Re: [Libvir] Patch for routed virtual networks

[Soren Hansen]

On Fri, Mar 28, 2008 at 08:40:19PM +, Daniel P. Berrange wrote:
 In theory I think it might be possible to avoid the need to configure
 the local LAN router, by messing with proxy_arp, but I've not got it
 to work so far. 

Unless I've misunderstood something, this won't work. If a machine on
the LAN tries to reach one of the virtual machines (which is on a
different subnet) it won't send out an ARP request for the IP in
question, but just stick the MAC address of the the gateway onto the
packet and let the gateway deal with it. AIUI proxy ARP is for when you
have a subnet that's physically separated in which case the bridge will
need to proxy the arp requests for hosts on the one side to hosts on the
other side (and vice versa, obviously).

-- 
Soren Hansen   | 
Virtualisation specialist  | Ubuntu Server Team
Canonical Ltd. | http://www.ubuntu.com/


signature.asc
Description: Digital signature
--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [Libvir] Patch for routed virtual networks

[Daniel P. Berrange]

On Tue, Mar 25, 2008 at 12:56:31PM +0100, Mads Chr. Olesen wrote:
 
 man, 24 03 2008 kl. 19:00 +, skrev Daniel P. Berrange:
  
  On Mon, Mar 24, 2008 at 10:52:41AM +0100, Mads Chr. Olesen wrote:
   Anything further I can do to help get this patch commited?
   
   I have been running with it, without problems across restarts, etc.,
  for
   a couple of weeks now.
  
  I still don't see where the routing rules are defined / take place
  with this setup. There must be rules somewhere specifying the routing
  for the subnet 78.47.YYY.YYY/30, but its not being done in your
  patchset AFAICT 
 
 Do you mean entries in the routing table, or?
 
 This is my routing table:
 
 $ route -n
 Kernel IP routing table
 Destination Gateway Genmask Flags Metric RefUse Iface
 78.47.YYY.YYY   0.0.0.0 255.255.255.248 U 0  00 
 virsubnetbr0
 85.10.XXX.0 0.0.0.0 255.255.255.224 U 0  00 eth0
 0.0.0.0 85.10.XXX.1 0.0.0.0 UG10000 eth0

Ok, so this takes care of letting the hsot correctly route guest traffic
off the box. The local LAN router still also needs to have routing table
setup to ensure other physical hosts can reach the guests. So, this patch
is sufficient in this regard  I've committed it to CVS.

In theory I think it might be possible to avoid the need to configure the
local LAN router, by messing with proxy_arp, but I've not got it to work
so far. 

Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [Libvir] Patch for routed virtual networks

[Mads Chr. Olesen]

man, 24 03 2008 kl. 19:00 +, skrev Daniel P. Berrange:
 
 On Mon, Mar 24, 2008 at 10:52:41AM +0100, Mads Chr. Olesen wrote:
  Anything further I can do to help get this patch commited?
  
  I have been running with it, without problems across restarts, etc.,
 for
  a couple of weeks now.
 
 I still don't see where the routing rules are defined / take place
 with this setup. There must be rules somewhere specifying the routing
 for the subnet 78.47.YYY.YYY/30, but its not being done in your
 patchset AFAICT 

Do you mean entries in the routing table, or?

This is my routing table:

$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric RefUse Iface
78.47.YYY.YYY   0.0.0.0 255.255.255.248 U 0  00 
virsubnetbr0
85.10.XXX.0 0.0.0.0 255.255.255.224 U 0  00 eth0
0.0.0.0 85.10.XXX.1 0.0.0.0 UG10000 eth0

The entry for virsubnetbr0 is setup automatically, by the definition in
the XML-file: 
ip address=78.47.YYY.YYY netmask=255.255.255.248 /

-- 
Mads Chr. Olesen [EMAIL PROTECTED]
shiyee.dk

--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [Libvir] Patch for routed virtual networks

[Mads Chr. Olesen]

Anything further I can do to help get this patch commited?

I have been running with it, without problems across restarts, etc., for
a couple of weeks now.

man, 10 03 2008 kl. 22:09 +0100, skrev Mads Chr. Olesen:
 søn, 09 03 2008 kl. 21:09 +, skrev Daniel P. Berrange:
  On Sat, Mar 08, 2008 at 04:33:32PM +0100, Mads Chr. Olesen wrote:
   I have added a route dev=ethX / stanza (dev is optional),
 completely
   equivalent to the forward / stanza.
  
