Andrew Niemantsverdriet
2009-Nov-04 23:11 UTC
Bridge Setup and Kernel Virtual Machines aka KVM
I am trying to follow this document: http://shorewall.net/bridge-Shorewall-perl.html

I am confused as to how to write my interfaces file. My host has two interfaces, eth0 and vmbr0; all the KVM machines attach to vmbr0, so how do I define that in my interfaces file?

Currently my interfaces file looks like this:

    world    vmbr0         detect    bridge
    net      vmbr0:eth0
    dmz      ????

My zones file looks like this:

    fw           firewall
    world        ipv4
    net:world    bport
    dmz:world    bport

How would I go about setting this up? Before, I just did each firewall on the virtual machine, but that is now too hard to administrate, so Shorewall makes perfect sense. Any suggestions?

Thanks,
_
/-\ ndrew
Andrew Niemantsverdriet wrote:
> I am trying to follow this document:
> http://shorewall.net/bridge-Shorewall-perl.html
>
> I am confused as to how to write my interfaces file. My host has two
> interfaces, eth0 and vmbr0; all the KVM machines attach to vmbr0, so how
> do I define that in my interfaces file?
>
> Currently my interfaces file looks like this:
>     world    vmbr0         detect    bridge
>     net      vmbr0:eth0
>     dmz      ????
>
> My zones file looks like this:
>     fw           firewall
>     world        ipv4
>     net:world    bport
>     dmz:world    bport
>
> How would I go about setting this up? Before, I just did each
> firewall on the virtual machine, but that is now too hard to
> administrate, so Shorewall makes perfect sense. Any suggestions?

Please forward the output of 'brctl show'

-Tom
--
Tom Eastep        \ When I die, I want to go like my Grandfather who
Shoreline,         \ died peacefully in his sleep. Not screaming like
Washington, USA     \ all of the passengers in his car
http://shorewall.net \________________________________________________
Andrew Niemantsverdriet
2009-Nov-05 14:48 UTC
Re: Bridge Setup and Kernel Virtual Machines aka KVM
Hi

On Wed, Nov 4, 2009 at 7:06 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Please forward the output of 'brctl show'
>
> -Tom

    localhost:~# brctl show
    bridge name     bridge id               STP enabled     interfaces
    vmbr0           8000.00151746d264       no              eth0
                                                            vmtab108i0
                                                            vmtab115i0
                                                            vmtab116i0

Hopefully the formatting does not get eaten by the mailing list manager.

The ultimate goal is to allow for migrations of virtual machines between physical servers all running Shorewall.
Andrew Niemantsverdriet wrote:
> localhost:~# brctl show
> bridge name     bridge id               STP enabled     interfaces
> vmbr0           8000.00151746d264       no              eth0
>                                                         vmtab108i0
>                                                         vmtab115i0
>                                                         vmtab116i0
>
> Hopefully the formatting does not get eaten by the mailing list manager.
>
> The ultimate goal is to allow for migrations of virtual machines
> between physical servers all running Shorewall.

In /etc/shorewall/interfaces, you want:

    dmz      vmbr0:vmtab+

-Tom
Andrew Niemantsverdriet
2009-Nov-05 16:10 UTC
Re: Bridge Setup and Kernel Virtual Machines aka KVM
Hi,

On Thu, Nov 5, 2009 at 7:58 AM, Tom Eastep <teastep@shorewall.net> wrote:
> In /etc/shorewall/interfaces, you want:
>
>     dmz      vmbr0:vmtab+
>
> -Tom

Great, thanks for that. As I was thinking about how to put this into production I came across one more issue. The production machines have a much more complicated network setup. The main issue is they have an additional bridge interface.

    nickle:~# brctl show
    bridge name     bridge id               STP enabled     interfaces
    vmbr0           8000.001b2133eab8       no              bond0
                                                            vmtab120i0
                                                            vmtab108i0
                                                            vmtab115i0
                                                            vmtab116i0
    vmbr1           8000.00221958c73d       no              eth4
                                                            vmtab101i1

So I edited my interfaces file to look like this:

    world    vmbr0         detect    bridge
    world    vmbr1         detect    bridge
    net      vmbr0:bond0
    net      vmbr0:eth4
    dmz      vmbr0:vmtab+
    dmz      vmbr1:vmtab+
    dmz      venet0

When I run shorewall check it complains: ERROR: Duplicate Interface (vmtab+)

Also, the venet0 interface can be ignored; that is what OpenVZ machines connect to.

Sorry for so many questions; this is by far the most difficult firewall I have ever tried to do.

Thanks,
_
/-\ ndrew
Andrew Niemantsverdriet wrote:
> So I edited my interfaces file to look like this:
>     world    vmbr0         detect    bridge
>     world    vmbr1         detect    bridge
>     net      vmbr0:bond0
>     net      vmbr0:eth4
>     dmz      vmbr0:vmtab+
>     dmz      vmbr1:vmtab+
>     dmz      venet0
>
> When I run shorewall check it complains: ERROR: Duplicate Interface (vmtab+)

Hmmm -- that is an interesting limitation of the Shorewall-perl implementation of bridge-firewall. Let me look at the code a bit and get back to you.

-Tom
Andrew Niemantsverdriet
2009-Nov-05 16:46 UTC
Re: Bridge Setup and Kernel Virtual Machines aka KVM
Hi,

On Thu, Nov 5, 2009 at 9:10 AM, Andrew Niemantsverdriet <andrewniemants@gmail.com> wrote:
> So I edited my interfaces file to look like this:
>     world    vmbr0         detect    bridge
>     world    vmbr1         detect    bridge
>     net      vmbr0:bond0
>     net      vmbr0:eth4
>     dmz      vmbr0:vmtab+
>     dmz      vmbr1:vmtab+
>     dmz      venet0
>
> When I run shorewall check it complains: ERROR: Duplicate Interface (vmtab+)
>
> Also, the venet0 interface can be ignored; that is what OpenVZ machines
> connect to.

I retract my question. That just gets too complicated to deal with. I will change the architecture of my network so that there is just one bond device.
Andrew Niemantsverdriet
2009-Nov-05 18:19 UTC
Re: Bridge Setup and Kernel Virtual Machines aka KVM
Hi,

On Thu, Nov 5, 2009 at 9:38 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Hmmm -- that is an interesting limitation of the Shorewall-perl
> implementation of bridge-firewall. Let me look at the code a bit and get
> back to you.
>
> -Tom

I am resubmitting my question. I have to have two bridges for one virtual machine. So if you would look at the code and see what can be done I would appreciate it.

Thanks,
_
/-\ ndrew
Andrew Niemantsverdriet wrote:
> I am resubmitting my question. I have to have two bridges for one
> virtual machine. So if you would look at the code and see what can be
> done I would appreciate it.

Attached is a lightly-tested patch against 4.4.3.

    cd /usr/share/shorewall/Shorewall
    patch -p4 < <path to>/bridges.diff

Please let me know if you have problems.

-Tom
Andrew Niemantsverdriet
2009-Nov-05 19:58 UTC
Re: Bridge Setup and Kernel Virtual Machines aka KVM
Hi,

On Thu, Nov 5, 2009 at 11:58 AM, Tom Eastep <teastep@shorewall.net> wrote:
> Attached is a lightly-tested patch against 4.4.3.
>
>     cd /usr/share/shorewall/Shorewall
>     patch -p4 < <path to>/bridges.diff
>
> Please let me know if you have problems.

That still throws an error, however a different one:

    ERROR: Bridge Port zones may only be associated with a single bridge : /etc/shorewall/interfaces LINE 24

Line 24 is this:

    dmz      vmbr1:vmtab+

I am wondering if what I am trying to do is impossible using this method? My other idea would be to just use VLANs. I have never used VLANs inside of a KVM machine before. I would assume the bridge would pass the tagging just fine, so in the KVM machine I could make eth0.vlanid type interfaces and still have everything work? I don't know, as I don't have a way to test it. My switch that is in our non-production cluster does not do VLANs.
Andrew Niemantsverdriet wrote:
> That still throws an error, however a different one:
>     ERROR: Bridge Port zones may only be associated with a single bridge :
>     /etc/shorewall/interfaces LINE 24
>
> Line 24 is this:
>     dmz      vmbr1:vmtab+

Please:

a) shorewall show -f capabilities > /etc/shorewall/caps
b) tar -zcf shorewall.tgz /etc/shorewall

Send me the shorewall.tgz file.

Thanks,
-Tom
Andrew Niemantsverdriet wrote:
> That still throws an error, however a different one:
>     ERROR: Bridge Port zones may only be associated with a single bridge :
>     /etc/shorewall/interfaces LINE 24
>
> Line 24 is this:
>     dmz      vmbr1:vmtab+

Please disregard my last post. That error is legit; you must define separate zones (e.g., dmz1 and dmz2) for the two different bridges.

-Tom
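An added example, not Shorewall's code and not from the thread: it parses the `brctl show` listing posted above into a per-bridge zone layout of the kind Tom describes (dmz1/dmz2, and, applying the same single-bridge rule to the uplink side, net1/net2), and models the two `shorewall check` errors the thread hit. It assumes every guest port carries the Proxmox `vmtab` prefix and that the same `vmtab+` wildcard may recur once per bridge (the behaviour of the 4.4.3 patch); the error strings are a model of the checks, not Shorewall's implementation.

```python
"""Derive a Shorewall bridge-firewall layout from `brctl show` output and
model the two `shorewall check` errors seen in this thread."""
from collections import OrderedDict

# Constructed sample: the 'nickle' host listing from the thread, re-typed with
# spaces for alignment (real brctl output uses tabs; both parse the same way).
BRCTL_OUTPUT = """\
bridge name     bridge id               STP enabled     interfaces
vmbr0           8000.001b2133eab8       no              bond0
                                                        vmtab120i0
                                                        vmtab108i0
                                                        vmtab115i0
                                                        vmtab116i0
vmbr1           8000.00221958c73d       no              eth4
                                                        vmtab101i1
"""

# Assumption: every guest port follows the Proxmox VE 'vmtabNNNiN' naming seen
# in the thread, so this prefix separates guest ports from uplinks.
GUEST_PORT_PREFIX = "vmtab"

# Andrew's edited interfaces file from the thread (minus venet0), as
# (ZONE, INTERFACE) pairs; the OPTIONS column is kept inside the string.
THREAD_CONFIG = [
    ("world", "vmbr0 detect bridge"), ("world", "vmbr1 detect bridge"),
    ("net", "vmbr0:bond0"), ("net", "vmbr0:eth4"),
    ("dmz", "vmbr0:vmtab+"), ("dmz", "vmbr1:vmtab+"),
]


def parse_brctl(text):
    """Return an ordered {bridge: [ports]} mapping from `brctl show` output.
    A bridge row starts in column 0 (name, id, STP, optional first port);
    further ports follow one per indented continuation line."""
    bridges, current = OrderedDict(), None
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if not fields:
            continue
        if not line[0].isspace():
            current = fields[0]
            bridges[current] = fields[3:]
        elif current is not None:
            bridges[current].extend(fields)
    return bridges


def build_layout(bridges):
    """Return (zones, interfaces) rows with one bport zone per bridge and role:
    Tom's rule that a bridge-port zone belongs to a single bridge is applied
    to uplinks too, so bridge 1 gets net1/dmz1, bridge 2 net2/dmz2, ..."""
    zones = [("fw", "firewall"), ("world", "ipv4")]
    interfaces = []
    for n, (bridge, ports) in enumerate(bridges.items(), start=1):
        uplink, guest = f"net{n}", f"dmz{n}"
        zones += [(f"{uplink}:world", "bport"), (f"{guest}:world", "bport")]
        interfaces.append(("world", f"{bridge} detect bridge"))
        for port in ports:
            if not port.startswith(GUEST_PORT_PREFIX):
                interfaces.append((uplink, f"{bridge}:{port}"))
        if any(p.startswith(GUEST_PORT_PREFIX) for p in ports):
            # one wildcard entry per bridge; needs the 4.4.3 patch or 4.4.4
            interfaces.append((guest, f"{bridge}:{GUEST_PORT_PREFIX}+"))
    return zones, interfaces


def check_interfaces(rows, per_bridge_wildcards=False):
    """Model (not Shorewall's own code) of the two errors from the thread.
    Unpatched 4.4.3 allows a port wildcard like 'vmtab+' only once in the
    file; with per_bridge_wildcards=True it may recur once per bridge. In
    both modes a bport zone must not span more than one bridge."""
    errors, seen, zone_bridges = [], set(), OrderedDict()
    for zone, iface in rows:
        spec = iface.split()[0]
        if ":" not in spec:                     # the bridge device itself
            continue
        bridge, port = spec.split(":", 1)
        key = (bridge, port) if per_bridge_wildcards else port
        if key in seen:
            errors.append(f"ERROR: Duplicate Interface ({port})")
        seen.add(key)
        zone_bridges.setdefault(zone, set()).add(bridge)
    for zone, bs in zone_bridges.items():
        if len(bs) > 1:
            errors.append("ERROR: Bridge Port zones may only be associated "
                          f"with a single bridge ({zone})")
    return errors
```

Run against Andrew's posted file, the checker reports the duplicate-wildcard error first and, once wildcards are allowed per bridge, only the single-bridge zone error; the generated layout passes the second check because each bport zone names one bridge.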
Andrew Niemantsverdriet
2009-Nov-05 21:14 UTC
Re: Bridge Setup and Kernel Virtual Machines aka KVM
Hi,

On Thu, Nov 5, 2009 at 1:14 PM, Tom Eastep <teastep@shorewall.net> wrote:
> Please:
>
> a) shorewall show -f capabilities > /etc/shorewall/caps
> b) tar -zcf shorewall.tgz /etc/shorewall
>
> Send me the shorewall.tgz file.
>
> Thanks,
> -Tom

Oh yeah, duh, should have caught that myself. I will try that patch out and report any issues.

Thanks Tom,
_
/-\ ndrew
Andrew Niemantsverdriet wrote:
> Oh yeah, duh, should have caught that myself. I will try that patch out
> and report any issues.

It is a vile hack that breaks if you push it very far -- it would be much better if you can control the leading part of the generated interface names such that they are unique on the two bridges.

-Tom
Tom Eastep wrote:
> It is a vile hack that breaks if you push it very far -- it would be
> much better if you can control the leading part of the generated
> interface names such that they are unique on the two bridges.

I've decided to approach this problem differently by adding a 'physical' interface option. The option is currently only allowed when defining a bridge port and gives the actual name to be used in Netfilter rules.

There is an early version of Shorewall 4.4.4 at http://www1.shorewall.net/pub/private/4.4/shorewall-4.4.4/. The releasenotes.txt file describes the change (new feature 3). I believe that this is a much better approach as it preserves the notion that bridge port names are unique while at the same time allowing the same wildcard expression to be applied to the ports on multiple bridges.

-Tom
Andrew Niemantsverdriet
2009-Nov-06 19:49 UTC
Re: Bridge Setup and Kernel Virtual Machines aka KVM
Hi,

On Fri, Nov 6, 2009 at 10:08 AM, Tom Eastep <teastep@shorewall.net> wrote:
> I've decided to approach this problem differently by adding a 'physical'
> interface option. The option is currently only allowed when defining a
> bridge port and gives the actual name to be used in Netfilter rules.
>
> There is an early version of Shorewall 4.4.4 at
> http://www1.shorewall.net/pub/private/4.4/shorewall-4.4.4/. The
> releasenotes.txt file describes the change (new feature 3). I believe
> that this is a much better approach as it preserves the notion that
> bridge port names are unique while at the same time allowing the same
> wildcard expression to be applied to the ports on multiple bridges.
>
> -Tom

Tom, so if I am understanding this correctly the Proxmox VE bridge naming convention does not need to be changed? I have not had a chance to test it yet.

Thanks,
_
/-\ ndrew
Andrew Niemantsverdriet wrote:
> Tom, so if I am understanding this correctly the Proxmox VE bridge
> naming convention does not need to be changed? I have not had a
> chance to test it yet.

That's correct. You can simply specify the same 'physical' name for the ports on both bridges.

-Tom