Hi,
IGMP packets are blocked by default.
In the case of XenServer, multicast traffic is blocked in ebtables.
To allow IGMP traffic, please update the ebtables and iptables rules on the
XenServer.
For testing, you can add rules to accept multicast traffic in ebtables and
iptables.
Example rules on the host:
Sample iptables rules for a VM:
Chain i-8-9-QA (1 references)
pkts bytes target prot opt in out source destination
Chain i-8-9-QA-eg (1 references)
pkts bytes target prot opt in out source destination
Chain i-8-9-def (2 references)
pkts bytes target prot opt in out source destination
0 0 RETURN udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif34.0 --physdev-is-bridged set i-8-9-QA src udp dpt:53
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif34.0 --physdev-is-bridged !set i-8-9-QA src
0 0 DROP all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif34.0 --physdev-is-bridged !set i-8-9-QA dst
0 0 i-8-9-QA-eg all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif34.0 --physdev-is-bridged set i-8-9-QA src
0 0 i-8-9-QA all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif34.0 --physdev-is-bridged
ebtables:
:DEFAULT_EBTABLES ACCEPT
:i-8-9-QA ACCEPT
-A FORWARD -j DEFAULT_EBTABLES
-A FORWARD -i vif34.0 -j i-8-9-QA
-A FORWARD -o vif34.0 -j i-8-9-QA
-A DEFAULT_EBTABLES -p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
-A DEFAULT_EBTABLES -p ARP --arp-op Request -j ACCEPT
-A DEFAULT_EBTABLES -p ARP --arp-op Reply -j ACCEPT
-A DEFAULT_EBTABLES -p IPv4 -d Broadcast -j DROP
-A DEFAULT_EBTABLES -p IPv4 -d Multicast -j DROP
-A DEFAULT_EBTABLES -p IPv4 --ip-dst 255.255.255.255 -j DROP
-A DEFAULT_EBTABLES -p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-A DEFAULT_EBTABLES -p IPv4 -j RETURN
-A DEFAULT_EBTABLES -p IPv6 -j DROP
-A DEFAULT_EBTABLES -p 802_1Q -j DROP
-A DEFAULT_EBTABLES -j DROP
-A i-8-9-QA -s ! 6:bb:e8:0:0:1e -i vif34.0 -j DROP
-A i-8-9-QA -p IPv4 -i vif34.0 --ip-proto udp --ip-dport 68 -j DROP
-A i-8-9-QA -p IPv4 -o vif34.0 --ip-proto udp --ip-dport 67 -j DROP
Note: If you update the rules manually, CloudStack overwrites them on VM reboot
or when a new rule is added.
Thanks,
Jayapal
On 21-Jun-2013, at 1:21 AM, Kenneth Warren <[email protected]>
wrote:
> Good Afternoon!
>
> We are working with multicast and IGMP groups on our CloudStack
> infrastructure, and I have a question regarding security groups.
>
> To create an ingress rule, one must navigate to the security groups panel
> then add a new rule based on protocol. The values allowed are ICMP, TCP, and
> UDP. I am concerned that the IGMP member query messages on the network are
> being blocked by the security group settings, as our VMs continually act as
> if they have been kicked out of the membership group.
>
> Are IGMP packets blocked by security groups by default? If so, how do we
> enable them?
>
> Thanks!
>
> Kenny Warren, MITM
> Associate Information Assurance Engineer
> Orbis Technologies, Inc.
> 443.569.6722
> www.orbistechnologies.com
>
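
An added example, not part of the original messages and not CloudStack code: a simplified first-match walk of the DEFAULT_EBTABLES chain listed in the reply, showing which rule drops an IGMP membership query. The frame fields (224.0.0.1, 01:00:5e:00:00:01, 10.1.1.20) are constructed, and the matcher models only the options that appear in that chain.

```python
import ipaddress

# DEFAULT_EBTABLES chain, copied from the ebtables listing in the reply.
RULES = """\
-p IPv4 --ip-dst 255.255.255.255 --ip-proto udp --ip-dport 67 -j ACCEPT
-p ARP --arp-op Request -j ACCEPT
-p ARP --arp-op Reply -j ACCEPT
-p IPv4 -d Broadcast -j DROP
-p IPv4 -d Multicast -j DROP
-p IPv4 --ip-dst 255.255.255.255 -j DROP
-p IPv4 --ip-dst 224.0.0.0/4 -j DROP
-p IPv4 -j RETURN
-p IPv6 -j DROP
-p 802_1Q -j DROP
-j DROP""".splitlines()

def dst_mac_matches(kind, mac):
    """Model the two destination-MAC classes used in the chain."""
    octets = [int(x, 16) for x in mac.split(":")]
    if kind == "Broadcast":
        return all(o == 0xFF for o in octets)
    return kind == "Multicast" and bool(octets[0] & 1)  # group bit set

CHECKS = {
    "-p": lambda v, f: f["ethertype"] == v,
    "-d": lambda v, f: dst_mac_matches(v, f["dst_mac"]),
    "--ip-dst": lambda v, f: "ip_dst" in f and
        ipaddress.ip_address(f["ip_dst"]) in ipaddress.ip_network(v),
    "--ip-proto": lambda v, f: f.get("ip_proto") == v,
    "--ip-dport": lambda v, f: f.get("dport") == int(v),
    "--arp-op": lambda v, f: f.get("arp_op") == v,
}

def first_match(frame, rules=RULES):
    """Return (rule number, target, rule text) of the first matching rule."""
    for n, rule in enumerate(rules, 1):
        tokens = rule.split()
        opts = dict(zip(tokens[0::2], tokens[1::2]))  # every option takes one value
        target = opts.pop("-j")
        if all(CHECKS[k](v, frame) for k, v in opts.items()):
            return n, target, rule
    return None

# Constructed frames: an IGMP general query and ordinary unicast traffic.
IGMP_QUERY = {"ethertype": "IPv4", "dst_mac": "01:00:5e:00:00:01",
              "ip_dst": "224.0.0.1", "ip_proto": "igmp"}
UNICAST = {"ethertype": "IPv4", "dst_mac": "06:bb:e8:00:00:1e",
           "ip_dst": "10.1.1.20", "ip_proto": "tcp", "dport": 22}

if __name__ == "__main__":
    print(first_match(IGMP_QUERY))
    print(first_match(UNICAST))
```

Filtering out the `-d Multicast` rule and re-running shows the query is still dropped by the `--ip-dst 224.0.0.0/4` rule, so both rules need attention when testing.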