15:00 <stintel> hrrmmm

15:00 <stintel> weird logspam

15:00 <stintel> Wed Apr 30 17:59:04 2025 kern.warn kernel: [ 255.057348] reject iot out: IN=switch.23 OUT=switch.23 MAC=00:90:7f:d7:e3:07:60:55:f9:f7:06:98:86:dd SRC=fe80:0000:0000:0000:6255:f9ff:fef7:0698 DST=fe80:0000:0000:0000:0000:0000:0000:0001 LEN=72 TC=0 HOPLIMIT=254 FLOWLBL=0 PROTO=ICMPv6 TYPE=135 CODE=0

15:03 <stintel> why would it forward neighbor solicitations?

15:03 <stintel> or try to forward, firewall says no

16:12 <dwfreed> stintel: what device is 60:55:f9:f7:06:98, the router?

16:13 <dwfreed> the router that produced that log message, that is

16:14 <dwfreed> actually I think the MAC I wanted was 00:90:7f:d7:e3:07

16:29 <KanjiMonster> stintel: forward in l3 or l2?

16:29 <dwfreed> given hoplimit is 254 instead of 255, that appears to be an l3 forward

16:34 <KanjiMonster> good point

16:34 <stintel> dwfreed: indeed, 00:90:7f:d7:e3:07 is router, 60:55:f9:f7:06:98 is client

16:35 <KanjiMonster> though that log is obviously a violation of rfc4861 "A node MUST silently discard any received Neighbor Solicitation messages that do not satisfy all of the following validity checks: ... The IP Hop Limit field has a value of 255"

16:35 <KanjiMonster> that was not silently ;p

16:36 <stintel> so the problem came from a wrong arp entry, vrrp setup, the client had fe80::1 associated with the mac of the router that went to backup state

16:36 <dwfreed> KanjiMonster: that's not received, note it says "reject iot out"

16:37 <KanjiMonster> true

16:37 <dwfreed> stintel: ah, so the backup router was trying to forward all traffic to the active router

16:38 <stintel> well the client was sending packets for fe80::1 to the backup router, which did not have the IP assigned to that interface, and thus decides to forward it again

16:38 <dwfreed> yeah

16:39 <stintel> I think the problem was vrrp_startup_delay too low

16:39 <dwfreed> "I don't have that IP, I don't know why you sent it to me, but I do know how to reach that IP and I can forward, so let me forward that for you"

16:39 <dwfreed> "oh wait, firewall says lolno"

16:40 <stintel> yeah, I can see why it happens, still it seems weird to forward that kind of packet

16:40 <dwfreed> routers do weird things

16:40 <stintel> :P

16:43 <stintel> ugh I should dig into this whole vrrp setup again

16:44 <stintel> I have use_vmac enabled, but then

16:44 <stintel> my switch is constantly complaining about the MAC flapping

16:45 <stintel> so I enabled vmac_xmit_base

16:52 <dwfreed> meanwhile I'm about to attempt to transmit a routing protocol over a tunnel protocol that was not intended to carry it, with some nasty hacks

16:53 <dwfreed> (IS-IS over wireguard, with the help of gretap, intended such that only IS-IS goes over the gretap)

16:55 <stintel> :D

16:55 <stintel> not only routers do weird things ;)

16:56 <jakllsch> dwfreed: to be fair, ISIS wasn't originally intended for IP..

16:58 <dwfreed> jakllsch: but that's the beauty of IS-IS, routing any packet protocol is just a matter of adding a few more types

16:58 <dwfreed> OSPF had to be redesigned to implement IPv6

17:12 <KanjiMonster> the routing protocol where searching for it might put you on some terror watch lists ;P

17:14 <SwedeMike> you can all rejoice that in the IETF, extensions to IS-IS and OSPF are now done in the same working group, at the same time, because the protocols are very similar to what mechanisms and information they carry

17:14 <jakllsch> there are a lot of innocuous words that do that now...

17:14 <jakllsch> like "diversity"

17:21 <dwfreed> yeah...