Mailing List Archive

virtual interface
Another problem I found is the following:
I tried to set up a ha-firewall. The two computers are connected via ethernet
(2 times, eth0 and eth1) and serial cable. Everything runs just as expected.
Then I decided I wanted to have several virtual IP-addresses on my firewall for
things like portforwarding and so on. So I set up my haresource-file something
like:

fw1.domain 192.168.1.3 httpd
fw1.domain 10.1.1.3
fw1.domain 192.168.1.10
fw1.domain 192.168.1.11
fw1.domain 192.168.1.12

fw1.domain has IP-address 192.168.1.1, fw2.domain 192.168.1.2, 192.168.1.3 is
the address to reach the firewall (and webserver, just for testing purposes).
So in addition to eth0:0 (192.168.1.3) I wanted to have an eth0:1
(192.168.1.10), eth0:2 and eth0:3.

During startup of heartbeat the program findif is called to determine the
name of the next free virtual interface for an address to be set up. The calls
for 192.168.1.3, .1.10, .1.11 and .1.12 are done almost at the same time. So
when the interface for 192.168.1.12 is searched, eth0:0 for 192.168.1.3 is not
yet set up, so the program gives eth0:0 for 192.168.1.12. The effect is that
there is only one virtual interface created in the end, with the IP-address
192.168.1.12 (since the others are created a short time before and simply
overwritten), which is not what I intended to do.

I have written a small (and dirty) fix for this problem, but it should
probably be solved better than I did it for now.

I hope my descriptions are understandable,

Christoph

--
Christoph Jäger mailto:cja@gams.at
g.a.m.s. edv dienstleistungen gmbh +43 1 895 84 99-25
stiegergasse 15-17 ; 1150 Wien http://www.gams.at
virtual interface [ In reply to ]
On Tue, May 16, 2000 at 04:49:04PM +0200, Christoph Jäger wrote:
> Another problem I found is the following:
> I tried to setup a ha-firewall. The two computers are connected via ethernet
> (2 times, eth0 and eth1) and serial cable. Everything runs just as expected.
> Then I decided I wanted to have several virtual IP-addresses on my firewall for
> things like portforwarding and so on. So I set up my haresource-file something
> like:
>
> fw1.domain 192.168.1.3 httpd
> fw1.domain 10.1.1.3
> fw1.domain 192.168.1.10
> fw1.domain 192.168.1.11
> fw1.domain 192.168.1.12
>
> fw1.domain has IP-address 192.168.1.1, fw2.domain 192.168.1.2, 192.168.1.3 is
> the address to reach the firewall (and webserver, just for testing purposes).
> So in addition to eth0:0 (192.168.1.3) I wanted to have an eth0:1
> (192.168.1.10), eth0:2 and eth0:3.
>
> During startup of heartbeat the program findif is called to determine the
> name of the next free virtual interface for an address to be set up. The calls
> for 192.168.1.3, .1.10, .1.11 and .1.12 are done almost at the same time. So
> when the interface for 192.168.1.12 is searched, eth0:0 for 192.168.1.3 is not
> yet set up, so the program gives eth0:0 for 192.168.1.12. The effect is that
> there is only one virtual interface created in the end, with the IP-address
> 192.168.1.12 (since the others are created a short time before and simply
> overwritten), which is not what I intended to do.

Ouch.

I am thinking that the best way to fix this problem is to have heartbeat or
possibly findif register interest in interfaces and reserve it for
near-future use. So, the first interface is requested and findif finds
that eth0:0 is free, and registers that. The next request that comes in
findif finds that eth0:0 is still free, but skips it. Of course the
reservation should expire, so if after a minute or 2 findif is run again
and the interface is still unused, then the prior reservation is ignored.

I think that findif, as the broker for available interfaces, is probably
the best place for this. The reservations could be stored in
a file of some sort as long as proper locking semantics were used.

--
Horms
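One way to realise the reservation scheme Horms sketches above, written as an added example rather than heartbeat's own findif code: callers serialise on a lock file, consult a small reservation file, skip aliases reserved less than `ttl` seconds ago, and forget reservations once the alias is actually up or has gone stale. The set of configured aliases (`in_use`) and the clock (`now`) are passed in, so the example runs offline against the four addresses from Christoph's report; the naive function reproduces the race he describes.

```python
import fcntl
import json
import os
import tempfile

def _load(path):
    try:
        with open(path) as fh:
            return json.load(fh)
    except (FileNotFoundError, ValueError):
        return {}

def next_free_alias(base, in_use, res_path, now, ttl=120):
    """Lowest alias base:N that is neither configured (in_use) nor reserved within
    the last ttl seconds; records a reservation for it. in_use stands in for what
    findif reads from the kernel and now is passed in, so the example runs offline."""
    with open(res_path + ".lock", "w") as lock:
        fcntl.flock(lock, fcntl.LOCK_EX)        # serialise concurrent callers
        res = _load(res_path)
        # drop reservations that were honoured (alias is up) or expired unused
        res = {a: t for a, t in res.items() if a not in in_use and now - t < ttl}
        n = 0
        while f"{base}:{n}" in in_use or f"{base}:{n}" in res:
            n += 1
        alias = f"{base}:{n}"
        res[alias] = now
        with open(res_path + ".tmp", "w") as fh:
            json.dump(res, fh)
        os.replace(res_path + ".tmp", res_path)  # publish atomically
        fcntl.flock(lock, fcntl.LOCK_UN)
    return alias

def naive_findif(base, in_use):
    """The behaviour reported in the thread: first alias not yet up wins."""
    n = 0
    while f"{base}:{n}" in in_use:
        n += 1
    return f"{base}:{n}"

def demo(tmpdir=None):
    res_path = os.path.join(tmpdir or tempfile.mkdtemp(), "findif.reservations")
    up = set()   # none of the four aliases is configured when the calls race
    naive = [naive_findif("eth0", up) for _ in range(4)]            # all eth0:0
    reserved = [next_free_alias("eth0", up, res_path, 1000.0) for _ in range(4)]
    # eth0:0 has come up, eth0:1..3 are still reserved: the next caller gets eth0:4
    honoured = next_free_alias("eth0", {"eth0:0"}, res_path, 1001.0)
    # two minutes later nothing else came up: stale reservations are ignored
    later = next_free_alias("eth0", {"eth0:0"}, res_path, 1126.0)
    return naive, reserved, honoured, later
```

The reservation file only has to be consistent between runs on one host, which is why an exclusive lock around read-modify-write plus an atomic rename is enough; the expiry keeps a crashed or aborted IPaddr from leaking an alias name forever.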
virtual interface [ In reply to ]
Horms wrote:
>
> On Tue, May 16, 2000 at 04:49:04PM +0200, Christoph Jäger wrote:
> > Another problem I found is the following:
> > I tried to setup a ha-firewall. The two computers are connected via ethernet
> > (2 times, eth0 and eth1) and serial cable. Everything runs just as expected.
> > Then I decided I wanted to have several virtual IP-addresses on my firewall for
> > things like portforwarding and so on. So I set up my haresource-file something
> > like:
> >
> > fw1.domain 192.168.1.3 httpd
> > fw1.domain 10.1.1.3
> > fw1.domain 192.168.1.10
> > fw1.domain 192.168.1.11
> > fw1.domain 192.168.1.12
> >
> > fw1.domain has IP-address 192.168.1.1, fw2.domain 192.168.1.2, 192.168.1.3 is
> > the address to reach the firewall (and webserver, just for testing purposes).
> > So in addition to eth0:0 (192.168.1.3) I wanted to have an eth0:1
> > (192.168.1.10), eth0:2 and eth0:3.
> >
> > During startup of heartbeat the program findif is called to determine the
> > name of the next free virtual interface for an address to be set up. The calls
> > for 192.168.1.3, .1.10, .1.11 and .1.12 are done almost at the same time. So
> > when the interface for 192.168.1.12 is searched, eth0:0 for 192.168.1.3 is not
> > yet set up, so the program gives eth0:0 for 192.168.1.12. The effect is that
> > there is only one virtual interface created in the end, with the IP-address
> > 192.168.1.12 (since the others are created a short time before and simply
> > overwritten), which is not what I intended to do.
>
> Ouch.
>
> I am thinking that the best way to fix this problem is to have heartbeat or
> possibly findif register interest in interfaces and reserve it for
> near-future use. So, the first interface is requested and findif finds
> that eth0:0 is free, and registers that. The next request that comes in
> findif finds that eth0:0 is still free, but skips it. Of course the
> reservation should expire, so if after a minute or 2 findif is run again
> and the interface is still unused, then the prior reservation is ignored.
>
> I think that findif, as the broker for available interfaces, is probably
> the best place for this. The reservations could be stored in
> a file of some sort as long as proper locking semantics were used.

Or, maybe more simply, look to see if the aliases get established. If
they don't, then try again...

-- Alan Robertson
alanr@suse.com
virtual interface [ In reply to ]
"Christoph Jäger" wrote:
>
> Another problem I found is the following:
> I tried to setup a ha-firewall. The two computers are connected via ethernet
> (2 times, eth0 and eth1) and serial cable. Everything runs just as expected.
> Then I decided I wanted to have several virtual IP-addresses on my firewall for
> things like portforwarding and so on. So I set up my haresource-file something
> like:
>
> fw1.domain 192.168.1.3 httpd
> fw1.domain 10.1.1.3
> fw1.domain 192.168.1.10
> fw1.domain 192.168.1.11
> fw1.domain 192.168.1.12
>
> fw1.domain has IP-address 192.168.1.1, fw2.domain 192.168.1.2, 192.168.1.3 is
> the address to reach the firewall (and webserver, just for testing purposes).
> So in addition to eth0:0 (192.168.1.3) I wanted to have an eth0:1
> (192.168.1.10), eth0:2 and eth0:3.

Congratulations!! You have discovered a bug ;-( Until it is fixed, I
would suggest you work around the problem by making a single resource
group out of the list, instead of 5 resource groups.

fw1.domain1 192.168.1.3 10.1.1.3 192.168.1.10 192.168.1.11
192.168.1.12 httpd


Thanks for the bug report!

-- Alan Robertson
alanr@suse.com
virtual interface [ In reply to ]
> Congratulations!! You have discovered a bug ;-( Until it is fixed, I
> would suggest you work around the problem by making a single resource
> group out of the list, instead of 5 resource groups.
>
> fw1.domain1 192.168.1.3 10.1.1.3 192.168.1.10 192.168.1.11
> 192.168.1.12 httpd

My workaround for now is: I modified /etc/ha.d/resource.d/IPaddr to also
accept arguments like 192.168.1.3/eth0:0 or 192.168.1.10/eth0:17 so I can
specify the virtual interface to use for every address. I know it's not a good
solution, but it works for me.
Maybe you should consider making it possible to specify the virtual interface
to use for a certain ip-address, so you can either let the program decide or
you set it yourself. I don't know if this is really necessary, but it could
simplify writing certain firewall rules.

Christoph
--
Christoph Jäger mailto:cja@gams.at
g.a.m.s. edv dienstleistungen gmbh +43 1 895 84 99-25
stiegergasse 15-17 ; 1150 Wien http://www.gams.at
virtual interface [ In reply to ]
"Christoph Jäger" wrote:
>
> > Congratulations!! You have discovered a bug ;-( Until it is fixed, I
> > would suggest you work around the problem by making a single resource
> > group out of the list, instead of 5 resource groups.
> >
> > fw1.domain1 192.168.1.3 10.1.1.3 192.168.1.10 192.168.1.11
> > 192.168.1.12 httpd
>
> My workaround for now is: I modified /etc/ha.d/resource.d/IPaddr to also
> accept arguments like 192.168.1.3/eth0:0 or 192.168.1.10/eth0:17 so I can
> specify the virtual interface to use for every address. I know it's not a good
> solution, but it works for me.
> Maybe you should consider making it possible to specify the virtual interface
> to use for a certain ip-address, so you can either let the program decide or
> you set it yourself. I don't know if this is really necessary, but it could
> simplify writing certain firewall rules.

OH!!!

It certainly would, wouldn't it. It sounds like a needed feature.

-- Alan Robertson
alanr@suse.com
virtual interface [ In reply to ]
On 2000-05-17T11:22:34,
Christoph Jäger <cja@gams.at> said:

> My workaround for now is: I modified /etc/ha.d/resource.d/IPaddr to also
> accept arguments like 192.168.1.3/eth0:0 or 192.168.1.10/eth0:17 so I can
> specify the virtual interface to use for every address. I know it's not a
> good solution, but it works for me.

"virtual interfaces" don't exist in the kernel, the name is merely a label in
the kernel tables for an additional address bound to a physical interface. (If
you have ever typed "ip addr list", you'll see what I mean)

IPaddr could be greatly simplified if it knew about that, and I have been
meaning to do that for a long time already - but that would require a 2.2
kernel and iproute2 installed...

> Maybe you should consider making it possible to specify the virtual interface
> to use for a certain ip-address, so you can either let the program decide or
> you set it yourself. I don't know if this is really necessary, but it could
> simplify writing certain firewall rules.

In 2.2, you can't firewall on a "virtual interface" anyway, since they don't
exist.

Sincerely,
Lars Marowsky-Brée <lmb@suse.de>
Development HA

--
Perfection is our goal, excellence will be tolerated. -- J. Yahl