Experimental Physics and
Industrial Control System

Hi Michael,

Thanks for your reply!
Maybe it was not clear in my last response, but I already tried to remove the iptables rules. (ref output of iptable-save at the bottom) Without success.

Since we don't need libvirt and related virtual bridge, I reinstalled the system without optional packages.
But I still have the same issue: when requesting a ca or pva, I get a time-out.

Again I checked if it will work when setting the EPICS environment variables, which confirmed that by setting EPICS_CA_ADDR_LIST 'caget' works.

After digging and googling more; I found out that CentOS8 has by default a firewalld running (I'm new to CentOS, I'm used to work with IP tables ...). 
This one is default set to public network.
When I disable it with ' sudo systemctl stop firewalld ', all works fine.

So bottom line, all works as expected (issue was mainly my lack of knowledge with CentOS...)

Thanks for your support, it guided me in the right direction!

Kind regards,
Kris

-----Original Message-----
From: Michael Davidsaver <mdavidsaver at gmail.com> 
Sent: maandag 16 augustus 2021 17:01
To: Meeus Kris <Kris.Meeus at sckcen.be>
Cc: tech-talk at aps.anl.gov
Subject: Re: IOC PVA on mTCA CPU requires environment variables to be set

On 8/16/21 4:57 AM, Meeus Kris wrote:
> Hi Michael,
> Thanks for your reply, below you can find the requested settings. It seems that the installation added a virtual bridge.
> 
> I've tried to disable the virtual bridge; cleared iptables and checked again, without success. Ref listed settings at the end.

A virtual bridge can work.  I use this configuration on my laptop.
Although I explicitly allow all traffic between host and guests.

I suspect the libvirt created firewall rules are causing your difficulties.
I don't use libvirt myself, and so can't give you a simple solution.

> -A LIBVIRT_FWO -s 192.168.122.0/24 -i virbr0 -j ACCEPT
> -A LIBVIRT_FWO -i virbr0 -j REJECT --reject-with icmp-port-unreachable
> -A LIBVIRT_FWI -d 192.168.122.0/24 -o virbr0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
> -A LIBVIRT_FWI -o virbr0 -j REJECT --reject-with icmp-port-unreachable

As quick an experiment, you could try removing these two REJECT rules.


Firewalling CA is complicated by the handoff from UDP search to TCP connection,
which Linux 'conntrack' doesn't know about.  PVA is even more complicated
because some servers (pvAccessCPP) send search responses from a random port,
so Linux 'conntrack' can't even associate search requests and replies.

https://libvirt.org/firewall.html

https://wiki.libvirt.org/page/Networking

References:

IOC PVA on mTCA CPU requires environment variables to be set Meeus Kris via Tech-talk

Re: IOC PVA on mTCA CPU requires environment variables to be set Michael Davidsaver via Tech-talk

RE: IOC PVA on mTCA CPU requires environment variables to be set Meeus Kris via Tech-talk

Re: IOC PVA on mTCA CPU requires environment variables to be set Michael Davidsaver via Tech-talk

Navigate by Date:

Prev: Re: Question about retrieve history data in archiver appliance Shankar, Murali via Tech-talk

Next: Configuring Phoebus alarm related display via a kafka message John Dobbins via Tech-talk

Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  <2021>  2022  2023  2024 

Navigate by Thread:

Prev: Re: IOC PVA on mTCA CPU requires environment variables to be set Michael Davidsaver via Tech-talk

Next: IOC up, but can't connect via channel access Daykin, Evan via Tech-talk

Index: 1994  1995  1996  1997  1998  1999  2000  2001  2002  2003  2004  2005  2006  2007  2008  2009  2010  2011  2012  2013  2014  2015  2016  2017  2018  2019  2020  <2021>  2022  2023  2024