netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Vasily Averin <vvs@parallels.com>
To: "Linus Lüssing" <linus.luessing@web.de>, netdev@vger.kernel.org
Cc: Herbert Xu <herbert@gondor.apana.org.au>,
	bridge@lists.linux-foundation.org,
	Adam Baker <linux@baker-net.linuxfoundation.org>,
	linux-kernel@vger.kernel.org,
	"David S. Miller" <davem@davemloft.net>,
	Cong Wang <amwang@redhat.com>
Subject: Re: bride: IPv6 multicast snooping enhancements
Date: Tue, 10 Feb 2015 11:44:29 +0300	[thread overview]
Message-ID: <54D9C4ED.6040601@parallels.com> (raw)
In-Reply-To: <1378253619-23918-1-git-send-email-linus.luessing@web.de>

This patch prevent forwarding of ICMPv6 in bridges,
so containers/VMs with virtual eth adapters connected in local bridge cannot ping each other via ipv6 (but can do it via ipv4)

Could you please clarify, is it expected behavior?
Do we need to enable multicast routing or multicast_snooping on all local ports on such bridges to enable just ICMPv6?
I believe ICMPv6 is an exception and should not be filtered by multicast spoofing.

Thank you,
	Vasily Averin

On 04.09.2013 04:13, Linus Lüssing wrote:
> Hi,
> 
> Here are two, small feature changes I would like to submit to increase
> the usefulness of the multicast snooping of the bridge code.
> 
> The first patch is an unaltered one I had submitted before, but since it
> got no feedback I'm resubmitting it here for net-next. With the recently
> added patch to disable snooping if there is no querier (b00589af + 248ba8ec05
> + 8d50af4fb), it should be a safe choice now (without these, patch 1/2 would
> have introduced another potential for lost IPv6 multicast packets).
> 
> Both conceptually and also with some testing and fuzzing, I couldn't spot
> any more causes for potential packet loss. And since the multicast snooping
> code has now been tried by various people, I think it should be a safe
> choice to apply the multicast snooping not only for IPv6 multicast packets
> with a scope greater than link-local, but also for packets of exactly this
> scope. The IPv6 standard mandates MLD reports for link-local multicast, too,
> so we can safely snoop them as well (in contrast to IPv4 link-local).
> 
> Cheers, Linus
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> Please read the FAQ at  http://www.tux.org/lkml/
> 
> 
> 

  parent reply	other threads:[~2015-02-10  8:44 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-09-04  0:13 bride: IPv6 multicast snooping enhancements Linus Lüssing
2013-09-04  0:13 ` [PATCH net-next 1/2] bridge: prevent flooding IPv6 packets that do not have a listener Linus Lüssing
2013-09-04  0:13 ` [PATCH net-next 2/2] bridge: apply multicast snooping to IPv6 link-local, too Linus Lüssing
2013-09-05 16:36 ` bride: IPv6 multicast snooping enhancements David Miller
2015-02-10  8:44 ` Vasily Averin [this message]
2015-02-10 11:44   ` Linus Lüssing
2015-02-10 13:59     ` Vasily Averin
2015-02-12 11:41       ` Linus Lüssing
2015-02-12 12:01         ` Vasily Averin

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=54D9C4ED.6040601@parallels.com \
    --to=vvs@parallels.com \
    --cc=amwang@redhat.com \
    --cc=bridge@lists.linux-foundation.org \
    --cc=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=linus.luessing@web.de \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux@baker-net.linuxfoundation.org \
    --cc=netdev@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).