Posted to users@cloudstack.apache.org by Fariborz Navidan <md...@gmail.com> on 2019/12/03 17:18:08 UTC

Re: Enabling promiscuous mode and forged transmits

Any idea on this?

On Sat, Nov 30, 2019 at 1:15 AM Fariborz Navidan <md...@gmail.com>
wrote:

> I just ran "virsh nwfilter-list"; the following table shows that multicast
> and MAC and ARP spoofing are not allowed. I guess this is why each IP is
> constrained with its vnet MAC address and does not allow floating IP addresses.
>
> [root@fr-kvm1 ~]# virsh nwfilter-list
>  UUID                                  Name
> ------------------------------------------------------------------
>  906f8af9-317a-47be-8568-83d83fda3187  allow-arp
>  6a3bee5a-272c-4f9c-ba89-7661529740a2  allow-dhcp
>  74efaf38-e4ce-4550-a79f-b9df5eec74bf  allow-dhcp-server
>  011fc636-4f6c-48cc-a4dd-efe962c9cc8e  allow-incoming-ipv4
>  30ca1846-10ae-4e1e-bf55-a54371d69d8b  allow-ipv4
>  529466c5-0a94-4908-a0b2-c13c3b3bbc82  clean-traffic
>  7a5c405e-3b9c-4ac7-a330-67a18a1a4701  clean-traffic-gateway
>  c7e311be-715b-4d77-9b31-f1f4504abb1f  no-arp-ip-spoofing
>  c6a902a9-b9fa-45c1-9e04-1889f20f1d30  no-arp-mac-spoofing
>  fce5536f-a2d2-4360-a2c9-b697b4cc2054  no-arp-spoofing
>  ced96d59-f7d5-4393-853d-9b11ed7afda8  no-ip-multicast
>  d77ac888-14ff-485a-8093-7be87a2ba46b  no-ip-spoofing
>  a1f14101-78c3-4fad-ba1e-f54e30ba48ae  no-mac-broadcast
>  37b3dfcf-de29-48ad-8826-1e3621c728a3  no-mac-spoofing
>  c16752f2-8f0c-401f-9275-f5e6d5b9de01  no-other-l2-traffic
>  3b44715b-b542-4aea-97c2-9dd6c5f2ea44  no-other-rarp-traffic
>  c93e46c2-5a32-40b7-acd9-47872a01b312  qemu-announce-self
>  a30e079a-fe7d-4efb-ae8e-d822f4135180  qemu-announce-self-rarp
>
>
> On Wed, Nov 27, 2019 at 3:18 PM Fariborz Navidan <md...@gmail.com>
> wrote:
>
>> Any idea?
>>
>> On Tue, Nov 26, 2019 at 6:12 PM Fariborz Navidan <md...@gmail.com>
>> wrote:
>>
>>> Hello,
>>>
>>> I want to be able to use a single secondary IP on two or more VMs, but
>>> a secondary IP only works on the VM it belongs to. For this to work, I guess
>>> promiscuous mode and/or forged transmits should be enabled on the network.
>>> For this I have modified the DB table network_offering_details and then
>>> restarted the network, but it still does not work.
>>>
>>> When I reserve an IP on a VM and set it on the guest using the command "ip
>>> addr ad ...", it is reachable and works fine, but if I delete the IP from
>>> that guest and add it to another guest for which the secondary IP was not
>>> reserved, it is not reachable using this IP. It looks like MAC addresses
>>> are somehow bound to the NIC MAC address.
>>>
>>> I should note that I am running an advanced zone and shared network, and
>>> security groups are enabled. Default egress policy is "Allow" and all
>>> tcp/udp/icmp ingress traffic is allowed in the security groups.
>>>
>>> But I am still not able to make a shared IP floating.
>>>
>>> Please guide me through the right way.
>>>
>>> Thanks
>>>
>>

Re: Enabling promiscuous mode and forged transmits

Posted by Nux! <nu...@li.nux.ro>.
Try virsh nwfilter-edit no-other-l2-traffic and set it to accept, see if 
it solves your problem. Might have to restart the VM or libvirtd.

---
Sent from the Delta quadrant using Borg technology!

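
Before editing a filter as suggested above, it is worth confirming which nwfilters are actually bound to the VM's interface, because "virsh nwfilter-list" only shows what is defined on the host. This added example (not part of the original thread) resolves the filterref chain per interface from XML in the form "virsh dumpxml" and "virsh nwfilter-dumpxml" print; the device names, the IPs and the trimmed filter bodies are constructed sample values.

```python
import xml.etree.ElementTree as ET

# Constructed sample: trimmed `virsh dumpxml <vm>` output with two NICs.
DOMAIN_XML = """<domain type='kvm'><devices>
  <interface type='bridge'><target dev='vnet0'/>
    <filterref filter='clean-traffic'>
      <parameter name='IP' value='192.0.2.10'/>
    </filterref></interface>
  <interface type='bridge'><target dev='vnet1'/></interface>
</devices></domain>"""

# Constructed sample: trimmed `virsh nwfilter-dumpxml` bodies, keyed by name.
FILTERS = {
    "clean-traffic": "<filter name='clean-traffic'>"
        "<filterref filter='no-mac-spoofing'/><filterref filter='no-ip-spoofing'/>"
        "<filterref filter='no-arp-spoofing'/><filterref filter='no-other-l2-traffic'/>"
        "</filter>",
    "no-arp-spoofing": "<filter name='no-arp-spoofing'>"
        "<filterref filter='no-arp-mac-spoofing'/><filterref filter='no-arp-ip-spoofing'/>"
        "</filter>",
}

# Collect every filter reachable from `name` through nested <filterref>.
def resolve(name, filters, seen=None):
    seen = set() if seen is None else seen
    if name not in seen:
        seen.add(name)
        if name in filters:  # filters without a body here are treated as leaves
            for ref in ET.fromstring(filters[name]).findall("filterref"):
                resolve(ref.get("filter"), filters, seen)
    return seen

# Map each tap device to its effective filter set and its IP parameters.
def audit(domain_xml, filters):
    report = {}
    for iface in ET.fromstring(domain_xml).iter("interface"):
        ref = iface.find("filterref")
        entry = {"filters": [], "allowed_ips": []}
        if ref is not None:
            entry["filters"] = sorted(resolve(ref.get("filter"), filters))
            entry["allowed_ips"] = [p.get("value") for p in ref.findall("parameter")
                                    if p.get("name") == "IP"]
        report[iface.find("target").get("dev")] = entry
    return report

# Classify how the bound filters treat `ip` as a source address on this NIC.
def ip_status(entry, ip):
    if "no-ip-spoofing" not in entry["filters"]:
        return "unfiltered"   # nwfilter is not what restricts this NIC
    if not entry["allowed_ips"]:
        return "learned"      # no IP parameter: libvirt detects the address in use
    return "listed" if ip in entry["allowed_ips"] else "not-listed"
```

An "unfiltered" result means a change made with "virsh nwfilter-edit" cannot affect that interface, so the restriction has to be looked for elsewhere.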