network-nat with qemu-dm not working

Michele Castigliego-2
Hello,
please grab a coffee (or beer) and read this, I'm having trouble here...

I'm using the following system:

Debian etch 4.0-r3
xen-hypervisor-3.2-1-i386 (The same happens with 3.0)
linux-image-2.6.18-6-xen-vserver-686

Dom0 is a machine with two network interfaces:
eth0 connected to Internet
eth1 connected to local network
On this system I run DNS and DHCP for the local network, and I've set up
NAT for Internet access. A simplified set of iptables rules is shown:

### iptables -L ###
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

### iptables -t nat -L ###
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  192.168.0.0/24       anywhere            to:192.168.1.254
SNAT       0    --  10.0.0.0/16          anywhere            to:192.168.1.254

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I would like to use my Dom0 as the firewall for the local network and
the DomUs, and to access the DomU machines from the local network.

I've set up this xend-config.sxp:
  (network-script network-dummy)
  (network-script 'network-nat netdev=eth1')
  (vif-script 'vif-nat dhcp=yes')
  (dom0-min-mem 512)
  (dom0-cpus 0)
  (vnc-listen '0.0.0.0')

## DomU xen-etch.cfg from an example:
  kernel  = '/boot/vmlinuz-2.6.18-6-xen-vserver-686'
  ramdisk = '/boot/initrd.img-2.6.18-6-xen-vserver-686'
  memory  = '512'
  root    = '/dev/sda1 ro'
  disk    = [ 'file:/home/xen/domains/xen-etch/disk.img,sda1,w','file:/home/xen/domains/xen-etch/swap.img,sda2,w' ]
  name    = 'xen-etch'
  dhcp = 'dhcp'
  vif  = [ '' ]
  on_poweroff = 'destroy'
  on_reboot   = 'restart'
  on_crash    = 'restart'

## DomU win.cfg from an example:
  kernel = '/usr/lib/xen-3.2-1/boot/hvmloader'
  builder = 'hvm'
  memory = '512'
  device_model='/usr/lib/xen-3.2-1/bin/qemu-dm'
disk=[ 'file:/root/win_vm.img,ioemu:hda,w','file:/root/WINXP.iso,ioemu:hdc:cdrom,r' ]
  name = 'win01'        
  vif = ['type=ioemu, vifname=wif_win']
  dhcp = 'dhcp'
  usbdevice="tablet"
  boot='d'
  vnc=1
  vncviewer=1
  vncunused=0
  sdl=0

I've commented out qemu-ifup because of NAT:
#ifconfig $1 0.0.0.0 up
#brctl addif $2 $1


After the DomUs start, this is what iptables -L shows:
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW
ACCEPT     0    --  10.0.0.0/16          anywhere            PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps
ACCEPT     0    --  10.0.0.0/16          anywhere            PHYSDEV match --physdev-in wif_win
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in wif_win udp spt:bootpc dpt:bootps

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

My iptables -t nat -L is the same as before.
Finally, this is my ifconfig:
eth0      Link encap:Ethernet  HWaddr 00:1D:92:3D:XX:XX  
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:92ff:fe3d:c74b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1484885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2058483 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:412365010 (393.2 MiB)  TX bytes:1104053767 (1.0 GiB)
          Interrupt:17 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 00:0D:88:CD:XX:XX  
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:88ff:fecd:6634/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2033285 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1459103 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1098654659 (1.0 GiB)  TX bytes:412892888 (393.7 MiB)
          Interrupt:16 Base address:0xec00

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:9321 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1387261 (1.3 MiB)  TX bytes:1387261 (1.3 MiB)

vif8.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF  
          inet addr:10.0.8.128  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8384 (8.1 KiB)  TX bytes:3200 (3.1 KiB)

wif_win   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF  
          inet addr:10.0.9.128  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

# ROUTE output:
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.10.1       0.0.0.0         255.255.255.255 UH    0      0        0 wif_win
10.0.8.1        0.0.0.0         255.255.255.255 UH    0      0        0 vif8.0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0


NOW, my DomU etch is working well: I can access the Internet and the machines on
the local network without problems.
The DomU win is up with a network card but is unable to reach
Dom0.
I think Xen is doing the right thing by inserting the correct rules and the
correct host declaration in dhcpd.conf.

The only thing I've noticed is in the output of ps auxwwwwwwwwww:
root     11492  3.7  0.3  26040  3592 ?        Sl   14:40   0:00 /usr/lib/xen-3.2-1/bin/qemu-dm -d 10 -domain-name win01 -vnc 0.0.0.0:0 -vcpus 1 -boot d -acpi -usbdevice tablet -net nic,vlan=1,macaddr=00:16:3e:2a:f3:ea,model=rtl8139 -net tap,vlan=1,bridge=xenbr0 -M xenfv

I see Xen passed a bridge... but I've commented it out from win.cfg...
Isn't that strange? Is this a bug?
Does someone else have the same configuration working?

Thanks,
Michele
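Added example (not from the post, and not Xen's own tooling): a small Python checker over the kind of diagnostic output shown above. It flags a guest-facing interface that is UP but not RUNNING, has carried no packets, or lacks the two FORWARD rules vif-nat installs per vif; the interface names and rule shapes come from the post, and the sample strings are condensed from it.

```python
import re
from collections import Counter

# Constructed sample, condensed from the ifconfig and FORWARD-chain output in the post.
IFCONFIG = """\
vif8.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:10.0.8.128  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0

wif_win   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:10.0.9.128  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
"""
FORWARD = """\
ACCEPT  0    --  10.0.0.0/16  anywhere  PHYSDEV match --physdev-in vif8.0
ACCEPT  udp  --  anywhere     anywhere  PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps
ACCEPT  0    --  10.0.0.0/16  anywhere  PHYSDEV match --physdev-in wif_win
ACCEPT  udp  --  anywhere     anywhere  PHYSDEV match --physdev-in wif_win udp spt:bootpc dpt:bootps
"""

def parse_ifconfig(text):
    """Map interface name -> (RUNNING flag set?, RX packets, TX packets)."""
    ifaces = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = block.splitlines()
        name = lines[0].split()[0]
        flags = next(l for l in lines if "MTU:" in l).split()
        pkts = dict(re.findall(r"(RX|TX) packets:(\d+)", block))
        ifaces[name] = ("RUNNING" in flags, int(pkts["RX"]), int(pkts["TX"]))
    return ifaces

def check_vifs(ifconfig_text, forward_text, prefixes=("vif", "wif")):
    """Return (iface, problem) pairs for guest-facing interfaces; [] means all look healthy."""
    rules = Counter(re.findall(r"--physdev-in (\S+)", forward_text))
    problems = []
    for name, (running, rx, tx) in parse_ifconfig(ifconfig_text).items():
        if not name.startswith(prefixes):
            continue
        if not running:
            problems.append((name, "UP but not RUNNING (no carrier)"))
        if rx == 0 and tx == 0:
            problems.append((name, "no packets in either direction"))
        if rules[name] < 2:  # vif-nat adds a subnet rule plus a DHCP rule per vif
            problems.append((name, "vif-nat FORWARD rules missing"))
    return problems
```

Run against the post's own output it reports only wif_win, which matches the symptom: the HVM tap is up, the firewall rules are present, but no frame has ever crossed the device.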


_______________________________________________
Xen-users mailing list
[hidden email]
http://lists.xensource.com/xen-users