  This is still forwarding of traffic, so I think we should just use
 the
  existing  forward/ element and have an extra attribute to
 indiciate
  the type of forwarding, eg
  
 forward/  (defaults to mode=nat for
 compat)
 forward mode=nat/
 forward mode=route/
 forward mode=nat dev=ethX/
 forward mode=route dev=ethX/
 
 Sure, makes sense - an updated patch is attached.
 
  I'm a little unclear on how this actually works. You add iptables
 rules to
  allow traffic in/out, but you're not adding any routing table
 entries, nor
  turning on proxy_arp, so I don't see how this will actually work in
 practice.
  
  Are you assuming the admin has already added suitable routing rules
  turned
  on proxy arp ?
 
 Well, in my case (dedicated server, hetzner.de) this is all that is
 needed. My physical interface has IP 85.10.XXX.XXX, and then I have a
 secondary IP range which gets routed at that interface, IP range
 78.47.YYY.YYY/30. I then setup my virtual interface with an IP in that
 range, by setting 
 ip address=78.47.YYY.YYY netmask=255.255.255.248 /
 
 Thus, to get packets routed at the virtual machines, it just needs to
 be
 allowed by iptables, and /proc/sys/net/ipv4/ip_forward needs to be set
 to 1.
 
 Other setups obviously might need more work.

-- 
Mads Chr. Olesen [EMAIL PROTECTED]
shiyee.dk

--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

Re: [Libvir] Patch for routed virtual networks

[Daniel P. Berrange]

On Sat, Mar 08, 2008 at 04:33:32PM +0100, Mads Chr. Olesen wrote:
 Greetings!
 
 The attached patch adds support for having routed virtual networks, in
 addition to the masquerading setup possible with the forward /
 stanza.
 
 I have added a route dev=ethX / stanza (dev is optional), completely
 equivalent to the forward / stanza.

This is still forwarding of traffic, so I think we should just use the
existing  forward/ element and have an extra attribute to indiciate
the type of forwarding, eg

   forward/  (defaults to mode=nat for compat)
   forward mode=nat/
   forward mode=route/
   forward mode=nat dev=ethX/
   forward mode=route dev=ethX/

 Summary of changes:
  * Added route / stanza to XML parsing/creation
  * Refactored qemudAddIptablesRules to allow for the routed network type
  * In iptables.c: 
 * Renamed iptables(.*)ForwardAllowIn to
 iptables(.*)ForwardAllowRelatedIn, to better reflect their function
 * Added iptables(.*)ForwardAllowIn functions, that do not require
 traffic to be related
 
 Comments are very much appreciated :-)

I'm a little unclear on how this actually works. You add iptables rules to
allow traffic in/out, but you're not adding any routing table entries, nor
turning on proxy_arp, so I don't see how this will actually work in practice.

Are you assuming the admin has already added suitable routing rules  turned
on proxy arp ?

Regards,
Dan.
-- 
|: Red Hat, Engineering, Boston   -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org  -o-  http://virt-manager.org  -o-  http://ovirt.org :|
|: http://autobuild.org   -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-  F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

--
Libvir-list mailing list
Libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list

[Libvir] Patch for routed virtual networks

[Mads Chr. Olesen]

Greetings!

The attached patch adds support for having routed virtual networks, in
addition to the masquerading setup possible with the forward /
stanza.

I have added a route dev=ethX / stanza (dev is optional), completely
equivalent to the forward / stanza.

