Package: vzctl
Version: 3.0.10-3
Severity: grave

(Sorry and thankful in advance this time ;) It is a long bug report.)

I am now running a second setup of etch with OpenVZ. However, this setup has more than one public IP address. One IP is assigned to the host system and each additional IP is assigned to its own vps. I used the vanilla source 2.6.16 + OpenVZ patch and did configure the kernel by hand.

I encountered a problem:

On a regular debian system
/proc/sys/net/ipv4/conf/eth0/proxy_arp is set to 0.

If this is the case

ip neigh add proxy <publicIP> dev eth0
(taken from /usr/lib/vzctl/scripts/vps-functions ~line 111)

has absolutely no effect! (But does not drop an error msg either!)

By "no effect" I mean that I am unable to access the vps with its public IP from anywhere except from the host system because arp requests for the public IP of the vps are not answered.

After I had determined where the problem was, I did a rather ugly workaround by editing /usr/lib/vzctl/scripts/vps-functions:

# Called as "vzarp add <IP>" / "vzarp del <IP>" from the vps scripts.
function vzarp()
{
        local DEV

        [ -z "${NETDEVICES}" ] && vzwarning "Device list is empty"
        for DEV in ${NETDEVICES}; do
                # Workaround: proxy ARP must be on, or the neigh proxy entry below is a silent no-op
                sysctl -w net.ipv4.conf."${DEV}".proxy_arp=1
                ${IP_CMD} neigh "$1" proxy "$2" dev "${DEV}" > /dev/null 2>&1
        done
}

It works - but sysctl is executed on every single vps start (and stop?). In addition to those repeated executes of sysctl it might not be the greatest idea to add arp proxy support for private IPs to every local net device. What does the VE_ROUTE_SRC_DEV="eth0" value in /etc/vz/vz.conf exactly do btw? Maybe one(tm) could add a similar item which overrides $NETDEVICES filled by function vzgetnetdev() in /usr/lib/vzctl/scripts/vps-functions.

There are other values I found flying around in connection with OpenVZ:

net.ipv4.ip_forward = 1 (can be manually set via /etc/network/options)
net.ipv4.conf.default.proxy_arp = 0
net.ipv4.conf.all.rp_filter = 1
kernel.sysrq = 1
net.ipv4.conf.default.send_redirects = 1
net.ipv4.conf.all.send_redirects = 0
(net.ipv4.tcp_ecn = 0)

One value (in my case net.ipv4.conf.venet0.send_redirects = 0) is set in /etc/init.d/vz in line 165. What about the other values? Shouldn't they be checked/set?

This one really took me some time (and not just the report) ... :-/
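Added example (not part of the bug report or of vzctl): a variant of the workaround above that enables proxy_arp only on the devices named in an assumed override variable VZ_ARP_DEVICES (falling back to NETDEVICES), and only writes the sysctl when it is currently 0, so nothing is re-executed on every VE start. PROC_ROOT is an assumed hook that points the functions at a different /proc tree so they can be exercised offline.

```shell
# Devices to touch: the assumed VZ_ARP_DEVICES override wins over the
# autodetected NETDEVICES list from vzgetnetdev().
vz_arp_devices() {
    if [ -n "${VZ_ARP_DEVICES}" ]; then
        printf '%s\n' "${VZ_ARP_DEVICES}"
    else
        printf '%s\n' "${NETDEVICES}"
    fi
}

# Enable proxy_arp on one device, touching the knob only if needed.
# Returns 0 if it was changed, 1 if it was already 1, 2 if the device
# has no proxy_arp knob (e.g. the device does not exist).
vz_enable_proxy_arp() {
    local dev knob
    dev="$1"
    knob="${PROC_ROOT:-}/proc/sys/net/ipv4/conf/${dev}/proxy_arp"
    [ -r "${knob}" ] || return 2
    if [ "$(cat "${knob}")" = "1" ]; then
        return 1
    fi
    echo 1 > "${knob}"
    return 0
}

# Replacement for vzarp(): add/del the proxy neighbour entry only on
# devices where proxy_arp is enabled, and say so on stderr when a device
# is skipped, so the silent no-op from the report does not go unnoticed.
vzarp() {
    local dev rc
    for dev in $(vz_arp_devices); do
        rc=0
        vz_enable_proxy_arp "${dev}" || rc=$?
        if [ "${rc}" -eq 2 ]; then
            echo "vzarp: ${dev}: no proxy_arp sysctl, skipping" >&2
            continue
        fi
        ${IP_CMD:-ip} neigh "$1" proxy "$2" dev "${dev}"
    done
}
```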
