[pve-devel] [PATCH pve-docs 1/1] add vxlan l3 routing
Alexandre DERUMIER
aderumier at odiso.com
Sun Aug 12 13:28:44 CEST 2018
>>But I think we cannot simply turn off rp_filter, see
>>
>>https://vincent.bernat.im/en/blog/2017-linux-bridge-isolation
>>
>>Maybe we can use vrf (instead of rp_filter) to isolate our bridges??
With symmetric routing, all bridges are in a VRF,
so you can't access a host IP if it's defined on an interface not in this VRF.
But, because of a bug in kernel >= 4.14 (https://github.com/FRRouting/frr/issues/2460),
we need net.ipv4.tcp_l3mdev_accept=1, which allows access from a VRF to a service listening in the default VRF.
(Note that rp_filter=0 on all interfaces is maybe a little bit too broad; I think it could be done only on
specific interfaces, but I need to do tests again to verify which interfaces really need it.)
----- Original Message -----
From: "dietmar" <dietmar at proxmox.com>
To: "aderumier" <aderumier at odiso.com>
Cc: "pve-devel" <pve-devel at pve.proxmox.com>
Sent: Sunday, 12 August 2018 07:46:38
Subject: Re: [pve-devel] [PATCH pve-docs 1/1] add vxlan l3 routing
> >>rp_filter is essential for security. Why do we
> >>need to turn this off?
>
> For example, I had a problem with live migration and the symmetric model: timeouts
> of 30-60s.
> https://github.com/FRRouting/frr/issues/2129
But I think we cannot simply turn off rp_filter, see
https://vincent.bernat.im/en/blog/2017-linux-bridge-isolation
Maybe we can use vrf (instead of rp_filter) to isolate our bridges??
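Added example (not code from this thread, from Proxmox or from FRR): a script that does what Alexandre describes above, isolating bridges by enslaving them to a Linux VRF rather than by rp_filter, enabling tcp_l3mdev_accept so host services in the default VRF remain reachable, and narrowing rp_filter=0 to chosen interfaces. The VRF name, table number and interface names (vrf-blue, 10, vmbr0, vmbr1, eth0) are placeholders, and the split between "loose" and "strict" interfaces is an assumed input, since the thread leaves open which interfaces really need rp_filter off. One caveat the script encodes: the kernel applies max(conf.all.rp_filter, conf.<if>.rp_filter) per interface, so conf.all must be 0 before any per-interface 0 has an effect, and the interfaces that should stay strict are pinned back to 1 explicitly.

```shell
#!/bin/sh
# Added example, not code from the pve-devel thread, Proxmox or FRR.
# Isolates Linux bridges with a VRF instead of rp_filter and applies the
# sysctls discussed in the thread. vrf-blue, table 10, vmbr0, vmbr1 and
# eth0 are placeholders, not Proxmox defaults.
#
#   sh vrf_bridge.sh            # print the plan (no root needed)
#   sh vrf_bridge.sh --apply    # execute it (root, iproute2 with VRF support)
set -eu

# 1. Create the VRF and enslave the bridges. A bridge inside the VRF does
#    its route lookups only in that VRF's table, so a host IP configured on
#    an interface outside the VRF is not reachable from the bridge.
vrf_cmds() {
    vrf=$1; table=$2; shift 2
    printf 'ip link add %s type vrf table %s\n' "$vrf" "$table"
    printf 'ip link set %s up\n' "$vrf"
    for br in "$@"; do
        printf 'ip link set dev %s master %s\n' "$br" "$vrf"
    done
}

# 2. Let TCP services bound in the default VRF (the host's own daemons, such
#    as the migration listener) accept connections arriving via a VRF device.
#    Without it the SYN is dropped and the client only sees a timeout.
#    The UDP counterpart is net.ipv4.udp_l3mdev_accept.
l3mdev_cmds() {
    printf 'sysctl -w net.ipv4.tcp_l3mdev_accept=1\n'
}

# 3. rp_filter per interface rather than globally. The kernel uses
#    max(conf.all.rp_filter, conf.<if>.rp_filter) for each interface, so
#    "all" must be 0 for any per-interface 0 to count; the interfaces that
#    should keep strict source validation are pinned to 1 explicitly, and
#    conf.default covers interfaces created later. Which interfaces belong
#    in "loose" is the caller's decision (the thread leaves it open).
#    VLAN interface names contain dots; write those keys with slashes,
#    e.g. net/ipv4/conf/eth0.100/rp_filter.
rp_filter_cmds() {
    loose=$1; strict=$2     # space-separated interface lists
    printf 'sysctl -w net.ipv4.conf.all.rp_filter=0\n'
    printf 'sysctl -w net.ipv4.conf.default.rp_filter=1\n'
    for i in $loose;  do printf 'sysctl -w net.ipv4.conf.%s.rp_filter=0\n' "$i"; done
    for i in $strict; do printf 'sysctl -w net.ipv4.conf.%s.rp_filter=1\n' "$i"; done
}

# The full plan with the placeholder names.
plan() {
    vrf_cmds vrf-blue 10 vmbr0 vmbr1
    l3mdev_cmds
    rp_filter_cmds "vmbr0 vmbr1" "eth0"
}

# Number of rp_filter=0 settings in the plan: conf.all plus one per loose
# interface. A sanity check that nothing else was left loose.
count_rpf_zero() {
    plan | grep -c 'rp_filter=0$'
}

if [ "${1:-}" = "--apply" ]; then
    plan | sh -e
else
    plan
fi
```

Run without arguments the script only prints the ip/sysctl commands, so the plan can be reviewed before it touches a host; with --apply it pipes them through sh -e so the first failing command stops the sequence.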