Re: [Xen-users] Re: number of ips

To: admin@xxxxxxxxxxx
Subject: Re: [Xen-users] Re: number of ips
From: Anand Gupta <xen.mails@xxxxxxxxx>
Date: Fri, 17 Apr 2009 22:52:41 +0530
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Hi David,

You are absolutely right. I realized the same thing after talking with Branko, who wrote the article at http://toic.org/2008/09/22/preventing-ip-conflicts-in-xen/. He helped me redo vif-bridge-custom with no mistakes.

It's working perfectly now.

Attached is the actual working vif-bridge script. I hope it helps others as well. Branko will be posting a new diff on his website, which will work with CentOS 5.3 as well.

2009/4/17 David <admin@xxxxxxxxxxx>
You have cut+paste errors:

--arp-opcode not –arp-opcode

ip-src not –ip-src

2009/4/17 Anand Gupta <xen.mails@xxxxxxxxx>

Hi David,

As I mentioned, the patch doesn't work with CentOS 5.3 + Xen. Hence, looking at the patch, I hand-edited the file. The same was posted in an earlier mail sent in this thread. Here it is again:

diff -u vif-bridge vif-bridge-custom 
--- vif-bridge 2009-04-14 23:35:08.000000000 -0400
+++ vif-bridge-custom 2009-04-15 00:01:08.000000000 -0400
@@ -57,15 +57,37 @@
  setup_bridge_port "$vif"
  add_to_bridge "$bridge" "$vif"
+ ebtables -N $vif
+ ebtables -P $vif DROP
+ ebtables -A INPUT -i $vif -j $vif
+ ebtables -A FORWARD -i $vif -j $vif
+ ebtables -A $vif -p ARP –arp-opcode 1 -j ACCEPT
+ if [ ! -z "$ip" ]
+ then
+ for oneip in $ip
+ do
+ ebtables -A $vif -p IPv4 –ip-src $oneip -j ACCEPT
+ ebtables -A $vif -p IPv4 –ip-dst $oneip -j ACCEPT
+ ebtables -A $vif -p ARP –arp-opcode 2 –arp-ip-src $oneip -j ACCEPT
+ done
+ ebtables -A $vif --log-prefix="arp-drop" --log-arp -j DROP
+ fi
         do_without_error brctl delif "$bridge" "$vif"
         do_without_error ifconfig "$vif" down
+ do_without_error ebtables -D INPUT -i $vif -j $vif
+ do_without_error ebtables -D FORWARD -i $vif -j $vif
+ do_without_error ebtables -F $vif
+ do_without_error ebtables -X $vif
 log debug "Successful vif-bridge $command for $vif, bridge $bridge."
 if [ "$command" == "online" ]
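Review bot: the rule `ebtables -A $vif -p ARP –arp-opcode 1 -j ACCEPT` and the three rules inside the `for oneip` loop use a single Unicode dash (`–arp-opcode`, `–ip-src`, `–ip-dst`, `–arp-ip-src`) where ebtables needs two ASCII hyphens; only the final `--log-prefix`/`--log-arp` line is spelled correctly, so every other added rule fails to parse, the script exits non-zero, and the domU start aborts with the "vif-bridge-custom failed" error reported below. Beyond the typo, the opcode 1 rule accepts every ARP request from the guest regardless of sender address, while only replies (opcode 2) are pinned to `--arp-ip-src $oneip`; moving the request rule inside the loop and giving it the same `--arp-ip-src $oneip` match makes the filter consistent. Note also that with `if [ ! -z "$ip" ]` a domain with no `ip=` in its config gets a chain whose policy is DROP and whose only rule accepts ARP requests, so it has no IP connectivity at all; confirm that is intended or skip the chain setup in that case.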

When I try to start the domU, I just get an error message:

Error: Device 0 (vif) could not be connected. /etc/xen/scripts/vif-bridge-custom failed; error detected.

Now I looked at all the log files, but can't seem to find any error.

2009/4/17 David <admin@xxxxxxxxxxx>

did you apply the patch?

After you start a DomU, what does ebtables --list say?

2009/4/16 Anand Gupta <xen.mails@xxxxxxxxx>

So there is no solution for me to stop users from using any IP address inside their domU if I use CentOS? :(

2009/4/16 David <admin@xxxxxxxxxxx>

Yes, I have a 64-bit kernel and the 64-bit package. Switched to Debian 5 instead.

On Thu, Apr 16, 2009 at 9:58 AM, Rafał Kupka <rkupka+Listy.Xen@xxxxxxxxxxxxx> wrote:
On Wed, Apr 15, 2009 at 10:16:22PM +0100, David wrote:

> [root@monaghan ~]# ebtables -N new
> The kernel doesn't support a certain ebtables extension, consider
> recompiling your kernel or insmod the extension.
> [root@monaghan ~]# dmesg | tail
> kernel msg: ebtables bug: please report to author: entries_size too small

I remember a similar log entry with 32-bit ebtables on a 64-bit kernel
architecture. Check the kernel version with "uname -m" and install the 64-bit
ebtables rpm if it's x86_64.

Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)

Xen-users mailing list

Anand Gupta

Attachment: vif-bridge
Description: Binary data
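The per-vif ebtables filter from the diff in this thread, rewritten below as an added example (it is neither the attached vif-bridge, Branko's diff, nor Xen's own script): the options use plain ASCII "--" as David pointed out, ARP requests are pinned to the guest's sender address just like replies, a dry-run mode prints the rules instead of applying them so they can be reviewed without root or ebtables, and a small check counts the Unicode dashes that a copy from a web page leaves behind. The vif name and the RFC 5737 addresses are constructed.

```shell
#!/bin/sh
# Added example, not the vif-bridge script attached to this thread and not
# Xen's own script: the per-vif ebtables anti-spoofing chain written with
# ASCII "--" options. With DRY_RUN set, run() prints each command instead of
# executing it, so the rule set can be reviewed on a host without ebtables.

run() {
    if [ -n "${DRY_RUN-}" ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# vif_filter_up VIF "IP [IP ...]"
# Creates chain VIF with policy DROP, sends every frame arriving from VIF
# through it, and accepts only IPv4 from one of the assigned sources and ARP
# (requests and replies) whose sender address is one of the assigned IPs.
# Unlike the posted patch, ARP requests are tied to the sender IP as well.
vif_filter_up() {
    up_vif=$1
    up_ips=$2
    run ebtables -N "$up_vif"
    run ebtables -P "$up_vif" DROP
    run ebtables -A INPUT -i "$up_vif" -j "$up_vif"
    run ebtables -A FORWARD -i "$up_vif" -j "$up_vif"
    for oneip in $up_ips; do
        run ebtables -A "$up_vif" -p IPv4 --ip-src "$oneip" -j ACCEPT
        run ebtables -A "$up_vif" -p ARP --arp-opcode 1 --arp-ip-src "$oneip" -j ACCEPT
        run ebtables -A "$up_vif" -p ARP --arp-opcode 2 --arp-ip-src "$oneip" -j ACCEPT
    done
    # Log the spoofed frame before the chain policy would drop it anyway.
    run ebtables -A "$up_vif" --log-prefix vif-spoof --log-ip --log-arp -j DROP
}

# vif_filter_down VIF: unhook and delete the chain in reverse order.
vif_filter_down() {
    down_vif=$1
    run ebtables -D INPUT -i "$down_vif" -j "$down_vif"
    run ebtables -D FORWARD -i "$down_vif" -j "$down_vif"
    run ebtables -F "$down_vif"
    run ebtables -X "$down_vif"
}

# count_unicode_dashes FILE: number of lines containing U+2013 or U+2014,
# the characters a web copy substitutes for "--" and that make ebtables
# reject the rule (the cut+paste error found in this thread). Prints 0
# and still succeeds when the file is clean.
count_unicode_dashes() {
    dash_pat=$(printf '\342\200\223|\342\200\224')
    LC_ALL=C grep -Ec "$dash_pat" "$1" || true
}

# Demo with a constructed vif name and RFC 5737 documentation addresses:
#   sh vif-filter.sh demo
if [ "${1-}" = "demo" ]; then
    DRY_RUN=1
    vif_filter_up vif1.0 "192.0.2.10 192.0.2.11"
    vif_filter_down vif1.0
fi
```

In a real vif-bridge hook the two functions would be called with Xen's `$vif` and `$ip` variables in the online and offline branches, with DRY_RUN unset; the `--ip-dst` rule from the original diff is dropped because a frame leaving the guest addressed to the guest's own IP is not traffic the filter needs to allow.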
