinet6/in6.c 7 Aug 2011 15:18:40 - 1.92
+++ netinet6/in6.c 8 Aug 2011 08:22:19 -
@@ -1956,6 +1956,8 @@ in6_ifpprefix(const struct ifnet *ifp, c
#if NCARP > 0
(ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev) &&
(rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev != ifp)&&
+ (ifp->if_type != IFT_CARP || rt->rt_ifp->if_type != IFT_CARP ||
+ rt->rt_ifp->if_carpdev != ifp->if_carpdev) &&
#endif
1)) {
RTFREE(rt);
Re: carp ipv6 ndp issue
Alexander Bluhm wrote Sat., Aug. 06, 2011
> On Sat, Aug 06, 2011 at 12:47:27AM +0200, Alexander Bluhm wrote:
> > To trigger the bug, you need two adresses in the same network on
> > the carp and on the parent interface. One of them has the route,
> > the other cannot do ndp.
>
> The bridge has the same problem there, bridge and carp can be fixed
> in the same way.
Thank you. This patch works like a charm! :-)
> In my experience ipv6 bridge has always been broken and has more
> issues. Do we want this larger diff in release mode?
Sounds reasonable to me.
> bluhm
-Florian
> Index: netinet6/in6.c
> ===
> RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
> retrieving revision 1.91
> diff -u -p -r1.91 in6.c
> --- netinet6/in6.c26 Jul 2011 21:19:51 - 1.91
> +++ netinet6/in6.c6 Aug 2011 05:04:18 -
> @@ -61,6 +61,9 @@
> * @(#)in.c8.2 (Berkeley) 11/15/93
> */
>
> +#include "bridge.h"
> +#include "carp.h"
> +
> #include
> #include
> #include
> @@ -1945,7 +1948,16 @@ in6_ifpprefix(const struct ifnet *ifp, c
> if (rt == NULL)
> return (0);
> if ((rt->rt_flags & (RTF_CLONING | RTF_CLONED)) == 0 ||
> - rt->rt_ifp != ifp) {
> + (rt->rt_ifp != ifp &&
> +#if NBRIDGE > 0
> + (rt->rt_ifp->if_bridge == NULL || ifp->if_bridge == NULL ||
> + rt->rt_ifp->if_bridge != ifp->if_bridge) &&
> +#endif
> +#if NCARP > 0
> + (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev)
> &&
> + (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev !=
> ifp)&&
> +#endif
> + 1)) {
> RTFREE(rt);
> return (0);
> }
Re: carp ipv6 ndp issue
Todd T. Fries wrote Fri, Aug. 05, 2011 6:06 PM > > Are you using global IPv6 addresses for your test or link-local > addresses for your test? I'm using global IPv6 addresses. i.e. host side ping6: ...@melon:~$ ping6 2a00:1230::feed:cafe PING 2a00:1230::feed:cafe(2a00:1230::feed:cafe) 56 data bytes >From 2a00:1230::5049:6023 icmp_seq=1 Destination unreachable: Address unreachable >From 2a00:1230::5049:6023 icmp_seq=2 Destination unreachable: Address unreachable >From 2a00:1230::5049:6023 icmp_seq=3 Destination unreachable: Address unreachable carp router master ifconfig: carp100: flags=8843 mtu 1500 lladdr 00:00:5e:00:01:0a priority: 0 carp: MASTER carpdev vlan100 vhid 10 advbase 1 advskew 0 groups: carp status: master inet6 fe80::200:5eff:fe00:10a%carp100 prefixlen 64 scopeid 0x1d inet [...] inet6 2a00:1230::feed:cafe prefixlen 64 vlan100: flags=8943 mtu 1500 lladdr 00:19:bb:e9:ae:b9 priority: 0 vlan: 100 priority: 0 parent interface: em1 groups: vlan status: active inet6 fe80::219:bbff:fee9:aeb9%vlan100 prefixlen 64 scopeid 0x9 inet [...] inet6 2a00:1230::feed:abba prefixlen 64 carp router backup ifconfig: carp100: flags=8843 mtu 1500 lladdr 00:00:5e:00:01:0a priority: 0 carp: BACKUP carpdev vlan100 vhid 10 advbase 1 advskew 128 groups: carp status: backup inet6 fe80::200:5eff:fe00:10a%carp100 prefixlen 64 scopeid 0x1d inet [...] inet6 2a00:1230::feed:cafe prefixlen 64 vlan100: flags=8943 mtu 1500 lladdr 00:04:23:d6:cc:41 priority: 0 vlan: 100 priority: 0 parent interface: em1 groups: vlan status: active inet6 fe80::204:23ff:fed6:cc41%vlan100 prefixlen 64 scopeid 0x9 inet [...] inet6 