Summary of changes:
 * Added route / stanza to XML parsing/creation
 * Refactored qemudAddIptablesRules to allow for the routed network type
 * In iptables.c: 
* Renamed iptables(.*)ForwardAllowIn to
iptables(.*)ForwardAllowRelatedIn, to better reflect their function
* Added iptables(.*)ForwardAllowIn functions, that do not require
traffic to be related

Comments are very much appreciated :-)

-- 
Mads Chr. Olesen [EMAIL PROTECTED]
shiyee.dk
? routed-virtual-net.cvs.patch
? src/.qemu_conf.c.swp
? src/.qemu_driver.c.swp
Index: docs/network.rng
===
RCS file: /data/cvs/libvirt/docs/network.rng,v
retrieving revision 1.1
diff -u -r1.1 network.rng
--- docs/network.rng	24 Jul 2007 09:19:40 -	1.1
+++ docs/network.rng	8 Mar 2008 15:24:56 -
@@ -58,4 +58,11 @@
   optionalattribute name=devtext//attribute/optional
 /element
   /optional
+  optional
+!-- The device through which the bridge is to be routed --
+element name=route
+  optionalattribute name=devtext//attribute/optional
+/element
+  /optional
+
 /element
Index: src/iptables.c
===
RCS file: /data/cvs/libvirt/src/iptables.c,v
retrieving revision 1.23
diff -u -r1.23 iptables.c
--- src/iptables.c	27 Feb 2008 10:37:19 -	1.23
+++ src/iptables.c	8 Mar 2008 15:25:00 -
@@ -793,7 +793,7 @@
  * and associated with an existing connection
  */
 static int
-iptablesForwardAllowIn(iptablesContext *ctx,
+iptablesForwardAllowRelatedIn(iptablesContext *ctx,
const char *network,
const char *iface,
const char *physdev,
@@ -822,6 +822,77 @@
 }
 
 /**
+ * iptablesAddForwardAllowRelatedIn:
+ * @ctx: pointer to the IP table context
+ * @network: the source network name
+ * @iface: the output interface name
+ * @physdev: the physical input device or NULL
+ *
+ * Add rules to the IP table context to allow the traffic for the
+ * network @network on @physdev device to be forwarded to
+ * interface @iface, if it is part of an existing connection.
+ *
+ * Returns 0 in case of success or an error code otherwise
+ */
+int
+iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
+  const char *network,
+  const char *iface,
+  const char *physdev)
+{
+return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD);
+}
+
+/**
+ * iptablesRemoveForwardAllowRelatedIn:
+ * @ctx: pointer to the IP table context
+ * @network: the source network name
+ * @iface: the output interface name
+ * @physdev: the physical input device or NULL
+ *
+ * Remove rules from the IP table context hence forbidding the traffic for
+ * network @network on @physdev device to be forwarded to
+ * interface @iface, if it is part of an existing connection.
+ *
+ * Returns 0 in case of success or an error code otherwise
+ */
+int
+iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
+ const char *network,
+ const char *iface,
+ const char *physdev)
+{
+return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE);
+}
+
+/* Allow all traffic destined to the bridge, with a valid network address
+ */
+static int
+iptablesForwardAllowIn(iptablesContext *ctx,
+   const char *network,
+   const char *iface,
+   const char *physdev,
+   int action)
+{
+if (physdev  physdev[0]) {
+return iptablesAddRemoveRule(ctx-forward_filter,
+ action,
+ --destination, network,
+ --in-interface, physdev,
+ --out-interface, iface,
+ --jump, ACCEPT,
+ NULL);
+} else {
+return iptablesAddRemoveRule(ctx-forward_filter,
+ action,
+ --destination, network,
+ --out-interface, iface,
+ --jump, ACCEPT,
+ NULL);
+}
+}
+
+/**
  * iptablesAddForwardAllowIn:
  * @ctx: pointer to the IP table context
  * @network: the source network name
Index: src/qemu_conf.c
===
RCS file: /data/cvs/libvirt/src/qemu_conf.c,v
retrieving revision 1.41
diff -u -r1.41 qemu_conf.c
--- src/qemu_conf.c	3 Mar 2008 18:11:16 -	1.41
+++ 

Re: [Libvir] Patch for routed virtual networks

[Mads Chr. Olesen]

lør, 08 03 2008 kl. 16:33 +0100, skrev Mads Chr. Olesen:
 The attached patch adds support for having routed virtual networks, in
 addition to the masquerading setup possible with the forward /
 stanza.

Just found a small error, now it actually compiles.

