[virt-tools-list] iptables rate limiting for bridged connection (kvm created bridge)

Daniel P. Berrange berrange at redhat.com
Wed Oct 27 17:31:50 UTC 2010


On Wed, Oct 27, 2010 at 11:21:01AM -0600, Phil Meyer wrote:
>  On 10/27/2010 09:20 AM, Tapas Mishra wrote:
> >I have a KVM host set up with 4 VMs running on top of it (the server
> >has 4 lan cards and only one is currently active)
> >in  ifconfig -a
> >I see vnet0,vnet1,vnet2,vnet2
> >
> >1) What are these vnet0,vnet1,vnet2,vnet2 which I see I used
> >kvm and virt-manager to create a bridged setup.
> >virt-manager created four interfaces all in same bridge or one bridge
> >as vmnet1 and rest VMs are using this.
> >
> >2) When limiting rate of incoming connections what should I specify
> >interface in place of eth0 following rule definitely will not work
> >
> >-A INPUT -i eth0 -p tcp -m tcp --dport 22 -m state --state NEW -m
> >recent --update --seconds 90 --hitcount 5 --name DEFAULT --rsource -j
> >DROP
> 
> Create bridges for the other interfaces and simply assign them to VMs.
> 
> When dealing with bridges it is important to remember that the 
> /etc/sysconfig/network-scripts/ifcfg-* files are executed in 
> alphabetical order.
> 
> That means that br0 will try to come up before eth0 which can break 
> things. :)

That isn't quite correct actually. 

The /etc/init.d/network script will make multiple passes over
the ifcfg-* files. The first time around it will bring up
physical interfaces, and the second time it will process
bridge interfaces. Within each pass, things are alphabetical.
So you don't need to worry about alphabetical ordering of
physical NICs vs bridge interfaces.

> For bridges that want to add an already working interface, the bridge 
> needs to be created after the interface comes up.
> 
> We usually create ifcfg-zbr0 with br0 defined inside it.  That way eth0 
> comes up and then gets added to the new bridge br0.
> 
> Like this:
> 
> # cat ifcfg-zbr0
> DEVICE=br0
> ONBOOT=yes
> TYPE=BRIDGE
> BOOTPROTO=none

I think this probably explains why it didn't work - you need
to have TYPE=Bridge, rather than TYPE=BRIDGE, because the
network initscript is case sensitive when processing the
TYPE field in ifcfg-XXX files.

Regards,
Daniel
-- 
|: Red Hat, Engineering, London    -o-   http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org        -o-         http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505  -o-   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
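The case-sensitivity point above is easy to miss by eye, so here is an added checking script (not from this thread or from the initscripts package) that lints a directory of Red Hat-style ifcfg-* files: it flags any TYPE= value that spells "bridge" in anything other than the exact "Bridge" the initscript accepts, and lists which NICs enslave themselves to which bridge via BRIDGE=. The sample tree it builds under mktemp is constructed for the demonstration; the device names eth0, eth1, br0, br1 and the file names are placeholders, and the script assumes the simple KEY=value syntax shown in the thread.

```shell
#!/bin/sh
# Added example: lint ifcfg-* files for the case-sensitive TYPE=Bridge
# spelling and show bridge membership. Assumes the Red Hat
# /etc/sysconfig/network-scripts/ifcfg-* KEY=value format.

# Print "<file>: TYPE=<value> (must be TYPE=Bridge)" for every ifcfg-* file
# whose TYPE= reads "bridge" in any case other than the exact "Bridge".
find_bad_bridge_type() {
    dir="$1"
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        t=$(sed -n 's/^TYPE=//p' "$f" | tr -d '"')
        [ -n "$t" ] || continue
        lc=$(printf '%s' "$t" | tr 'A-Z' 'a-z')
        if [ "$lc" = "bridge" ] && [ "$t" != "Bridge" ]; then
            printf '%s: TYPE=%s (must be TYPE=Bridge)\n' "${f##*/}" "$t"
        fi
    done
}

# Print "<bridge> <- <nic>" for every ifcfg-* file that enslaves its DEVICE
# to a bridge with a BRIDGE= line.
list_bridge_ports() {
    dir="$1"
    for f in "$dir"/ifcfg-*; do
        [ -f "$f" ] || continue
        dev=$(sed -n 's/^DEVICE=//p' "$f" | tr -d '"')
        br=$(sed -n 's/^BRIDGE=//p' "$f" | tr -d '"')
        if [ -n "$br" ]; then
            printf '%s <- %s\n' "$br" "$dev"
        fi
    done
}

# Constructed sample tree (placeholder device names) so the check runs
# offline; ifcfg-zbr0 carries the wrong-case TYPE from the thread.
make_sample_tree() {
    dir=$(mktemp -d)
    printf 'DEVICE=eth0\nONBOOT=yes\nBRIDGE=br0\n' > "$dir/ifcfg-eth0"
    printf 'DEVICE=br0\nONBOOT=yes\nTYPE=BRIDGE\nBOOTPROTO=none\n' > "$dir/ifcfg-zbr0"
    printf 'DEVICE=br1\nONBOOT=yes\nTYPE=Bridge\nBOOTPROTO=none\n' > "$dir/ifcfg-zbr1"
    printf 'DEVICE=eth1\nONBOOT=yes\nBRIDGE=br1\n' > "$dir/ifcfg-eth1"
    printf '%s' "$dir"
}

# Demo run on the constructed tree; point the two functions at
# /etc/sysconfig/network-scripts to check a real host.
d=$(make_sample_tree)
find_bad_bridge_type "$d"
list_bridge_ports "$d"
rm -rf "$d"
```

On the sample tree the first function reports only ifcfg-zbr0, and the second prints one line per enslaved NIC, which is a quick way to confirm that each bridge actually has the port you expect before writing iptables rules against it.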
