Hi,

Is there a limit on the number of IPs I can specify via the config file for domU's ?

--
regards,

Anand Gupta

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users

anyone ??

On 4/9/09, Anand Gupta <xen.mails@gmail.com> wrote:
> Hi,
>
> Is there a limit on the number of ips i can specify via the config file for
> domU's ?

--
regards,

Anand Gupta

On Sat, Apr 11, 2009 at 12:17:19AM +0530, Anand Gupta wrote:
> anyone ??

I believe I had heard of a limit of 3 subnets. I don't recall limits on the number of IPs and I don't know if the 3 subnet limit is still true.

--
Nick Anderson <nick@anders0n.net>
http://www.cmdln.org

Hmm... So if I have to assign, let's say, 6 IPs to a domU, what is the best method to do so ?

--
Thanks
Anand Gupta

On 4/11/09, Nick Anderson <nick@anders0n.net> wrote:
> I believe I had heard of a limit of 3 subnets. I don't recall limits
> on the number of ips and I don't know if the 3 subnet limit is still
> true.

I've been using VLAN interfaces encapsulated over one NIC (well, virtual NIC) in my domUs with no problems. You'll probably need a layer 2 eth switch under your control for that...

-Mike

---
Michael D Labriola
21 Rip Van Winkle Cir
Warwick, RI 02886
401-316-9844

-----Original Message-----
From: Anand Gupta <xen.mails@gmail.com>
Date: Sat, 11 Apr 2009 01:35:48
To: Nick Anderson<nick@anders0n.net>
Cc: Xen Users<Xen-users@lists.xensource.com>
Subject: Re: [Xen-users] Re: number of ips

Hmm... So if i have to assign lets say 6 ips to a domU, what is the best method to do so ?

On Sat, Apr 11, 2009 at 01:35:48AM +0530, Anand Gupta wrote:
> Hmm... So if i have to assign lets say 6 ips to a domU, what is the
> best method to do so ?

Well, if they are all on the same subnet and you're using standard bridging and using a Linux domU, you should be able to just bring up virtual interfaces:

ifconfig eth0:0 192.168.1.2
ifconfig eth0:1 192.168.1.3
ifconfig eth0:2 192.168.1.4

--
Nick Anderson <nick@anders0n.net>
http://www.cmdln.org

Hi Nick,

Thanks for the reply. What if they are on a different subnet ? And then what stops a user inside the domU from adding any IP in that series (as long as the IPs are assigned and routable to the server) and starting to use it ?

On 4/11/09, Nick Anderson <nick@anders0n.net> wrote:
> Well if they are all on the same subnet and your using standard
> bridging and using a linux domU you should be able to just bring
> virtual interfaces.
>
> ifconfig eth0:0 192.168.1.2
> ifconfig eth0:1 192.168.1.3
> ifconfig eth0:2 192.168.1.4

--
regards,

Anand Gupta

Anand Gupta wrote:
> Hi Nick,
>
> Thanks for the reply. What if they are on different subnet ? And then
> what stops a user inside domU to add any ip in that series (as long as
> the ips are assigned and routable to the server) and start to use it ?

Hi Anand,

I just want to understand more about your problem. Do you want to be able to have many IPs on the domU, or do you worry about users trying to add too many IPs that can affect the system ?

Thanks,

Vu

Hi Vu,

Actually both. I am basically offering VPS services. So it's critical for my setup that users use only the IPs I have assigned to their domU. They shouldn't arbitrarily add IP series and start to use them. Further, I have some domU's where I have to add multiple IPs for use inside them.

On 4/11/09, Vu Pham <vu@sivell.com> wrote:
> Hi Anand,
>
> I just want to understand more about your problem. Do you want to be
> able to have many IPs on domU or do you worry about users trying to add
> too many IPs that can affect the system ?
>
> Thanks,
>
> Vu

--
regards,

Anand Gupta

Anand Gupta wrote:
> Thanks for the reply. What if they are on different subnet ? And then
> what stops a user inside domU to add any ip in that series (as long as
> the ips are assigned and routable to the server) and start to use it ?

I'll chip in with a question of my own. What does specifying an IP in the DomU config actually do, and how would it actually be referenced in the guest OS ?

So far, I've just treated each guest (all Debian) the same as I'd treat a standalone machine - ie I've just configured the virtual interfaces as I would configure real interfaces.

If the networking in Dom0 is a bridge, then it shouldn't care what IPs the guests use - not even what subnet. So unless I'm missing something, each guest should be able to pretty well do what it wants regarding IP addresses.

--
Simon Hobson

What is it that you're wanting to achieve? You can use bridging for one IP and, say, a private network for another if that makes more sense. I've used this approach when using a VM as a QA version of a JMS server when the production server had seven NICs.

On Apr 10, 2009, at 5:28 PM, Anand Gupta <xen.mails@gmail.com> wrote:
> Hi Nick,
>
> Thanks for the reply. What if they are on different subnet ? And then
> what stops a user inside domU to add any ip in that series (as long as
> the ips are assigned and routable to the server) and start to use it ?

Hi Peter,

Here is what I want to achieve.

1. I want to assign multiple IPs to a domU. These IPs can be in different subnets.
2. I want to be able to stop users from arbitrarily binding IPs inside their domU and starting to use them.

Using bridge/routing mode is not an issue; whatever resolves the problem, I am ready to use that.

On 4/11/09, Peter Booth <peter_booth@mac.com> wrote:
> What is it that you're wanting to achieve? You can use bridging for
> one IP and, say, a private network for another if that makes more
> sense. I've used this approach when using a VM as a QA version of a
> JMS server when the production server had seven NICs

--
regards,

Anand Gupta

http://toic.org/2008/09/22/preventing-ip-conflicts-in-xen/

If I'm reading this correctly, this is what you want.

On Sat, Apr 11, 2009 at 12:02 AM, Anand Gupta <xen.mails@gmail.com> wrote:
> Hi Peter,
>
> Here is what i want to achieve.
>
> 1. I want to assign multiple ips to a domU. These ips can be in
> different subnet.
> 2. I want to be able to stop users from arbitrarily binding ips inside
> their domU, and start using them.
>
> Using bridge/ routing mode is not an issue, whatever resolves the
> problem, i am ready to use that.

Anand Gupta wrote:
> Hi Vu,
>
> Actually both. I am basically offering vps services. So its critical
> for my setup that users use only the ips i have assigned to their
> domU. They shouldn't arbitrarily add ip series and start to use them.
> Further i have some domU's where i have to add multiple ips for use
> inside them.

Are the users just non-root users ? Or are you going to let them access their domU as root accounts so they have systems with all permissions ?

Non-root users cannot assign IP addresses, I believe.

Vu

Vu Pham wrote:
> Are the users just non-root users ? Or are you going to let them access
> their domU as root accounts so they have systems with all permissions ?
>
> Non-root users cannot assign ip address, I believe.

I clicked Send too fast. If they are root users, you can set up iptables on dom0 to block them according to the IPs you assign to them. If they assign more, those IPs cannot get out.

Vu

On Sat, Apr 11, 2009 at 6:02 AM, Anand Gupta <xen.mails@gmail.com> wrote:
> Hi Peter,
>
> Here is what i want to achieve.
>
> 1. I want to assign multiple ips to a domU. These ips can be in
> different subnet.
> 2. I want to be able to stop users from arbitrarily binding ips inside
> their domU, and start using them.

Short answer : If you have both clients with real servers and clients on domU, the easiest way is to treat the domU like a real server.

That means you should assign IPs in small blocks. For example, if you have a big 10.11.25.0/24 address space, you give them out in small blocks : 10.11.25.0/29, 10.11.25.8/29, and so on. If they need additional addresses, you can route them via their existing address. Each domU is connected via its own bridge to dom0.

Regards,

Fajar

I think you would have to use etanles to do what you want. It is no different than having customers on dedicated servers with root access.

On Apr 10, 2009, at 9:16 PM, "Fajar A. Nugraha" <fajar@fajar.net> wrote:
> Short answer : If you have both clients with real server and clients
> on domU, the easiest way is to treat domU like a real server.
>
> That means you should assign IPs in small blocks. For example, if you
> have a big 10.11.25.0/24 address space, you give them out in small
> blocks : 10.11.25.0/29, 10.11.25.8/29, and so on. If they need
> additional address, you can route it via their existing address. Each
> domU is connected via its own bridge to dom0.

On Sat, Apr 11, 2009 at 10:05 AM, Nick Anderson <nick@anders0n.net> wrote:
> I think you would have to use etanles to do what you want. It is no
> different than having customers on dedicated servers with root access.

etanles? Do you mean ebtables? If that's what you mean, then no, it's not a requirement. Not if each domU (or physical server) is located on its own separate network (or vlan), and you only give the domU that vlan (not using trunk).

Yup, this is a lot like what I want to achieve. Does this work with the version of Xen which ships with CentOS 5.3 ? I have a new machine being set up today; I will need to try this out, if it works.

On 4/11/09, David <admin@dmarkey.com> wrote:
> http://toic.org/2008/09/22/preventing-ip-conflicts-in-xen/
>
> If i'm reading this correctly, this is what you want.

--
regards,

Anand Gupta

Hi Vu,

Of course these users are all root users; each domU root user is maintaining theirs themselves.

Can you recommend how to use iptables to achieve this ? The earlier solutions I seem to have seen are all based on ebtables.

On Sat, Apr 11, 2009 at 5:33 AM, Vu Pham <vu@sivell.com> wrote:
> I click Send to fast. If they are root users, you can set up iptables on
> dom0 to block them according to the IPs you assign to them. If they assign
> more, those IPs cannot get out.
>
> Vu

--
regards,

Anand Gupta

Hi Fajar,

Right now I have 10-odd IPs for a dom0, and more are in the process of being allocated (perhaps from a different subnet). Now for starters I wish to assign 4 IPs on one domU, 5 on another. I just don't want the users to try and bind additional IPs, unless they have been authorized to do so.

So you mean to say I should create different bridges for each domU ? Can you give more of an idea of how I can do so ?

On Sat, Apr 11, 2009 at 7:46 AM, Fajar A. Nugraha <fajar@fajar.net> wrote:
> Short answer : If you have both clients with real server and clients
> on domU, the easiest way is to treat domU like a real server.
>
> That means you should assign IPs in small blocks. For example, if you
> have a big 10.11.25.0/24 address space, you give them out in small
> blocks : 10.11.25.0/29, 10.11.25.8/29, and so on. If they need
> additional address, you can route it via their existing address. Each
> domU is connected via its own bridge to dom0.

--
regards,

Anand Gupta

Disclaimer: I have never actually tried this, but I don't see any reason why it wouldn't work. You might also be interested in reading http://ebtables.sourceforge.net/br_fw_ia/br_fw_ia.html

As far as I'm aware, Xen (at least in Debian; check the xend-config.sxp & the network scripts it uses, most likely network-bridge & vif-bridge) adds the appropriate iptables entries to allow traffic to pass from the domains if you are operating purely on Xen config (if your iptables' FORWARD policy is otherwise secure. Tho, generally it isn't).

The vif-bridge script adds two rules to iptables when a new vif interface is brought up:

-A FORWARD -s $IPOFDOMU/32 -m physdev --physdev-in $DOMUVIF -j ACCEPT
# like IPOFDOMU=52.35.123.250 and DOMUVIF=vif6.0

-A FORWARD -p udp -m physdev --physdev-in $DOMUVIF -m udp --sport 68 --dport 67 -j ACCEPT
# For DHCP traffic. Of course in your case this should be removed (or simply add a rule at the top of the FORWARD chain that blocks port 67 and 68 traffic).

Basically what you first need to do is create a ruleset for the FORWARD chain that permits anything from the external interface and let Linux decide what to do with it. You could, of course, also check that they are destined to legitimate IP addresses. After that is working, when a domain is created, it should add the appropriate rules automatically. The last rule (or policy) should be DROP.

Xen doesn't handle adding IPs to the guest OS, so that is manual work on the guest OS (of course, there are many ways to automate that (like installing a puppet agent on the guest domains and making Dom0 the puppetmaster)).

-Eljas Alakulppi

On Sat, 11 Apr 2009 13:52:57 +0300, Anand Gupta <xen.mails@gmail.com> wrote:
> Hi Vu,
> Ofcourse these users are all root users, each domU root user is
> maintaining
> their themselves.
>
> Can you recommend how to use iptables to achieve this ? The earlier
> solutions i seem to have seen are all based on ebtables.

I tried to use the antispoof feature, thinking it should do the trick. Modified /etc/xen/xend-config.sxp as follows:

(network-script 'network-bridge antispoof=yes')

Restarted Xen, and then checked the iptables --list. I don't see the DROP rules added.

Here is iptables before start of domU
****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
****************************************************************************************************************

Here it is after domU was started
****************************************************************************************************************
Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  anywhere             192.168.122.0/24    state RELATED,ESTABLISHED
ACCEPT     all  --  192.168.122.0/24     anywhere
ACCEPT     all  --  anywhere             anywhere
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
****************************************************************************************************************

The only difference between the two outputs is

> ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif6.0

Any ideas why this is happening ?

P.S. : If I am wrong in thinking that the above will resolve the problem of users binding IPs on their domU and using them, please correct me.

--
regards,

Anand Gupta

On Sat, Apr 11, 2009 at 5:55 PM, Anand Gupta <xen.mails@gmail.com> wrote:
> Hi Fajar,
> Right now I have 10 odd ips for a dom0, and in process more will be
> allocated (perhaps from a different subnet). Now for starters I wish to
> assign 4 ips on a domU, 5 on another. I just don't want the users to try and
> bind additional ips, unless they have been authorized to do so.
> So you mean to say, I should create different bridges for each domU? Can
> you give more idea on how I can do so?

It seems I misunderstood your requirement.
I thought that you work for an ISP (like I do) and have control over
many blocks of IP addresses and are used to assigning them to clients
(colocation clients, leased line, etc.) using CIDR
(http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). If that
were the case then the easiest way would be to treat domU like any
other real server, and to treat dom0 like a switch with vlan support.
Apparently that's not the case :)

If you only have a small number of IP addresses on the same subnet,
and can't really afford to lose some of them to do CIDR (for router,
network, and broadcast address), then the link David sent about
ebtables seems like your best bet.

Regards,

Fajar
Like I said before, Xen doesn't add DROP rules by default, only ACCEPT (so
you need to set policy to DROP. Tho, it does seem like setting antispoof=on
should take care of setting policy to DROP on at least Debian. Maybe your
firewall script starts after Xen takes care of networking? I have never used
Xen on CentOS, so I'm not too sure about its specific details).

Regarding the fact that there is no IP specified on the ACCEPT rule, what
do your iptables commands in the vif script look like?

Oh, and I assume you want to remove state match from the first rule
(otherwise the virtual servers will not allow any new connections) & remove
the second rule (allows all traffic originating from 192.168.122.0/24. If
there are no other match requirements, it will allow DomUs to spoof addresses
from 192.168.122.0/24). The third FORWARD rule seems like everything gets
ACCEPT'ed there. Also, please use iptables-save, iptables -L doesn't include
all of the details (like -i and -o).

So, to wrap it up, the iptables-save should look something like:

*filter
...
:FORWARD DROP [0:0]
...
-A FORWARD -d 192.168.122.0/24 -j ACCEPT
  #Tho, this allows spoofing between two DomUs. You could try adding
  #-m physdev --physdev-in eth0 or whatever your external interface is
...

And once you start, there should be one more rule on FORWARD chain:

-A FORWARD -s 192.168.122.5/32 -m physdev --physdev-in vif6.0 -j ACCEPT
  #or whatever the IP and vif happened to be

-Eljas Alakulppi

On Sat, 11 Apr 2009 14:47:45 +0300, Anand Gupta <xen.mails@gmail.com> wrote:
> I tried to use the antispoof feature thinking it should do the trick.
> Modified /etc/xen/xend-config.sxp as follows:
>
> (network-script 'network-bridge antispoof=yes')
>
> Restarted xen, and then checked iptables --list. I don't see the DROP
> rules added.
>
> The only difference between both the outputs is
>
>> ACCEPT     all  --  anywhere             anywhere             PHYSDEV match --physdev-in vif6.0
>
> Any ideas why this is happening?
>
> P.S. : If I am wrong in thinking that the above will resolve the problem
> of users binding ips of their domU and using them, please correct me.

--
Using Opera's revolutionary e-mail client: http://www.opera.com/mail/
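An added example, not code from Eljas's mail, the thread, or Xen's own vif scripts: a small POSIX shell script that emits the per-vif rules in the iptables-save form described above and audits a dump for the two symptoms visible in Anand's output (FORWARD policy still ACCEPT, and a vif ACCEPT rule with no source address). It assumes vif6.0 and 192.168.122.5 from the dumps in the thread and eth0 as the physical uplink; the sample dump is constructed.

```shell
#!/bin/sh
# Added example; not code from the thread or from Xen's own vif scripts.
# Assumptions: the domU's vif is vif6.0 and its allocated address is
# 192.168.122.5 (both taken from the dumps in the thread); the physical
# uplink is eth0 (assumed). Generating and auditing rules needs no
# privileges; loading them with iptables-restore does. physdev matches only
# see bridged frames when net.bridge.bridge-nf-call-iptables is 1.

# gen_antispoof_rules VIF "IP [IP ...]" [EXTIF]
# Emit a *filter fragment in iptables-save syntax: FORWARD policy DROP,
# then, per allowed address, one rule for frames leaving the domU and one
# for frames entering it. Both are pinned to the uplink, which is the
# point Eljas raised: a plain "-d subnet -j ACCEPT" would let a domU on
# the same bridge forge a neighbour's address.
gen_antispoof_rules() {
    vif=$1
    ips=$2
    extif=${3:-eth0}
    printf '%s\n' '*filter'
    printf '%s\n' ':FORWARD DROP [0:0]'
    for ip in $ips; do
        printf '%s\n' "-A FORWARD -s $ip/32 -m physdev --physdev-in $vif --physdev-out $extif -j ACCEPT"
        printf '%s\n' "-A FORWARD -d $ip/32 -m physdev --physdev-in $extif --physdev-out $vif -j ACCEPT"
    done
    printf '%s\n' 'COMMIT'
}

# forward_policy: read iptables-save text on stdin, print the FORWARD policy.
forward_policy() {
    awk '$1 == ":FORWARD" { print $2 }'
}

# unscoped_vif_accepts: read iptables-save text on stdin and print every
# FORWARD ACCEPT rule that selects a vif with --physdev-in but has no -s
# address. That is the rule Anand's dump shows for vif6.0: it lets any
# source address out of the domU, so no anti-spoofing is in effect.
unscoped_vif_accepts() {
    awk '/^-A FORWARD / && /--physdev-in vif/ && /-j ACCEPT/ && !/ -s /'
}

# audit_dump DUMP: return 0 when the dump has FORWARD policy DROP and no
# unscoped vif rule, 1 otherwise, printing what was found.
audit_dump() {
    dump=$1
    rc=0
    pol=$(printf '%s\n' "$dump" | forward_policy)
    if [ "$pol" != DROP ]; then
        echo "FORWARD policy is ${pol:-unset}, expected DROP"
        rc=1
    fi
    bad=$(printf '%s\n' "$dump" | unscoped_vif_accepts)
    if [ -n "$bad" ]; then
        echo "vif ACCEPT rule(s) without a source address:"
        printf '%s\n' "$bad"
        rc=1
    fi
    return $rc
}

# Constructed sample: what iptables-save would show for the state in Anand's
# iptables -L output (policy ACCEPT, vif rule with no address).
SAMPLE_SAVE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -d 192.168.122.0/24 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif6.0 -j ACCEPT
COMMIT'

echo "== audit of the constructed dump =="
audit_dump "$SAMPLE_SAVE" || true
echo "== rules to load for vif6.0 (iptables-restore < file) =="
gen_antispoof_rules vif6.0 "192.168.122.5"
```

Run the audit against a real `iptables-save` dump to see whether antispoof actually took effect; a per-domU `ip=` list from the guest config can be passed as the second argument to generate its rules.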
Hi Eljas,

My dom0 basically has 2 networks, eth0 - 172.20.x.x and eth1 - 192.168.122.x.
Now presently the domU is bound on the bridge with eth0, which is where I am
concerned right now. The same would be implemented in a scene with all real
ips.

I checked the firewall and there is no firewall enabled on dom0. Sorry but I
am still confused on how and what you are proposing here.

On Sat, Apr 11, 2009 at 6:34 PM, Eljas Alakulppi <Buzer@buzer.net> wrote:
> Like I said before, Xen doesn't add DROP rules by default, only ACCEPT (so
> you need to set policy to DROP. Tho, it does seem like setting antispoof=on
> should take care of setting policy to DROP on at least Debian. Maybe your
> firewall script starts after Xen takes care of networking? I have never used
> Xen on CentOS, so I'm not too sure about its specific details).
>
> Regarding the fact that there is no IP specified on the ACCEPT rule, what
> do your iptables commands in the vif script look like?
>
> Oh, and I assume you want to remove state match from the first rule
> (otherwise the virtual servers will not allow any new connections) & remove
> the second rule (allows all traffic originating from 192.168.122.0/24. If
> there are no other match requirements, it will allow DomUs to spoof addresses
> from 192.168.122.0/24). The third FORWARD rule seems like everything gets
> ACCEPT'ed there. Also, please use iptables-save, iptables -L doesn't include
> all of the details (like -i and -o).
>
> So, to wrap it up, the iptables-save should look something like:
> *filter
> ...
> :FORWARD DROP [0:0]
> ...
> -A FORWARD -d 192.168.122.0/24 -j ACCEPT #Tho, this allows spoofing
> between two DomUs. You could try adding -m physdev --physdev-in eth0 or
> whatever your external interface is
> ...
> And once you start, there should be one more rule on FORWARD chain
> -A FORWARD -s 192.168.122.5/32 -m physdev --physdev-in vif6.0 -j ACCEPT
> #or whatever the IP and vif happened to be
>
> -Eljas Alakulppi

--
regards,

Anand Gupta
Hi Fajar,

Yup true. I don't have many ip blocks using which I can divide subnets etc. I
have to deal with what I have. Will check the ebtables and see if I can get it
to work.

Thanks for all the help.

On Sat, Apr 11, 2009 at 5:43 PM, Fajar A. Nugraha <fajar@fajar.net> wrote:
> It seems I misunderstood your requirement.
> I thought that you work for an ISP (like I do) and have control over
> many blocks of IP addresses and are used to assigning them to clients
> (colocation clients, leased line, etc.) using CIDR
> (http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing). If that
> were the case then the easiest way would be to treat domU like any
> other real server, and to treat dom0 like a switch with vlan support.
> Apparently that's not the case :)
>
> If you only have a small number of IP addresses on the same subnet,
> and can't really afford to lose some of them to do CIDR (for router,
> network, and broadcast address), then the link David sent about
> ebtables seems like your best bet.
>
> Regards,
>
> Fajar

--
regards,

Anand Gupta
Anand Gupta wrote:
> Hi Eljas,
>
> My dom0 basically has 2 networks, eth0 - 172.20.x.x and eth1 -
> 192.168.122.x. Now presently the domU is bound on the bridge with eth0,
> which is where I am concerned right now. The same would be implemented
> in a scene with all real ips.
>
> I checked the firewall and there is no firewall enabled on dom0. Sorry
> but I am still confused on how and what you are proposing here.

The firewall file should be /etc/sysconfig/iptables. To be sure the
firewall is on when you start your system, use "chkconfig iptables on".
If your firewall has not been started, you can start it manually by
"service iptables start", assuming you have CentOS or RHEL for dom0.

Vu
I'm a little puzzled by this. My starting point is that I can sometimes use
technology to protect against foolishness but it's much harder to protect
against malice.

I believe that the xen 3 limit is 3 vifs per VM. So if you create all three,
with one bridge mode with an assigned ip and the two private networks, what
can a user do thru ignorance or malice to break this?

1. They can reconfigure their "real IP" to a diff value on the subnet and
presumably we'll see an error on both devices that are trying to use the VM
2. What happens if they create virtual devices based on their "real" device?
Can they bind these to different IPs on the subnet?

Is there any reason to expect they would do this? Can you fire your users if
they are malicious? This seems as much a human issue as a technical one.

On Apr 11, 2009, at 3:21 PM, Vu Pham <vu@sivell.com> wrote:
> Anand Gupta wrote:
>> Hi Eljas,
>> My dom0 basically has 2 networks, eth0 - 172.20.x.x and eth1 -
>> 192.168.122.x. Now presently the domU is bound on the bridge with eth0,
>> which is where I am concerned right now. The same would be implemented
>> in a scene with all real ips.
>> I checked the firewall and there is no firewall enabled on dom0.
>> Sorry but I am still confused on how and what you are proposing here.
>
> The firewall file should be /etc/sysconfig/iptables. To be sure the
> firewall is on when you start your system, use "chkconfig iptables
> on".
> If your firewall has not been started, you can start it manually by
> "service iptables start", assuming you have CentOS or RHEL for dom0.
>
> Vu
On Sun, Apr 12, 2009 at 2:34 AM, Peter Booth <peter_booth@mac.com> wrote:
> I believe that the xen 3 limit is 3 vifs per VM.

It used to be so. Not anymore.
On RHEL 5.2 that limit was removed. I'm not sure about the "vanilla" xen
though.

> So if you create all three,
> with one bridge mode with an assigned ip and the two private networks, what
> can a user do thru ignorance or malice to break this?

Anand's situation is different from what you describe. All domUs are
on the same network (same bridge), so on default setup it's possible
(for example) for one domU to assign IP address that was allocated to
other domUs.
Hi Vu,

On Sun, Apr 12, 2009 at 12:51 AM, Vu Pham <vu@sivell.com> wrote:
> Anand Gupta wrote:
>
>> Hi Eljas,
>>
>> My dom0 basically has 2 networks, eth0 - 172.20.x.x and eth1 -
>> 192.168.122.x. Now presently the domU is bound on the bridge with eth0, and
>> which is where I am concerned right now. The same would be implemented in a
>> scene with all real ips.
>>
>> I checked the firewall and there is no firewall enabled on dom0. Sorry but
>> I am still confused on how and what you are proposing here.
>
> The firewall file should be /etc/sysconfig/iptables. To be sure the
> firewall is on when you start your system, use "chkconfig iptables on".
> If your firewall has not been started, you can start it manually by
> "service iptables start", assuming you have CentOS or RHEL for dom0.

Thanks, but the service is already on. What I meant by saying firewall wasn't
on is that there are no default rules to accept/drop anything. Sorry for the
confusion.

--
regards,

Anand Gupta
Hi Peter,

On Sun, Apr 12, 2009 at 1:04 AM, Peter Booth <peter_booth@mac.com> wrote:
> I'm a little puzzled by this. My starting point is that I can sometimes use
> technology to protect against foolishness but it's much harder to protect
> against malice.
>
> I believe that the xen 3 limit is 3 vifs per VM. So if you create all
> three, with one bridge mode with an assigned ip and the two private
> networks, what can a user do thru ignorance or malice to break this?
> 1. They can reconfigure their "real IP" to a diff value on the subnet and
> presumably we'll see an error on both devices that are trying to use the VM
> 2. What happens if they create virtual devices based on their "real"
> device? Can they bind these to different IPs on the subnet?
>
> Is there any reason to expect they would do this? Can you fire your users
> if they are malicious? This seems as much a human issue as a technical one.

You can't always fire them. Imagine a situation wherein you are the dom0
administrator and all your domU are customers who manage their own domU. Now
you have assigned ips to them, and one of them tries to bind a different ip
as against what was assigned to it. I am just trying to find a way to stop
that from happening.

--
regards,

Anand Gupta
Hi Fajar,

Is it possible for all practical purposes that we create different bridges
for each domU? And traffic for each of them goes through their respective
bridges? If yes, can this be automated in some way? Sorry if I sound stupid.

P.S. : I am still waiting for the new centos5.3 machine to come in, where I
wish to run the ebtables testing.

On Sun, Apr 12, 2009 at 2:38 AM, Fajar A. Nugraha <fajar@fajar.net> wrote:
> On Sun, Apr 12, 2009 at 2:34 AM, Peter Booth <peter_booth@mac.com> wrote:
>> I believe that the xen 3 limit is 3 vifs per VM.
>
> It used to be so. Not anymore.
> On RHEL 5.2 that limit was removed. I'm not sure about the "vanilla" xen
> though.
>
>> So if you create all three,
>> with one bridge mode with an assigned ip and the two private networks,
>> what can a user do thru ignorance or malice to break this?
>
> Anand's situation is different from what you describe. All domUs are
> on the same network (same bridge), so on default setup it's possible
> (for example) for one domU to assign IP address that was allocated to
> other domUs.

--
regards,

Anand Gupta
> Thanks, but the service is already on. What I meant by saying firewall
> wasn't on is that there are no default rules to accept/drop anything.
> Sorry for the confusion.

Hi Anand,

The original firewall settings are based on what you select when you install
the system. It may be empty, or it may just have some basic rules like
allowing only ssh and/or web ... and block everything else. You have to
manually edit the rules according to what you need and save them.

Vu
On Sun, Apr 12, 2009 at 6:08 AM, Anand Gupta <xen.mails@gmail.com> wrote:
> Hi Fajar,
> Is it possible for all practical purposes that we create different bridges
> for each domU? And traffic for each of them goes through their respective
> bridges?

It would only make sense to do so when domUs are on different subnets.
Anand Gupta wrote:
> Hi Fajar,
>
> Is it possible for all practical purposes that we create different
> bridges for each domU? And traffic for each of them goes through their
> respective bridges? If yes, can this be automated in some way?

What do you mean by "automated"?

On my test Xen server, I need to generate some virtual networks (virbrX) and
some domUs on those networks. I use a bash script to generate the network xml
files (you can see the template from /etc/libvirt/qemu/networks/default.xml
and http://libvirt.org/formatnetwork.html for their xml tags). For domUs, I
also use a bash script to generate their /etc/xen/ files and assign their
network devices to the corresponding virbrX devices.

I have a small problem that libvirtd always adds NAT for my virtual networks
even if I have mode="route" in the network xml file. Currently I have to
remove those masquerade commands out of my iptables.

Vu
Now I see. It sounds like this really isn't a Xen question - that it's the
familiar "duplicate IP address" error we get when a user manually sets an IP
address that has been assigned by a DHCP server.

So here's the thing. What makes this issue worth spending any time trying
to fix?

Sure, with sufficient creativity, we could engineer something that fixes
this. The effort is probably more than 10x the value.

Why not simply assume most people are reasonable and then deal with the
exceptions as they arise?

If, of course, you are a sysadmin in a Federal Prison it might be different
...

Peter

On Apr 11, 2009, at 7:05 PM, Anand Gupta wrote:
> Hi Peter,
>
> On Sun, Apr 12, 2009 at 1:04 AM, Peter Booth <peter_booth@mac.com> wrote:
>> I'm a little puzzled by this. My starting point is that I can
>> sometimes use technology to protect against foolishness but it's
>> much harder to protect against malice.
>>
>> I believe that the xen 3 limit is 3 vifs per VM. So if you create
>> all three, with one bridge mode with an assigned ip and the two
>> private networks, what can a user do thru ignorance or malice to break
>> this?
>> 1. They can reconfigure their "real IP" to a diff value on the
>> subnet and presumably we'll see an error on both devices that are
>> trying to use the VM
>> 2. What happens if they create virtual devices based on their "real"
>> device? Can they bind these to different IPs on the subnet?
>>
>> Is there any reason to expect they would do this? Can you fire your
>> users if they are malicious? This seems as much a human issue as a
>> technical one.
>
> Not always you can fire them. Imagine a situation wherein you are
> the dom0 administrator and all your domU are customers who manage
> their own domU. Now you have assigned ips to them, and one of them
> tries to bind a different ip as against to what was assigned to it.
> I am just trying to find a way to stop that from happening.
Hi Vu,

On Sun, Apr 12, 2009 at 6:05 AM, Vu Pham <vu@sivell.com> wrote:
>> Thanks, but the service is already on. What i meant by saying firewall
>> wasn't on is that there are no default rules to accept/ drop anything. Sorry
>> for the confusion.
>
> Hi Anand,
>
> The original firewall settings are based on what you select when you
> install the system. It may be empty, or it may just have some basic rules
> like allowing only ssh and/or web ... and block everything else.
>
> You have to manually edit the rules according to what you need and save
> them.
>
> Vu

Yes, thanks i know that. In my case it's empty, since i chose not to block
anything to start with. I am guessing, as pointed out by Eljas, i should
change the default policy to DROP in the FORWARD chain, and see if it helps.

--
regards,

Anand Gupta
Hi Fajar,

On Sun, Apr 12, 2009 at 6:17 AM, Fajar A. Nugraha <fajar@fajar.net> wrote:
> On Sun, Apr 12, 2009 at 6:08 AM, Anand Gupta <xen.mails@gmail.com> wrote:
>> Hi Fajar,
>> Is it possible for all practical purposes that we create different bridges
>> for each domU ? And traffic for each of them go through their respective
>> bridges ?
>
> It would only make sense to do so when domUs are on different subnets.

Hmm... well in my case they are not in different subnets, so i guess i would
just leave it. Thanks for the help.

--
regards,

Anand Gupta
Hi Vu,

On Sun, Apr 12, 2009 at 7:22 AM, Vu Pham <vu@sivell.com> wrote:
> Anand Gupta wrote:
>> Hi Fajar,
>>
>> Is it possible for all practical purposes that we create different bridges
>> for each domU ? And traffic for each of them go through their respective
>> bridges ? If yes, can this be automated in some way ?
>
> What do you mean by "automated" ?
>
> On my test Xen server, I need to generate some virtual networks ( virbrX )
> and some domUs on those networks. I use a bash script to generate the
> network xml files ( you can see the template from
> /etc/libvirt/qemu/networks/default.xml and
> http://libvirt.org/formatnetwork.html for their xml tags ). For domUs, I
> also use a bash script to generate their /etc/xen/ files and assign their
> network devices to the corresponding virbrX devices.
>
> I have a small problem that libvirtd always adds NAT for my virtual networks
> even if I have mode="route" in the network xml file. Currently I have to
> remove those masquerade commands out of my iptables.
>
> Vu

What you do with the bash script is exactly what i meant by saying
"automated" ;)

The only thing left to test would be the ebtables patch, which i am gonna do
so and post results in this thread. Hope it will help someone else who is
looking for the same solution.

--
regards,

Anand Gupta
Dear Peter,

Thanks for the excellent solution to the problem. Appreciate it.

On Sun, Apr 12, 2009 at 7:43 AM, Peter Booth <peter_booth@mac.com> wrote:
> Now I see. It sounds like this really isn't a Xen question - that it's the
> familiar "duplicate IP address" error we get when a user manually sets an IP
> address that has been assigned by a DHCP server
> So here's the thing. What makes this issue worth spending *any* time
> trying to fix?
>
> Sure, with sufficient creativity, we could engineer something that fixes
> this
> The effort is probably more than 10x the value
>
> Why not simply assume most people are reasonable and then deal with the
> exceptions as they arise?
>
> If, of course, you are a sysadmin in a Federal Prison it might be different
> ...

--
regards,

Anand Gupta
Tried to apply this patch. Fresh install centos5.3, xen 3.0.3-80

I get this error.

missing header for unified diff at line 3 of patch
patching file vif-bridge
patch: **** malformed patch at line 4: online)

Any ideas on how to fix this ?

On Sat, Apr 11, 2009 at 4:36 AM, David <admin@dmarkey.com> wrote:
> http://toic.org/2008/09/22/preventing-ip-conflicts-in-xen/
>
> If i'm reading this correctly, this is what you want.
>
> On Sat, Apr 11, 2009 at 12:02 AM, Anand Gupta <xen.mails@gmail.com> wrote:
>> Hi Peter,
>>
>> Here is what i want to achieve.
>>
>> 1. I want to assign multiple ips to a domU. These ips can be in
>> different subnets.
>> 2. I want to be able to stop users from arbitrarily binding ips inside
>> their domU, and start using them.
>>
>> Using bridge/ routing mode is not an issue, whatever resolves the
>> problem, i am ready to use that.
>>
>> On 4/11/09, Peter Booth <peter_booth@mac.com> wrote:
>>> What is it that you're wanting to achieve? You can use bridging for
>>> one IP and, say, a private network for another if that makes more
>>> sense. I've used this approach when using a VM as a QA version of a
>>> JMS server when the production server had seven NICs
>>>
>>> On Apr 10, 2009, at 5:28 PM, Anand Gupta <xen.mails@gmail.com> wrote:
>>>> Hi Nick,
>>>>
>>>> Thanks for the reply. What if they are on different subnets ? And then
>>>> what stops a user inside domU from adding any ip in that series (as long as
>>>> the ips are assigned and routable to the server) and starting to use it ?
>>>>
>>>> On 4/11/09, Nick Anderson <nick@anders0n.net> wrote:
>>>>> On Sat, Apr 11, 2009 at 01:35:48AM +0530, Anand Gupta wrote:
>>>>>> Hmm... So if i have to assign lets say 6 ips to a domU, what is the
>>>>>> best method to do so ?
>>>>> Well if they are all on the same subnet and you're using standard
>>>>> bridging and using a linux domU you should be able to just bring up
>>>>> virtual interfaces.
>>>>>
>>>>> ifconfig eth0:0 192.168.1.2
>>>>> ifconfig eth0:1 192.168.1.3
>>>>> ifconfig eth0:2 192.168.1.4
>>>>>
>>>>> --
>>>>> Nick Anderson <nick@anders0n.net>
>>>>> http://www.cmdln.org
>>>>
>>>> --
>>>> regards,
>>>>
>>>> Anand Gupta
>>
>> --
>> regards,
>>
>> Anand Gupta

--
regards,

Anand Gupta
Made the changes by hand on vif-bridge, changed xend-config to use the new
vif-bridge-custom script, and bang :( The domU won't start now.

Error: Device 0 (vif) could not be connected.
/etc/xen/scripts/vif-bridge-custom failed; error detected.

Here is the diff

diff -u vif-bridge vif-bridge-custom
> --- vif-bridge 2009-04-14 23:35:08.000000000 -0400
> +++ vif-bridge-custom 2009-04-15 00:01:08.000000000 -0400
> @@ -57,15 +57,37 @@
> online)
> setup_bridge_port "$vif"
> add_to_bridge "$bridge" "$vif"
> + ebtables -N $vif
> + ebtables -P $vif DROP
> + ebtables -A INPUT -i $vif -j $vif
> + ebtables -A FORWARD -i $vif -j $vif
> + ebtables -A $vif -p ARP –arp-opcode 1 -j ACCEPT
> +
> + if [ ! -z "$ip" ]
> + then
> + for oneip in $ip
> + do
> + ebtables -A $vif -p IPv4 –ip-src $oneip -j ACCEPT
> + ebtables -A $vif -p IPv4 –ip-dst $oneip -j ACCEPT
> + ebtables -A $vif -p ARP –arp-opcode 2 –arp-ip-src $oneip -j ACCEPT
> + done
> +
> + ebtables -A $vif --log-prefix="arp-drop" --log-arp -j DROP
> +
> + fi
> ;;
>
> offline)
> do_without_error brctl delif "$bridge" "$vif"
> do_without_error ifconfig "$vif" down
> + do_without_error ebtables -D INPUT -i $vif -j $vif
> + do_without_error ebtables -D FORWARD -i $vif -j $vif
> + do_without_error ebtables -F $vif
> + do_without_error ebtables -X $vif
> ;;
> esac
>
> -handle_iptable
> +#handle_iptable
>
> log debug "Successful vif-bridge $command for $vif, bridge $bridge."
> if [ "$command" == "online" ]

Will appreciate any help on this.

On Wed, Apr 15, 2009 at 11:27 PM, Anand Gupta <xen.mails@gmail.com> wrote:
> Tried to apply this patch. Fresh install centos5.3, xen 3.0.3-80
> I get this error.
>
> missing header for unified diff at line 3 of patch
> patching file vif-bridge
> patch: **** malformed patch at line 4: online)
>
> Any ideas on how to fix this ?

--
regards,

Anand Gupta
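Review bot: the added ebtables rules in this hunk spell their long options with an en dash (–arp-opcode, –ip-src, –ip-dst, –arp-ip-src) instead of two ASCII hyphens, which ebtables does not parse, so the online branch fails at the first of them, `+ ebtables -A $vif -p ARP –arp-opcode 1 -j ACCEPT`; that matches the "vif-bridge-custom failed; error detected" message above, and the fix is to retype those four options as `--arp-opcode`, `--ip-src`, `--ip-dst` and `--arp-ip-src`. Two smaller points: when `$ip` is empty the `if` block installs no ACCEPT rule at all, so with `-P $vif DROP` a domU whose config has no ip= loses every IPv4 frame silently, which deserves a log line of its own; and the opcode 1 rule accepts any ARP request regardless of sender address, so a per-address request rule with `--arp-ip-src $oneip` inside the loop would apply the same sender check that the opcode 2 rule already applies to replies.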
i think ebtables on centos is broken (5.2 anyway), look out for messages
in dmesg

On Wed, Apr 15, 2009 at 7:57 PM, Anand Gupta <xen.mails@gmail.com> wrote:
> Made the changes by hand on vif-bridge, changed xend-config to use the new
> vif-bridge-custom script, and bang :( The domU won't start now.
> Error: Device 0 (vif) could not be connected.
> /etc/xen/scripts/vif-bridge-custom failed; error detected.
>
> Here is the diff
> [...]
Hi David,

Thanks for the quick reply.

I took the rpm from Would you recommend to compile it ?

Here is the dmesg output when i try to start a domU.

device vif1.0 entered promiscuous mode
ADDRCONF(NETDEV_UP): vif1.0: link is not ready
Ebtables v2.0 registered
xenbr1: port 3(vif1.0) entering disabled state
device vif1.0 left promiscuous mode
xenbr1: port 3(vif1.0) entering disabled state

Does this make any sense ?

Thanks for the help.

On Thu, Apr 16, 2009 at 12:33 AM, David <admin@dmarkey.com> wrote:
> i think ebtables on centos is broken (5.2 anyway), look out for messages
> in dmesg
>
> On Wed, Apr 15, 2009 at 7:57 PM, Anand Gupta <xen.mails@gmail.com> wrote:
>> Made the changes by hand on vif-bridge, changed xend-config to use the new
>> vif-bridge-custom script, and bang :( The domU won't start now.
>> Error: Device 0 (vif) could not be connected.
>> /etc/xen/scripts/vif-bridge-custom failed; error detected.
>>
>> Here is the diff
>> [...]
[root@monaghan ~]# ebtables -N new
The kernel doesn't support a certain ebtables extension, consider
recompiling your kernel or insmod the extension.
[root@monaghan ~]# dmesg | tail
kernel msg: ebtables bug: please report to author: entries_size too small

these are the symptoms i have on 5.2

On Wed, Apr 15, 2009 at 8:23 PM, Anand Gupta <xen.mails@gmail.com> wrote:
> Hi David,
> Thanks for the quick reply.
>
> I took the rpm from Would you recommend to compile it ?
>
> Here is the dmesg output when i try to start a domU.
>
> device vif1.0 entered promiscuous mode
> ADDRCONF(NETDEV_UP): vif1.0: link is not ready
> Ebtables v2.0 registered
> xenbr1: port 3(vif1.0) entering disabled state
> device vif1.0 left promiscuous mode
> xenbr1: port 3(vif1.0) entering disabled state
>
> Does this make any sense ?
>
> Thanks for the help.
> [...]
Hi David,

Strange, i don't seem to get that error on centos5.3.

[root@ananta ~]# uname -r
2.6.18-128.1.6.el5.centos.plusxen
[root@ananta ~]# ebtables -N new
[root@ananta ~]# dmesg | tail
xenbr1: port 3(vif7.0) entering forwarding state
xenbr1: port 3(vif7.0) entering disabled state
device vif7.0 left promiscuous mode
xenbr1: port 3(vif7.0) entering disabled state
device vif8.0 entered promiscuous mode
ADDRCONF(NETDEV_UP): vif8.0: link is not ready
blkback: ring-ref 8, event-channel 6, protocol 1 (x86_32-abi)
ADDRCONF(NETDEV_CHANGE): vif8.0: link becomes ready
xenbr1: topology change detected, propagating
xenbr1: port 3(vif8.0) entering forwarding state

The vif messages are from the domU startups and stops i have been doing (i
reverted back the ebtables patch in vif-bridge so i can at least configure a
few of the domU's until this ebtables problem is resolved).

P.S. : As you see i have the centosplus kernel installed, maybe the problem
is fixed in that ?

On Thu, Apr 16, 2009 at 2:46 AM, David <admin@dmarkey.com> wrote:
> [root@monaghan ~]# ebtables -N new
> The kernel doesn't support a certain ebtables extension, consider
> recompiling your kernel or insmod the extension.
> [root@monaghan ~]# dmesg | tail
> kernel msg: ebtables bug: please report to author: entries_size too small
>
> these are the symptoms i have on 5.2
> [...]
On Wed, Apr 15, 2009 at 10:16:22PM +0100, David wrote:
Hello,

> [root@monaghan ~]# ebtables -N new
> The kernel doesn't support a certain ebtables extension, consider
> recompiling your kernel or insmod the extension.
> [root@monaghan ~]# dmesg | tail
> kernel msg: ebtables bug: please report to author: entries_size too small

I remember a similar log entry with 32-bit ebtables on a 64-bit kernel
architecture. Check kernel version with "uname -m" and install the 64bit
ebtables rpm if it's x86_64.

Regards,
Kupson
--
Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)
Ye i have a 64bit kernel and the 64 bit package. Switched to debian5
instead.

On Thu, Apr 16, 2009 at 9:58 AM, Rafał Kupka <rkupka+Listy.Xen@pronet.com.pl> wrote:
> On Wed, Apr 15, 2009 at 10:16:22PM +0100, David wrote:
> Hello,
>
>> [root@monaghan ~]# ebtables -N new
>> The kernel doesn't support a certain ebtables extension, consider
>> recompiling your kernel or insmod the extension.
>> [root@monaghan ~]# dmesg | tail
>> kernel msg: ebtables bug: please report to author: entries_size too small
>
> I remember a similar log entry with 32-bit ebtables on a 64-bit kernel
> architecture. Check kernel version with "uname -m" and install the 64bit
> ebtables rpm if it's x86_64.
>
> Regards,
> Kupson
So no solution for me to stop users from using any ip address inside their
domU, if i use centos ? :(

2009/4/16 David <admin@dmarkey.com>
> Ye i have a 64bit kernel and the 64 bit package. Switched to debian5
> instead.
> [...]

--
regards,

Anand Gupta
did you apply the patch?

After you start a DomU what does ebtables --list say?

2009/4/16 Anand Gupta <xen.mails@gmail.com>
> So no solution for me to stop users from using any ip address inside their
> domU, if i use centos ? :(
> [...]
Hi David,

As i mentioned the patch doesn't work with centos5.3+xen. Hence looking at
the patch, i hand edited the file. The same was posted in an earlier mail
sent in this thread. Here it is again

diff -u vif-bridge vif-bridge-custom
> --- vif-bridge 2009-04-14 23:35:08.000000000 -0400
> +++ vif-bridge-custom 2009-04-15 00:01:08.000000000 -0400
> @@ -57,15 +57,37 @@
> online)
> setup_bridge_port "$vif"
> add_to_bridge "$bridge" "$vif"
> + ebtables -N $vif
> + ebtables -P $vif DROP
> + ebtables -A INPUT -i $vif -j $vif
> + ebtables -A FORWARD -i $vif -j $vif
> + ebtables -A $vif -p ARP -arp-opcode 1 -j ACCEPT
> +
> + if [ ! -z "$ip" ]
> + then
> + for oneip in $ip
> + do
> + ebtables -A $vif -p IPv4 -ip-src $oneip -j ACCEPT
> + ebtables -A $vif -p IPv4 -ip-dst $oneip -j ACCEPT
> + ebtables -A $vif -p ARP -arp-opcode 2 -arp-ip-src $oneip -j ACCEPT
> + done
> +
> + ebtables -A $vif --log-prefix="arp-drop" --log-arp -j DROP
> +
> + fi
> ;;
>
> offline)
> do_without_error brctl delif "$bridge" "$vif"
> do_without_error ifconfig "$vif" down
> + do_without_error ebtables -D INPUT -i $vif -j $vif
> + do_without_error ebtables -D FORWARD -i $vif -j $vif
> + do_without_error ebtables -F $vif
> + do_without_error ebtables -X $vif
> ;;
> esac
>
> -handle_iptable
> +#handle_iptable
>
> log debug "Successful vif-bridge $command for $vif, bridge $bridge."
> if [ "$command" == "online" ]

When i try to start the domU, i just get an error message

Error: Device 0 (vif) could not be connected.
/etc/xen/scripts/vif-bridge-custom failed; error detected.

Now i looked at all log files, can't seem to find any error.

2009/4/17 David <admin@dmarkey.com>
> did you apply the patch?
>
> After you start a DomU what does ebtables --list say?
>
> 2009/4/16 Anand Gupta <xen.mails@gmail.com>
>> So no solution for me to stop users from using any ip address inside their
>> domU, if i use centos ? :(
>> [...]

--
regards,

Anand Gupta
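Review bot: this re-typed version still has the option spelling wrong, now with a single hyphen (-arp-opcode, -ip-src, -ip-dst, -arp-ip-src); ebtables long options take two, so `+ ebtables -A $vif -p ARP -arp-opcode 1 -j ACCEPT` and the three rules inside the loop fail exactly as the en-dash version did, which is consistent with the "could not be connected" error and nothing useful in the log files. Running one of those lines by hand in dom0 against a scratch chain would show ebtables' own parse error directly, and the diff should read `--arp-opcode`, `--ip-src`, `--ip-dst` and `--arp-ip-src`.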
>>> On Thu, Apr 16, 2009 at 9:58 AM, Rafał Kupka <rkupka+Listy.Xen@pronet.com.pl> wrote:
>>>> On Wed, Apr 15, 2009 at 10:16:22PM +0100, David wrote:
>>>> Hello,
>>>>
>>>> > [root@monaghan ~]# ebtables -N new
>>>> > The kernel doesn't support a certain ebtables extension, consider
>>>> > recompiling your kernel or insmod the extension.
>>>> > [root@monaghan ~]# dmesg | tail
>>>> > kernel msg: ebtables bug: please report to author: entries_size too small
>>>>
>>>> I remember a similar log entry with 32-bit ebtables on a 64-bit kernel
>>>> architecture. Check the kernel version with "uname -m" and install the 64-bit
>>>> ebtables rpm if it's x86_64.
>>>>
>>>> Regards,
>>>> Kupson
>>>> --
>>>> Great software without the knowledge to run it is pretty useless.
>>>> (Linux Gazette #1)
>>
>> --
>> regards,
>>
>> Anand Gupta

--
regards,

Anand Gupta
You have cut+paste errors:

--arp-opcode, not -arp-opcode

--ip-src, not -ip-src

2009/4/17 Anand Gupta <xen.mails@gmail.com>
> Hi David,
>
> As I mentioned, the patch doesn't work with CentOS 5.3 + Xen. Hence, looking at
> the patch, I hand-edited the file. The same was posted in an earlier mail
> sent in this thread. Here it is again:
>
> [...]
Hi David,

You are absolutely right. I realized the same thing after talking with Branko, who wrote the article at http://toic.org/2008/09/22/preventing-ip-conflicts-in-xen/. He helped me redo the vif-bridge-custom again with no mistakes. It's working perfectly now.

Attached is the actual working vif-bridge script. I hope it helps others as well. Branko will be posting a new diff on his website, which will work with CentOS 5.3 as well.

2009/4/17 David <admin@dmarkey.com>
> You have cut+paste errors:
>
> --arp-opcode, not -arp-opcode
>
> --ip-src, not -ip-src
>
> [...]

--
regards,

Anand Gupta
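The working script Anand attached is not reproduced on the page. What follows is an added example, not that attachment and not Branko's diff: the same per-vif ebtables filtering the thread's patch sets up, written as shell functions with the double-dash option names David points out, a chain setup that copes with a chain left over from an earlier failed hotplug, and a check that every value in `ip=` is a dotted-quad IPv4 address before it is spliced into a command line. It goes beyond the thread's patch in two places, both marked in comments: ARP requests are accepted only with the domU's own sender addresses rather than wholesale, and the `--ip-dst` rule is left out because it constrains nothing about the source. With no addresses configured only the logging DROP rule is installed, which is the deny-by-default the thread asks for. The function names, the `EBTABLES` variable and the `vif3.0` / 192.0.2.x values are my own assumptions; with `EBTABLES=echo` it prints the rules instead of installing them, so the logic can be checked without root.

```shell
#!/bin/sh
# Added example for the thread above: per-vif ebtables anti-spoofing rules.
# This is not the script Anand attached and not Branko's diff; the function
# names and the EBTABLES variable are assumptions. EBTABLES=echo prints the
# rules instead of installing them, so the logic can be checked without root.
EBTABLES="${EBTABLES:-ebtables}"

# Accept only a dotted-quad IPv4 address. The values come from the domU's
# "ip=" setting and are spliced into ebtables command lines, so anything
# else (spaces, option-looking strings) is rejected before it gets there.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s\n' "$1" | tr '.' ' ')   # split on dots; word-splitting is intended
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
}

# Build the chain for one vif and hang it off INPUT and FORWARD.
# Usage: vif_online <vif> "<ip> [<ip> ...]"
vif_online() {
    vif="$1"; ip="$2"
    for oneip in $ip; do                         # unquoted on purpose: space-separated list
        valid_ipv4 "$oneip" || { echo "vif_online: bad address '$oneip'" >&2; return 1; }
    done
    # A chain left behind by an earlier failed hotplug makes "-N" fail, and in
    # the thread's script that aborts the whole vif setup. Flush and reuse it.
    "$EBTABLES" -N "$vif" 2>/dev/null || "$EBTABLES" -F "$vif"
    "$EBTABLES" -P "$vif" DROP
    # Remove stale jump rules before adding them, so a re-run stays idempotent.
    "$EBTABLES" -D INPUT   -i "$vif" -j "$vif" 2>/dev/null || :
    "$EBTABLES" -D FORWARD -i "$vif" -j "$vif" 2>/dev/null || :
    "$EBTABLES" -A INPUT   -i "$vif" -j "$vif"
    "$EBTABLES" -A FORWARD -i "$vif" -j "$vif"
    for oneip in $ip; do
        # IPv4 frames only with a source address this domU owns.
        "$EBTABLES" -A "$vif" -p IPv4 --ip-src "$oneip" -j ACCEPT
        # ARP requests (1) and replies (2) only with a sender address it owns.
        # The thread's patch accepted every request; a request's sender field
        # also updates neighbours' caches, so it is filtered here as well.
        "$EBTABLES" -A "$vif" -p ARP --arp-opcode 1 --arp-ip-src "$oneip" -j ACCEPT
        "$EBTABLES" -A "$vif" -p ARP --arp-opcode 2 --arp-ip-src "$oneip" -j ACCEPT
    done
    # The chain policy already drops the rest; this rule makes the drops visible.
    "$EBTABLES" -A "$vif" --log-prefix "vif-spoof" --log-ip --log-arp -j DROP
}

# Tear down in reverse: unhook the chain, flush it, delete it.
vif_offline() {
    vif="$1"
    "$EBTABLES" -D INPUT   -i "$vif" -j "$vif" 2>/dev/null || :
    "$EBTABLES" -D FORWARD -i "$vif" -j "$vif" 2>/dev/null || :
    "$EBTABLES" -F "$vif" 2>/dev/null || :
    "$EBTABLES" -X "$vif" 2>/dev/null || :
}

# Hook-style entry point: "online <vif> <ips>" or "offline <vif>".
case "${1:-}" in
    online)  vif_online "$2" "${3:-}" ;;
    offline) vif_offline "$2" ;;
esac
```

In vif-bridge this replaces the hand-edited block: `vif_online "$vif" "$ip"` in the online branch and `vif_offline "$vif"` in the offline branch, after which `ebtables -L` should show a chain named after the vif, which is the check David asked for. One caveat of the stricter ARP rule: a domU that sends duplicate-address-detection probes with sender 0.0.0.0 will have those probes dropped and logged under the vif-spoof prefix; that is the price of refusing requests with a foreign sender address.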