For some reason, I am using an ethernet bridge as the internal
interface of an OSCAR installation. I used several network ports to
set up this bridge. Theoretically, by doing so, the bandwidth
available for each computing node can increase greatly. However, the
current pfilter setting prevents the nodes on one network port of the
bridge from connecting to other nodes on another network port of
the bridge.
For the network diagram, please check my blog article at
http://apple.sysbio.info/~mjhsieh/archives/000491.html
To solve this problem, I suggest modifying the script at
/opt/oscar/packages/pfilter/scripts and allowing the traffic going
through the internal interface.
--- post_clients.orig 2005-08-23 20:35:18.000000000 -0700
+++ post_clients 2005-08-23 20:34:44.000000000 -0700
@@ -176,7 +176,7 @@
# the server and every compute node trust each other
-trusted %oscar_server% %nodes%
+trusted %oscar_server% %nodes% $on_interface
open multicast # for ganglia
#
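Review bot: the comment kept above the changed rule at line 176, "the server and every compute node trust each other", no longer describes the rule once $on_interface is appended, and nothing in the hunk shows what that variable expands to. Update the comment to say the rule is tied to the internal interface and name the expected value; if $on_interface is empty, the generated line is the same as the old one and the patch has no effect.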
@@ -256,7 +256,7 @@
# the server and every compute node trust each other
-trusted %oscar_server% %nodes%
+trusted %oscar_server% %nodes% $on_interface
# let us be pingable from everywhere
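Review bot: the description does not justify changing the second trusted rule at line 256, which sits in a different section of the script (its trailing context is "let us be pingable from everywhere"). If only one of the two rule sets needs to be interface-aware, drop this hunk; otherwise state why both places change and which generated configuration each one ends up in.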
Logged In: YES
user_id=1144685
There was a typo in the previous patch. The pfilter.conf.clients should not
be touched. The patch that follows is better.
------------- cut here -------------
--- post_clients.orig 2005-08-23 20:35:18.000000000 -0700
+++ post_clients 2005-08-23 20:34:44.000000000 -0700
@@ -176,7 +176,7 @@
# the server and every compute node trust each other
-trusted %oscar_server% %nodes%
+trusted %oscar_server% %nodes% $on_interface
open multicast # for ganglia
#
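Review bot: the added line writes $on_interface straight into the trusted rule at line 176 with no check on whether it is set or what form it takes. Validate the variable before emitting the rule, fall back to the original line when it is unset, and record in the rule's comment which form pfilter expects in that position.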
------------- cut here -------------
Logged In: YES
user_id=338721
When I try
trusted %oscar_server% %nodes% on eth0
pfilter reports an error:
error - extra/unkown argument(s) <on eth0> for trusted on line 31
in /etc/pfilter.conf
This is obviously an illegal argument. How come this works for
you?
Logged In: YES
user_id=1144685
To efocht:
The value of $on_interface won't contain the "on " string.
In your case, if you want to manually specify it to eth0,
you should use:
trusted %oscar_server% %nodes% eth0
Logged In: YES
user_id=338721
Looking at post_clients I see exactly one place where the
variable $on_interface gets a reasonable value, and that has the
form "on $ENV{OSCAR_HEAD_INTERNAL_INTERFACE}".
If you use
trusted ... ... eth0 # without "on"
you actually disable the firewall on the internal interface.
For some setups (cluster on separate internal network) this
makes a lot of sense. For others (no internal network) this is
almost equivalent to disabling pfilter. Actually then it is sufficient
to do only:
trusted eth0
I'm also having intermittent trouble with pfilter and can't really
point my finger to the problem. All rejected packages should
pass according to the rules.