2a00:1230::feed:baba prefixlen 64 carp master "tcpdump -i vlan100 -n ip6": tcpdump: listening on vlan100, link-type EN10MB 01:29:12.608013 2a00:1230::5049:6023 > ff02::1:ffed:cafe: icmp6: neighbor sol: who has 2a00:1230::feed:cafe 01:29:13.230592 fe80::219:bbff:fee9:aeb9 > ff02::12: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 demote=0 01:29:13.607932 2a00:1230::5049:6023 > ff02::1:ffed:cafe: icmp6: neighbor sol: who has 2a00:1230::feed:cafe 01:29:14.241597 fe80::219:bbff:fee9:aeb9 > ff02::12: CARPv2-advertise 36: vhid=10 advbase=1 advskew=0 demote=0 01:29:14.607946 2a00:1230::5049:6023 > ff02::1:ffed:cafe: icmp6: neighbor sol: who has 2a00:1230::feed:cafi sysctl net.inet6.icmp6.nd6_debug=1 and dmesg output on carp master: nd6_ns_input: NS packet from non-neighbor nd6_ns_input: src=2a00:1230::5049:6023 nd6_ns_input: dst=ff02:001d::0001:ffed:cafe nd6_ns_input: tgt=2a00:1230::feed:cafe nd6_ns_input: NS packet from non-neighbor nd6_ns_input: src=2001:067c:2088::c1c0:0e0d nd6_ns_input: dst=ff02:001e::0001:ffed:cafe nd6_ns_input: tgt=2001:067c:2088::feed:cafe nd6_ns_input: NS packet from non-neighbor nd6_ns_input: src=2a00:1230::5049:6060 nd6_ns_input: dst=ff02:001d::0001:ffed:cafe nd6_ns_input: tgt=2a00:1230::feed:cafe [...] > I have found that you sometimes need to ping6 the link-local address > on a carp interface from a workstation before it will respond to ndp. Thank's for this hint: ping6 to link-local address works fine. But afterwards still no response on carp inet6 address. > For reference, this scenario happens if you run rtadvd against a carp > interface for fail-over routers to advertise the carp address for > routing. At the moment I've set up static ipv6 address and routing for a few less important services only. Rtadvd follows as the next step if the basics run fine. > Thanks, feedback on patches of Alexander follows... > Penned by Florian Fuessl on 20110805 7:00.21, we have: > | Feature or bug? > | > | Latest snapshot /bsd kernel (03. Aug. 11) does not react to neighbor > | discovery requests for inet6 address on carp master interface, here.
Re: carp ipv6 ndp issue
On Sat, Aug 06, 2011 at 12:47:27AM +0200, Alexander Bluhm wrote:
> To trigger the bug, you need two adresses in the same network on
> the carp and on the parent interface. One of them has the route,
> the other cannot do ndp.
The bridge has the same problem there, bridge and carp can be fixed
in the same way.
In my experience ipv6 bridge has always been broken and has more
issues. Do we want this larger diff in release mode?
bluhm
Index: netinet6/in6.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
retrieving revision 1.91
diff -u -p -r1.91 in6.c
--- netinet6/in6.c 26 Jul 2011 21:19:51 - 1.91
+++ netinet6/in6.c 6 Aug 2011 05:04:18 -
@@ -61,6 +61,9 @@
* @(#)in.c8.2 (Berkeley) 11/15/93
*/
+#include "bridge.h"
+#include "carp.h"
+
#include
#include
#include
@@ -1945,7 +1948,16 @@ in6_ifpprefix(const struct ifnet *ifp, c
if (rt == NULL)
return (0);
if ((rt->rt_flags & (RTF_CLONING | RTF_CLONED)) == 0 ||
- rt->rt_ifp != ifp) {
+ (rt->rt_ifp != ifp &&
+#if NBRIDGE > 0
+ (rt->rt_ifp->if_bridge == NULL || ifp->if_bridge == NULL ||
+ rt->rt_ifp->if_bridge != ifp->if_bridge) &&
+#endif
+#if NCARP > 0
+ (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev) &&
+ (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev != ifp)&&
+#endif
+ 1)) {
RTFREE(rt);
return (0);
}
Re: carp ipv6 ndp issue
On Fri, Aug 05, 2011 at 11:50:41PM +0200, Alexander Bluhm wrote:
> On Fri, Aug 05, 2011 at 02:00:21PM +0200, Florian Fuessl wrote:
> > Feature or bug?
