Sounds dangerous, hope you get home with a good tale.

On Wed, Jan 19, 2022 at 10:32 AM Wido den Hollander <w...@widodh.nl> wrote:

> On 1/17/22 4:28 PM, Wei ZHOU wrote:
> > Hi Wido,
> >
> > CloudStack allows users to add multiple IP ranges to a shared network. All
> > these IPs share the same vlan. I hope it helps you.
>
> Yes, but then they would also be allocated to VMs.
>
> > The problem is, a secondary IP can only be assigned to a VM. I think we can
> > add a flag like `floating` to secondary IP. If the flag is true, it can be
> > assigned to multiple VMs (belonging to the same owner) as secondary IP.
>
> Something along that way. I would like to be able to add an IPv4 or IPv6
> address as a secondary without it being checked. Just allow any address
> to be added as a secondary address.
>
> This would already be sufficient.
>
> Wido
>
> > -Wei
> >
> > On Mon, 17 Jan 2022 at 14:37, Wido den Hollander <w...@widodh.nl> wrote:
> >
> >> Hi,
> >>
> >> Use-case: I have a SG enabled shared network where a VM establishes a
> >> BGP session with the upstream router.
> >>
> >> Over this BGP session the VM announces a /32 (IPv4) and/or /128 (IPv6)
> >> address and the router now installs this route.
> >>
> >> I do the same (with the same IPs) on a few different VMs and this way I
> >> can have an Anycast/Floating IP which is being routed to those VMs.
> >>
> >> Problem: Security Group filtering prohibits this as the 'ipset' on the
> >> hypervisor checks all the packets originating from the VM and drops all
> >> packets not matching the ipset.
> >>
> >>   Name: i-79-1328-VM
> >>   Type: hash:ip
> >>   Revision: 4
> >>   Header: family inet hashsize 1024 maxelem 65536
> >>   Size in memory: 248
> >>   References: 5
> >>   Number of entries: 1
> >>   Members:
> >>   62.221.XXX.11
> >>
> >> I want to add /32 and /128 addresses to this subnet so that the SG does
> >> not filter away this traffic.
> >>
> >> They could be added as a secondary IP to the VM, but this is not allowed
> >> by the API as the secondary IPs you want to add should always come from
> >> the subnet configured for that network.
> >>
> >> I do not want to turn off security grouping as this poses other
> >> potential issues.
> >>
> >> Solutions I see:
> >>
> >> - Add global/account/domain setting which allows arbitrary secondary IPs
> >> - Add per-network setting which allows arbitrary secondary IPs
> >> - Pre-define subnets which Anycast/Floating IPs can be picked from per
> >>   network
> >>
> >> Any ideas or suggestions?
> >>
> >> Wido
> >>

--
Daan
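The thread's root problem is that the per-VM ipset on the hypervisor only holds the VM's allocated addresses, so any source address the VM announces over BGP but that is absent from the set is dropped by the security-group rules. The following is an added example, not code from the thread or from the CloudStack project: it parses the `ipset list` output format quoted above (header lines, then a `Members:` section) and reports which candidate addresses (the Anycast /32 or /128 a VM announces) the set does not cover, so an operator can verify ahead of time which traffic SG filtering will drop. The set name is taken from the listing in the thread; the member address is a constructed documentation-range placeholder, since the real one is masked on the page. Members are parsed as networks so the same check also works for `hash:net` sets, and a family mismatch (an IPv6 candidate against a `family inet` set) is reported as uncovered.

```python
"""Report which addresses a VM's security-group ipset would NOT allow as source.

Added example (not CloudStack code). Parses the `ipset list` text format and
checks candidate addresses against the set's members and address family.
"""
import ipaddress
from typing import Dict, List, Union

IPNetwork = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Constructed sample, modelled on the listing quoted in the thread. The member
# address is a documentation-range placeholder (RFC 5737), not the real one.
SAMPLE_IPSET_LIST = """\
Name: i-79-1328-VM
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 248
References: 5
Number of entries: 1
Members:
203.0.113.11
"""


def parse_ipset_list(text: str) -> Dict[str, object]:
    """Parse `ipset list <name>` output into name, type, family and members."""
    header: Dict[str, str] = {}
    members: List[IPNetwork] = []
    in_members = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if in_members:
            # A member line may carry options after the entry; the entry comes first.
            # strict=False turns a bare address into a /32 or /128 network.
            members.append(ipaddress.ip_network(line.split()[0], strict=False))
            continue
        if line == "Members:":
            in_members = True
            continue
        key, _, value = line.partition(":")
        header[key.strip()] = value.strip()

    # "Header: family inet hashsize 1024 ..." -> family is the token after "family".
    tokens = header.get("Header", "").split()
    family = tokens[tokens.index("family") + 1] if "family" in tokens else "inet"
    return {
        "name": header.get("Name"),
        "type": header.get("Type"),
        "family": family,
        "members": members,
    }


def uncovered_addresses(ipset_text: str, candidates: List[str]) -> List[str]:
    """Return the candidate addresses that the set does not contain.

    Traffic sourced from these addresses would be dropped by the SG filtering
    described in the thread. Candidates in the wrong address family for the set
    (e.g. a /128 against a `family inet` set) can never be covered and are
    reported as well.
    """
    parsed = parse_ipset_list(ipset_text)
    set_version = 6 if parsed["family"] == "inet6" else 4
    members: List[IPNetwork] = parsed["members"]  # type: ignore[assignment]

    missing: List[str] = []
    for cand in candidates:
        addr = ipaddress.ip_address(cand)
        if addr.version != set_version or not any(addr in net for net in members):
            missing.append(cand)
    return missing


if __name__ == "__main__":
    # Constructed candidates: the VM's own address, an Anycast /32 it announces,
    # and an Anycast /128 it announces.
    announced = ["203.0.113.11", "203.0.113.200", "2001:db8::1"]
    for a in uncovered_addresses(SAMPLE_IPSET_LIST, announced):
        print(f"{a}: not in ipset, SG filtering would drop packets from it")
```

In practice the input would be the output of `ipset list <set-name>` captured on the hypervisor for the VM in question; the function only needs the text, so it can be run offline against a saved listing.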