Re: [pve-devel] [PATCH pve-common] network: disable unicast flooding on tap|veth|fwln ports

[alexandre derumier <aderumier@odiso.com>]

Le mercredi 15 septembre 2021 à 19:09 +0200, Thomas Lamprecht a écrit :
> On 15.09.21 17:33, alexandre derumier wrote:
> > I have looked at other hypervisors implementations (as it don't see
> > to
> > have problem with hetzner),
> > 
> > 
> > https://listman.redhat.com/archives/libvir-list/2014-December/msg00173.html
> > 
> > 
> > https://docs.vmware.com/en/VMware-NSX-T-Data-Center/3.1/administration/GUID-C5752084-A582-4AEA-BD5D-03FE5DBC746E.html
> > 
> > 
> > Both vmware && libvirt have a mode to manually manage fdb entries
> > in
> > bridge mac table.
> > 
> > This will work if only 1mac is behind 1 nic, so it should be an
> > option
> > (nested hypervisor for examples).
> > 
> > but for classic vm , it could allow to disable unicast_flood &&
> > learning for the tap interface, but also promisc mode on tap
> > interface!
> > 
> > I was think about add an option on vmbrX  or vnetX directly to
> > enable/disable.
> 
> As this would be on the VM tap devices it would sound somewhat
> reasonable to
> have it as per vNIC setting, but naturally it would then be a bit
> annoying to
> change for all; a tradeoff could be to allow setting the default
> value per
> bridge, node or datacenter (I'd do only one of those).
> 
> What do you think?
> 
I have done test, I think the best way is to enable it on the bridge
 or vnet for sdn.
because ovs don't support it for example, or its not needed for routed
setup or vxlan.
I don't known too much where add this option for classic vmbr ? in
/etc/network/interfaces ?.
I can't reuse bridge-unicast-flood off, bridge-learning off on vmbr
with ifupdown, because it's apply on all ports (ethX), and we don't
want that.
I could add a custom attribute, but I need to parse
/etc/network/interfaces in this case  for the tap_plug sub. 
For vnet, it's easy.

the worktlow is:

1)
- plug veth/tap iface (+fwbr if firewall)
   - disable unicast_flood + bridge_learning on the tap|veth + fwpr
interfaces

2)
then add static mac with "bridge fdb add <mac> dev <tap|veth|fwpr>
master static.

for 2), for live migration, we need to do it just before the resume of
the target vm
         for normal start, just after the start or after a nic hotplug.

static mac is autoremoved if the interface is removed, so it should be
auto handle by cleanup on vm crash too



As bonus, the benefit to configure it at bridge level, is that if all
egress ports (tap|veth|fwpb) have unicast_flood && learning disable,
the only remaining port (physical ethX ingress), is auto set in non-
promiscous, so bad traffic never go inside the server.
(another requirement is that the bridge need to be vlan-aware, but I
think it could work at herzner is default pvid 1 for untagged traffic)
https://git.backbone.ws/kolan/backbone-sources/commit/2796d0c648c9

https://legacy.netdevconf.info/0.1/docs/netdev_tutorial_bridge_makita_150213.pdf

I'ill try to send patches next week, I'm a bit busy at work this week.


Alexandre


> > 
> > I'm going to do tests, testing vlan aware && live migration too.
> 
> great, thanks for your work on this!
>