EPICS Controls Argonne National Laboratory

Experimental Physics and
Industrial Control System


Subject: Re: IOC PVA on mTCA CPU requires environment variables to be set
From: Michael Davidsaver via Tech-talk <tech-talk at aps.anl.gov>
To: Meeus Kris <Kris.Meeus at sckcen.be>
Cc: "tech-talk at aps.anl.gov" <tech-talk at aps.anl.gov>
Date: Mon, 16 Aug 2021 08:01:11 -0700
On 8/16/21 4:57 AM, Meeus Kris wrote:
> Hi Michael,
> Thanks for your reply, below you can find the requested settings. It seems that the installation added a virtual bridge.
> 
> I've tried to disable the virtual bridge; cleared iptables and checked again, without success. Ref listed settings at the end.

A virtual bridge can work.  I use this configuration on my laptop.
Although I explicitly allow all traffic between host and guests.

I suspect the libvirt created firewall rules are causing your difficulties.
I don't use libvirt myself, and so can't give you a simple solution.

> -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable

As a quick experiment, you could try removing these two REJECT rules.


Firewalling CA is complicated by the handoff from UDP search to TCP connection,
which Linux 'conntrack' doesn't know about.  PVA is even more complicated
because some servers (pvAccessCPP) send search responses from a random port,
so Linux 'conntrack' can't even associate search requests and replies.

https://libvirt.org/firewall.html

https://wiki.libvirt.org/page/Networking


> Initial settings
> ============
> ifconfig:
> +++++++
> enp22s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.0.20  netmask 255.255.255.0  broadcast 192.168.0.255
>         inet6 fe80::240:9eff:fe05:a4ba  prefixlen 64  scopeid 0x20<link>
>         ether 00:40:9e:05:a4:ba  txqueuelen 1000  (Ethernet)
>         RX packets 2434  bytes 253208 (247.2 KiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 680  bytes 94609 (92.3 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device memory 0xdf700000-df77ffff
> 
> enp23s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:bb  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device memory 0xdf600000-df67ffff
> 
> enp24s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:bc  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device memory 0xdf500000-df57ffff
> 
> enp25s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:bd  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device memory 0xdf400000-df47ffff
> 
> ens9f0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:b8  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> ens9f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:b9  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>         inet 127.0.0.1  netmask 255.0.0.0
>         inet6 ::1  prefixlen 128  scopeid 0x10<host>
>         loop  txqueuelen 1000  (Local Loopback)
>         RX packets 3650  bytes 226700 (221.3 KiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 3650  bytes 226700 (221.3 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> virbr0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         inet 192.168.122.1  netmask 255.255.255.0  broadcast 192.168.122.255
>         ether 52:54:00:93:f0:06  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> iptables:
> ------------
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:11:30 2021
> *filter
> :INPUT ACCEPT [3148:270105]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2259:160553]
> :LIBVIRT_INP - [0:0]
> :LIBVIRT_OUT - [0:0]
> :LIBVIRT_FWO - [0:0]
> :LIBVIRT_FWI - [0:0]
> :LIBVIRT_FWX - [0:0]
> -A INPUT -j LIBVIRT_INP
> -A FORWARD -j LIBVIRT_FWX
> -A FORWARD -j LIBVIRT_FWI
> -A FORWARD -j LIBVIRT_FWO
> -A OUTPUT -j LIBVIRT_OUT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p udp -m udp --dport 67 -j ACCEPT
> -A LIBVIRT_INP -i virbr0 -p tcp -m tcp --dport 67 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 53 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p udp -m udp --dport 68 -j ACCEPT
> -A LIBVIRT_OUT -o virbr0 -p tcp -m tcp --dport 68 -j ACCEPT
> -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
> COMMIT
> # Completed on Mon Aug 16 13:11:30 2021
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:11:30 2021
> *security
> :INPUT ACCEPT [2055:115579]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2268:162437]
> COMMIT
> # Completed on Mon Aug 16 13:11:30 2021
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:11:30 2021
> *raw
> :PREROUTING ACCEPT [3391:292302]
> :OUTPUT ACCEPT [2271:163149]
> COMMIT
> # Completed on Mon Aug 16 13:11:30 2021
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:11:30 2021
> *mangle
> :PREROUTING ACCEPT [3391:292302]
> :INPUT ACCEPT [3152:270313]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [2274:163653]
> :POSTROUTING ACCEPT [2382:184751]
> :LIBVIRT_PRT - [0:0]
> -A POSTROUTING -j LIBVIRT_PRT
> -A LIBVIRT_PRT -o virbr0 -p udp -m udp --dport 68 -j CHECKSUM --checksum-fill
> COMMIT
> # Completed on Mon Aug 16 13:11:30 2021
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:11:30 2021
> *nat
> :PREROUTING ACCEPT [1231:155805]
> :INPUT ACCEPT [3:180]
> :POSTROUTING ACCEPT [1023:75682]
> :OUTPUT ACCEPT [1023:75682]
> :LIBVIRT_PRT - [0:0]
> -A POSTROUTING -j LIBVIRT_PRT
> -A LIBVIRT_PRT -s 192.168.122.0/24 -d 224.0.0.0/24 -j RETURN
> -A LIBVIRT_PRT -s 192.168.122.0/24 -d 255.255.255.255/32 -j RETURN
> -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p tcp -j MASQUERADE --to-ports 1024-65535
> -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -p udp -j MASQUERADE --to-ports 1024-65535
> -A LIBVIRT_PRT -s 192.168.122.0/24 ! -d 192.168.122.0/24 -j MASQUERADE
> COMMIT
> # Completed on Mon Aug 16 13:11:30 2021
> 
> 
> casr 1:
> --------
> Starting iocInit
> ############################################################################
> ## EPICS R7.0.4.2-DEV
> ## Rev. 2021-08-10T15:08+0200
> ############################################################################
> iocRun: All initialization complete
> epics> casr 1
> Channel Access Server V4.13
> No clients connected.
> CAS-TCP server on 0.0.0.0:5064 with
>     CAS-UDP name server on 0.0.0.0:5064
> Sending CAS-beacons to 2 addresses:
>     192.168.0.255:5065
>     192.168.122.255:5065
> epics>
> 
> 
> Settings after removing virbr0 and clearing iptables
> ===========================================
> ifconfig:
> -----------
> enp22s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         inet 192.168.0.20  netmask 255.255.255.0  broadcast 192.168.0.255
>         inet6 fe80::240:9eff:fe05:a4ba  prefixlen 64  scopeid 0x20<link>
>         ether 00:40:9e:05:a4:ba  txqueuelen 1000  (Ethernet)
>         RX packets 654  bytes 52760 (51.5 KiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 426  bytes 47582 (46.4 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device memory 0xdf700000-df77ffff
> 
> enp23s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:bb  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device memory 0xdf600000-df67ffff
> 
> enp24s0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:bc  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device memory 0xdf500000-df57ffff
> 
> enp25s0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:bd  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
>         device memory 0xdf400000-df47ffff
> 
> ens9f0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:b8  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> ens9f1: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
>         ether 00:40:9e:05:a4:b9  txqueuelen 1000  (Ethernet)
>         RX packets 0  bytes 0 (0.0 B)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 0  bytes 0 (0.0 B)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
>         inet 127.0.0.1  netmask 255.0.0.0
>         inet6 ::1  prefixlen 128  scopeid 0x10<host>
>         loop  txqueuelen 1000  (Local Loopback)
>         RX packets 141  bytes 11468 (11.1 KiB)
>         RX errors 0  dropped 0  overruns 0  frame 0
>         TX packets 141  bytes 11468 (11.1 KiB)
>         TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
> 
> iptables:
> ------------
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:55:49 2021
> *filter
> :INPUT ACCEPT [685:52841]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [560:58709]
> COMMIT
> # Completed on Mon Aug 16 13:55:49 2021
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:55:49 2021
> *security
> :INPUT ACCEPT [638:48254]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [560:58709]
> COMMIT
> # Completed on Mon Aug 16 13:55:49 2021
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:55:49 2021
> *raw
> :PREROUTING ACCEPT [687:52921]
> :OUTPUT ACCEPT [563:59377]
> COMMIT
> # Completed on Mon Aug 16 13:55:49 2021
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:55:49 2021
> *mangle
> :PREROUTING ACCEPT [687:52921]
> :INPUT ACCEPT [685:52841]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [565:59745]
> :POSTROUTING ACCEPT [612:64332]
> COMMIT
> # Completed on Mon Aug 16 13:55:49 2021
> # Generated by iptables-save v1.8.4 on Mon Aug 16 13:55:49 2021
> *nat
> :PREROUTING ACCEPT [3:204]
> :INPUT ACCEPT [3:204]
> :POSTROUTING ACCEPT [77:5420]
> :OUTPUT ACCEPT [77:5420]
> COMMIT
> # Completed on Mon Aug 16 13:55:49 2021
> 
> 
> -----Original Message-----
> From: Michael Davidsaver <mdavidsaver at gmail.com> 
> Sent: Friday 13 August 2021 20:45
> To: Meeus Kris <Kris.Meeus at sckcen.be>; tech-talk at aps.anl.gov
> Subject: Re: IOC PVA on mTCA CPU requires environment variables to be set
> 
> On 8/13/21 6:49 AM, Meeus Kris via Tech-talk wrote:
>> ...
>> However, setting these environment variables shouldn't be required (and I never did before e.g. in wsl) since this is all localhost access.
> 
> fyi. neither CA nor PVA searches using the loopback by default.
> 
> To help understand the situation further, please provide some information
> about the host network configuration ('ifconfig' or 'ip addr'), and firewall
> configuration ('iptables-save' or 'nft list ruleset').
> 

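The following is an added example, not code from the thread, from libvirt or from EPICS. It parses the FORWARD-path rules quoted above (embedded below as constructed input, with the INPUT/OUTPUT chains and iptables-save comment lines trimmed) and walks the FORWARD chain for three constructed packets crossing virbr0, so the effect of the two LIBVIRT_FWI/LIBVIRT_FWO REJECT rules on a CA/PVA search exchange can be seen without a VM. The guest address 192.168.122.10, the client-side search port 41234 and the per-packet conntrack state are assumptions; the state values encode the point made in the reply, that a search response arriving from a port the request was not sent to is NEW to conntrack rather than ESTABLISHED. Only the match options libvirt's rules use are implemented, and any other option raises instead of being silently ignored.

```python
"""Added example, not from the thread, libvirt or EPICS: parse libvirt's
FORWARD-path filter rules and walk them for constructed CA/PVA packets."""
import ipaddress
import shlex
# Constructed input: the FORWARD-path *filter rules quoted in the thread
# (INPUT/OUTPUT chains and iptables-save comment lines trimmed).
RULES_TEXT = """*filter
:FORWARD ACCEPT [0:0]
:LIBVIRT_FWO - [0:0]
:LIBVIRT_FWI - [0:0]
:LIBVIRT_FWX - [0:0]
-A FORWARD -j LIBVIRT_FWX
-A FORWARD -j LIBVIRT_FWI
-A FORWARD -j LIBVIRT_FWO
-A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A LIBVIRT_FWX -i virbr0 -o virbr0 -j ACCEPT
COMMIT
"""
# Match options we evaluate, mapped to packet fields; -m/--reject-with are skipped.
VALUE_OPTS = {"-i": "in_if", "-o": "out_if", "-s": "src", "-d": "dst",
              "-p": "proto", "--dport": "dport", "--ctstate": "ctstate"}
SKIP_OPTS = {"-m", "--reject-with"}

def parse_filter(text):
    """*filter table of an iptables-save dump -> {chain: {"policy", "rules"}}."""
    chains, in_filter = {}, False
    for line in (ln.strip() for ln in text.splitlines()):
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):
            in_filter = line == "*filter"
        elif not in_filter:
            continue
        elif line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = {"policy": None if policy == "-" else policy, "rules": []}
        else:
            toks = shlex.split(line)
            rule, i = {"matches": {}, "target": None}, 2
            while i < len(toks):
                if toks[i] == "-j":
                    rule["target"] = toks[i + 1]
                elif toks[i] in VALUE_OPTS:
                    rule["matches"][VALUE_OPTS[toks[i]]] = toks[i + 1]
                elif toks[i] not in SKIP_OPTS:   # never silently ignore a match
                    raise ValueError(f"unsupported option {toks[i]!r}: {line}")
                i += 2
            chains[toks[1]]["rules"].append(rule)
    return chains

def rule_matches(rule, pkt):
    """True when every match in the rule holds for the packet dict."""
    for field, want in rule["matches"].items():
        have = pkt[field]
        if field in ("src", "dst"):
            ok = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
        else:
            ok = have in want.split(",") if field == "ctstate" else str(want) == str(have)
        if not ok:
            return False
    return True

def verdict(chains, chain, pkt):
    """First terminal target wins; falling off a user chain returns None (caller
    continues), falling off a built-in chain returns its policy."""
    for rule in chains[chain]["rules"]:
        if not rule_matches(rule, pkt):
            continue
        tgt = rule["target"]
        if tgt in ("ACCEPT", "DROP", "REJECT"):
            return tgt
        if tgt not in chains:
            raise ValueError(f"unsupported target {tgt}")
        sub = verdict(chains, tgt, pkt)
        if sub is not None:
            return sub
    return chains[chain]["policy"]

def pkt(src, dst, dport, in_if, out_if, ctstate, proto="udp"):
    return dict(src=src, dst=dst, dport=dport, in_if=in_if, out_if=out_if,
                ctstate=ctstate, proto=proto)

# Constructed packets; the guest address and port 41234 are assumed.  The ctstate
# values are assumptions encoding the point made in the thread: a search reply
# from a port (or address) the request was not sent to is NEW to conntrack.
GUEST, IOC = "192.168.122.10", "192.168.0.20"
CASES = {
    "guest UDP 5064 search out to the LAN broadcast":
        pkt(GUEST, "192.168.0.255", 5064, "virbr0", "enp22s0", "NEW"),
    "search reply to guest that conntrack paired with the request":
        pkt(IOC, GUEST, 41234, "enp22s0", "virbr0", "ESTABLISHED"),
    "search reply to guest from an unrelated port (pvAccessCPP style)":
        pkt(IOC, GUEST, 41234, "enp22s0", "virbr0", "NEW"),
}

def forward_verdicts():
    """FORWARD-chain verdict for each constructed packet."""
    chains = parse_filter(RULES_TEXT)
    return {name: verdict(chains, "FORWARD", p) for name, p in CASES.items()}
```

Calling forward_verdicts() gives ACCEPT for the outbound search and for a reply conntrack managed to pair, and REJECT for the reply that arrives as NEW: once the RELATED,ESTABLISHED rule fails, the only rule left in LIBVIRT_FWI is the catch-all REJECT on virbr0, which is exactly what the quick experiment above removes. Deleting those two rules with iptables -D and the same rule specification is a diagnostic rather than a durable change, since libvirt regenerates its chains when it restarts the network, and it also widens what can reach the guest, which is worth weighing on a control-system host.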

Replies:
RE: IOC PVA on mTCA CPU requires environment variables to be set Meeus Kris via Tech-talk
References:
IOC PVA on mTCA CPU requires environment variables to be set Meeus Kris via Tech-talk
Re: IOC PVA on mTCA CPU requires environment variables to be set Michael Davidsaver via Tech-talk
RE: IOC PVA on mTCA CPU requires environment variables to be set Meeus Kris via Tech-talk

ANJ, 18 Aug 2021