WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

Re: [Xen-devel] NAT through Dom0 on unstable branch

To: Eitan Isaacson <ee.jay.eye@xxxxxxxxx>
Subject: Re: [Xen-devel] NAT through Dom0 on unstable branch
From: Nils Toedtmann <xen-devel@xxxxxxxxxxxxxxxxxx>
Date: Tue, 21 Jun 2005 00:10:04 +0200
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 20 Jun 2005 22:09:10 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <fa8d26480506201140246713f7@xxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <fa8d26480506201140246713f7@xxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
On Monday, 20.06.2005, at 11:40 -0700, Eitan Isaacson wrote:
> Hello,
> I might be the first to encounter this issue, so I think it is worth 
> posting...
> 
> I am trying to set up a configuration in which a DomU and Dom0 are on
> their own subnet, and DomU accesses the real network through Dom0's
> NAT.
> 
> These are the steps that I take (note, these steps worked fine in
> "testing" and "stable" branches):
> 
> I first set up a bridge with a private IP:
> 
> brctl addbr mybr0
> ip addr add 192.168.0.1/24 dev mybr0
> ip link set mybr0 up
> 
> These are my network scripts in the xend config file:
> 
> (network-script     network-route)
> (vif-script         vif-bridge)
> (vif-bridge         mybr0)
> 
> I start a DomU with an IP of 192.168.0.101, and I am able to ping Dom0
> (192.186.0.1).
> 
> I enable IP forwarding, and I set up NAT:
> 
> sysctl -w net.ipv4.ip_forward=1  # (if not already done by xend)
> iptables -t nat -A POSTROUTING -j MASQUERADE \
>   -o eth0 -s 192.168.0.1/24
> 
> I am able to ping the outside world by IP, but name resolution, or any
> other TCP/IP traffic does not work.
> The very strange part is that tcpdump seems to show packets arriving
> at their destination on the outside world hosts, but besides the ACKs,
> the outside hosts do not respond.
> I am not a networking expert, so I am sorry if my diagnosis is not complete.

I cannot see any error (which does not mean that there is none). Make
sure ("iptables -nL") that the filter chains all have policy "ACCEPT".

So the TCP-SYN hits the target, it answers with TCP-SYN/ACK, and the last
step in the TCP handshake (TCP-ACK domU-->target) is missing, right?
Sniff on vif1.0 (or better on domU's eth0) to see if the target's answer
(TCP-SYN/ACK) arrives at the domU and if the third packet (TCP-ACK)
leaves it. Check ("tcpdump -e") if the frames have the correct
destination MACs.

/nils.

> Here is a bit more info (on Dom0):
> # iptables -t nat -L
> Chain PREROUTING (policy ACCEPT)
> target     prot opt source               destination
> 
> Chain POSTROUTING (policy ACCEPT)
> target     prot opt source               destination
> MASQUERADE  all  --  192.168.0.0/24       anywhere
> 
> Chain OUTPUT (policy ACCEPT)
> target     prot opt source               destination
> 
> # ifconfig
> eth0      Link encap:Ethernet  HWaddr 00:0F:1F:8C:17:D6
>           inet addr: 10.0.20.10  Bcast:10.0.255.255  Mask:255.255.0.0
>           UP BROADCAST NOTRAILERS RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:30868 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:1121 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:1000
>           RX bytes:8172500 (7.7 Mb)  TX bytes:158965 (155.2 Kb)
>           Base address:0xdf40 Memory:fcfe0000-fd000000
> 
> lo        Link encap:Local Loopback
>           inet addr:127.0.0.1  Mask:255.0.0.0
>           UP LOOPBACK RUNNING  MTU:16436  Metric:1
>           RX packets:5 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:288 (288.0 b)  TX bytes:288 (288.0 b)
> 
> mybr0     Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>           inet addr:192.168.0.1  Bcast:0.0.0.0  Mask:255.255.255.0
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:12 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:13 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:834 (834.0 b)  TX bytes:938 (938.0 b)
> 
> vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
>           UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
>           RX packets:13 errors:0 dropped:0 overruns:0 frame:0
>           TX packets:10 errors:0 dropped:0 overruns:0 carrier:0
>           collisions:0 txqueuelen:0
>           RX bytes:1044 (1.0 Kb)  TX bytes:812 (812.0 b)
> 
> # brctl show
> bridge name     bridge id               STP enabled     interfaces
> mybr0           8000.feffffffffff       no              vif1.0
-- 
there is no sig
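Nils's checklist (does the SYN/ACK reach the domU, does the third ACK leave it, do outbound frames carry the right destination MAC under `tcpdump -e`) as an added example that is not part of this thread: a script that reads `tcpdump -n -e` output from the vif and reports, per connection the domU opened, which step is missing. The domU address 192.168.0.101 and the expected gateway MAC fe:ff:ff:ff:ff:ff (the HWaddr of mybr0, where 192.168.0.1 lives, in the ifconfig output above) come from the thread; the capture lines, the peer addresses and the domU MAC are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of `tcpdump -n -e -i vif1.0 tcp` output (modern line format, not
# from the thread): port 40000 completes its handshake; port 40001 gets its SYN/ACK
# but never answers, and its SYN went to eth0's MAC instead of the bridge's.
SAMPLE = """\
00:10:04.000001 00:16:3e:00:00:01 > fe:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 74: 192.168.0.101.40000 > 10.0.20.1.80: Flags [S], seq 1000, win 5840, length 0
00:10:04.000120 fe:ff:ff:ff:ff:ff > 00:16:3e:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.20.1.80 > 192.168.0.101.40000: Flags [S.], seq 2000, ack 1001, win 5792, length 0
00:10:04.000130 00:16:3e:00:00:01 > fe:ff:ff:ff:ff:ff, ethertype IPv4 (0x0800), length 66: 192.168.0.101.40000 > 10.0.20.1.80: Flags [.], ack 2001, win 5840, length 0
00:10:05.000001 00:16:3e:00:00:01 > 00:0f:1f:8c:17:d6, ethertype IPv4 (0x0800), length 74: 192.168.0.101.40001 > 10.0.20.2.53: Flags [S], seq 3000, win 5840, length 0
00:10:05.000090 fe:ff:ff:ff:ff:ff > 00:16:3e:00:00:01, ethertype IPv4 (0x0800), length 74: 10.0.20.2.53 > 192.168.0.101.40001: Flags [S.], seq 4000, ack 3001, win 5792, length 0
"""
# One `tcpdump -e` line: src MAC > dst MAC, ..., src.port > dst.port: Flags [..]
LINE = re.compile(r"^\S+ (?P<smac>[0-9a-f:]{17}) > (?P<dmac>[0-9a-f:]{17}), .*?: "
                  r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
                  r"Flags \[(?P<flags>[^\]]*)\]")
def audit_handshakes(capture, domu_ip, gateway_mac):
    """Map (domU port, peer ip, peer port) -> problems for each connection domU opened:
    SYN/ACK must arrive, the third ACK must leave, outbound frames must go to the bridge MAC."""
    gateway_mac = gateway_mac.lower()
    flows = defaultdict(lambda: {"syn": False, "synack": False, "ack": False, "bad_mac": set()})
    for line in capture.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        if m["src"] == domu_ip:                            # frame leaving domU
            st = flows[(int(m["sport"]), m["dst"], int(m["dport"]))]
            if m["dmac"].lower() != gateway_mac:
                st["bad_mac"].add(m["dmac"].lower())
            if m["flags"] == "S":
                st["syn"] = True
            elif m["flags"] == "." and st["synack"]:       # handshake step 3
                st["ack"] = True
        elif m["dst"] == domu_ip and m["flags"] == "S.":   # step 2 arriving at domU
            flows[(int(m["dport"]), m["src"], int(m["sport"]))]["synack"] = True
    report = {}
    for key, st in flows.items():
        if not st["syn"]:
            continue                                       # not opened by domU in this capture
        problems = []
        if not st["synack"]:
            problems.append("SYN/ACK from peer never reached domU")
        elif not st["ack"]:
            problems.append("domU never sent the third ACK")
        for mac in sorted(st["bad_mac"]):
            problems.append(f"outbound frame sent to {mac}, expected gateway {gateway_mac}")
        report[key] = problems
    return report
```

Feed it a real capture with `audit_handshakes(open("vif1.0.txt").read(), "192.168.0.101", "fe:ff:ff:ff:ff:ff")`; an empty problem list means that connection's handshake looked healthy from the vif's point of view.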


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel