Re: [pve-devel] [PATCH pve-cluster] sysctl: disable net.ipv4.igmp_link_local_mcast_reports

[Thomas Lamprecht <t.lamprecht@proxmox.com>]

On 09.11.21 16:52, DERUMIER, Alexandre wrote:
> This is really specific to local-link multicast, and it's should only
> be use for some specific routing protocol
> 
> https://yhbt.net/lore/all/1439396033-6264-1-git-send-email-pdowney@brocade.com/T/
> https://www.omnisecu.com/tcpip/ipv4-link-local-multicast-addresses.php
> 
> So, I'll not break multicast services inside the vm.
> 
> Maybe if hypervisor use ospf routing protocol, but anyway, we don't
> have any infos about true vm ip/mac on fwbr bridges.

hmm, ack thx for the info, so the sysctl can be fine.

> actually corretly activate the fwbr bridge before plugging to vmbr,
> 
> my $create_firewall_bridge_linux = sub {
>   ...
>   &$cond_create_bridge($fwbr);
>   &$activate_interface($fwbr);
>   copy_bridge_config($bridge, $fwbr);
>   veth_create($vethfw, $vethfwpeer, $bridge);
> 
>   &$bridge_add_interface($fwbr, $vethfw);
>   &$bridge_add_interface($bridge, $vethfwpeer, $tag, $trunks);
>   &$bridge_add_interface($fwbr, $iface);
> };
> 
> but it seem that igmp is sent some millisecond later
> 
> A simple sleep like,
> 
>   &$cond_create_bridge($fwbr);
>   &$activate_interface($fwbr);
>   sleep(1);
>   &$bridge_add_interface($fwbr, $vethfw);
> 
> and the igmp report from fwbr is not going to vmbr.
> (but, maybe this is more ugly than a sysctl knob)
> 

yeah such sleeps are ugly and still racy, we could poll for the fwbr to be up?

E.g., something like:

my $round = 0;
while (1) {
   last if PVE::Tools::file_read_firstline("/sys/class/net/$fwbr/operstate") =~ "up";
   die "timeout on waiting for $fwbr to become ready\n" if ++$round > 100;
   usleep(10 * 1000); # 100 * 10ms = 1s
}

(did not test it)

>> Should it be an FW option?
> 
> It could be.
> 
> but it need to be persistant at firewall service stop, as when we
> shutdown the server, igmp report could be emit on vm/ct shutdown.
> and at boot, it should be enabled before the vm auto-start
> 
> Personnaly, I think it should be disabled by default, with an knob to
> enable it.
> , as a majority of basic users don't known what it is. (And advanced
> users using routing protocol, should be aware of this option).


ah yea, with default on I meant that the sysctl would be default on (so the local
mcast reporting default off), sorry for the confusion.
We wouldn't need a actual config knob either as an admin that depends on this can
just configure a higher-priority sysctl.d file..