[Vserver] Confused by routing

2005-05-21 Thread Gilles
Hello.


Here is the setup:

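+------------------------+                    +------------------+
|                        |                    |                  |
|  Host1                 |                    |  Host2 (FW)      |
|  192.168.107.10        |                    |  192.168.107.20  |
|  192.167.83.1          |  eth0.2            |  192.168.83.2    |
|  192.168.79.1          |  192.168.83.0      |  192.168.79.2    |
|                        |--------------------|                  |      +-------+
|  +------------------+  |                    |                  | eth1 |       |
|  |                  |  |  eth0.3            |                  |------| Modem |---> Internet
|  | Vs1              |  |  192.168.79.0      |                  |      |       |
|  | 192.168.83.1     |  |--------------------|                  |      +-------+
|  |                  |  |                    |                  |
|  +------------------+  |  eth0.4            |                  |
|  +------------------+  |  192.168.107.0     |                  |
|  |                  |  |--------------------|                  |
|  | Vs2              |  |                    |                  |
|  | 192.168.79.1     |  |                    +------------------+
|  |                  |  |
|  +------------------+  |
|                        |
+------------------------+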


"eth0.2", "eth0.3", "eth0.4" are 3 VLANs (802.1q) on real ethernet 
interface "eth0".

VLAN works as expected: e.g.
  I can log in from Host1 to Host2 (192.168.107.20)
  I can log in from Host1 to Host2 (192.168.83.2)
  I can reach the Internet from Host1

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.4
0.0.0.0         192.168.107.20  0.0.0.0         UG    0      0        0 eth0.4


Then I start Vs1.

First, there is the following error:
ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument

Why (see also the new content of the routing table, below)?

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.4
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
0.0.0.0         192.168.107.20  0.0.0.0         UG    0      0        0 eth0.4


I can log into Vs1 from Host1.
But from inside Vs1 I cannot reach neither Host2 nor the Internet.
I assume it is a matter of adding the right routing information... but I don't
know what it is  :-/

[Then, ideally, all VLANs should be routed through the firewall, i.e.
communication between Vs1 and Vs2 should be subject to the firewalling rules
set up on Host2.  Is this possible?]

Can someone help me?

Thanks and best regards.
Gilles
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver


Re: [Vserver] Confused by routing

2005-05-21 Thread Gilles

Further information.

> 
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
> 192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
> 192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.4
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
> 0.0.0.0         192.168.107.20  0.0.0.0         UG    0      0        0 eth0.4
> 
> 
> I can log into Vs1 from Host1.
> But from inside Vs1 I cannot reach neither Host2 nor the Internet.
> I assume it is a matter of adding the right routing information... but I don't
> know what it is  :-/
>

I added "network" and "gateway" lines in the "/etc/network/interfaces" file 
(Debian) for each of the VLAN interfaces.  And now I can, from Vs1, log into 
Host2, e.g. using 

  # ssh 192.168.83.2

I still can't connect to the outside, and also not to another address of Host2
e.g. with

  # ssh 192.168.107.20


This is the routing table on Host1:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.4
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
0.0.0.0         192.168.107.20  0.0.0.0         UG    0      0        0 eth0.4
0.0.0.0         192.168.79.2    0.0.0.0         UG    0      0        0 eth0.3
0.0.0.0         192.168.83.2    0.0.0.0         UG    0      0        0 eth0.2


And this is inside Vs1:

# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 *
192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 *
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *
0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *
0.0.0.0         192.168.83.2    0.0.0.0         UG    0      0        0 eth0.2
 

What do those "*" mean, in the "Iface" column?
Is it OK to have several "default" routes.  Those are automatically created from
the "gateway" lines in file "/etc/network/interfaces")?



Gilles


Re: [Vserver] Confused by routing

2005-05-21 Thread Herbert Poetzl
On Sun, May 22, 2005 at 12:04:37AM +0200, Gilles wrote:
> 
> Further information.
> 
> > 
> > # route -n
> > Kernel IP routing table
> > Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> > 192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
> > 192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
> > 192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.4
> > 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
> > 0.0.0.0         192.168.107.20  0.0.0.0         UG    0      0        0 eth0.4
> > 
> > 
> > I can log into Vs1 from Host1.
> > But from inside Vs1 I cannot reach neither Host2 nor the Internet.
> > I assume it is a matter of adding the right routing information... but I 
> > don't
> > know what it is  :-/
> >
> 
> I added "network" and "gateway" lines in the "/etc/network/interfaces" file 
> (Debian) for each of the VLAN interfaces.  And now I can, from Vs1, log into 
> Host2, e.g. using 
> 
>   # ssh 192.168.83.2
> 
> I still can't connect to the outside, and also not to another address of Host2
> e.g. with
> 
>   # ssh 192.168.107.20
> 
> 
> This is the routing table on Host1:
> 
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
> 192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
> 192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 eth0.4
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
> 0.0.0.0         192.168.107.20  0.0.0.0         UG    0      0        0 eth0.4
> 0.0.0.0         192.168.79.2    0.0.0.0         UG    0      0        0 eth0.3
> 0.0.0.0         192.168.83.2    0.0.0.0         UG    0      0        0 eth0.2
> 
> 
> And this is inside Vs1:
> 
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
> 192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 *
> 192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 *
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
> 0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *
> 0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *
> 0.0.0.0         192.168.83.2    0.0.0.0         UG    0      0        0 eth0.2
>  
> 
> What do those "*" mean, in the "Iface" column?

it means that the interface used for that route isn't available
inside the vservers (i.e. no information could be retrieved)

> Is it OK to have several "default" routes.  

yes, it _is_ okay, as long as they are bound to a source address,
otherwise they do not make too much sense ...

see http://archives.linux-vserver.org/200311/0470.html
(solution a) was implemented and b) is still? planned but might
be superseded by ngnet ...)

> Those are automatically created from
> the "gateway" lines in file "/etc/network/interfaces")?

which are simply false, you should, btw, let the tools create
those interfaces and focus on setting up the routing ...

might be interesting to add an /etc/vservers/*/interfaces/*/gateway
to the config and set up table based routing if compiled into
the kernel, etc ... (any volunteers?)

HTH,
Herbert

> Gilles


Re: [Vserver] Confused by routing

2005-05-22 Thread Gilles
Hi.

> 
> > Is it OK to have several "default" routes.  
> 
> yes, it _is_ okay, as long as they are bound to a source address,
> otherwise they do not make too much sense ...
>

1. How do the "users" of the gateway know their source address?
2. Does the output of "route" show an indication of what is the source?
3. How to set the source for a default route?

> see http://archives.linux-vserver.org/200311/0470.html
> (solution a) was implemented and b) is still? planned but might
> be superseded by ngnet ...)
>

First I removed the "network" and "gateway" entries in the "interfaces" file.
Then I put a "routing.sh" script in "/etc/vservers/phony/scripts/pre-start.d"
containing the following lines:

ip route add 192.168.83.0/24 dev eth0.2
ip route add default via 192.168.83.2 dev eth0.2
ip rule add from 192.168.83.0/24

Then:

# vserver phony start
ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
RTNETLINK answers: File exists
RTNETLINK answers: File exists
RTNETLINK answers: Invalid argument


Failed to start vserver 'phony'

:-{

> > Those are automatically created from
> > the "gateway" lines in file "/etc/network/interfaces")?
> 
> which are simply false, you should, btw, let the tools create
> those interfaces and focus on setting up the routing ...
>

Could you expand somewhat on that?

4. Why false?
5. What tools are you talking about?
6. The interfaces must be set up on the host, no?
7. Also some routing must be set up on the host as I want Host1 to be
   able to reach Vs1 and Vs2 (which are Host1's guests) but routed
   through the firewall at Host2.  But maybe this isn't possible (one 
   of my questions in the original post)?

> might be interesting to add an /etc/vservers/*/interfaces/*/gateway
> to the config and set up table based routing if compiled into
> the kernel, etc ... (any volunteers?)
> 

So, currently, should this functionality be handled at the "scripts"
directory level (as I tried above)?


Thanks,
Gilles


Re: [Vserver] Confused by routing

2005-05-24 Thread Dennis Roos
On Sun, 2005-05-22 at 11:25 +0200, Gilles wrote:
> Hi.
> 
> > 
> > > Is it OK to have several "default" routes.  
> > 
> > yes, it _is_ okay, as long as they are bound to a source address,
> > otherwise they do not make too much sense ...
> >
> 
> 1. How do the "users" of the gateway know their source address?
AFAIK it is the first interface that was created when starting the
vserver.

> 2. Does the output of "route" show an indication of what is the source?
Not necessarily ;)

> 3. How to set the source for a default route?
Using iproute2 you can use:
 ip rule add from ${MYNET}/${SVRPFX} table ${VLAN}

> > see http://archives.linux-vserver.org/200311/0470.html
> > (solution a) was implemented and b) is still? planned but might
> > be superseded by ngnet ...)
> >
> 
> First I removed the "network" and "gateway" entries in the "interfaces" file.
> Then I put a "routing.sh" script in "/etc/vservers/phony/scripts/pre-start.d"
> containing the following lines:
> 
> ip route add 192.168.83.0/24 dev eth0.2
> ip route add default via 192.168.83.2 dev eth0.2
> ip rule add from 192.168.83.0/24
First of all, I have had issues when doing routing changes in the pre-start phase,
so I made a habit of doing those changes in the post start phase and that solved
a lot of my problems.

> Then:
> 
> # vserver phony start
> ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> RTNETLINK answers: File exists
> RTNETLINK answers: File exists
> RTNETLINK answers: Invalid argument
>
> Failed to start vserver 'phony'
What version of util-vserver are you using ? I've had vlan issues with
0.30.195


> > might be interesting to add an /etc/vservers/*/interfaces/*/gateway
> > to the config and set up table based routing if compiled into
> > the kernel, etc ... (any volunteers?)
I sent a script not too long ago to the list that I am currently using.

It is a workaround for the limitations I found. However the script is
pretty much focused on my own environment, but shouldn't be too hard to
adapt to make generic.




Re: [Vserver] Confused by routing

2005-05-24 Thread Gilles
Hello.

> > 
> > 1. How do the "users" of the gateway know their source address?
> AFAIK it is the first interface that was created when starting the
> vserver.
>

Euh, I meant, how to set up things so that the programs (== "users")
which try to establish connections will work?
 
> > 2. Does the output of "route" show an indication of what is the source?
> Not necessarily ;)
>

So how can I "see" what address is the "source" (so that I know whether
that's the problem).

> > 3. How to set the source for a default route?
> Using iproute2 you can use:
>  ip rule add from ${MYNET}/${SVRPFX} table ${VLAN}
>

From the "ip" docs, one of the errors (see below: "RTNETLINK answers: Invalid
argument") comes from using the "rule" command, and seems related to a missing
kernel feature (CONFIG_IP_MULTIPLE_TABLES).  But I can't find it in ".config";
has it changed name, or is it covered by another config option?

> > 
> > First I removed the "network" and "gateway" entries in the "interfaces" 
> > file.
> > Then I put a "routing.sh" script in 
> > "/etc/vservers/phony/scripts/pre-start.d"
> > containing the following lines:
> > 
> > ip route add 192.168.83.0/24 dev eth0.2
> > ip route add default via 192.168.83.2 dev eth0.2
> > ip rule add from 192.168.83.0/24
> First of all, I have had issues when doing routing changes in the pre-start phase,
> so I made a habit of doing those changes in the post start phase and that solved
> a lot of my problems.
> 

So, I "mv pre-start.d post-start.d" and removed (for now) the third line in
"routing.sh" to avoid the failing "rule".  Then the vserver starts but the 
same networking errors remain:

-
ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
RTNETLINK answers: File exists

An error occured after executing the vserver startup sequence. This
means that some processes may exist in the created context and the
manual execution of

  /usr/sbin/vserver '/etc/vservers/phony' stop

is recommended to fix this.
-

Inside the vserver:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 *
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 *
192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 *
0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *

So now, I can't even connect to/from Host1.


> > # vserver phony start
> > ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> > RTNETLINK answers: File exists
> > RTNETLINK answers: File exists
> > RTNETLINK answers: Invalid argument
> >
> > Failed to start vserver 'phony'
> What version of util-vserver are you using ? I've had vlan issues with
> 0.30.195
>

0.30.207-5

> 
> > > might be interesting to add an /etc/vservers/*/interfaces/*/gateway
> > > to the config and set up table based routing if compiled into
> > > the kernel, etc ... (any volunteers?)
> I sent a script not too long ago to the list that I am currently using.
>

I think I found it in the archive (with subject "Little Script !").


Thanks.
Gilles


Re: [Vserver] Confused by routing

2005-05-24 Thread Dennis Roos
On Tue, 2005-05-24 at 12:12 +0200, Gilles wrote:
> Hello.
> 
> > > 
> > > 1. How do the "users" of the gateway know their source address?
> > AFAIK it is the first interface that was created when starting the
> > vserver.
> >
> 
> Euh, I meant, how to set up things so that the programs (== "users")
> which try to establish connections will work?
Well... As I said, it's an assumption based on experiences thus far, the
first interface created when starting the vserver is the source
interface for the vserver's users.
 
>  
> > > 2. Does the output of "route" show an indication of what is the source?
> > Not necessarily ;)
> So how can I "see" what address is the "source" (so that I know whether
> that's the problem).
As above, the first interface that is created when starting the vserver. You
can check this from the source host using a sniffer or another tool to
watch network traffic.

> > > 3. How to set the source for a default route?
> > Using iproute2 you can use:
> >  ip rule add from ${MYNET}/${SVRPFX} table ${VLAN}
> >
> 
> From the "ip" docs, one of the errors (see below: "RTNETLINK answers: Invalid
> argument") comes from using the "rule" command, and seems related to a missing
> kernel feature (CONFIG_IP_MULTIPLE_TABLES).  But I can't find it in ".config";
> has it changed name, or is it covered by another config option?
From 2.6.11*:
CONFIG_IP_MULTIPLE_TABLES=y

Symbol: IP_MULTIPLE_TABLES [=y]
  │ Prompt: IP: policy routing
  │   Defined at net/ipv4/Kconfig:56
  │   Depends on: NET && IP_ADVANCED_ROUTER
  │   Location:
  │ -> Device Drivers
  │   -> Networking support
  │ -> Networking support (NET [=y])
  │   -> Networking options
  │ -> TCP/IP networking (INET [=y])
  │   -> IP: advanced router (IP_ADVANCED_ROUTER [=y])

> > > 
> > > First I removed the "network" and "gateway" entries in the "interfaces" 
> > > file.
> > > Then I put a "routing.sh" script in 
> > > "/etc/vservers/phony/scripts/pre-start.d"
> > > containing the following lines:
> > > 
> > > ip route add 192.168.83.0/24 dev eth0.2
> > > ip route add default via 192.168.83.2 dev eth0.2
> > > ip rule add from 192.168.83.0/24
> > First of all, I have had issues when doing routing changes in the pre-start phase,
> > so I made a habit of doing those changes in the post start phase and that solved
> > a lot of my problems.
> > 
> 
> So, I "mv pre-start.d post-start.d" and removed (for now) the third line in
> "routing.sh" to avoid the failing "rule".  Then the vserver starts but the 
> same networking errors remain:
> 
> -
> ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> RTNETLINK answers: File exists
Okay, so the route already exists (verify with netstat -rn, before and
after starting the vserver)

> An error occured after executing the vserver startup sequence. This
> means that some processes may exist in the created context and the
> manual execution of
An easy workaround is:
route add ... 2>/dev/null
ERROR=$?
# $? is never empty, so test for a non-zero exit status
if [ "$ERROR" -ne 0 ]; then
  echo "Route modification returned $ERROR, check man route for details"
fi

Now the vserver will continue to start normally and finish without
errors, it will display the echo line if something did go wrong when
modifying the route.

>   /usr/sbin/vserver '/etc/vservers/phony' stop
> 
> is recommended to fix this.
> -
> 
> Inside the vserver:
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 *
> 192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 *
> 192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 *
> 0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *
> 
> So now, I can't even connect to/from Host1.
Unfortunately, when an error occurs during the start sequence of the vserver,
the interface will _NOT_ be created, even worse - it is created at first - an
existing interface will be removed (the alias and its IP configuration is
removed upon failure of the script).

> 
> > > # vserver phony start
> > > ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> > > RTNETLINK answers: File exists
> > > RTNETLINK answers: File exists
> > > RTNETLINK answers: Invalid argument
> > >
> > > Failed to start vserver 'phony'
> > What version of util-vserver are you using ? I've had vlan issues with
> > 0.30.195
> >
> 
> 0.30.207-5
> 
> > 
> > > > might be interesting to add an /etc/vservers/*/interfaces/*/gateway
> > > > to the config and set up table based routing if compiled into
> > > > the kernel, etc ... (any volunteers?)
> > I sent a script not too long ago to the list that I am currently using.
> >
> 
> I think I found it in the archive (with subject "Little Script !").
That is the old one... I modified it for the new configuration and thought
I sent it to the list, but have not yet done s

Re: [Vserver] Confused by routing

2005-05-24 Thread Herbert Poetzl
On Tue, May 24, 2005 at 01:58:18PM +0200, Dennis Roos wrote:
> On Tue, 2005-05-24 at 12:12 +0200, Gilles wrote:
> > Hello.
> > 
> > > > 
> > > > 1. How do the "users" of the gateway know their source address?
> > > AFAIK it is the first interface that was created when starting the
> > > vserver.
> > >
> > 
> > Euh, I meant, how to set up things so that the programs (== "users")
> > which try to establish connections will work?
> Well... As I said, it's an assumption based on experiences thus far, the
> first interface created when starting the vserver is the source
> interface for the vserver's users.

yes and no, to be precise, it's the first _IP_ specified
to chbind which is used as the source address ...

[rest zapped]

best,
Herbert



Re: [Vserver] Confused by routing

2005-05-24 Thread Gilles

> 
> > > > 3. How to set the source for a default route?
> > > Using iproute2 you can use:
> > >  ip rule add from ${MYNET}/${SVRPFX} table ${VLAN}
> > >

Yes, as is explained in
  http://archives.linux-vserver.org/200311/0470.html

[I'll still have to read the docs in order to understand the "rule"s.]

> > 
> > From the "ip" docs, one of the errors (see below: "RTNETLINK answers: Invalid
> > argument") comes from using the "rule" command, and seems related to a missing
> > kernel feature (CONFIG_IP_MULTIPLE_TABLES).  But I can't find it in ".config";
> > has it changed name, or is it covered by another config option?
> From 2.6.11*:
> CONFIG_IP_MULTIPLE_TABLES=y
> 
> Symbol: IP_MULTIPLE_TABLES [=y]
>   │ Prompt: IP: policy routing
>   │   Defined at net/ipv4/Kconfig:56
>   │   Depends on: NET && IP_ADVANCED_ROUTER
>   │   Location:
>   │ -> Device Drivers
>   │   -> Networking support
>   │ -> Networking support (NET [=y])
>   │   -> Networking options
>   │ -> TCP/IP networking (INET [=y])
>   │   -> IP: advanced router (IP_ADVANCED_ROUTER [=y])
> 

I was missing that one, as Herbert had just told me.

> > > > 
> > > > First I removed the "network" and "gateway" entries in the "interfaces" 
> > > > file.
> > > > Then I put a "routing.sh" script in 
> > > > "/etc/vservers/phony/scripts/pre-start.d"
> > > > containing the following lines:
> > > > 
> > > > ip route add 192.168.83.0/24 dev eth0.2
> > > > ip route add default via 192.168.83.2 dev eth0.2
> > > > ip rule add from 192.168.83.0/24
> > > First of all, I have had issues when doing routing changes in the pre-start phase,
> > > so I made a habit of doing those changes in the post start phase and that solved
> > > a lot of my problems.
> > > 
 
It seems more coherent to set it in "pre-start" (if possible): probably better
not to have a running vserver without a sensible routing (?).

Now, with a new kernel (advanced router with multiple tables...):

Inside Vs1:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 *
192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 *
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 *
0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *

Inside Vs2:
# route -n
Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 *
192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 *
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 *
127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.3
0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *

And both have access to the Internet.

[Excerpt of] "/etc/network/interfaces" on Host1:
-
# VLAN (Private)
auto eth0.2
iface eth0.2 inet static
address 192.168.83.1
netmask 255.255.255.0
mtu 1496

# VLAN (DMZ)
auto eth0.3
iface eth0.3 inet static
address 192.168.79.1
netmask 255.255.255.0
mtu 1496
-

And similarly on Host2 (except for the addresses, to be replaced by
"192.168.83.2" and "192.168.79.2", respectively).
[The mtu setting seems important (as noted on the VLAN docs) here: All other
things equal, I had some strange "Temporary name resolution failure" and other
ssh hangs, which disappeared after lowering the mtu.]


The routing is set up in "/etc/vserver//scripts/pre-start.d/".
For "eth0.2", I have a file called "priv_routing.sh" with:
-
ip route add 192.168.83.0/24 dev eth0.2 table 102
ip route add default via 192.168.83.2 dev eth0.2 table 102
ip rule add from 192.168.83.0/24 table 102
-

And for "eth0.3", a file called "dmz_routing":
-
ip route add 192.168.79.0/24 dev eth0.3 table 103
ip route add default via 192.168.79.2 dev eth0.3 table 103
ip rule add from 192.168.79.0/24 table 103
-


Yet... this error remains, at vserver startup:
ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument

What about it?


Best regards,
Gilles
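
Added example (not part of the thread and not util-vserver code): a re-runnable form of the per-VLAN routing scripts above, plus a check that a guest's source address really leaves through the firewall. It uses "ip route replace" in place of "ip route add" so a restart does not hit "RTNETLINK answers: File exists"; the function names, the IP override variable and the destination 198.51.100.7 are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. Per-VLAN source-based routing that can be
# re-run safely, and a check of the egress chosen for a guest address.
# IP names the command to run; the default is the real iproute2 "ip".
IP=${IP:-ip}

# rule_exists SUBNET TABLE
# True when "from SUBNET lookup TABLE" is already listed by "ip rule show".
# Fields are compared exactly, so table 102 is not confused with table 10.
rule_exists() {
    $IP rule show | awk -v net="$1" -v tbl="$2" '
        { for (i = 1; i + 3 <= NF; i++)
              if ($i == "from" && $(i+1) == net &&
                  $(i+2) == "lookup" && $(i+3) == tbl) found = 1 }
        END { exit !found }'
}

# setup_vlan_routing SUBNET GATEWAY DEV TABLE
# "route replace" overwrites an existing entry instead of failing, and the
# rule is added only when missing, so running this twice changes nothing.
setup_vlan_routing() {
    $IP route replace "$1" dev "$3" table "$4" || return 1
    $IP route replace default via "$2" dev "$3" table "$4" || return 1
    rule_exists "$1" "$4" || $IP rule add from "$1" table "$4" || return 1
}

# egress_of SRC DST
# Prints "GATEWAY DEV" as chosen by the kernel for a packet from SRC to DST
# ("-" when the route has no gateway). SRC must be an address configured on
# this host, e.g. a running guest's address.
egress_of() {
    $IP route get "$2" from "$1" | awk '
        { for (i = 1; i < NF; i++) {
              if ($i == "via") gw = $(i+1)
              if ($i == "dev") dev = $(i+1) } }
        END { if (dev == "") exit 1
              if (gw == "") gw = "-"
              print gw, dev }'
}

# check_egress SRC DST EXPECTED_GATEWAY EXPECTED_DEV
check_egress() {
    [ "$(egress_of "$1" "$2")" = "$3 $4" ]
}

# Subnets, gateways, devices, tables and the guest address are the ones quoted
# in the thread; 198.51.100.7 is a constructed outside destination.
case "${1:-}" in
    --apply)
        setup_vlan_routing 192.168.83.0/24 192.168.83.2 eth0.2 102 &&
        setup_vlan_routing 192.168.79.0/24 192.168.79.2 eth0.3 103 ;;
    --check)
        if check_egress 192.168.83.100 198.51.100.7 192.168.83.2 eth0.2; then
            echo "192.168.83.100 leaves via 192.168.83.2 on eth0.2"
        else
            echo "192.168.83.100 does NOT leave via the firewall on eth0.2" >&2
            exit 1
        fi ;;
esac
```

Run with --apply as root to install both tables, and with --check once the guest is started, since the guest address has to exist on the host for "ip route get ... from" to answer.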


Re: [Vserver] Confused by routing

2005-05-25 Thread Herbert Poetzl
On Wed, May 25, 2005 at 01:32:12AM +0200, Gilles wrote:
> 
> > 
> > > > > 3. How to set the source for a default route?
> > > > Using iproute2 you can use:
> > > >  ip rule add from ${MYNET}/${SVRPFX} table ${VLAN}
> > > >
> 
> Yes, as is explained in
>   http://archives.linux-vserver.org/200311/0470.html
> 
> [I'll still have to read the docs in order to understand the "rule"s.]
> 
> > > 
> > > From the "ip" docs, one of the errors (see below: "RTNETLINK answers: Invalid
> > > argument") comes from using the "rule" command, and seems related to a missing
> > > kernel feature (CONFIG_IP_MULTIPLE_TABLES).  But I can't find it in ".config";
> > > has it changed name, or is it covered by another config option?
> > From 2.6.11*:
> > CONFIG_IP_MULTIPLE_TABLES=y
> > 
> > Symbol: IP_MULTIPLE_TABLES [=y]
> >   │ Prompt: IP: policy routing
> >   │   Defined at net/ipv4/Kconfig:56
> >   │   Depends on: NET && IP_ADVANCED_ROUTER
> >   │   Location:
> >   │ -> Device Drivers
> >   │   -> Networking support
> >   │ -> Networking support (NET [=y])
> >   │   -> Networking options
> >   │ -> TCP/IP networking (INET [=y])
> >   │   -> IP: advanced router (IP_ADVANCED_ROUTER [=y])
> > 
> 
> I was missing that one, as Herbert had just told me.
> 
> > > > > 
> > > > > First I removed the "network" and "gateway" entries in the 
> > > > > "interfaces" file.
> > > > > Then I put a "routing.sh" script in 
> > > > > "/etc/vservers/phony/scripts/pre-start.d"
> > > > > containing the following lines:
> > > > > 
> > > > > ip route add 192.168.83.0/24 dev eth0.2
> > > > > ip route add default via 192.168.83.2 dev eth0.2
> > > > > ip rule add from 192.168.83.0/24
> > > > First of all, I have had issues when doing routing changes in the pre-start phase,
> > > > so I made a habit of doing those changes in the post start phase and that solved
> > > > a lot of my problems.
> > > > 
>  
> It seems more coherent to set it in "pre-start" (if possible): probably better
> not to have a running vserver without a sensible routing (?).
> 
> Now, with a new kernel (advanced router with multiple tables...):
> 
> Inside Vs1:
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.2
> 192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 *
> 192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 *
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.2
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 *
> 0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *
> 
> Inside Vs2:
> # route -n
> Kernel IP routing table
> Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
> 192.168.83.0    0.0.0.0         255.255.255.0   U     0      0        0 *
> 192.168.79.0    0.0.0.0         255.255.255.0   U     0      0        0 eth0.3
> 192.168.107.0   0.0.0.0         255.255.255.0   U     0      0        0 *
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 *
> 127.0.0.0       0.0.0.0         255.0.0.0       U     0      0        0 eth0.3
> 0.0.0.0         0.0.0.0         0.0.0.0         UG    0      0        0 *
> 
> And both have access to the Internet.
> 
> [Excerpt of] "/etc/network/interfaces" on Host1:
> -
> # VLAN (Private)
> auto eth0.2
> iface eth0.2 inet static
> address 192.168.83.1
> netmask 255.255.255.0
> mtu 1496
> 
> # VLAN (DMZ)
> auto eth0.3
> iface eth0.3 inet static
> address 192.168.79.1
> netmask 255.255.255.0
> mtu 1496
> -
> 
> And similarly on Host2 (except for the addresses, to be replaced by
> "192.168.83.2" and "192.168.79.2", respectively).
> [The mtu setting seems important (as noted on the VLAN docs) here: All other
> things equal, I had some strange "Temporary name resolution failure" and other
> ssh hangs, which disappeared after lowering the mtu.]
> 
> 
> The routing is set up in "/etc/vserver//scripts/pre-start.d/".
> For "eth0.2", I have a file called "priv_routing.sh" with:
> -
> ip route add 192.168.83.0/24 dev eth0.2 table 102
> ip route add default via 192.168.83.2 dev eth0.2 table 102
> ip rule add from 192.168.83.0/24 table 102
> -
> 
> And for "eth0.3", a file called "dmz_routing":
> -
> ip route add 192.168.79.0/24 dev eth0.3 table 103
> ip route add default via 192.168.79.2 dev eth0.3 table 103
> ip rule add from 192.168.79.0/24 table 103
> -
> 
> 
> Yet... this error remains, at vserver startup:
> ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> 
> What about it?

well, we don't know your vserver config yet, but I'd
guess it's just a little wrong (i.e. it states to 'create'
the alias/ip for that interfac

Re: [Vserver] Confused by routing

2005-05-25 Thread Gilles
Hi.

> > 
> > Yet... this error remains, at vserver startup:
> > ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> > 
> > What about it?
> 
> well, we don't know your vserver config yet, but I'd
> guess it's just a little wrong (i.e. it states to 'create'
> the alias/ip for that interface which already exists)
> 
> but without config, that's hard to tell ...
>

# cd /etc/vservers/phony/interfaces/
# cat dev
eth0.2

# cat 0/ip
192.168.83.100

# cat 0/prefix
24



Gilles


Re: [Vserver] Confused by routing

2005-05-25 Thread Herbert Poetzl
On Wed, May 25, 2005 at 10:46:42AM +0200, Gilles wrote:
> Hi.
> 
> > > 
> > > Yet... this error remains, at vserver startup:
> > > ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> > > 
> > > What about it?
> > 
> > well, we don't know your vserver config yet, but I'd
> > guess it's just a little wrong (i.e. it states to 'create'
> > the alias/ip for that interface which already exists)
> > 
> > but without config, that's hard to tell ...
> >
> 
> # cd /etc/vservers/phony/interfaces/
> # cat dev
> eth0.2

remove that one and touch nodev if you have
the interface already set up (which I assume,
as you do the routing stuff, no?)

> # cat 0/ip
> 192.168.83.100
> 
> # cat 0/prefix
> 24
> 
> 
> 
> Gilles


Re: [Vserver] Confused by routing

2005-05-25 Thread Gilles

> > 
> > # cd /etc/vservers/phony/interfaces/
> > # cat dev
> > eth0.2
> 
> remove that one and touch nodev if you have
> the interface already set up (which I assume,
> as you do the routing stuff, no?)
>

# ls -l
total 0
drwxr-xr-x  2 root root 96 May  7 18:37 0
-rw-r--r--  1 root root  0 May 25 11:46 nodev
 
# vserver phony start
No device specified for '/etc/vservers/phony/interfaces/0'


Failed to start vserver 'phony'


:-?


Re: [Vserver] Confused by routing

2005-05-25 Thread Herbert Poetzl
On Wed, May 25, 2005 at 11:50:13AM +0200, Gilles wrote:
> 
> > > 
> > > # cd /etc/vservers/phony/interfaces/
> > > # cat dev
> > > eth0.2
> > 
> > remove that one and touch nodev if you have
> > the interface already set up (which I assume,
> > as you do the routing stuff, no?)
> >
> 
> # ls -l
> total 0
> drwxr-xr-x  2 root root 96 May  7 18:37 0
> -rw-r--r--  1 root root  0 May 25 11:46 nodev
>  
> # vserver phony start
> No device specified for '/etc/vservers/phony/interfaces/0'

/etc/vservers/phony/interfaces/0/{nodev,ip,...}

see flower page for details ...

best,
Herbert

> Failed to start vserver 'phony'
> 
> 
> :-?


Re: [Vserver] Confused by routing

2005-05-25 Thread Gilles

(1)
> 
> /etc/vservers/phony/interfaces/0/{nodev,ip,...}
>

Yes, sorry!

But when I do that:

# ls -l /etc/vservers/phony/interfaces/0/
total 8
-rw-r--r--  1 root root 15 May  7 18:37 ip
-rw-r--r--  1 root root  0 May 25 11:46 nodev
-rw-r--r--  1 root root  3 May  7 18:37 prefix

I can't connect to the vserver anymore:

# ssh [EMAIL PROTECTED]
ssh: connect to host phony port 22: No route to host


I tried to put a dev file in the 0th interface directory:

# ls -l /etc/vservers/phony/interfaces/0/
total 12
-rw-r--r--  1 root root  7 May 25 13:54 dev
-rw-r--r--  1 root root 15 May  7 18:37 ip
-rw-r--r--  1 root root  3 May  7 18:37 prefix

Then I can connect, but the error is back also:
ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument


(2)
I noticed another problem:

When I start a second vserver on the same subnet (192.168.83.0/24),
I get a supplementary error message:
ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
RTNETLINK answers: File exists



Best regards,
Gilles


Re: [Vserver] Confused by routing

2005-05-25 Thread Herbert Poetzl
On Wed, May 25, 2005 at 02:09:36PM +0200, Gilles wrote:
> 
> (1)
> > 
> > /etc/vservers/phony/interfaces/0/{nodev,ip,...}
> >
> 
> Yes, sorry!
> 
> But when I do that:
> 
> # ls -l /etc/vservers/phony/interfaces/0/
> total 8
> -rw-r--r--  1 root root 15 May  7 18:37 ip
> -rw-r--r--  1 root root  0 May 25 11:46 nodev
> -rw-r--r--  1 root root  3 May  7 18:37 prefix
> 
> I can't connect to the vserver anymore:
> 
> # ssh [EMAIL PROTECTED]
> ssh: connect to host phony port 22: No route to host
> 
> 
> I tried to put a dev file in the 0th interface directory:
> 
> # ls -l /etc/vservers/phony/interfaces/0/
> total 12
> -rw-r--r--  1 root root  7 May 25 13:54 dev
> -rw-r--r--  1 root root 15 May  7 18:37 ip
> -rw-r--r--  1 root root  3 May  7 18:37 prefix
> 
> Then I can connect, but the error is back also:
> ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> 
> 
> (2)
> I noticed another problem:
> 
> When I start a second vserver on the same subnet (192.168.83.0/24),
> I get a supplementary error message:
> ERROR: trying to add VLAN #2 to IF -:eth0:-  error: Invalid argument
> RTNETLINK answers: File exists

please file a detailed bug report to savannah
(util-vserver) but try to get 'simple' examples

TIA,
Herbert

> Best regards,
> Gilles


Re: [Vserver] Confused by routing

2005-05-27 Thread Herbert Poetzl

Hi Gilles!

here is an example setup how to accomplish your 'funny'
routing scenario ... enjoy!



 +---------------------+
 |                     |
 |   Host 1            |
 |                     |                +-------------------+
 |   192.168.0.1/24    |                |                   |
 |                     |                |   Host2 (FW)      |
 |   172.16.0.2/16     |                |                   |
 |   172.17.0.2/16     |                |   192.168.0.2/24  |
 |                     |                |                   |
 | +-----------------+ |                |   172.16.0.2/16   |
 | |                 | |eth0.2          |   172.17.0.2/16   |
 | | Guest 1         | |172.16.0.0/16   |                   |
 | |                 +------------------+                   |
 | | 172.16.0.1/16   | |                | `                 |
 | |                 | |                | ¦                 |
 | +-----------------+ |                | ¦                 |
 |                     |                | ¦ rules           |
 | +-----------------+ |                | ¦                 |
 | |                 | |eth0.3          | ¦                 |
 | | Guest 2         | |172.17.0.0/16   | ,                 |
 | |                 +------------------+                   |
 | | 172.17.0.1/16   | |                |                   |
 | |                 | |                +-------------------+
 | +-----------------+ |
 |                     |
 +---------------------+


Tested as two QEMU instances connected via a simple
bridging setup on the real machine ...

Bridge on Real:
===============

 ifconfig tun0 0.0.0.0 up
 ifconfig tun1 0.0.0.0 up

 brctl addbr br0
 brctl addif br0 tun0
 brctl addif br0 tun1


Host 1 Setup:
=============

 /* basic network setup for QEMU */
 ifconfig lo 127.0.0.1
 ifconfig eth0 hw ether 00:00:00:00:00:01
 ifconfig eth0 192.168.0.1

 /* create VLAN taggings */
 vconfig add eth0 2
 vconfig add eth0 3
 
 /* configure interfaces */
 ifconfig eth0.2 172.16.0.1
 ifconfig eth0.3 172.17.0.1

Host 2 Setup:
=============

 /* basic network setup for QEMU */
 ifconfig lo 127.0.0.1
 ifconfig eth0 hw ether 00:00:00:00:00:02
 ifconfig eth0 192.168.0.2

 /* create VLAN taggings */
 vconfig add eth0 2
 vconfig add eth0 3

 /* configure interfaces */
 ifconfig eth0.2 172.16.0.2 
 ifconfig eth0.3 172.17.0.2


Host 1 Magic:
=============

 /* default gw for Guest 1 */
 ip rule add from 172.16.0.1 table 16
 ip route add default via 172.16.0.2 table 16
 ip route del 172.16.0.0/16

 /* default gw for Guest 2 */
 ip rule add from 172.17.0.1 table 17
 ip route add default via 172.17.0.2 table 17
 ip route del 172.17.0.0/16
 
 /* nat to avoid local table */ 
 iptables -t nat -A OUTPUT -d 172.17.0.1 -j DNAT --to 172.17.1.1
 iptables -t nat -A OUTPUT -d 172.16.0.1 -j DNAT --to 172.16.1.1

Host 2 Magic:
=============

 /* enable forwarding */
 echo 1 >/proc/sys/net/ipv4/ip_forward

 /* nat between 172.16.1.1 and 172.16.0.1 */
 iptables -t nat -A PREROUTING -d 172.16.1.1 -j DNAT --to 172.16.0.1
 iptables -t nat -A POSTROUTING -s 172.16.0.1 -j SNAT --to 172.16.1.1

 /* nat between 172.17.1.1 and 172.17.0.1 */
 iptables -t nat -A PREROUTING -d 172.17.1.1 -j DNAT --to 172.17.0.1
 iptables -t nat -A POSTROUTING -s 172.17.0.1 -j SNAT --to 172.17.1.1


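Added example, not part of the original thread and not code from the Linux-VServer project: a small Python model of Host 1's policy-routing lookup, showing why the setup above DNATs guest-to-guest traffic to 172.17.1.1 / 172.16.1.1. Without the rewrite, the destination is found in table "local" (rule 0) and the packet never reaches the firewall rules on Host 2. The rule priorities, the set of local addresses and the optional "to" selector (which "ip rule" accepts) are assumptions of the model.

```python
import ipaddress

# Constructed model of Host 1 after "Host 1 Magic"; addresses are the thread's.
LOCAL_ADDRS = {"127.0.0.1", "192.168.0.1", "172.16.0.1", "172.17.0.1"}

# Policy rules: (priority, from-selector, to-selector, table). Priority 0 is the
# built-in lookup of table "local"; each "ip rule add" lands ahead of the last.
RULES = [
    (0, None, None, "local"),
    (32764, "172.17.0.1/32", None, "17"),
    (32765, "172.16.0.1/32", None, "16"),
    (32766, None, None, "main"),
]

# Routes per table: (prefix, gateway, device). "main" has lost the connected
# /16 routes because the example deletes them.
TABLES = {
    "16": [("0.0.0.0/0", "172.16.0.2", "eth0.2")],
    "17": [("0.0.0.0/0", "172.17.0.2", "eth0.3")],
    "main": [("192.168.0.0/24", None, "eth0")],
}

# Host 1's nat OUTPUT rules. Simplification: the rewrite is applied before the
# lookup, whereas the kernel routes, rewrites, then routes again.
OUTPUT_DNAT = {"172.17.0.1": "172.17.1.1", "172.16.0.1": "172.16.1.1"}


def matches(addr, prefix):
    """True if the selector is absent or the address falls inside it."""
    return prefix is None or ipaddress.ip_address(addr) in ipaddress.ip_network(prefix)


def lookup(src, dst, rules=RULES):
    """Return (table, gateway, device) from the first rule whose table has a route."""
    for _prio, frm, to, table in sorted(rules, key=lambda r: r[0]):
        if not (matches(src, frm) and matches(dst, to)):
            continue
        if table == "local":
            if dst in LOCAL_ADDRS:
                return ("local", None, "lo")  # delivered on Host 1, never sent out
            continue
        hits = [r for r in TABLES[table] if matches(dst, r[0])]
        if hits:
            _, gw, dev = max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen)
            return (table, gw, dev)
    return None  # no route: "Network is unreachable"


def egress(src, dst, dnat=None, rules=RULES):
    """Route a locally generated packet after applying the OUTPUT DNAT map."""
    dst = (dnat or {}).get(dst, dst)
    return dst, lookup(src, dst, rules)
```

Calling egress("172.16.0.1", "172.17.0.1") with and without OUTPUT_DNAT shows the two paths; passing a rule list whose table-16 entry carries a "to" prefix shows the same lookup limited to selected destinations.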


Re: [Vserver] Confused by routing

2005-05-27 Thread Herbert Poetzl
On Fri, May 27, 2005 at 12:24:12PM +0200, Herbert Poetzl wrote:
> Host 1 Magic:
> =============
> 
>  /* default gw for Guest 1 */
>  ip rule add from 172.16.0.1 table 16
>  ip route add default via 172.16.0.2 table 16
>  ip route del 172.16.0.0/16
> 
>  /* default gw for Guest 2 */
>  ip rule add from 172.17.0.1 table 17
>  ip route add default via 172.17.0.2 table 17
>  ip route del 172.17.0.0/16
>  
>  /* nat to avoid local table */ 
>  iptables -t nat -A OUTPUT -d 172.17.0.1 -j DNAT --to 172.17.1.1
>  iptables -t nat -A OUTPUT -d 172.16.0.1 -j DNAT --to 172.16.1.1

if you want to see the 'correct' IPs on Host 1 too,
just add the following rules:

 iptables -t nat -A POSTROUTING -s 172.17.1.1 -j SNAT --to 172.17.0.1
 iptables -t nat -A POSTROUTING -s 172.16.1.1 -j SNAT --to 172.16.0.1

(somehow I didn't care though)



Re: [Vserver] Confused by routing

2005-05-27 Thread Gilles

Hi Herbert,

Thanks a lot for this complete example.
I'll muse on it (may take some time!).

Two small questions, to be sure:

1. Everything is set up on the Host(s), nothing on the guest
   (i.e. in the "pre-start.d" et al. directories)?
2. Vserver and QEMU setups are the same wrt connecting to the
   Host and outer world?


Best,
Gilles


Re: [Vserver] Confused by routing

2005-05-28 Thread Herbert Poetzl
On Fri, May 27, 2005 at 02:26:58PM +0200, Gilles wrote:
> 
> Hi Herbert,
> 
> Thanks a lot for this complete example.
> I'll muse on it (may take some time!).
> 
> Two small questions, to be sure:
> 
> 1. Everything is set up on the Host(s), nothing on the guest
>    (i.e. in the "pre-start.d" et al. directories)?

the example isn't even vserver related ...

> 2. Vserver and QEMU setups are the same wrt connecting to the
>    Host and outer world?

no, qemu has a virtual network which results in
a tun/tap device being set up, but that is comparable
to your 'real host' setup (with the bridge active)

best,
Herbert

> Best,
> Gilles


Re: [Vserver] Confused by routing

2005-06-03 Thread Gilles
Hello.

> > 
> > here is an example setup how to accomplish your 'funny'
> > routing scenario ... enjoy!
> > 

I'm on the right track, finally.
 
> > 
> > Tested as two QEMU instances connected via a simple
> > bridging setup on the real machine ...
> > 

Referring to your example, traffic between 2 vservers on Host 1
is now routed through Host 2.

While turning some knobs ;-) I could single out a few problems.

(1)
I had been trying to figure out what the purpose of the
"ip route del ..." invocation in "Host 1 Magic" was, and arrived
at the conclusion that it shouldn't be there at all!
Indeed, here, these commands (or some side effect of them?) remove
my "eth0.2" and "eth0.3" interfaces, which has the unfortunate
consequence that "ip route add default via ..." results in a
"Network Unreachable" error.

> > 
> > Host 1 Magic:
> > =============
> > 
> >  /* default gw for Guest 1 */
> >  ip rule add from 172.16.0.1 table 16
> >  ip route add default via 172.16.0.2 table 16
> >  ip route del 172.16.0.0/16
 ^^
 I removed that one.
> > 
> >  /* default gw for Guest 2 */
> >  ip rule add from 172.17.0.1 table 17
> >  ip route add default via 172.17.0.2 table 17
> >  ip route del 172.17.0.0/16
 ^^
 And that one.

Can you confirm that it should be so?
The rest is perfect :-) [But see (2).]

(2)
I wanted to modify it to have something more flexible but all my attempts
resulted in errors.  For instance, I tried to replace the "default" argument
by a specific network/host address, but always got an "Invalid argument" from
RTNETLINK.
The purpose is now to have traffic from Host 1 to vservers routed through the
usual "direct" (lo) route.  So the question is:  Is it possible to limit the
effect of the "indirect" route to selected networks?

(3)
I couldn't make your example work while following your advice about suppressing

  /etc/vservers/*/interfaces/dev and
  /etc/vservers/*/interfaces/0/prefix

and adding

  /etc/vservers/*/interfaces/0/nodev

Attempts to do so resulted in no interface being visible within the guest, and
no connectivity.

With the usual setup (with the "interfaces/dev" file being present), it works
as expected but then there is always that

  ERROR: trying to add VLAN #3 to IF -:eth0:-  error: Invalid argument

at vserver startup.


Thanks for your patience and best regards,
Gilles


Re: [Vserver] Confused by routing

2005-06-04 Thread Gilles

Some more info about that point.

> 
> (2)
> [...]
> The purpose is now to have traffic from Host 1 to vservers routed through the
> usual "direct" (lo) route.  So the question is:  Is it possible to limit the
> effect of the "indirect" route to selected networks?
> 

Without the "funny" routing rules in place, this is what "ip addr ls" outputs:

34: eth0.2:  mtu 1496 qdisc noqueue
link/ether 00:50:ba:31:61:68 brd ff:ff:ff:ff:ff:ff
inet 172.83.0.1/16 brd 172.83.255.255 scope global eth0.2
35: eth0.3:  mtu 1496 qdisc noqueue
link/ether 00:50:ba:31:61:68 brd ff:ff:ff:ff:ff:ff
inet 172.79.0.1/16 brd 172.79.255.255 scope global eth0.3

With the routing (and vservers "172.79.0.11" and "172.83.0.100" running):

34: eth0.2:  mtu 1496 qdisc noqueue
link/ether 00:50:ba:31:61:68 brd ff:ff:ff:ff:ff:ff
inet 127.0.0.1/8 brd 127.255.255.255 scope host eth0.2
inet 172.83.0.1/16 brd 172.83.255.255 scope global eth0.2
inet 172.83.0.100/16 brd 172.83.255.255 scope global secondary eth0.2
35: eth0.3:  mtu 1496 qdisc noqueue
link/ether 00:50:ba:31:61:68 brd ff:ff:ff:ff:ff:ff
inet 127.0.0.1/8 brd 127.255.255.255 scope host eth0.3
inet 172.79.0.1/16 brd 172.79.255.255 scope global eth0.3
inet 172.79.0.11/16 brd 172.79.255.255 scope global secondary eth0.3

And, in this situation, attempting to "ssh 172.79.0.11" from Host 1 results
in the firewall blocking the connection:

Jun  4 14:44:30 lestat kernel: Shorewall:FORWARD:REJECT:IN=eth0.3 OUT=eth0.3 SRC=172.79.0.11 DST=172.79.0.11 LEN=60 TOS=0x10 PREC=0x00 TTL=63 ID=65379 DF PROTO=TCP SPT=33264 DPT=22 WINDOW=32767 RES=0x00 SYN URGP=0

So, Host 1 (having address "172.83.0.1/16" associated to "eth0.2") and vservers
are not treated the same, as I can connect to Guest 2 ("172.79.0.11") from
Guest 1 ("172.83.0.100").
Also, it seems strange that the firewall sees the request coming from and going
to the same interface and address.


Best regards,
Gilles