LXC, veth interface linked with a bridge, multicast packets are dropped

oytunyapar · August 4, 2021, 7:51am

Hi,

I am running a LXC container, which has a veth type interface (if_veth), linked with a bridge (if_bridge) which is in the host(outside of the container). When I sent multicast packets (UDP) from if_bridge, I could observe ethernet frames from if_veth, when I capture the packets with Wireshark. However, if I listen the if_veth interface, by opening a UDP socket, I could not observe the multicast packets. So I think multicast packets are dropped.

Unicast is OK, routing entries in the host machine is OK. Additionally only multicast address which could be received is 224.0.0.1, which is interesting.

I checked for the root cause,

netstat -u -s output in the LXC container

InCsumErrors are more than 0.

I observe skb:kfree_skb events excessively, when I checked “perf” tool output.

I am using CentOS8 kernel 4.18, LXC version 1.0.11

stgraber · August 4, 2021, 2:04pm

It’s pretty odd that tcpdump/wireshark would see it but that a listener doesn’t…
Normally the usual suspect there would be a firewall as that runs in between the two.

oytunyapar · August 4, 2021, 3:24pm

Thank you for the reply, I checked, there isn’t any DROP policy in the iptables.

oytunyapar · August 9, 2021, 10:51am

The problem is fixed, there are two steps to apply,

1- Be sure, multicast JOIN messages are sent to the interface, where multicast packets will be received. Add related routing entries, than be sure JOIN messages are sent.

2- Disable checksum offloading, an example command is “ethtool --offload eth0 rx off tx off sg off”

Additionally, check rp_filter

Credits to Jeffery Weston, NRL

stgraber · August 9, 2021, 2:08pm

Thanks for posting your solution, I’m sure it will be useful to someone else at some point!