Hello,

I have a setup which worked without a problem on Debian squeeze (shorewall 4.4.11.6-3) and now doesn't work any more on Debian wheezy (shorewall 4.5.5.3-3).

The setup includes 2 bridges: br0, which bridges to eth0, and br1, which bridges all virtual machines in a virtual LAN.

$ brctl show
bridge name   bridge id           STP enabled   interfaces
br0           8000.001517ee821c   no            eth0
br1           8000.fe54365c6402   no            vnet0
                                                vnet1
                                                vnet2

If I try to ping/connect the LAN machines I get drops:

Shorewall:FORWARD:DROP:IN=br1 OUT=br1 PHYSIN=vnet0 PHYSOUT=vnet2 MAC=52:54:36:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx:xx SRC=10.12.10.5 DST=10.12.10.2 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=0 DF PROTO=ICMP TYPE=8 CODE=0 ID=2686 SEQ=187

/etc/shorewall/policy
.....
lan   $FW   ACCEPT   info
lan   net   ACCEPT   info
lan   lan   ACCEPT   info
....

/etc/shorewall/shorewall.conf
....
# this is set to Keep on squeeze and it is working
IP_FORWARDING=Yes
....

/etc/sysctl.conf
....
net.ipv4.ip_forward=1
....

It's quite strange because, as I said before, the same setup works for me on squeeze (I am deploying with puppet).

If I disable filtering, the virtual machines can ping each other:

/etc/sysctl.conf
....
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
....

Any ideas?

Regards
Julian
On 05/23/2013 12:54 PM, dev@c33s.net wrote:
> Any ideas?

Add the 'routeback' option for br1 in /etc/shorewall/interfaces.

-Tom

-- 
Tom Eastep            \ When I die, I want to go like my Grandfather who
Shoreline,             \ died peacefully in his sleep. Not screaming like
Washington, USA         \ all of the passengers in his car
http://shorewall.net     \________________________________________________
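The fix Tom gives, worked through as an added example. This is editor's code, not code from the thread or from the Shorewall project: the log lines are constructed (modelled on the DROP in the original post), the zone-to-bridge pairing (net on br0, lan on br1) is an assumption, since the thread only shows the policy file, and the column layout follows the ZONE / INTERFACE / BROADCAST / OPTIONS format of /etc/shorewall/interfaces in the 4.5 series. The script triages Shorewall DROP/REJECT log lines for the hairpin signature (IN and OUT are the same interface) and prints the interfaces entry that adds routeback for each affected bridge, appending to any existing option list.

```shell
#!/bin/sh
# Added example (not from the thread or the Shorewall project).
# Finds Shorewall drops where a packet entered and would leave through the
# same interface, which is what inter-VM traffic on a bridge looks like to
# the FORWARD chain when net.bridge.bridge-nf-call-iptables=1, and prints
# the /etc/shorewall/interfaces line that permits it via 'routeback'.

# Constructed sample log lines. Line 2 is an ordinary cross-interface drop
# (br0 -> br1) and must not be flagged; lines 1 and 3 are the hairpin case.
SAMPLE_LOG='May 23 21:50:01 host kernel: Shorewall:FORWARD:DROP:IN=br1 OUT=br1 PHYSIN=vnet0 PHYSOUT=vnet2 SRC=10.12.10.5 DST=10.12.10.2 LEN=84 PROTO=ICMP TYPE=8 CODE=0
May 23 21:50:02 host kernel: Shorewall:net2lan:DROP:IN=br0 OUT=br1 SRC=203.0.113.9 DST=10.12.10.2 LEN=60 PROTO=TCP SPT=44444 DPT=22
May 23 21:50:03 host kernel: Shorewall:FORWARD:DROP:IN=br1 OUT=br1 PHYSIN=vnet1 PHYSOUT=vnet0 SRC=10.12.10.7 DST=10.12.10.5 LEN=60 PROTO=TCP SPT=51000 DPT=80'

# Print each interface (once) that appears as both IN= and OUT= on a
# Shorewall DROP or REJECT line. Takes the log text as $1.
hairpin_drop_ifaces() {
    printf '%s\n' "$1" | awk '
        /Shorewall:[^ ]*:(DROP|REJECT):/ {
            in_if = ""; out_if = ""
            for (i = 1; i <= NF; i++) {
                # IN= is glued to the log prefix ("...:DROP:IN=br1"), so
                # match it at the start of a field or after a colon; this
                # also keeps PHYSIN= / PHYSOUT= from being picked up.
                if ($i ~ /^IN=/ || $i ~ /:IN=/) { f = $i; sub(/.*IN=/, "", f); in_if = f }
                else if ($i ~ /^OUT=/) { out_if = substr($i, 5) }
            }
            if (in_if != "" && in_if == out_if && !seen[in_if]++) print in_if
        }'
}

# Map a bridge to its Shorewall zone.
# ASSUMPTION: the thread never shows the interfaces file, so net=br0 and
# lan=br1 is inferred from the policy entries, not taken from the post.
zone_for_iface() {
    case $1 in
        br0) echo net ;;
        br1) echo lan ;;
        *)   echo unknown ;;
    esac
}

# Emit an interfaces entry: ZONE INTERFACE BROADCAST OPTIONS.
# $3 is the interface's existing OPTIONS list (optional); routeback is
# appended to it exactly once so re-running the script stays idempotent.
routeback_entry() {
    zone=$1; iface=$2; opts=${3:-}
    case ",${opts}," in
        *,routeback,*) ;;
        *) if [ -n "$opts" ]; then opts="$opts,routeback"; else opts=routeback; fi ;;
    esac
    printf '%-8s %-12s %-10s %s\n' "$zone" "$iface" "-" "$opts"
}

# Glue: one suggested interfaces line per bridge that shows hairpin drops.
suggest_fixes() {
    hairpin_drop_ifaces "$1" | while read -r iface; do
        routeback_entry "$(zone_for_iface "$iface")" "$iface"
    done
}

suggest_fixes "$SAMPLE_LOG"
```

Apply the printed line to /etc/shorewall/interfaces (merging it into the bridge's existing entry rather than adding a second one), then run `shorewall check` before `shorewall restart`. The reason to prefer routeback over the sysctl workaround in the original post: with net.bridge.bridge-nf-call-iptables=0 the bridged frames never reach iptables at all, so the lan lan policy and its logging stop applying to VM-to-VM traffic; with routeback the frames stay in the FORWARD chain and are still subject to that policy and to any rules entries for the lan zone.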
Works like a charm. Thank you very much.

Regards
Julian

On 23/05/2013 22:38, Tom Eastep wrote:
> On 05/23/2013 12:54 PM, dev@c33s.net wrote:
>> Any ideas?
>
> Add the 'routeback' option for br1 in /etc/shorewall/interfaces.
>
> -Tom

_______________________________________________
Shorewall-users mailing list
Shorewall-users@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/shorewall-users