[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-users] Xen host guest bridging transparency issue

I am using multiple public IP addresses through the bridge.  I am using ebtables as my firewall.  xenbr1 is my internal LAN  People from the outside should not be passing anything through my internal private network. It is used strictly for server to server communication.

I found my problem in the ARP settings.  If I turn off the arp off for p6p1 and pass a few arp commands via sysctl it does the trick.

I am not sure what combination of commands are optimum but for now it works.

Thanks for your input on this.  It is hard to describe a problem let alone diagnose it with limited information.  I wish there was more documentation on how to work around issues like this.  

Once I have a better handle on it, I will blog it. ;)



PS. I am re-sending this message because I have a bad habit of not doing the reply all button.


> Adam Goryachev <mailinglists@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>> What interface is p6p1 ? Seems to be a strange name for a network
>> interface, these are normally eth0 or similar by default...
> Welcome to the world according to Poettering (yes, he of SystemD 'fame').
> Apparently it's far far too complicated to change Udev rules if an
> interface is changed, instead we have to suffer interface names based on
> physical location - so some of them can be quite long, and just moving an
> interface (eg to a different slot or USB socket) will change it's
> identity.
> I suspect some people have never worked on servers - where interface names
> appear in many places (manual network config, firewall, scripts such as
> link state and/or traffic monitoring, ...
>> My guess, the dom0 is doing NAT on the incoming traffic, and sending it
>> over xenbr1 or something like that...
> That would be my guess as well.
> One other thing for the OP - use of the network script to configure the
> bridges is deprecated. Current advice is (and has been for quite some
> time) to set network-script to "dummy" and configured the bridges in the
> host OS. Debian, and it's derivatives, has had native support for bridge
> configuration in /etc/network/interfaces for some time now. You just need
> a stanza like :
> auto ethext
> iface ethext inet static
> bridge_ports pethext
> address a.b.c.d
> netmask
> gateway a.b.c.z
> bridge_stp off
> bridge_waitport 0
> bridge_fd 0
> (note - I use Udev rules to rename the physical interfaces to things
> meaningful like "pethext" for the outside interface and so on)
> This stanza will bring up a bridge named ethext, bind the interface
> pethext to it, and configure the specified address to the bridge. The last
> three lines disable STP and set the forwarding time to 0 - so there's no
> delay between adding an interface or bringing up a link and traffic
> flowing through it.
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxx
> http://lists.xen.org/xen-users

Xen-users mailing list



Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.