Apologies if these questions are rather basic, but I'm a little
confused by the bridging.

I've got a Debian sarge dom0 with several Debian sarge domUs, using
different IPs in the same network and the default bridging setup, and
for IPv4 everything seems to work fine.

One thing I've noticed, though, is that my dom0 cannot talk to any of
the domUs over IPv6 even though IPv6 is fully working in the domUs and
works for non-local addresses in dom0:

[andy@dom0 andy]$ ip -6 addr
1: eth0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500 qlen 1000
inet6 2001:ba8:0:1f1:2e0:81ff:fe64:1d07/64 scope global dynamic
valid_lft 2313320sec preferred_lft 326120sec
inet6 fe80::2e0:81ff:fe64:1d07/64 scope link
valid_lft forever preferred_lft forever
3: lo: <LOOPBACK,UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
5: xen-br0: <BROADCAST,MULTICAST,UP> mtu 1500
inet6 2001:ba8:0:1f1:2e0:81ff:fe64:1d07/64 scope global dynamic
valid_lft 2591938sec preferred_lft 604738sec
inet6 fe80::200:ff:fe00:0/64 scope link
valid_lft forever preferred_lft forever
7: vif2.0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500
inet6 fe80::fcff:ffff:feff:ffff/64 scope link
valid_lft forever preferred_lft forever
9: vif3.0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500
inet6 fe80::fcff:ffff:feff:ffff/64 scope link
valid_lft forever preferred_lft forever
10: vif4.0: <BROADCAST,MULTICAST,PROMISC,UP> mtu 1500
inet6 fe80::fcff:ffff:feff:ffff/64 scope link
valid_lft forever preferred_lft forever
[andy@dom0 andy]$ ip -6 ro
2001:ba8:0:1f1::/64 dev eth0 proto kernel metric 256 expires 2312526sec mtu 1500 advmss 1440 hoplimit 64
2001:ba8:0:1f1::/64 dev xen-br0 proto kernel metric 256 expires 2591856sec mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev xen-br0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev vif2.0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev vif3.0 metric 256 mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev vif4.0 metric 256 mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev xen-br0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev vif2.0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev vif3.0 metric 256 mtu 1500 advmss 1440 hoplimit 1
ff00::/8 dev vif4.0 metric 256 mtu 1500 advmss 1440 hoplimit 1
default via fe80::20a:41ff:fe62:c140 dev xen-br0 proto kernel metric 1024 expires 1656sec mtu 1500 advmss 1440 hoplimit 64
unreachable default dev lo proto none metric -1 error -101 hoplimit 255
[andy@dom0 andy]$ ping6 www.sixxs.net
PING www.sixxs.net(noc.sixxs.net) 56 data bytes
64 bytes from noc.sixxs.net: icmp_seq=1 ttl=52 time=139 ms
64 bytes from noc.sixxs.net: icmp_seq=2 ttl=52 time=138 ms
64 bytes from noc.sixxs.net: icmp_seq=3 ttl=52 time=138 ms
64 bytes from noc.sixxs.net: icmp_seq=4 ttl=52 time=138 ms
--- www.sixxs.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3035ms
rtt min/avg/max/mdev = 138.083/138.572/139.084/0.532 ms
[andy@domU andy]$ ip -6 addr
1: lo: <LOOPBACK,UP> mtu 16436
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP> mtu 1500 qlen 1000
inet6 2001:ba8:0:1f1:a800:ff:fe0a:dd6a/64 scope global dynamic
valid_lft 2591993sec preferred_lft 604793sec
inet6 fe80::a800:ff:fe0a:dd6a/64 scope link
valid_lft forever preferred_lft forever
[andy@domU andy]$ ip -6 ro
2001:ba8:0:1f1::/64 dev eth0 proto kernel metric 256 expires 2591819sec mtu 1500 advmss 1440 hoplimit 64
fe80::/64 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 64
ff00::/8 dev eth0 metric 256 mtu 1500 advmss 1440 hoplimit 1
default via fe80::20a:41ff:fe62:c140 dev eth0 proto kernel metric 1024 expires 1619sec mtu 1500 advmss 1440 hoplimit 64
unreachable default dev lo proto none metric -1 error -101 hoplimit 255
[andy@domU andy]$ ping6 www.sixxs.net
PING www.sixxs.net(noc.sixxs.net) 56 data bytes
64 bytes from noc.sixxs.net: icmp_seq=1 ttl=52 time=137 ms
64 bytes from noc.sixxs.net: icmp_seq=2 ttl=52 time=138 ms
64 bytes from noc.sixxs.net: icmp_seq=3 ttl=52 time=138 ms
64 bytes from noc.sixxs.net: icmp_seq=4 ttl=52 time=138 ms
--- www.sixxs.net ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3035ms
rtt min/avg/max/mdev = 137.675/138.403/138.740/0.567 ms

domU can get to dom0:

[andy@domU andy]$ ping6 2001:ba8:0:1f1:2e0:81ff:fe64:1d07
PING 2001:ba8:0:1f1:2e0:81ff:fe64:1d07(2001:ba8:0:1f1:2e0:81ff:fe64:1d07) 56 data bytes
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=1 ttl=64 time=4.57 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=2 ttl=64 time=0.071 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=3 ttl=64 time=0.082 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=4 ttl=64 time=0.077 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=5 ttl=64 time=0.078 ms
64 bytes from 2001:ba8:0:1f1:2e0:81ff:fe64:1d07: icmp_seq=6 ttl=64 time=0.051 ms
--- 2001:ba8:0:1f1:2e0:81ff:fe64:1d07 ping statistics ---
6 packets transmitted, 6 received, 0% packet loss, time 5014ms
rtt min/avg/max/mdev = 0.051/0.822/4.575/1.678 ms

but dom0 can't get to domU:

[andy@dom0 andy]$ ping6 2001:ba8:0:1f1:a800:ff:fe0a:dd6a
PING 2001:ba8:0:1f1:a800:ff:fe0a:dd6a(2001:ba8:0:1f1:a800:ff:fe0a:dd6a) 56 data bytes
From ::1 icmp_seq=1 Destination unreachable: Address unreachable
From ::1 icmp_seq=2 Destination unreachable: Address unreachable
From ::1 icmp_seq=3 Destination unreachable: Address unreachable
--- 2001:ba8:0:1f1:a800:ff:fe0a:dd6a ping statistics ---
5 packets transmitted, 0 received, +3 errors, 100% packet loss, time 4027ms

So have I missed something obvious? IPv4 works fine.

Secondly, my next goal is to use iptables in dom0 to restrict what
can get to both dom0 and the domUs.

If I need to refer to an interface in iptables (and ip6tables),
should it be eth0 or xen-br0?

Does all traffic for all domains arrive at both eth0 and xen-br0?
And leave by both those interfaces? Do the vif interfaces play any
role for iptables?

If I want to put in iptables rules to do accounting for traffic
going to/from each domain, should I be doing that by looking at what
goes over each vif?

Finally, here's an example config file for one of my domUs:

name="foo"
memory=128
kernel="/boot/xen-linux-2.6.10xenu"
nics=1
disk=[ 'phy:mainvg/fooroot,sda1,w',
'phy:mainvg/fooswap,sda2,w' ]
root="/dev/sda1 ro"

When this got started, this domain got a random MAC address as
expected. Then I realised that it would automatically configure an
IPv6 address based on that random MAC. As I don't want the IPv6
address to change again, I guess I need to tell it to keep the MAC
it has chosen already, across any restarts.

The domU currently has a MAC of aa:00:00:0a:dd:6a. Do I just need
to add:

vif=[ 'mac=aa:00:00:0a:dd:6a' ]

to the config file?

Thanks for any help or pointers with these probably very basic
questions.
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
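
An added example, not part of the original post: the modified EUI-64 mapping (RFC 4291, Appendix A) that ties an autoconfigured IPv6 address to the interface MAC, run both ways over addresses quoted in the message. The function names are made up for this sketch; it shows why a changing MAC changes the address that address-based ip6tables rules would have to match, and that the three vif interfaces in dom0 share a single link-local address.

```python
import ipaddress


def mac_to_slaac(prefix, mac):
    """Address SLAAC forms from a /64 prefix and a 48-bit MAC (modified EUI-64)."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 autoconfiguration needs a /64 prefix")
    # Flip the universal/local bit of the first octet, insert ff:fe in the middle.
    iid = bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:]
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(iid, "big"))


def slaac_to_mac(addr):
    """Recover the MAC from an EUI-64 derived address, or None if not EUI-64."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None  # static, privacy or otherwise non-EUI-64 interface id
    mac = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]
    return ":".join(f"{octet:02x}" for octet in mac)


def shared_macs(addresses):
    """Group interface names by recovered MAC; keep MACs used more than once."""
    groups = {}
    for name, addr in addresses.items():
        groups.setdefault(slaac_to_mac(addr), []).append(name)
    return {mac: names for mac, names in groups.items() if len(names) > 1}


# Link-local addresses copied from the dom0 "ip -6 addr" output in the message.
DOM0_LINK_LOCAL = {
    "eth0": "fe80::2e0:81ff:fe64:1d07",
    "xen-br0": "fe80::200:ff:fe00:0",
    "vif2.0": "fe80::fcff:ffff:feff:ffff",
    "vif3.0": "fe80::fcff:ffff:feff:ffff",
    "vif4.0": "fe80::fcff:ffff:feff:ffff",
}

if __name__ == "__main__":
    # The domU MAC and prefix from the message give the domU's global address.
    print(mac_to_slaac("2001:ba8:0:1f1::/64", "aa:00:00:0a:dd:6a"))
    for name, addr in DOM0_LINK_LOCAL.items():
        print(name, slaac_to_mac(addr))
    print(shared_macs(DOM0_LINK_LOCAL))
```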