This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
Home Products Support Community News


[Xen-users] Network Interface Problems for DomU Firewall

To: <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] Network Interface Problems for DomU Firewall
From: "Thomas Jensen" <tom.jensen@xxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 27 Jul 2009 15:02:01 -0500
Delivery-date: Mon, 27 Jul 2009 13:02:48 -0700
Dkim-signature: v=1; a=rsa-sha1; c=relaxed; d=digitaltoolbox-inc.com; h= from:to:subject:date:message-id:mime-version:content-type; s= mail; bh=gid4kmy2tBQZE2/ZBPm7wGFDP98=; b=Wm6H6eUfaRfonM8ygRaikKF NZk113UYsEd2SF/sQBIKHIM9onlZ6V65u57q0f7oZi4YPxNrShoE3Ai58Kv3YKay 6pzlOHmY0RDtRp8pQ7YPyAaXH3M04BgZSMSVTzEPu3N0YTMCz+Xd+Zwp687FDrGD sakEmMskHQP8oOQijW48=
Domainkey-signature: a=rsa-sha1; c=nofws; d=digitaltoolbox-inc.com; h=from:to :subject:date:message-id:mime-version:content-type; q=dns; s= mail; b=rPSefyJbL1rb3tH4oVyowijaHcE3fZZwcbRdkp8LliLNRPxY/J7zhFFJ d2hksrHICPQafX2O84ieTShiJmNSe46lkwNNuy6O/fdYhD+Xr5+Q40mov/7barSD lFHL4EMJwSBJPBg0BWLXI1yO/1s6ktp9odP69gxug0BG4LtoXIY=
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcoO9RqnJ4So4EE5RIasiyenQKBepA==
I am attempting to setup a firewall in a DomU.  The firewall program I eventually want to run is Shorewall.
Both my Dom0 and DomU are Debian Lenny 64 bit systems.  The Dom0 has four physical network interfaces installed.  Currently, one of the NICs is hidden using the pciback.hide command in the /boot/grub/menu.lst file.  Similarly, the hidden NIC is passed to the DomU using the pci = ['device:address.0'] line in the DomU configuration file.
When I modify the DomU configuration file only to include the pci directive without an additional vif line, the networking works as expected in the DomU.  All of the networking settings are done in the /etc/network/interfaces file within the DomU.
I want to run a three interface firewall using Shorewall.  The physical NIC (eth0) will be used on the external side.  I want to add two virtual interfaces to the DomU for use as a DMZ interface (eth2) and private LAN interface (eth1).
Therefore, I returned to the DomU configuration file and added a vif line containing only the MAC address and Dom0 bridge.  No IP address is listed within the vif line in the DomU configuration file.
When starting the DomU, networking no longer works as expected.  Examining the results of ifconfig, I see that the DomU has assigned the NICs differently than I would expect.  Examining the MAC addresses, the passthrough NIC is now assigned as eth1 rather than eth0.
In a typical installation, I would edit /etc/udev/rules.d/70-persistent-net.rules to manually assign the netdev names based on MAC address.  However, this file doesn't exit in my newly created Debian Lenny DomU.
Can I simply create the file?  Does this file not exist due to some underlying Xen issue?  How should I rectify this problem?
Additional sanitized Info:
server# xm info
host                   : server.example.com
release                : 2.6.26-1-xen-amd64
version                : #1 SMP Fri Mar 13 21:39:38 UTC 2009
machine                : x86_64
nr_cpus                : 4
nr_nodes               : 1
cores_per_socket       : 1
threads_per_core       : 2
cpu_mhz                : 2992
hw_caps                : bfebfbff:20100800:00000000:00000180:0000641d
total_memory           : 4030
free_memory            : 0
node_to_cpu            : node0:0-3
xen_major              : 3
xen_minor              : 2
xen_extra              : -1
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p
xen_scheduler          : credit
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : unavailable
cc_compiler            : gcc version 4.3.1 (Debian 4.3.1-2)
cc_compile_by          : waldi
cc_compile_domain      : debian.org
cc_compile_date        : Sat Jun 28 09:32:18 UTC 2008
xend_config_format     : 4
Xen-users mailing list