...
This configuration needs to be done on all clients and servers which have multiple interfaces configured in Multi-Rail.
accept_local
In kernel version 3.10, commit 7a9bc9b81a5b ("ipv4: Elide fib_validate_source() completely when possible.") introduced a behavior change: the accept_local parameter was no longer checked, and packets with a local address in the source field were not dropped, as they should be when accept_local is off.
Another patch came in kernel version 3.18 which restored the behavior. That's why we've been seeing problems on CentOS 8 and Ubuntu with health recovery, because health recovery pings attempt to do ARP resolutions on the local address.
| Code Block |
|---|
commit 1dced6a854827eb5683f3c57ddbb4595daf145e4
Author: Sébastien Barré <sebastien.barre@uclouvain.be>
Date: Sun Aug 17 09:19:54 2014 +0200
ipv4: Restore accept_local behaviour in fib_validate_source()
Commit 7a9bc9b81a5b ("ipv4: Elide fib_validate_source() completely when possible.")
introduced a short-circuit to avoid calling fib_validate_source when not
needed. That change took rp_filter into account, but not accept_local.
This resulted in a change of behaviour: with rp_filter and accept_local
off, incoming packets with a local address in the source field should be
dropped.
Here is how to reproduce the change pre/post 7a9bc9b81a5b commit:
-configure the same IPv4 address on hosts A and B.
-try to send an ARP request from B to A.
-The ARP request will be dropped before that commit, but accepted and answered
after that commit.
This adds a check for ACCEPT_LOCAL, to maintain full
fib validation in case it is 0. We also leave __fib_validate_source() earlier
when possible, based on the same check as fib_validate_source(), once the
accept_local stuff is verified.
Cc: Gregory Detal <gregory.detal@uclouvain.be>
Cc: Christoph Paasch <christoph.paasch@uclouvain.be>
Cc: Hannes Frederic Sowa <hannes@redhat.com>
Cc: Sergei Shtylyov <sergei.shtylyov@cogentembedded.com>
Signed-off-by: Sébastien Barré <sebastien.barre@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net> |
Therefore it is important to set accept_local to 1 on systems to ensure health works properly.
| Code Block |
|---|
sysctl -w net.ipv4.conf.all.accept_local=1
# or
sysctl -w net.ipv4.conf.<intf name>.accept_local=1 |
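The following is an added example, not part of the original page or the project's own tooling: a POSIX shell check that reports which Multi-Rail interfaces still have accept_local effectively off, and prints sysctl.d-style lines to persist the setting per interface. The `CONF_ROOT` variable, the function names and the interface names in the usage comment are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: audit accept_local on Multi-Rail interfaces.
# CONF_ROOT is a hypothetical override so the functions can run on a test tree.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Print 1 if local-source packets are accepted on interface $1, else 0.
# Either the "all" value or the interface's own value being 1 is enough,
# matching the two alternative sysctl commands above.
effective_accept_local() {
    all=$(cat "$CONF_ROOT/all/accept_local" 2>/dev/null || echo 0)
    own=$(cat "$CONF_ROOT/$1/accept_local" 2>/dev/null || echo 0)
    if [ "$all" = "1" ] || [ "$own" = "1" ]; then echo 1; else echo 0; fi
}

# List the interfaces from "$@" that would still drop local-source packets.
# An interface with no conf directory is reported as "<name>:missing".
needs_accept_local() {
    for intf in "$@"; do
        if [ ! -d "$CONF_ROOT/$intf" ]; then
            echo "$intf:missing"
        elif [ "$(effective_accept_local "$intf")" = "0" ]; then
            echo "$intf"
        fi
    done
}

# Emit sysctl.d-style lines for the interfaces that need the setting, so it
# survives a reboot (sysctl -w alone does not persist). The slash-separated
# key form keeps interface names containing dots (e.g. VLANs) intact.
sysctl_dropin() {
    for intf in $(needs_accept_local "$@"); do
        case "$intf" in
            *:missing) ;;   # nothing to persist for an absent interface
            *) echo "net/ipv4/conf/$intf/accept_local = 1" ;;
        esac
    done
}

# Usage (interface names are constructed examples):
#   needs_accept_local eth0 ib0 ib1
#   sysctl_dropin eth0 ib0 ib1 > /etc/sysctl.d/90-accept-local.conf
```

Setting the value per interface rather than through `all` keeps the relaxed source-address check limited to the interfaces that need it.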
trevis-401
401 is the most complicated node in the cluster. It has 2 ETH, 2 OPA and 2 MLX interfaces.
...