WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

[Xen-users] basic networking questions

To: xen ml <xen-users@xxxxxxxxxxxxxxxxxxx>
Subject: [Xen-users] basic networking questions
From: Andy Smith <andy@xxxxxxxxxxxxxx>
Date: Thu, 28 Apr 2005 01:21:03 +0000
Openpgp: id=BF15490B; url=http://strugglers.net/~andy/pubkey.asc
User-agent: Mutt/1.5.9i
Apologies if these questions are rather basic, but I'm a little
confused by the bridging.

I've got a Debian sarge dom0 with several Debian sarge domUs, using
different IPs in the same network and the default bridging setup and
for IPv4 everything seems to work fine.

One thing I've noticed though, is that my dom0 cannot talk to any of
the domUs over IPv6 even though IPv6 is fully working in the domUs and
works for non-local addresses in dom0:

[andy@dom0 andy]$ ip -6 addr
1: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qlen 1000
    inet6 2001:ba8:0:1f1:2e0:81ff:fe64:1d07/64 scope global dynamic
       valid_lft 2313320sec preferred_lft 326120sec
    inet6 fe80::2e0:81ff:fe64:1d07/64 scope link
       valid_lft forever preferred_lft forever
3: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
5: xen-br0: <BROADCAST,MULTICAST,UP> mtu 1500
    inet6 2001:ba8:0:1f1:2e0:81ff:fe64:1d07/64 scope global dynamic
       valid_lft 2591938sec preferred_lft 604738sec
    inet6 fe80::200:ff:fe00:0/64 scope link
       valid_lft forever preferred_lft forever
7: vif2.0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link
       valid_lft forever preferred_lft forever
9: vif3.0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link
       valid_lft forever preferred_lft forever
10: vif4.0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500
    inet6 fe80::fcff:ffff:feff:ffff/64 scope link
       valid_lft forever preferred_lft forever
[andy@dom0 andy]$ ip -6 ro
2001:ba8:0:1f1::/64 dev eth0  proto kernel  metric 256  expires 2312526sec mtu 1500 advmss 1440 hoplimit 64
2001:ba8:0:1f1::/64 dev xen-br0  proto kernel  metric 256  expires 2591856sec mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev xen-br0  metric 256  mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev vif2.0  metric 256  mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev vif3.0  metric 256  mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev vif4.0  metric 256  mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev xen-br0  metric 256  mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev vif2.0  metric 256  mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev vif3.0  metric 256  mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev vif4.0  metric 256  mtu 1500 advmss 1440 hoplimit 1
default via fe80::20a:41ff:fe62:c140 dev xen-br0  proto kernel  metric 1024  expires 1656sec mtu 1500 advmss 1440 hoplimit 64
unreachable default dev lo  proto none  metric -1  error -101 hoplimit 255
[andy@dom0 andy]$ ping6 www.sixxs.net
PING www.sixxs.net(noc.sixxs.net) 56 data bytes
64 bytes from noc.sixxs.net: icmp_seq=1 ttl=52 time=139 ms
64 bytes from noc.sixxs.net: icmp_seq=2 ttl=52 time=138 ms
64 bytes from noc.sixxs.net: icmp_seq=3 ttl=52 time=138 ms
64 bytes from noc.sixxs.net: icmp_seq=4 ttl=52 time=138 ms

--- www.sixxs.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3035ms
rtt min/avg/max/mdev = 138.083/138.572/139.084/0.532 ms


[andy@domU andy]$ ip -6 addr
1: lo: <LOOPBACK,UP> mtu 16436
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1000
    inet6 2001:ba8:0:1f1:a800:ff:fe0a:dd6a/64 scope global dynamic
       valid_lft 2591993sec preferred_lft 604793sec
    inet6 fe80::a800:ff:fe0a:dd6a/64 scope link
       valid_lft forever preferred_lft forever
[andy@domU andy]$ ip -6 ro
2001:ba8:0:1f1::/64 dev eth0  proto kernel  metric 256  expires 2591819sec mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0  metric 256  mtu 1500 advmss 1440 hoplimit 1
default via fe80::20a:41ff:fe62:c140 dev eth0  proto kernel  metric 1024  expires 1619sec mtu 1500 advmss 1440 hoplimit 64
unreachable default dev lo  proto none  metric -1  error -101 hoplimit 255
[andy@domU andy]$ ping6 www.sixxs.net
PING www.sixxs.net(noc.sixxs.net) 56 data bytes
64 bytes from noc.sixxs.net: icmp_seq=1 ttl=52 time=137 ms
64 bytes from noc.sixxs.net: icmp_seq=2 ttl=52 time=138 ms
64 bytes from noc.sixxs.net: icmp_seq=3 ttl=52 time=138 ms
64 bytes from noc.sixxs.net: icmp_seq=4 ttl=52 time=138 ms

--- www.sixxs.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3035ms
rtt min/avg/max/mdev = 137.675/138.403/138.740/0.567 ms

domU can get to dom0:

[andy@domU andy]$ ping6 2001:ba8:0:1f1:2e0:81ff:fe64:1d07
PING 2001:ba8:0:1f1:2e0:81ff:fe64:1d07(2001:ba8:0:1f1:2e0:81ff:fe64:1d07) 56 data bytes
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=1 ttl=64 time=4.57 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=3 ttl=64 time=0.082 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=4 ttl=64 time=0.077 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=5 ttl=64 time=0.078 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=6 ttl=64 time=0.051 ms

--- 2001:ba8:0:1f1:2e0:81ff:fe64:1d07 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5014ms
rtt min/avg/max/mdev = 0.051/0.822/4.575/1.678 ms

but dom0 can't get to domU:

[andy@dom0 andy]$ ping6 2001:ba8:0:1f1:a800:ff:fe0a:dd6a
PING 2001:ba8:0:1f1:a800:ff:fe0a:dd6a(2001:ba8:0:1f1:a800:ff:fe0a:dd6a) 56 data bytes
From ::1 icmp_seq=1 Destination unreachable: Address unreachable
From ::1 icmp_seq=2 Destination unreachable: Address unreachable
From ::1 icmp_seq=3 Destination unreachable: Address unreachable

--- 2001:ba8:0:1f1:a800:ff:fe0a:dd6a ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4027ms


So have I missed something obvious?  IPv4 works fine.

Secondly, my next goal is to use iptables in dom0 to restrict what
can get to both dom0 and the domUs.

If I need to refer to an interface in iptables (and ip6tables),
should it be eth0 or xen-br0?

Does all traffic for all domains arrive at both eth0 and xen-br0?
And leave by both those interfaces?  Do the vif interfaces play any
role for iptables?

If I want to put in iptables rules to do accounting from traffic
going to/from each domain, should I be doing that by looking what
goes over each vif?

Finally, here's an example config file for one of my domUs:

name="foo"
memory=128
kernel="/boot/xen-linux-2.6.10xenu"
nics=1
disk=[ 'phy:mainvg/fooroot,sda1,w',
       'phy:mainvg/fooswap,sda2,w' ]
root="/dev/sda1 ro"

When this got started this domain got a random MAC address as
expected.  Then I realised that it would automatically configure an
IPv6 address based on that random MAC.  As I don't want the IPv6
address to change again, I guess I need to tell it to keep the MAC
it has chosen already, across any restarts.

The domU currently has a MAC of aa:00:00:0a:dd:6a.  Do I just need
to add:

vif=[ 'mac=aa:00:00:0a:dd:6a' ]

to the config file?

Thanks for any help or pointers with these probably very basic
questions.


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users