From mboxrd@z Thu Jan 1 00:00:00 1970
References: <20230915142045.73457-1-edigaryev@gmail.com> <20230918160134.09d2b706@elisabeth>
In-Reply-To: <20230918160134.09d2b706@elisabeth>
From: Nikolay Edigaryev
Date: Mon, 18 Sep 2023 19:52:23 +0400
Subject: Re: [PATCH] arp: only send ARP replies for --gateway address
To: Stefano Brivio
CC: passt-dev@passt.top
List-Id: Development discussion and patches for passt

Hello Stefano,

I will try to clarify:

I have a single host machine, a dedicated amd64 server, capable of running multiple Cloud Hypervisor virtual machines backed by /dev/kvm.

I also have a daemon-less CLI software that can provision as many VM instances as the user wants, e.g. by running "mycli create --kernel ... --disk ... ubuntu".

To run a VM, the user types "mycli run ubuntu", which results in the creation of two TAP interfaces: one is for passt, one is for Cloud Hypervisor.

"mycli run" then creates a bridge(8) interface, assigns a free IP from /29 network to it (for example, 10.0.0.3/29), and adds both the TAP interfaces to that bridge forming up a virtual switch, which allows passt <-> VM and host <-> communication.

"mycli run ubuntu" also invokes the passt with the following arguments:

>passt --foreground --address 10.0.0.2 --netmask 255.255.255.248 --gateway 10.0.0.1 --mac-addr 52:f1:18:34:28:0b -4 --mtu 1500 --tap-fd 3

Now to the issue: if the user wants to access the VM, for provisioning purposes, e.g. by running "ssh 10.0.0.2", there's a race between the real ARP reply from that VM and an ARP reply from passt due to the code fixed in the patch above.

And even if we add a static ARP entry for that VM on the host, there still exists a race on the VM's side. Here the VM looks up the host's ethernet address and receives one reply from host (ba:46:4e:27:8b:93) and another from passt (52:f1:18:34:28:0b):

17:26:42.685718 5a:b7:e3:dc:bb:9f > ba:46:4e:27:8b:93, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.3 tell 10.0.0.2, length 28
17:26:42.685744 ba:46:4e:27:8b:93 > 5a:b7:e3:dc:bb:9f, ethertype ARP (0x0806), length 42: Reply 10.0.0.3 is-at ba:46:4e:27:8b:93, length 28
17:26:42.685908 52:f1:18:34:28:0b > 5a:b7:e3:dc:bb:9f, ethertype ARP (0x0806), length 42: Reply 10.0.0.3 is-at 52:f1:18:34:28:0b, length 28

On Mon, Sep 18, 2023 at 6:01 PM Stefano Brivio wrote:
>
> On Mon, 18 Sep 2023 12:26:03 +1000
> David Gibson wrote:
>
> > On Fri, Sep 15, 2023 at 06:20:45PM +0400, Nikolay Edigaryev wrote:
> > > Problem: when passt/pasta are working in a broadcast domain with more
> > > than one host machine,
> >
> > Oof. So, at present, passt/pasta is really not designed to have more
> > than a single machine on the "tap" side. Changing the ARP behaviour
> > is likely to be the least of the problems with that setup.
>
> Now I'm confused on which "side" this happens. :) Nikolay, can you
> articulate the issue a bit better? Do you really have multiple *host*
> machines? Does the passt process... move between them?
>
> By the way, the only concern I have with this change is that the guest
> might ignore the gateway address it's being assigned, for whatever
> reason, and by just resolving "almost everything" we guarantee the
> traffic goes out anyway.
>
> If there's no other way to solve the issue you're facing, I would
> rather propose to have this as an option, and perhaps have it off by
> default.
>
> --
> Stefano
>
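
Added example, not part of the original message and not passt code: a Python check that reads the tcpdump lines quoted in the message and reports any IP address that was answered by more than one MAC within a short window, which is the duplicate-reply condition the message describes. The function names and the one-second default window are assumptions made for this illustration.

```python
import re
from collections import defaultdict

# tcpdump lines copied verbatim from the message above.
CAPTURE = """\
17:26:42.685718 5a:b7:e3:dc:bb:9f > ba:46:4e:27:8b:93, ethertype ARP (0x0806), length 42: Request who-has 10.0.0.3 tell 10.0.0.2, length 28
17:26:42.685744 ba:46:4e:27:8b:93 > 5a:b7:e3:dc:bb:9f, ethertype ARP (0x0806), length 42: Reply 10.0.0.3 is-at ba:46:4e:27:8b:93, length 28
17:26:42.685908 52:f1:18:34:28:0b > 5a:b7:e3:dc:bb:9f, ethertype ARP (0x0806), length 42: Reply 10.0.0.3 is-at 52:f1:18:34:28:0b, length 28
"""

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
REPLY = re.compile(
    rf"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) (?P<src>{MAC}) > (?P<dst>{MAC}), "
    rf"ethertype ARP .*?: Reply (?P<ip>[\d.]+) is-at (?P<mac>{MAC})"
)


def parse_replies(text):
    """Yield (seconds_since_midnight, ip, claimed_mac, requester_mac) per ARP reply."""
    for line in text.splitlines():
        m = REPLY.match(line.strip())
        if m:
            t = int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"])
            yield t, m["ip"], m["mac"], m["dst"]


def find_conflicts(text, window=1.0):
    """Map (ip, requester_mac) -> MACs that answered for ip within `window` seconds.

    Assumes the capture does not cross midnight (timestamps carry no date).
    """
    recent = defaultdict(list)     # (ip, requester) -> [(time, mac)] still in window
    conflicts = defaultdict(list)  # (ip, requester) -> distinct conflicting MACs
    for t, ip, mac, dst in parse_replies(text):
        key = (ip, dst)
        recent[key] = [(pt, pm) for pt, pm in recent[key] if t - pt <= window]
        for _, prev_mac in recent[key]:
            if prev_mac != mac:
                for claimed in (prev_mac, mac):
                    if claimed not in conflicts[key]:
                        conflicts[key].append(claimed)
        recent[key].append((t, mac))
    return dict(conflicts)


if __name__ == "__main__":
    for (ip, requester), macs in find_conflicts(CAPTURE).items():
        print(f"{ip} answered to {requester} by: {', '.join(macs)}")
```

The regular expression expects the link-level header that tcpdump prints with -e; without it the source and destination MACs are not in the line and nothing matches.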