>
> Sounds like a bug, but I cannot reproduce it.
To trigger the bug, you need two adresses in the same network on
the carp and on the parent interface. One of them has the route,
the other cannot do ndp.
Does this diff help?
I still see some nd6_lookup errors but after a short time ndp works.
Perhaps that is the problem Todd mentioned.
bluhm
Index: netinet6/in6.c
===
RCS file: /data/mirror/openbsd/cvs/src/sys/netinet6/in6.c,v
retrieving revision 1.91
diff -u -p -r1.91 in6.c
--- netinet6/in6.c 26 Jul 2011 21:19:51 - 1.91
+++ netinet6/in6.c 5 Aug 2011 22:19:48 -
@@ -1945,7 +1945,10 @@ in6_ifpprefix(const struct ifnet *ifp, c
if (rt == NULL)
return (0);
if ((rt->rt_flags & (RTF_CLONING | RTF_CLONED)) == 0 ||
- rt->rt_ifp != ifp) {
+ (rt->rt_ifp != ifp &&
+ (ifp->if_type != IFT_CARP || rt->rt_ifp != ifp->if_carpdev) &&
+ (rt->rt_ifp->if_type != IFT_CARP || rt->rt_ifp->if_carpdev != ifp)
+ )) {
RTFREE(rt);
return (0);
}
Re: carp ipv6 ndp issue
On Fri, Aug 05, 2011 at 02:00:21PM +0200, Florian Fuessl wrote: > Feature or bug? Sounds like a bug, but I cannot reproduce it. > Latest snapshot /bsd kernel (03. Aug. 11) does not react to neighbor > discovery requests for inet6 address on carp master interface, here. With this kernel kern.version=OpenBSD 5.0 (GENERIC) #30: Wed Aug 3 16:08:44 MDT 2011 dera...@i386.openbsd.org:/usr/src/sys/arch/i386/compile/GENERIC and this carp device carp0: flags=8843 mtu 1500 lladdr 00:00:5e:00:01:01 priority: 0 carp: MASTER carpdev ne3 vhid 1 advbase 1 advskew 0 groups: carp status: master inet6 fdd7:e83e:66bc:7:200:5eff:fe00:101 prefixlen 64 inet6 fe80::200:5eff:fe00:101%carp0 prefixlen 64 scopeid 0x5 ndp and ping6 fdd7:e83e:66bc:7:200:5eff:fe00:101 works for me. To figure out what is going on I need more information: - Is this a regression? Did it work before? - Please set sysctl net.inet6.icmp6.nd6_debug=1 and look for errors in dmesg. - What icmp6 packets do you see with tcpdump? - How is your configuration and setup? bluhm
Re: carp ipv6 ndp issue
Are you using global IPv6 addresses for your test or link-local addresses for your test? I have found that you sometimes need to ping6 the link-local address on a carp interface from a workstation before it will respond to ndp. For reference, this scenario happens if you run rtadvd against a carp interface for fail-over routers to advertise the carp address for routing. Thanks, Penned by Florian Fuessl on 20110805 7:00.21, we have: | Feature or bug? | | | | Latest snapshot /bsd kernel (03. Aug. 11) does not react to neighbor | discovery requests for inet6 address on carp master interface, here. | | | | -Florian -- Todd Fries .. t...@fries.net _ | \ 1.636.410.0632 (voice) | Free Daemon Consulting, LLC \ 1.405.227.9094 (voice) | http://FreeDaemonConsulting.com \ 1.866.792.3418 (FAX) | 2525 NW Expy #525, Oklahoma City, OK 73112 \ sip:freedae...@ekiga.net | "..in support of free software solutions." \ sip:4052279...@ekiga.net \\ 37E7 D3EB 74D0 8D66 A68D B866 0326 204E 3F42 004A http://todd.fries.net/pgp.txt
carp ipv6 ndp issue
Feature or bug? Latest snapshot /bsd kernel (03. Aug. 11) does not react to neighbor discovery requests for inet6 address on carp master interface, here. -Florian