-- 
Mads Chr. Olesen [EMAIL PROTECTED]
shiyee.dk
? routed-virtual-net.cvs.patch
? src/.qemu_conf.c.swp
? src/.qemu_driver.c.swp
Index: docs/network.rng
===
RCS file: /data/cvs/libvirt/docs/network.rng,v
retrieving revision 1.1
diff -u -r1.1 network.rng
--- docs/network.rng	24 Jul 2007 09:19:40 -	1.1
+++ docs/network.rng	8 Mar 2008 18:59:13 -
@@ -58,4 +58,11 @@
   optionalattribute name=devtext//attribute/optional
 /element
   /optional
+  optional
+!-- The device through which the bridge is to be routed --
+element name=route
+  optionalattribute name=devtext//attribute/optional
+/element
+  /optional
+
 /element
Index: src/iptables.c
===
RCS file: /data/cvs/libvirt/src/iptables.c,v
retrieving revision 1.23
diff -u -r1.23 iptables.c
--- src/iptables.c	27 Feb 2008 10:37:19 -	1.23
+++ src/iptables.c	8 Mar 2008 18:59:43 -
@@ -793,7 +793,7 @@
  * and associated with an existing connection
  */
 static int
-iptablesForwardAllowIn(iptablesContext *ctx,
+iptablesForwardAllowRelatedIn(iptablesContext *ctx,
const char *network,
const char *iface,
const char *physdev,
@@ -822,6 +822,77 @@
 }
 
 /**
+ * iptablesAddForwardAllowRelatedIn:
+ * @ctx: pointer to the IP table context
+ * @network: the source network name
+ * @iface: the output interface name
+ * @physdev: the physical input device or NULL
+ *
+ * Add rules to the IP table context to allow the traffic for the
+ * network @network on @physdev device to be forwarded to
+ * interface @iface, if it is part of an existing connection.
+ *
+ * Returns 0 in case of success or an error code otherwise
+ */
+int
+iptablesAddForwardAllowRelatedIn(iptablesContext *ctx,
+  const char *network,
+  const char *iface,
+  const char *physdev)
+{
+return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, ADD);
+}
+
+/**
+ * iptablesRemoveForwardAllowRelatedIn:
+ * @ctx: pointer to the IP table context
+ * @network: the source network name
+ * @iface: the output interface name
+ * @physdev: the physical input device or NULL
+ *
+ * Remove rules from the IP table context hence forbidding the traffic for
+ * network @network on @physdev device to be forwarded to
+ * interface @iface, if it is part of an existing connection.
+ *
+ * Returns 0 in case of success or an error code otherwise
+ */
+int
+iptablesRemoveForwardAllowRelatedIn(iptablesContext *ctx,
+ const char *network,
+ const char *iface,
+ const char *physdev)
+{
+return iptablesForwardAllowRelatedIn(ctx, network, iface, physdev, REMOVE);
+}
+
+/* Allow all traffic destined to the bridge, with a valid network address
+ */
+static int
+iptablesForwardAllowIn(iptablesContext *ctx,
+   const char *network,
+   const char *iface,
+   const char *physdev,
+   int action)
+{
+if (physdev  physdev[0]) {
+return iptablesAddRemoveRule(ctx-forward_filter,
+ action,
+ --destination, network,
+ --in-interface, physdev,
+ --out-interface, iface,
+ --jump, ACCEPT,
+ NULL);
+} else {
+return iptablesAddRemoveRule(ctx-forward_filter,
+ action,
+ --destination, network,
+ --out-interface, iface,
+ --jump, ACCEPT,
+ NULL);
+}
+}
+
+/**
  * iptablesAddForwardAllowIn:
  * @ctx: pointer to the IP table context
  * @network: the source network name
Index: src/qemu_conf.c
===
RCS file: /data/cvs/libvirt/src/qemu_conf.c,v
retrieving revision 1.41
diff -u -r1.41 qemu_conf.c
--- src/qemu_conf.c	3 Mar 2008 18:11:16 -	1.41
+++ src/qemu_conf.c	8 Mar 2008 18:59:51 -
@@ -2472,6 +2472,41 @@
 }
 xmlXPathFreeObject(obj);
 
+/* IPv4 routing setup */
+obj = xmlXPathEval(BAD_CAST count(/network/route)  0, ctxt);
+if ((obj != NULL)  (obj-type == XPATH_BOOLEAN) 
+obj-boolval) {
+if (!def-ipAddress[0] ||
+!def-netmask[0] ||
+def-forward) {
+qemudReportError(conn,