Re: Debian VMs on a routed libvirt ULA network are not exchanging neighbor solicitations with the host
> This sounds like multicast packets aren't getting through the bridge.
> Check the values of /sys/class/net/$IFACE/bridge/multicast_querier and
> /sys/class/net/$IFACE/bridge/multicast_snooping
On the host, I get:
cat /sys/class/net/virbr2/bridge/multicast_querier
0
cat /sys/class/net/virbr2/bridge/multicast_snooping
1
Searching based on your comment seems to show that it could be the other way round for my use case:
https://unix.stackexchange.com/questions/391672/what-is-multicast-snooping-and-why-does-it-break-upnp-dlna
https://bugzilla.redhat.com/show_bug.cgi?id=880035
and even more precisely:
https://bugzilla.redhat.com/show_bug.cgi?id=902922
https://access.redhat.com/solutions/784373
I tested:
echo 1 > /sys/class/net/virbr2/bridge/multicast_querier
echo 0 > /sys/class/net/virbr2/bridge/multicast_snooping
(see detailed test procedure below)
but the result was the same:
- no solicitations observed, except when the guest is started
- the ULA address is dropped at the end of its lifetime (3600s)
Interestingly, a restart of the libvirt virtual network resets these flags to their original value for the related bridge.
Is there maybe something I could also test at the Debian guest level?
(The CentOS/RHEL guests don't have this problem, but they seem to use Network Manager for this, not the default mechanism)
Thank you for your help,
Mathieu
## Test procedure
# After a fresh reboot of the host, as root
ip address show dev virbr2
8: virbr2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default qlen 1000
    link/ether 52:54:00:fa:ba:58 brd ff:ff:ff:ff:ff:ff
    inet6 fd34:fe56:7891:6::1/64 scope global
       valid_lft forever preferred_lft forever
    inet6 fe80::5054:ff:fefa:ba58/64 scope link
       valid_lft forever preferred_lft forever
cat /sys/class/net/virbr2/bridge/multicast_querier
0
cat /sys/class/net/virbr2/bridge/multicast_snooping
1
# Change both flags
echo 1 > /sys/class/net/virbr2/bridge/multicast_querier
echo 0 > /sys/class/net/virbr2/bridge/multicast_snooping
# Shut down all guests on this host
# Restart the routed libvirt virtual network using virbr2
!! The flags have been reset to their previous values
cat /sys/class/net/virbr2/bridge/multicast_snooping
1
cat /sys/class/net/virbr2/bridge/multicast_querier
0
# Set the flags again
echo 1 > /sys/class/net/virbr2/bridge/multicast_querier
echo 0 > /sys/class/net/virbr2/bridge/multicast_snooping
# Monitor icmp6
tcpdump -n -i virbr2 icmp6
# Start only the Debian guest VM
brctl show virbr2
bridge name     bridge id               STP enabled     interfaces
virbr2          8000.525400faba58       yes             virbr2-nic
                                                        vnet1
Link address of the bridge (virbr2):
fe80::5054:ff:fefa:ba58/64
Link address guest (vnet1 from the host perspective, enp2s0 from the guest's perspective):
fe80::fc54:ff:fe47:812f/64
On the host, during the VM startup, tcpdump shows:
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on virbr2, link-type EN10MB (Ethernet), capture size 262144 bytes
06:18:56.187251 IP6 :: > ff02::1:ff47:812f: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe47:812f, length 32
06:18:57.211370 IP6 fe80::5054:ff:fe47:812f > ff02::2: ICMP6, router solicitation, length 16
06:18:57.211698 IP6 fe80::5054:ff:fefa:ba58 > fe80::5054:ff:fe47:812f: ICMP6, router advertisement, length 88
06:18:57.415428 IP6 :: > ff02::1:ff47:812f: ICMP6, neighbor solicitation, who has fd34:fe56:7891:6:5054:ff:fe47:812f, length 32
06:19:02.320961 IP6 fe80::5054:ff:fefa:ba58 > fe80::5054:ff:fe47:812f: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe47:812f, length 32
06:19:02.321166 IP6 fe80::5054:ff:fe47:812f > fe80::5054:ff:fefa:ba58: ICMP6, neighbor advertisement, tgt is fe80::5054:ff:fe47:812f, length 24
06:19:07.358070 IP6 fe80::5054:ff:fe47:812f > fe80::5054:ff:fefa:ba58: ICMP6, neighbor solicitation, who has fe80::5054:ff:fefa:ba58, length 32
06:19:07.358136 IP6 fe80::5054:ff:fefa:ba58 > fe80::5054:ff:fe47:812f: ICMP6, neighbor advertisement, tgt is fe80::5054:ff:fefa:ba58, length 24
# Log in to the guest via the public interface and monitor icmp6 on the guest
sudo tcpdump -n -i enp2s0 icmp6
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp2s0, link-type EN10MB (Ethernet), capture size 262144 bytes
# RESULT
- no additional exchanges observed, neither on the host nor on the guest
- ULA address dropped after 3600s, as before
- host router seems STALE, as seen from the guest
ip -6 neigh
...
fe80::5054:ff:fefa:ba58 dev enp2s0 lladdr 52:54:00:fa:ba:58 router STALE
...
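
As an added example (not part of the original post), the Python below classifies the host-side capture quoted above by ND message type and by unicast versus multicast delivery, since multicast delivery is what the two bridge flags influence. Unsolicited router advertisements are addressed to the all-nodes group ff02::1 (RFC 4861), so those are counted separately; the names parse and summarize are made up for this illustration.

```python
import ipaddress
import re
from collections import Counter

# Lines copied from the host-side tcpdump on virbr2 shown in the post.
CAPTURE = """\
06:18:56.187251 IP6 :: > ff02::1:ff47:812f: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe47:812f, length 32
06:18:57.211370 IP6 fe80::5054:ff:fe47:812f > ff02::2: ICMP6, router solicitation, length 16
06:18:57.211698 IP6 fe80::5054:ff:fefa:ba58 > fe80::5054:ff:fe47:812f: ICMP6, router advertisement, length 88
06:18:57.415428 IP6 :: > ff02::1:ff47:812f: ICMP6, neighbor solicitation, who has fd34:fe56:7891:6:5054:ff:fe47:812f, length 32
06:19:02.320961 IP6 fe80::5054:ff:fefa:ba58 > fe80::5054:ff:fe47:812f: ICMP6, neighbor solicitation, who has fe80::5054:ff:fe47:812f, length 32
06:19:02.321166 IP6 fe80::5054:ff:fe47:812f > fe80::5054:ff:fefa:ba58: ICMP6, neighbor advertisement, tgt is fe80::5054:ff:fe47:812f, length 24
06:19:07.358070 IP6 fe80::5054:ff:fe47:812f > fe80::5054:ff:fefa:ba58: ICMP6, neighbor solicitation, who has fe80::5054:ff:fefa:ba58, length 32
06:19:07.358136 IP6 fe80::5054:ff:fefa:ba58 > fe80::5054:ff:fe47:812f: ICMP6, neighbor advertisement, tgt is fe80::5054:ff:fefa:ba58, length 24
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP6 (?P<src>\S+) > (?P<dst>[0-9a-fA-F:]+): "
    r"ICMP6, (?P<kind>(?:neighbor|router) (?:solicitation|advertisement))"
)
ALL_NODES = ipaddress.IPv6Address("ff02::1")

def parse(capture):
    """Yield (timestamp, src, dst, kind) for each ICMPv6 ND line tcpdump printed."""
    for line in capture.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield (m["ts"], ipaddress.IPv6Address(m["src"]),
                   ipaddress.IPv6Address(m["dst"]), m["kind"])

def summarize(capture, router):
    """Count ND messages by (kind, delivery); list the router's multicast sends."""
    router = ipaddress.IPv6Address(router)
    counts, router_multicast, periodic_ras = Counter(), [], 0
    for ts, src, dst, kind in parse(capture):
        delivery = "multicast" if dst.is_multicast else "unicast"
        counts[(kind, delivery)] += 1
        if src == router and dst.is_multicast:
            router_multicast.append((ts, kind))
        if kind == "router advertisement" and dst == ALL_NODES:
            periodic_ras += 1
    return counts, router_multicast, periodic_ras

if __name__ == "__main__":
    counts, router_mc, periodic = summarize(CAPTURE, "fe80::5054:ff:fefa:ba58")
    for (kind, delivery), n in sorted(counts.items()):
        print(f"{n} x {kind} ({delivery})")
    print("multicast sent by the host router:", router_mc)
    print("router advertisements to ff02::1:", periodic)
```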