[Date Prev][Date Next] [Thread Prev][Thread Next]
Re: [libvirt] [PATCH] v2:Support for adding a static route to a bridge
- From: Gene Czarcinski <gene czarc net>
- To: libvir-list redhat com
- Subject: Re: [libvirt] [PATCH] v2:Support for adding a static route to a bridge
- Date: Tue, 09 Apr 2013 16:28:50 -0400
On 04/04/2013 12:08 PM, Laine Stump wrote:
On 04/03/2013 04:02 PM, Gene Czarcinski wrote:
On 04/02/2013 03:31 PM, Laine Stump wrote:
On 03/15/2013 02:10 PM, Gene Czarcinski wrote:
This patch adds support for adding a static route for
a network. The "via" specifies the gateway's IP
address. Both IPv4 and IPv6 static routes are
supported although it is expected that this
functionality will have more use with IPv6.
(First I want to make sure I correctly understand what you're wanting to
do, so I'm going to try and explain it in my own words...)
>From reading your earlier messages, my understanding is that the aim of
this patch is to automatically setup a route to a virtual network whose
bridge device has no IP address assigned, and is therefore reachable
only via one of the guests, is this correct?
In other words, let's say that I have the following two networks defined
(using IPv4 and all static IPs for brevity, but the entire discussion is
equally applicable to IPv6):
<ip address='192.168.200.1' prefix='24'/>
and you have a guestDirect that has two interfaces:
<interface type='network'> <!-- 192.168.200.2/24 -->
<interface type='network'> <!-- 192.168.201.1/24 -->
and another guestIndirect that has only one interface:
<interface type='network'> <!-- 192.168.201.2/24 -->
Additionally, the default route on guestDirect points to 192.168.200.1,
and the default route on guestIndirect points to 192.168.201.1.
(Presumably you don't want to simply add an IP address to
netHiddenFromHost because (while it would solve your routing problems)
it would violate some security policy you've built into your network
topology - namely that all traffic to and from netHiddenFromHost *must*
go through guestDirect.)
Traffic outbound from guestIndirect would have no problem reaching its
destination - it would go across netHiddenFromHost to guestDirect
(192.168.201.1), which would know to forward it to the host
(192.168.200.1) via netVisibleToHost, and the host presumably knows how
to get to anywhere. The problem comes when trying to route the
*response* destined for 192.168.201.2 (guestIndirect) - the outside
world may know that those packets have to be sent to the host, but the
host doesn't have a route for 192.168.201.0/24 - only guestDirect does.
So, the solution is to add a route on the *host* that points traffic
destined for 192.168.201.0/24 to guestDirect, a.k.a. 192.168.200.2.
Since there's no place in /etc/sysconfig/network-scripts/route-* to put
static routes with destinations that are only reachable through a
transient interface such as the bridge devices created by libvirt, the
obvious solution is to cause libvirt to add such a route, and the way
you propose to do that is to add an <ip> element in the network named
Am I understanding the issue so far?
I believe you do understand.
OK, I am back from virt-manager.
You were correct to be confused. At first, I thought your suggestions
for <route> were just cosmetic but then I realized that, in general, an
<ip> definition resulted in a specific ".1" or ":1" device address would
be assigned to an interface (bridge). The net address looked similar
but there would be no device address assigned to the interface/bridge
but there would be an entry for a (static) route.
Except that it's obvious from your response that I misunderstood your
patch, and thought that you were trying to make the route to an
otherwise unreachable network a part of the unreachable network's config
:-) (my defense is that the dual usage of the <ip> element to define a
route confused me)
While the backend will continue to be more or less the same and
instantiate the static route, the "front" end will add a new element:
<route>. I intend to keep "via" for specifying the gateway rather than
using "gateway.". This makes it consistent with the ip-route command.
So, to add a static would, the text would look like:
<route address='<IPv4-network-addr>' prefix='24'
<route family='ipv6' address='<IPv6-net-addr>' prefix='64'
More work: I will need to go back and "fix" the virt-manager code.
Based on my now corrected understanding that the route is added to the
config of the network which is directly connected to the gateway (rather
than the network *beyond* the gateway), I have two comments/requests:
1) I think a separate <route> element is a better idea than trying to
make <ip> dual purpose. Aside from confusing simple-minded people like
me, when things are intertwined like that it has the potential to lead
to an ambiguous situation further down the road. Also, using a separate
<route> element is closer to the system config files as well as more
similar to the xml used by the virInterface APIs (aka netcf).
Right on ... see above.
OK, how about having it both ways. If we can have both mask and prefix,
why not both via and gateway. I know gateway has some history attached
to it but the new /sbin/ip uses via. I am just trying to keep a line of
text being as close to not exceeding 80 characters as practical.
Correct me if I am wrong but all of this is suppose to be free-form and
this should be valid:
2) Although /sbin/ip uses the term "via", I do think that "gateway"
would be the preferred term, since that's been in use for many years
with the (admittedly now deprecated) /sbin/route command, as well as
what is used in the system ifcfg-* and route-* files.
<route ip='ipv6' address='fd00:dead:beef:472::1' prefix='64'
Of course, when it gets written back out by code it will all be on a
How about one of you other folks chiming in on this. gateway? ... via?
... anybody (besides the two of us) care??
This is going to take some research, etc. to do so, yes, lets do this
"later" as a separate patch and use what we know works for now (kludgy
as it is).
3) I would prefer to eliminate use of /sbin/ip and do this directly via
netlink/libnl. I would be willing to have this done in a separate patch
that also re-wrote virNetDev(Set|Clear)IPAddress.
At least we are now in agreement as to what the end-point is ;)
[Date Prev][Date Next] [Thread Prev][Thread Next]