
Linux Interface Mode MACVLAN with Private mode doesn't seem to work as advertised (Ubuntu)

I am trying to create virtual interfaces (type MACVLAN) such that all communication between the interfaces is sent out of the host towards the external default gateway. There are plenty of writeups describing "private" mode such as here

Private: Filter all incoming packets so that no MAC VLAN bound to an interface can communicate with each other (drop all packets ingressing over the interface that have a source MAC address that matches one of the MAC VLAN interfaces).

I configured a couple of interfaces and it looks like the "private" mode isn't working as advertised. Am I doing something wrong? The host is Ubuntu 18.04 Bionic release.

The packets are getting switched within the host ignoring the "mode private" command. It is simple to reproduce with just 4 commands. Any help would be appreciated.

root@ubnt-bkp:/home/super# uname -a
Linux ubnt-bkp 4.15.0-96-generic #97-Ubuntu SMP Wed Apr 1 03:25:46 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
root@ubnt-bkp:/home/super# ip link add link ens160 address 38:94:ed:99:99:1A ens160.3 type macvlan mode private
root@ubnt-bkp:/home/super# ip link set ens160.3 up
root@ubnt-bkp:/home/super# ip link show
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:4f:a9:99:99:02 brd ff:ff:ff:ff:ff:ff
...
...
18: ens160.3@ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP **mode** **DEFAULT** group default qlen 1000
    link/ether 38:94:ed:99:99:1a brd ff:ff:ff:ff:ff:ff

Commands to reproduce the problem

root@ubnt-bkp:/home/super# ip link add link ens160 address 38:94:ed:99:99:1B ens160.5 type macvlan mode private
root@ubnt-bkp:/home/super# ip link set ens160.5 up
root@ubnt-bkp:/home/super# dhclient ens160.5
root@ubnt-bkp:/home/super# ip link add link ens160 address 38:94:ed:99:99:1C ens160.6 type macvlan mode private
root@ubnt-bkp:/home/super# ip link set ens160.6 up
root@ubnt-bkp:/home/super# dhclient ens160.6

Then ping using -I option:

root@ubnt-bkp:/home/super# ping -I <IP address of ens160.5> <IP address of ens160.6>

(replace ens160 with your ethernet interface name, e.g. eth0, when trying to reproduce)
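
Added example (not part of the original post): the `mode DEFAULT` printed by plain `ip link show` is the generic link mode, while the macvlan mode only appears in the detail output of `ip -d link show`, which this script parses. Its `--probe` option checks isolation from two separate network namespaces, because traffic between two addresses owned by the same namespace is delivered locally without crossing the macvlan devices. The namespace names, interface names and 192.0.2.0/24 addresses are placeholders chosen for this example.

```shell
#!/bin/sh
# Print "<ifname> <macvlan mode>" for each macvlan in `ip -d link show` output
# on stdin. "mode DEFAULT" on an entry's first line is the link mode and is
# skipped; the macvlan mode is on the indented detail line.
macvlan_modes() {
    awk '
        /^[0-9]+: / { name = $2; sub(/[@:].*/, "", name) }
        { for (i = 1; i < NF - 1; i++)
              if ($i == "macvlan" && $(i + 1) == "mode") print name, $(i + 2) }
    '
}

# Constructed sample of `ip -d link show` output (detail line abbreviated).
sample_output() {
    cat <<'EOF'
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000
    link/ether 08:4f:a9:99:99:02 brd ff:ff:ff:ff:ff:ff promiscuity 0
18: ens160.3@ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 38:94:ed:99:99:1a brd ff:ff:ff:ff:ff:ff promiscuity 0
    macvlan mode private addrgenmode eui64 numtxqueues 1 numrxqueues 1
EOF
}

# Needs root. Puts two macvlans of mode $2 on parent $1, each in its own
# namespace, and reports whether one can ping the other. Names and the
# 192.0.2.0/24 addresses are placeholders chosen for this example.
probe_mode() {
    for n in 1 2; do
        ip netns add "mvtest$n"
        ip link add link "$1" "mvt$n" type macvlan mode "$2"
        ip link set "mvt$n" netns "mvtest$n"
        ip -n "mvtest$n" addr add "192.0.2.$n/24" dev "mvt$n"
        ip -n "mvtest$n" link set "mvt$n" up
    done
    if ip netns exec mvtest1 ping -c 2 -W 1 192.0.2.2 >/dev/null 2>&1
    then result=reachable; else result=isolated; fi
    ip netns del mvtest1; ip netns del mvtest2   # also destroys the macvlans
    echo "$2: $result"
}

case "${1:-}" in
    --live)  ip -d link show type macvlan | macvlan_modes ;;
    --probe) probe_mode "$2" private; probe_mode "$2" bridge ;;
    *)       sample_output | macvlan_modes ;;
esac
```

Run with `--live` to list the modes of the macvlans on the host, or as root with `--probe ens160` to compare private and bridge mode across namespaces.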