Bridge connectivity interruptions while devices join or leave the bridge

Bridge connectivity interruptions while devices join or leave the bridge

[Johannes Wienke]

I am sorry for probably misusing this list, but I couldn't find any
other mailing list suitable for asking in-detail Linux networking
questions. As I am not subscribed, please CC me in a potential reply.

I am currently tracking down a connectivity issues of docker containers
on a custom bridge network, which I could reduce to the Linux network
stack without docker being involved.

The situation that I am observing is the following: I have a bridge
device, which is connected to the outer world using forwarding and
masquerading (so the bridge does not contain the outgoing network
interface of the host). This bridge is used to perform network
operations by a long-running process, which is restricted to this bridge
using network namespaces and veth devices (exactly what docker does
internally). What I see is that every time a (virtual) network device is
added to or removed from the bridge, the communication of the
long-running process is interrupted.

I have created two scripts that can be used to replicate the situation.
They are available at:
https://gist.github.com/languitar/9ac8dc5c8db7cf4a89e1546f6e32ca7b

setup.bash sets up the bridge, veth devices, network namespace and the
iptables rules to replicate the network setup and simulates the
long-running process by periodically performing (volatile) UDP DNS
requests in a while loop.

When launching this script, all DNS requests should succeed and you
should see success messages at a regular pace.

To simulate devices joining and leaving the bridge, you can start
interruptor.bash.

As soon as this script is running, you can observe that DNS requests
will be delayed frequently and some of them even fail. In a parallel
pcap you would see that sometimes the UDP packages from the DNS lookup
are not routed to the outside world, but instead end up at the bridge
device without ever leaving the host system.

Can someone explain what is happening here and why adding and removing
devices to a bridge results in the connectivity issues? How to avoid
this behavior? I'd be glad for any hint on that.

Kind regards
Johannes
-- 
Johannes Wienke, Researcher at CoR-Lab / CITEC, Bielefeld University
Address: Inspiration 1, D-33619 Bielefeld, Germany (Room 1.307)
Phone: +49 521 106-67277

Re: Bridge connectivity interruptions while devices join or leave the bridge

[Ido Schimmel]

On Wed, Sep 19, 2018 at 11:10:22AM +0200, Johannes Wienke wrote:
> Can someone explain what is happening here and why adding and removing
> devices to a bridge results in the connectivity issues? How to avoid
> this behavior? I'd be glad for any hint on that.

The MAC address of the bridge ('brtest' in your example) is inherited
from the bridge port with the "smallest" MAC address. Thus, when you
generate veth devices with random MACs and enslave them to the bridge,
you sometimes change the bridge's MAC address as well. And since the
bridge is the default gateway sometimes packets are sent to the wrong
MAC address.

You can avoid randomly changing the bridge's MAC by setting it
explicitly:
# ip link set dev brtest address <some_mac>

Re: Bridge connectivity interruptions while devices join or leave the bridge

[Johannes Wienke]

[-- Attachment #1.1: Type: text/plain, Size: 1081 bytes --]

Dear Ido,

On 9/19/18 12:07 PM, Ido Schimmel wrote:
> On Wed, Sep 19, 2018 at 11:10:22AM +0200, Johannes Wienke wrote:
>> Can someone explain what is happening here and why adding and removing
>> devices to a bridge results in the connectivity issues? How to avoid
>> this behavior? I'd be glad for any hint on that.
> 
> The MAC address of the bridge ('brtest' in your example) is inherited
> from the bridge port with the "smallest" MAC address. Thus, when you
> generate veth devices with random MACs and enslave them to the bridge,
> you sometimes change the bridge's MAC address as well. And since the
> bridge is the default gateway sometimes packets are sent to the wrong
> MAC address.

Thank you very much! This was the important hint and solves the issues.

This behavior of inheriting the mac address is really unexpected to us.
Is it documented somewhere?

Kind regards
Johannes
-- 
Johannes Wienke, Researcher at CoR-Lab / CITEC, Bielefeld University
Address: Inspiration 1, D-33619 Bielefeld, Germany (Room 1.307)
Phone: +49 521 106-67277


[-- Attachment #2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 833 bytes --]

Re: Bridge connectivity interruptions while devices join or leave the bridge

[Ido Schimmel]

On Wed, Sep 19, 2018 at 01:00:15PM +0200, Johannes Wienke wrote:
> This behavior of inheriting the mac address is really unexpected to us.
> Is it documented somewhere?

Not that I'm aware, but it's a well established behavior.

Re: Bridge connectivity interruptions while devices join or leave the bridge

[Stephen Hemminger]

On Wed, 19 Sep 2018 19:45:08 +0300
Ido Schimmel <idosch@idosch.org> wrote:

> On Wed, Sep 19, 2018 at 01:00:15PM +0200, Johannes Wienke wrote:
> > This behavior of inheriting the mac address is really unexpected to us.
> > Is it documented somewhere?  
> 
> Not that I'm aware, but it's a well established behavior.

Not documented, has always been that way. It seems to be part of 802 standard maybe?
Anyway, if you set a MAC address of the bridge device it makes it sticky;
i.e it won't change if ports of bridge change.

Re: Bridge connectivity interruptions while devices join or leave the bridge

[Johannes Wienke]

On 19.09.18 19:03, Stephen Hemminger wrote:
> On Wed, 19 Sep 2018 19:45:08 +0300
> Ido Schimmel <idosch@idosch.org> wrote:
> 
>> On Wed, Sep 19, 2018 at 01:00:15PM +0200, Johannes Wienke wrote:
>>> This behavior of inheriting the mac address is really unexpected to us.
>>> Is it documented somewhere?  
>>
>> Not that I'm aware, but it's a well established behavior.
> 
> Not documented, has always been that way. It seems to be part of 802 standard maybe?
> Anyway, if you set a MAC address of the bridge device it makes it sticky;
> i.e it won't change if ports of bridge change.

Yes sure. It was just unexpected to meet this and we ha no clue that
this could be a reasonable default. I just wonder what the motivation
for hat is and of course some more obvious documentation would have
helped a lot in debugging/avoid this.

Cheers,
Johannes
-- 
Johannes Wienke, Researcher at CoR-Lab / CITEC, Bielefeld University
Address: Inspiration 1, D-33619 Bielefeld, Germany (Room 1.307)
Phone: +49 521 106-67277