Re: [libvirt] [PATCH] network: bridge: Don't start network if it collides with host routing

You need to be very careful not to hit a valid use case here.

RFC3069 provides for a mechanism whereby a supernet/subnet system is setup to allow better use of available IPv4 address space. This is becoming of increasing concern as IPv4 space exhausts.

To implement this you turn on Proxy ARP on a host and inject /32 routes advertised from other hosts into the routing table. The network on the current host has a wide subnet mask (for example 10.0.0.0/8), so that the host responds to ARPs for VM guests that are actually on a completely different host.

So you could have the situation where you have routes picked up via a dynamic routing protocol (say OSPF) on a host that are inside the range for the defined network in libvirt. Failing to start the network in that case would be incorrect.

-- 
Neil Wilson

On Mon, May 24, 2010 at 12:52:40PM +0100, Neil Wilson wrote:
> You need to be very careful not to hit a valid use case here.
>
> RFC3069 provides for a mechanism whereby a supernet/subnet system is setup to allow better use of available IPv4 address space. This is becoming of increasing concern as IPv4 space exhausts.
>
> To implement this you turn on Proxy ARP on a host and inject /32 routes advertised from other hosts into the routing table. The network on the current host has a wide subnet mask (for example 10.0.0.0/8), so that the host responds to ARPs for VM guests that are actually on a completely different host.

The current network code only supports NAT, or a separate routed subnet & thus currently require a non-clashing subnet. Proxy ARP is a future RFE, so not a problem wrt this patchset currently.

Daniel

-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|

On 24 May 2010 13:00, Daniel P. Berrange <berrange@redhat.com> wrote:
> The current network code only supports NAT, or a separate routed subnet & thus currently require a non-clashing subnet. Proxy ARP is a future RFE, so not a problem wrt this patchset currently.

So you shouldn't attempt to use libvirt network for larger scale environments?

-- 
Neil Wilson

On Mon, May 24, 2010 at 01:08:05PM +0100, Neil Wilson wrote:
> On 24 May 2010 13:00, Daniel P. Berrange <berrange@redhat.com> wrote:
> > The current network code only supports NAT, or a separate routed subnet & thus currently require a non-clashing subnet. Proxy ARP is a future RFE, so not a problem wrt this patchset currently.
>
> So you shouldn't attempt to use libvirt network for larger scale environments?

I didn't say that! Both the NAT mode and routed mode are usable in many deployments, regardless of scale. We simply don't yet have support for Proxy ARP, but we would like to add this in the future.

Realistically though, the vast majority of deployments use bridging, so lack of proxy arp isn't a huge showstopper. The admin can also easily create a bridge without any NICs enslaved, set proxy arp for that, and then tell libvirt to attach guests to that.

Regards,
Daniel

-- 
|: Red Hat, Engineering, London -o- http://people.redhat.com/berrange/ :|
|: http://libvirt.org -o- http://virt-manager.org -o- http://deltacloud.org :|
|: http://autobuild.org -o- http://search.cpan.org/~danberr/ :|
|: GnuPG: 7D3B9505 -o- F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 :|
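Added illustration, not part of the thread or of libvirt's code: a small Python model of the collision check the patch is about, run over constructed `ip route`-style lines, showing how the /32 OSPF host routes from Neil's RFC3069 proxy-ARP scenario fall inside a wide 10.0.0.0/8 libvirt network and would be flagged unless host routes are deliberately ignored. The route lines, device names and the `ignore_host_routes` switch are all assumptions made for the example.

```python
import ipaddress

# Constructed sample of `ip route show` output: default route, the host's
# LAN, the libvirt network's own connected route on virbr0, two /32 host
# routes learned via OSPF for guests that live on other hosts (the proxy
# ARP case from the thread), and an unrelated LAN on eth1.
SAMPLE_ROUTES = """\
default via 192.168.1.1 dev eth0
192.168.1.0/24 dev eth0 proto kernel scope link src 192.168.1.10
10.0.0.0/8 dev virbr0 proto kernel scope link src 10.0.0.1
10.23.4.17 via 192.168.1.22 dev eth0 proto ospf
10.23.4.18 via 192.168.1.23 dev eth0 proto ospf
172.16.5.0/24 dev eth1 proto kernel scope link src 172.16.5.1
"""


def parse_routes(text):
    """Return (network, device) pairs from `ip route`-style lines."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0] == "default":
            continue  # the default route is not a subnet to compare against
        dev = fields[fields.index("dev") + 1] if "dev" in fields else None
        # A bare address such as 10.23.4.17 parses as a /32 host route.
        routes.append((ipaddress.ip_network(fields[0], strict=False), dev))
    return routes


def colliding_routes(net_cidr, bridge, routes, ignore_host_routes=False):
    """Routes on other devices that overlap the libvirt network's subnet.

    With ignore_host_routes=True, /32 (or /128) routes are skipped, which is
    what the RFC3069 proxy-ARP setup would need; whether to do that is a
    design choice, not something the patch under discussion does.
    """
    net = ipaddress.ip_network(net_cidr, strict=False)
    hits = []
    for route, dev in routes:
        if dev == bridge:
            continue  # the network's own connected route is not a clash
        if ignore_host_routes and route.prefixlen == route.max_prefixlen:
            continue  # injected host route for a guest on another host
        if route.version == net.version and route.overlaps(net):
            hits.append(str(route))
    return hits
```

With the sample above, a 10.0.0.0/8 network on virbr0 is blocked only by the two OSPF host routes; a 172.16.5.0/24 network on a second bridge would clash with the eth1 LAN regardless of the switch.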
participants (2)
- Daniel P. Berrange
- Neil Wilson