
Re: [Xen-users] Re: number of ips


  • To: admin@xxxxxxxxxxx
  • From: Anand Gupta <xen.mails@xxxxxxxxx>
  • Date: Fri, 17 Apr 2009 22:52:41 +0530
  • Cc: xen-users@xxxxxxxxxxxxxxxxxxx
  • Delivery-date: Fri, 17 Apr 2009 10:23:36 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=jNvgPx9aBPC+yCkcX99WQpil7SworLX3ITahwOhpKW8qISj0kxtxIXXDi3EqjWvnlh hOMGOpqHdz2HaW4V/xGr46Cxj9wYELvm52x6wbMrxO8tUVbSL+gpUDZ5sSXwZ8h3B4c6 I7JCwC0nvjqaSMQ40CN1MZiFu29XidTa6x6IM=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Hi David,

You are absolutely right. I realized the same thing after talking with Branko, who wrote the article at http://toic.org/2008/09/22/preventing-ip-conflicts-in-xen/. He helped me to redo the vif-bridge-custom again with no mistakes.

It's working perfectly now.

Attached is the actual working vif-bridge script. I hope it helps others as well. Branko will be posting a new diff on his website, which will work with CentOS 5.3 as well.


2009/4/17 David <admin@xxxxxxxxxxx>
You have cut+paste errors,

--arp-opcode not –arp-opcode

--ip-src not –ip-src


2009/4/17 Anand Gupta <xen.mails@xxxxxxxxx>

Hi David,

As I mentioned, the patch doesn't work with CentOS 5.3 + Xen. Hence, looking at the patch, I hand-edited the file. The same was posted in an earlier mail sent in this thread. Here it is again:


diff -u vif-bridge vif-bridge-custom 
--- vif-bridge 2009-04-14 23:35:08.000000000 -0400
+++ vif-bridge-custom 2009-04-15 00:01:08.000000000 -0400
@@ -57,15 +57,37 @@
     online)
  setup_bridge_port "$vif"
  add_to_bridge "$bridge" "$vif"
+ ebtables -N $vif
+ ebtables -P $vif DROP
+ ebtables -A INPUT -i $vif -j $vif
+ ebtables -A FORWARD -i $vif -j $vif
+ ebtables -A $vif -p ARP –arp-opcode 1 -j ACCEPT
+
+ if [ ! -z "$ip" ]
+ then
+ for oneip in $ip
+ do
+ ebtables -A $vif -p IPv4 –ip-src $oneip -j ACCEPT
+ ebtables -A $vif -p IPv4 –ip-dst $oneip -j ACCEPT
+ ebtables -A $vif -p ARP –arp-opcode 2 –arp-ip-src $oneip -j ACCEPT
+ done
+
+ ebtables -A $vif --log-prefix="arp-drop" --log-arp -j DROP
+
+ fi
         ;;
 
     offline)
         do_without_error brctl delif "$bridge" "$vif"
         do_without_error ifconfig "$vif" down
+ do_without_error ebtables -D INPUT -i $vif -j $vif
+ do_without_error ebtables -D FORWARD -i $vif -j $vif
+ do_without_error ebtables -F $vif
+ do_without_error ebtables -X $vif
         ;;
 esac
 
-handle_iptable
+#handle_iptable
 
 log debug "Successful vif-bridge $command for $vif, bridge $bridge."
 if [ "$command" == "online" ]
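Review bot: the rules at `–arp-opcode 1`, `–ip-src $oneip`, `–ip-dst $oneip` and `–arp-opcode 2 –arp-ip-src $oneip` carry a Unicode en-dash where the option syntax needs ASCII `--`, so ebtables rejects the option name; because nothing in the `online)` branch is wrapped in `do_without_error`, the first rejected call aborts the script, which matches the "vif-bridge-custom failed; error detected" message reported below. Rewrite them as `ebtables -A "$vif" -p ARP --arp-opcode 1 -j ACCEPT` and `ebtables -A "$vif" -p IPv4 --ip-src "$oneip" -j ACCEPT`, quoted like the surrounding `"$vif"` calls. Two further points: `ebtables -N $vif` fails if the chain survived an earlier crash in which the `offline)` cleanup never ran, so either flush an existing chain first or tolerate that failure; and with `handle_iptable` commented out the ebtables chain is the only anti-spoofing filter, so a domU whose config carries no `ip=` is left with a chain whose policy is DROP and whose only ACCEPT is ARP requests, and the logging DROP rule sits inside the `if [ ! -z "$ip" ]` block so it is not added either. State whether a domU with no `ip` is meant to be cut off, and move the log rule outside the `if` so the drop is visible in syslog in both cases.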

When I try to start the domU, I just get an error message:

Error: Device 0 (vif) could not be connected. /etc/xen/scripts/vif-bridge-custom failed; error detected.

Now I looked at all the log files, but I can't seem to find any error.

2009/4/17 David <admin@xxxxxxxxxxx>

did you apply the patch?

After you start a DomU what does ebtables --list  say?

2009/4/16 Anand Gupta <xen.mails@xxxxxxxxx>

So there is no solution for me to stop users from using any IP address inside their domU if I use CentOS? :(

2009/4/16 David <admin@xxxxxxxxxxx>

Yes, I have a 64-bit kernel and the 64-bit package. Switched to Debian 5 instead.




On Thu, Apr 16, 2009 at 9:58 AM, Rafał Kupka <rkupka+Listy.Xen@xxxxxxxxxxxxx> wrote:
On Wed, Apr 15, 2009 at 10:16:22PM +0100, David wrote:
Hello,

> [root@monaghan ~]# ebtables -N new
> The kernel doesn't support a certain ebtables extension, consider
> recompiling your kernel or insmod the extension.
> [root@monaghan ~]# dmesg | tail
> kernel msg: ebtables bug: please report to author: entries_size too small

I remember a similar log entry with 32-bit ebtables on a 64-bit kernel
architecture. Check the kernel architecture with "uname -m" and install the 64-bit
ebtables rpm if it's x86_64.

Regards,
Kupson
--
Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users





--
regards,

Anand Gupta










Attachment: vif-bridge
Description: Binary data
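A quick check for the cut-and-paste error diagnosed in this thread, added here as an example and not part of the thread or of Branko's vif-bridge script: the two bash functions below scan a script for option names glued to a Unicode en-dash or em-dash (which is what `–arp-opcode` and `–ip-src` are) and write a corrected copy with the ASCII `--` restored. The sample rule lines and the temporary file names are constructed for the demonstration.

```shell
#!/bin/bash
# Added example: find (and repair) "--" option prefixes that became a Unicode
# en-dash (U+2013, bytes E2 80 93) or em-dash (U+2014, bytes E2 80 94) when
# rules were pasted from a web page. ebtables rejects "–arp-opcode", and in a
# vif hot-plug script that failure surfaces only as "could not be connected".

EN_DASH=$(printf '\342\200\223')   # U+2013
EM_DASH=$(printf '\342\200\224')   # U+2014

# Print every line of "$1" where a dash of either kind is glued to a letter,
# prefixed with its line number. Returns 1 if any were found, 0 if clean.
find_bad_dashes() {
    if grep -n -e "${EN_DASH}[A-Za-z]" -e "${EM_DASH}[A-Za-z]" "$1"; then
        return 1
    fi
    return 0
}

# Write a copy of "$1" to "$2" with each dash-glued option rewritten to the
# ASCII "--" form. Inspect the diff before installing the repaired script.
fix_bad_dashes() {
    sed -e "s/${EN_DASH}\([A-Za-z]\)/--\1/g" \
        -e "s/${EM_DASH}\([A-Za-z]\)/--\1/g" "$1" > "$2"
}

# Constructed sample: one mangled rule and one correct rule, as in the thread.
SAMPLE=$(mktemp)
printf '%s\n' \
    'ebtables -A $vif -p ARP '"$EN_DASH"'arp-opcode 1 -j ACCEPT' \
    'ebtables -A $vif -p IPv4 --ip-src $oneip -j ACCEPT' > "$SAMPLE"

if ! find_bad_dashes "$SAMPLE"; then
    echo "mangled option dashes found in $SAMPLE"
    fix_bad_dashes "$SAMPLE" "$SAMPLE.fixed"
    echo "repaired copy written to $SAMPLE.fixed:"
    cat "$SAMPLE.fixed"
fi
rm -f "$SAMPLE" "$SAMPLE.fixed"
```

Run `find_bad_dashes /etc/xen/scripts/vif-bridge-custom` against the real script before installing it; a non-zero exit with printed line numbers means the script would fail at the first ebtables call, exactly the symptom reported earlier in this thread. The repair deliberately only touches a dash that is directly followed by a letter, so dashes used as prose inside comments are left alone.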


 

