@qlyoung
Last active November 11, 2019 19:21
Curiosities and notes on the Linux networking stack
  • Linux will send IPv4 (and probably IPv6) datagrams with no payload, i.e. just a header.

  • It is possible to bind() a socket to an address X on interface A, set the outgoing multicast interface to interface B with IP[V6]_MULTICAST_IF, and then send datagrams whose IP source is X but which are transmitted on B (i.e. using B's MAC address).

  • The above does not work when the source address is an IPv6 link-local address.

  • socket(7) states, about SO_BINDTODEVICE:

    If a socket is bound to an interface, only packets received from that particular interface are processed by the socket.

    This is true, but it also restricts packets sent on the socket to egressing via that particular interface, where previously they might have egressed elsewhere (wherever the routing table sent them).

  • Binding (with SO_BINDTODEVICE) to any interface enslaved to a VRF device "places" the socket in that VRF. Binding to the VRF device itself is not necessary.

  • IP[V6]_MULTICAST_IF is ignored if the socket has already been bound to a VRF device with SO_BINDTODEVICE. In that case multicast datagrams egress on the VRF device, sourced from its MAC.

  • Sockets bound to a VRF behave in interesting ways when the VRF device is deleted: TCP listening sockets are not closed and still appear in netstat, but simply become unroutable. Even if the VRF device is recreated, the socket remains useless (the socket holds the old ifindex, and a recreated device gets a new one).

  • When using macvlan interfaces in modes other than VEPA and bridge, an ingress multicast packet whose source MAC matches the MAC of one of your macvlan devices is delivered only to that particular interface; it is not replicated to any other device, even one joined to the multicast group. This happens only for multicast packets, and only when the macvlan with the matching MAC is in a mode other than VEPA or bridge. Conversely, if that macvlan device is in VEPA or bridge mode, such ingress multicast packets are delivered only to the physical interface, even if the macvlan device is joined to the multicast group.
