* Selective proxy ARP
From: Alex Bligh @ 2016-07-12 16:50 UTC (permalink / raw)
  To: Mail List - Netfilter; +Cc: Alex Bligh

I am trying to set up what is often called a pseudo-bridge
on a machine in a data centre. The config looks like this:

DC LAN
|
|
|           bond0          br0     veth0
+----------------[ Linux ] ------+-------[ VM 192.0.200.101/24 ]
| 192.0.200.23/24                |
|                                | veth1  
|                                \-------[ VM 192.0.200.101/24 ]


The data centre do not want me to simply make bond0 a member
of the br0 bridge, because they only want to see a single MAC
and are worried about forwarding loops. Fair or not, let's
assume that's a fixed point.

I could get this to work (I think) simply by putting the
appropriate /32 routes in the kernel, and then enabling
proxy_arp on bond0 and br0.

However, I want to be very cautious about what my machine arps
for on bond0. Specifically, I want to ensure it does not arp
for anything except its own address and the other 2 IP addresses
listed.

I'm pretty sure there was some arp masquerade setting that could
be used instead of a straight proxy arp, but now can't find it.
Any ideas?

-- 
Alex Bligh


* Re: Selective proxy ARP
From: Michal Kubecek @ 2016-07-13  5:26 UTC (permalink / raw)
  To: netfilter; +Cc: Alex Bligh

On Tue, Jul 12, 2016 at 05:50:41PM +0100, Alex Bligh wrote:
> I am trying to set up what is often called a pseudo-bridge
> on a machine in a data centre. The config looks like this:
> 
> DC LAN
> |
> |
> |           bond0          br0     veth0
> +----------------[ Linux ] ------+-------[ VM 192.0.200.101/24 ]
> | 192.0.200.23/24                |
> |                                | veth1  
> |                                \-------[ VM 192.0.200.101/24 ]
> 
> 
> The data centre do not want me to simply make bond0 a member
> of the br0 bridge, because they only want to see a single MAC
> and are worried about forwarding loops. Fair or not, let's
> assume that's a fixed point.
> 
> I could get this to work (I think) simply by putting the
> appropriate /32 routes in the kernel, and then enabling
> proxy_arp on bond0 and br0.
> 
> However, I want to be very cautious about what my machine arps
> for on bond0. Specifically, I want to ensure it does not arp
> for anything except its own address and the other 2 IP addresses
> listed.

How about doing it the old manual way?

  ip neigh add proxy 192.0.200.101 dev bond0
  ip neigh add proxy 192.0.200.??? dev bond0

(in your schema above, both VMs have the same address which is probably
only a copy&paste mistake).

Michal Kubecek

* Re: Selective proxy ARP
From: Alex Bligh @ 2016-07-13  8:26 UTC (permalink / raw)
  To: John Lauro; +Cc: Alex Bligh, Mail List - Netfilter


On 13 Jul 2016, at 01:31, John Lauro <johnalauro@gmail.com> wrote:

> Assuming you want the whole /24...
> 
> for h in `seq 1 254` ; do arp -i eth0 -Ds 192.0.200.$h eth0 pub ; done

Actually just the two addresses, but that looks good for IPv4. Thanks.

> (Well, replace the two eth0 with bond0 in your case, although I would probably tie the vms to another nic or loopback interface and route instead of bridge even if you had to appear as layer 2 to the DC)
> 
> I know, this is the proxy arp that you wanted to avoid, but not sure why you think some sort of masquerade arp would be better than routing / proxy arp?

I can't influence the routing (that's on the DC side).

If I use proxy arp and have another interface of 10.10.10.1/24 (for example) proxy arp will ARP for anything in that range (as I understand it). I only want to proxy arp for specific IPs.

> You would need some sort of ebtables rule to ensure you didn't leak any arp out the virtual machine mac addresses if you do this on l2 instead of l3. Keep to l3 for the vms behind the host and it's a non issue.

The L2 segment is only inside my VM (bond0 is not on br0) so that should be ok.

-- 
Alex Bligh

* Re: Selective proxy ARP
From: Alex Bligh @ 2016-07-13  8:30 UTC (permalink / raw)
  To: Michal Kubecek; +Cc: Alex Bligh, Mail List - Netfilter


On 13 Jul 2016, at 06:26, Michal Kubecek <mkubecek@suse.cz> wrote:

> How about doing it the old manual way?
> 
>  ip neigh add proxy 192.0.200.101 dev bond0
>  ip neigh add proxy 192.0.200.??? dev bond0

That actually looks fantastically useful (yes, the dupe was copy and paste
in anonymisation). Thanks.

I'm presuming this method also translates to ipv6?

-- 
Alex Bligh

* Re: Selective proxy ARP
From: Alex Bligh @ 2016-07-13 10:47 UTC (permalink / raw)
  To: John Lauro, Michal Kubecek; +Cc: Alex Bligh, Mail List - Netfilter

Interestingly, this does not work:

> On 13 Jul 2016, at 01:31, John Lauro <johnalauro@gmail.com> wrote:
> 
> for h in `seq 1 254` ; do arp -i eth0 -Ds 192.0.200.$h eth0 pub ; done

(with bond0 and the IP address substituted)

and neither does this:

On 13 Jul 2016, at 06:26, Michal Kubecek <mkubecek@suse.cz> wrote:
>  ip neigh add proxy 192.0.200.101 dev bond0

in that a device on the same network cannot successfully arp
for the address.

Any ideas?

-- 
Alex Bligh
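Pulling the thread's two suggestions together as an added example (this is not code from Alex, Michal or John): a script that publishes only the listed addresses on bond0 with per-address proxy entries while leaving proxy_arp off, plus a check of the conditions the kernel's ARP input path (arp_process in net/ipv4/arp.c) applies before it will answer for a proxy entry: forwarding enabled on the receiving interface and a route to the address that leaves through a different device. Interface names and 192.0.200.101 follow the first message; the second VM address and the IPv6 address are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from any message in the thread. Topology as in the first
# message: uplink bond0 (192.0.200.23/24), VMs behind br0. The second VM's
# address was never given, so 192.0.200.102 and the IPv6 address are constructed.
UPLINK=bond0
VM_BRIDGE=br0

# Print the commands that publish exactly the listed addresses on the uplink:
# a host route towards the bridge plus one proxy entry per address. Global
# proxy_arp stays 0 on the uplink, so no other routable address is answered
# for. IPv6 addresses get the NDP equivalent (needs proxy_ndp=1).
gen_proxy_cmds() {
    uplink=$1; bridge=$2; shift 2
    echo "sysctl -w net.ipv4.conf.$uplink.proxy_arp=0"
    echo "sysctl -w net.ipv4.conf.$uplink.forwarding=1"
    for addr in "$@"; do
        case $addr in
            *:*) echo "sysctl -w net.ipv6.conf.$uplink.proxy_ndp=1 net.ipv6.conf.$uplink.forwarding=1"
                 echo "ip -6 route replace $addr/128 dev $bridge"
                 echo "ip -6 neigh replace proxy $addr dev $uplink" ;;
            *)   echo "ip route replace $addr/32 dev $bridge"
                 echo "ip neigh replace proxy $addr dev $uplink" ;;
        esac
    done
}

# Verify the conditions under which the kernel answers an ARP request for a
# proxy entry (net/ipv4/arp.c, arp_process): forwarding enabled on the
# receiving interface, the route to the address leaving via a *different*
# device, and the entry present. Needs iproute2 and a live system.
check_proxy_answer() {
    addr=$1; uplink=$2
    [ "$(sysctl -n "net.ipv4.conf.$uplink.forwarding")" = 1 ] ||
        { echo "forwarding is off on $uplink"; return 1; }
    via=$(ip -o route get "$addr" | sed -n 's/.* dev \([^ ]*\).*/\1/p')
    [ -n "$via" ] && [ "$via" != "$uplink" ] ||
        { echo "route to $addr exits via '$via', not another device"; return 1; }
    ip neigh show proxy dev "$uplink" | awk -v a="$addr" '$1==a{f=1} END{exit !f}' ||
        { echo "no proxy entry for $addr on $uplink"; return 1; }
    echo "$uplink will answer ARP requests for $addr"
}

# Stand-alone: print the plan; "apply" executes it (root), "check ADDR" verifies.
VM_ADDRS="192.0.200.101 192.0.200.102"
case ${1:-plan} in
    apply) gen_proxy_cmds "$UPLINK" "$VM_BRIDGE" $VM_ADDRS | sh -e ;;
    check) check_proxy_answer "$2" "$UPLINK" ;;
    *)     gen_proxy_cmds "$UPLINK" "$VM_BRIDGE" $VM_ADDRS ;;
esac
```

Run without arguments to review the generated commands before applying them; `check 192.0.200.101` reports which of the three conditions fails when a neighbour on the DC LAN still gets no ARP reply.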