From: Andrew Lunn <andrew@lunn.ch>
To: Hirotaka Yamamoto <ymmt@cybozu.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>
Subject: Re: ECMP routing: problematic selection of outgoing interface
Date: Wed, 16 May 2018 15:01:28 +0200
Message-ID: <20180516130128.GE22000@lunn.ch>
In-Reply-To: <TY1PR0301MB10074DC6D1F5CE4F4B5AF7B5A0920@TY1PR0301MB1007.apcprd03.prod.outlook.com>
On Wed, May 16, 2018 at 01:51:36AM +0000, Hirotaka Yamamoto wrote:
> Hi,
>
> Recently I have built a highly-available network using an ECMP
> route connected to two isolated L2 switches as follows.
>
> Router-- ToR switch 1 ---- Linux
>   |      192.168.11.1/24    |  eth0: 192.168.11.2/24
>   |                         |  eth1: 192.168.12.2/24
>   +-- ToR switch 2 ---------+
>          192.168.12.1/24
>
> The (default) route has been configured with:
>
> $ sudo ip route add default \
> nexthop via 192.168.11.1 \
> nexthop via 192.168.12.1
>
> Then I found that Linux chooses a wrong outgoing device for some
> destination/source address pairs like this:
>
> $ ip route get 12.34.56.78 from 192.168.12.2:
> 12.34.56.78 from 192.168.12.2 via 192.168.11.1 dev eth0 uid 0
> # dev should be "eth1"
>
> As a consequence, programs like SSH or curl do not work for such
> destinations because routers drop packets having strange source
> addresses.
Hi Hirotaka
I assume you add the 192.168.11.1 and 192.168.12.1 to the interfaces
using global scope? Global scope means the IP addresses are valid
everywhere. All routers should know how to route packets to these IP
addresses. So a host is free to pick any of its global scope IP
addresses and use them. The outgoing interface should not matter,
since all routers downstream of it should have routes for the global
scope IP addresses.
It sounds like your router is doing reverse path filtering. It is
checking its routing table for the source address, and throwing the
packets away if they don't come in the interface the route points out
of. If you don't trust your network, this makes sense. It helps to
stop a host spoofing another host, by sending packets with a spoofed
IP address. But you probably want to do reverse path filtering on the
gateway which borders between the networks you do trust and those you
don't.
Andrew
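The reply above describes what a reverse-path-filtering router does: it looks up the packet's source address in its own routing table and drops the packet if that route does not point out of the interface the packet arrived on. The following is an added worked example, not code from the thread or from any of its participants, that models that check over a constructed routing table for the router in the diagram. The interface names swp1/swp2/uplink, the router's table, and the sample packets are assumptions chosen to match the topology; the "strict" and "loose" modes correspond to Linux rp_filter=1 and rp_filter=2 respectively.

```python
import ipaddress

# Constructed routing table for the Router in the diagram (assumed, not from
# the thread): one connected route per ToR-side /24 plus a default route.
# swp1 faces ToR switch 1 (192.168.11.0/24), swp2 faces ToR switch 2.
ROUTES = [
    ("192.168.11.0/24", "swp1"),
    ("192.168.12.0/24", "swp2"),
    ("0.0.0.0/0", "uplink"),
]


def lookup(table, addr):
    """Longest-prefix match of addr against table.

    Returns the outgoing interface name of the most specific matching route,
    or None when nothing matches (cannot happen here because of the default).
    """
    ip = ipaddress.ip_address(addr)
    best = None
    for prefix, ifname in table:
        net = ipaddress.ip_network(prefix)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


def rpf_check(table, src, ingress, mode="strict"):
    """Reverse path filtering as the reply describes it.

    strict: the route for the source address must point out of the interface
            the packet arrived on (Linux rp_filter=1).
    loose:  it is enough that some route for the source address exists
            (Linux rp_filter=2); with a default route this accepts everything.
    Returns True when the packet is accepted, False when it would be dropped.
    """
    via = lookup(table, src)
    if via is None:
        return False
    if mode == "loose":
        return True
    return via == ingress


# Constructed sample packets as the router sees them: (source, ingress iface).
# The first one is the thread's case: the host sourced the packet from
# 192.168.12.2 but sent it out eth0, so it arrives via ToR switch 1 on swp1.
PACKETS = [
    ("192.168.12.2", "swp1"),
    ("192.168.12.2", "swp2"),
    ("192.168.11.2", "swp1"),
]


def evaluate(packets=PACKETS, table=ROUTES):
    """Return {(src, ingress): {"strict": bool, "loose": bool}} for each packet."""
    return {
        (src, ingress): {
            "strict": rpf_check(table, src, ingress, "strict"),
            "loose": rpf_check(table, src, ingress, "loose"),
        }
        for src, ingress in packets
    }


if __name__ == "__main__":
    for (src, ingress), result in evaluate().items():
        print(f"src={src} in={ingress} strict={result['strict']} loose={result['loose']}")
```

Run stand-alone, the script shows the thread's failing case (192.168.12.2 arriving on swp1) rejected under strict mode and accepted under loose mode, while the two consistent packets pass both. On the Linux host side, the usual way to make the egress match the source address, which the thread itself does not cover, is source-based policy routing: an ip rule selecting a per-source routing table whose default route goes via the matching gateway.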
Thread overview: 3+ messages
2018-05-16 1:51 ECMP routing: problematic selection of outgoing interface Hirotaka Yamamoto
2018-05-16 13:01 ` Andrew Lunn [this message]
2018-05-16 16:16 ` Hirotaka Yamamoto