WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

[Xen-users] Confused about bridged DomU's.

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Confused about bridged DomU's.
From: Ed Roper <edro+xen@xxxxxxxxxxx>
Date: Tue, 03 Oct 2006 19:19:14 -0700
Delivery-date: Tue, 03 Oct 2006 19:20:03 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 1.5.0.7 (X11/20060922)
(If this message comes across twice, I apologize. I sent it from the wrong source address originally)

Hello,

My first exposure to Linux bridged networking is with Xen. I'm still not clear on some bits, well, most bits really. I have the following configuration which I've managed to get working, I think. I'm not quite sure what was causing some of the headaches I was experiencing earlier though and I'm hoping that someone can tell me.

I have a system with the following network interfaces. It serves as a firewall/router in addition to now running a couple of XenU's.

eth0: 10.0.0.0/24 (Trusted)
eth1: 10.0.1.0/24 (WiFi, very limited trust)
eth2: public-ip, with some other public ip's aliased to the interface and later hijacked with iptables PREROUTING.
(new) dummy0: originally 10.0.4.0/24

The iptables firewall is in Dom0.

Most hosts in 10.0.0.0/24 are simply SNATed and DNATed as they traverse eth2, to an IP address dedicated to that purpose.
Some hosts are SNAT/DNAT mapped in their entirety (when traversing eth2)
Some ports to some public IPs get redirected to yet again other internal hosts (when they come in eth2).

This has all worked fairly well for me over the past couple years. Then came Xen <big grin>

I attempted to add dummy0 with 10.0.4.1/24. My intent was that all DomU's would live in the 10.0.4.0/24 subnet. My original intent would have been to make them live in the 10.0.0.0/24 subnet, but my misconfiguration of bridging kept breaking my Internet access, making it harder to track down documentation.

The problem began when I tried to SNAT Internet bound traffic originating from the DomU machine at 10.0.4.2. Depending on my iptables rules I was either SNATing before it went out eth2, or wasn't SNATing at all, simply bypassing the rule (somehow... see note 1 below.) and dumping RFC1918 originated packets out to my ISP.

Stripping the address from dummy0 and then assigning 10.0.4.1 to xenbr0 (the bridge) solved this problem, apparently in its entirety.

I fiddled with ebtables a bit as well, but I suppose my grasp over how exactly packets traverse all the magic Xen interfaces leaves much to be desired, particularly when Dom0 is routing/firewalling in addition to bridging a dummy interface.

So the questions:

- Why was the following ignored? (the inverse DNAT worked fine)
iptables -t nat -A POSTROUTING -s 10.0.4.2 -o eth2 -j SNAT --to-source xxx.xxx.xxx.xxx
or:
iptables -t nat -A POSTROUTING -s 10.0.4.2 -m physdev --physdev-out eth2 -j SNAT --to-source xxx.xxx.xxx.xxx

- What do I lose setting the IP on xenbr0 instead of dummy0?

Is there a diagram somewhere showing packet traversal from a DomU to a Dom0, preferably one showing the hook-in points for eb/iptables? There seem to be quite a few classes of interfaces on the Dom0.



Thanks very much,
Ed


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
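The following is an added example, not code from the post or from the Xen project: a small audit script for the layout Ed describes (Dom0 routing and firewalling, DomU bridged onto xenbr0). It emits the SNAT/DNAT pair for one guest with the option spelled as iptables accepts it (lowercase -j), flags packets that reach the public uplink with an RFC 1918 source address, i.e. traffic that left without being SNATed, and reports IP addresses configured on bridge ports rather than on the bridge itself (the change that fixed things for the poster). Assumed names: xenbr0 is the bridge carrying 10.0.4.1/24, eth2 is the uplink, 10.0.4.2 is the guest, dummy0 and vif1.0 are bridge ports, and 203.0.113.10 is a placeholder for the public address the post writes as xxx.xxx.xxx.xxx. The sample capture and address listing are constructed.

```shell
#!/bin/sh
# Added example (not from the original post or the Xen project).
# Assumed layout: xenbr0 holds 10.0.4.1/24, eth2 is the public uplink,
# 10.0.4.2 is the DomU, 203.0.113.10 is a placeholder public address.

BRIDGE=xenbr0
UPLINK=eth2
DOMU_IP=10.0.4.2
PUBLIC_IP=203.0.113.10

# Emit the NAT pair for one guest. Note lowercase -j: iptables has no -J
# option and rejects a rule written with it instead of silently ignoring it.
nat_rules() {
    printf '%s\n' \
      "iptables -t nat -A POSTROUTING -s $DOMU_IP -o $UPLINK -j SNAT --to-source $PUBLIC_IP" \
      "iptables -t nat -A PREROUTING -d $PUBLIC_IP -i $UPLINK -j DNAT --to-destination $DOMU_IP"
}

# Print the rules, or install them when run as root with APPLY=1.
apply_nat_rules() {
    nat_rules | while IFS= read -r rule; do
        if [ "${APPLY:-0}" = 1 ]; then eval "$rule"; else echo "$rule"; fi
    done
}

# Read 'tcpdump -n -i eth2' lines on stdin and print those whose source
# address is RFC 1918: packets that reached the uplink without SNAT.
rfc1918_egress() {
    awk '$2 == "IP" {
        split($3, a, ".")
        o1 = a[1] + 0; o2 = a[2] + 0
        if (o1 == 10 || (o1 == 172 && o2 >= 16 && o2 <= 31) || (o1 == 192 && o2 == 168))
            print
    }'
}

count_rfc1918_egress() { rfc1918_egress | awk 'END { print NR }'; }

# Report addresses configured on bridge ports instead of on the bridge.
# Input: 'ip -o -4 addr show' output on stdin; arguments: the port names.
# A port enslaved to a bridge hands its frames to the bridge, so an address
# on the port itself is not where the bridged traffic is routed from.
addrs_on_bridge_ports() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) isport[p[i]] = 1 }
        ($2 in isport) && $3 == "inet" { print $2, $4 }'
}

# Constructed sample capture and address listing (not taken from the post).
SAMPLE_CAPTURE='19:19:14.000001 IP 10.0.4.2.40000 > 198.51.100.5.80: Flags [S]
19:19:14.000002 IP 203.0.113.10.40000 > 198.51.100.5.80: Flags [S]
19:19:14.000003 IP 192.168.7.9.53 > 198.51.100.5.53: UDP
19:19:14.000004 IP 172.40.1.1.22 > 198.51.100.5.2222: Flags [P.]'
SAMPLE_ADDRS='1: lo    inet 127.0.0.1/8 scope host lo
2: eth2    inet 203.0.113.10/24 brd 203.0.113.255 scope global eth2
5: dummy0    inet 10.0.4.1/24 brd 10.0.4.255 scope global dummy0'

echo "NAT rules:"; apply_nat_rules
echo "RFC 1918 sources seen on $UPLINK:"
printf '%s\n' "$SAMPLE_CAPTURE" | rfc1918_egress
echo "Addresses sitting on bridge ports (should be empty):"
printf '%s\n' "$SAMPLE_ADDRS" | addrs_on_bridge_ports dummy0 vif1.0
```

On a live Dom0 the two checks would be fed from `tcpdump -n -l -i eth2 | rfc1918_egress` and `ip -o -4 addr show | addrs_on_bridge_ports $(ls /sys/class/net/xenbr0/brif)`; a non-empty result from either is the leak or misplacement the post describes.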
