Re: [Xen-users] Re: number of ips

To:	admin@xxxxxxxxxxx
Subject:	Re: [Xen-users] Re: number of ips
From:	Anand Gupta <xen.mails@xxxxxxxxx>
Date:	Fri, 17 Apr 2009 14:23:51 +0530
Cc:	xen-users@xxxxxxxxxxxxxxxxxxx
Delivery-date:	Fri, 17 Apr 2009 01:54:49 -0700
Dkim-signature:	v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:mime-version:received:in-reply-to:references :date:message-id:subject:from:to:cc:content-type; bh=zT2TMqY7I2UKNr83oMqaGH4xe5U/8Onc8q6/z2PX7bU=; b=mbyzrIMCQmFUiHysOeIw6bhRMtWs7DYry28G1Q/3MmlD82qeICEM4faUHSXYXDIAHT w6micSCv8oi4Qn/N5HDGBhQrwABnnDrqh6zAcI+FnfwE0EuyQWGWG7tXBao46pdtptJd 3O5mDrQEW+tCwMLTWMEzN2ZoCc+c5x3kimHjg=
Domainkey-signature:	a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type; b=MsZArR5GgfNy5PXb2cZrqXhfjWtEOEknVOO3Wh05gwdVcXEzcyH+wJItSJC8pUCXYf BJgKMG1EWIkycxgWcyU6klMFWir8pcWProAogneZi9Z3bv28IS9hUMAY8o6FrpmcMVmO VwN1HNODDwliOvB3KJaTvKjyc/8xqSI+NrrN8=
Envelope-to:	www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to:	<6894a6470904170051y58b48487sd3e59de0c52a416d@xxxxxxxxxxxxxx>
List-help:	<mailto:xen-users-request@lists.xensource.com?subject=help>
List-id:	Xen user discussion <xen-users.lists.xensource.com>
List-post:	<mailto:xen-users@lists.xensource.com>
List-subscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe:	<http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
References:	<20090410201941.GA1068@cmdln-laptop> <acb757c00904151057n65079b8p713f82508f46d868@xxxxxxxxxxxxxx> <acb757c00904151157h5d3bcbbdjfdc67a118be92164@xxxxxxxxxxxxxx> <6894a6470904151203g50950552ib9f9da3301e52b76@xxxxxxxxxxxxxx> <acb757c00904151223x4cd60372i1b360850e2c6f245@xxxxxxxxxxxxxx> <6894a6470904151416u7ca9381ehdc0d188c58e5994e@xxxxxxxxxxxxxx> <20090416085815.GA7146@xxxxxxxxxxxxxxxx> <6894a6470904160925u76a263ecie177283f3dd87141@xxxxxxxxxxxxxx> <acb757c00904161201v45ad2b9uc5bf112b95004fdd@xxxxxxxxxxxxxx> <6894a6470904170051y58b48487sd3e59de0c52a416d@xxxxxxxxxxxxxx>
Sender:	xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Hi David,

As i mentioned the patch doesn't work with centos5.3+xen. Hence looking at the patch, i hand edited the file. The same was posted in an earlier mail send in this thread. Here it is again

diff -u vif-bridge vif-bridge-custom
--- vif-bridge 2009-04-14 23:35:08.000000000 -0400
+++ vif-bridge-custom 2009-04-15 00:01:08.000000000 -0400
@@ -57,15 +57,37 @@
   online)
setup_bridge_port "$vif"
add_to_bridge "$bridge" "$vif"
+ ebtables -N $vif
+ ebtables -P $vif DROP
+ ebtables -A INPUT -i $vif -j $vif
+ ebtables -A FORWARD -i $vif -j $vif
+ ebtables -A $vif -p ARP –arp-opcode 1 -j ACCEPT
+
+ if [ ! -z "$ip" ]
+ then
+ for oneip in $ip
+ do
+ ebtables -A $vif -p IPv4 –ip-src $oneip -j ACCEPT
+ ebtables -A $vif -p IPv4 –ip-dst $oneip -j ACCEPT
+ ebtables -A $vif -p ARP –arp-opcode 2 –arp-ip-src $oneip -j ACCEPT
+ done
+
+ ebtables -A $vif --log-prefix="arp-drop" --log-arp -j DROP
+
+ fi
   ;;

   offline)
   do_without_error brctl delif "$bridge" "$vif"
   do_without_error ifconfig "$vif" down
+ do_without_error ebtables -D INPUT -i $vif -j $vif
+ do_without_error ebtables -D FORWARD -i $vif -j $vif
+ do_without_error ebtables -F $vif
+ do_without_error ebtables -X $vif
   ;;
esac

-handle_iptable
+#handle_iptable

log debug "Successful vif-bridge $command for $vif, bridge $bridge."
if [ "$command" == "online" ]

When i try to start the domU, i just get an error message

Error: Device 0 (vif) could not be connected. /etc/xen/scripts/vif-bridge-custom failed; error detected.

Now i looked at all log files, can't seem to find any error.

2009/4/17 David <admin@xxxxxxxxxxx>

did you apply the patch?

After you start a DomU what does ebtables --list say?

2009/4/16 Anand Gupta <xen.mails@xxxxxxxxx>

So no solution for me to stop users from using any ip address inside their domU, if i use centos ? :(

2009/4/16 David <admin@xxxxxxxxxxx>

Ye i have a 64bit kernel and the 64 bit package. Switched to debian5 instead.

On Thu, Apr 16, 2009 at 9:58 AM, Rafał Kupka <rkupka+Listy.Xen@xxxxxxxxxxxxx> wrote:

On Wed, Apr 15, 2009 at 10:16:22PM +0100, David wrote:
Hello,

> [root@monaghan ~]# ebtables -N new
> The kernel doesn't support a certain ebtables extension, consider
> recompiling your kernel or insmod the extension.
> [root@monaghan ~]# dmesg | tail
> kernel msg: ebtables bug: please report to author: entries_size too small

I remember similar log entry with 32-bit ebtables on 64-bit kernel
architecture. Check kernel version with "uname -m" and install 64bit
ebtables rpm if it's x86_64.

Regards,
Kupson
--
Great software without the knowledge to run it is pretty useless.
(Linux Gazette #1)

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

--
regards,

Anand Gupta

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

--
regards,

Anand Gupta

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

WARNING - OLD ARCHIVES

xen-users

Re: [Xen-users] Re: number of ips