WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-devel

RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC inWindows XP

To: <enming.teo@xxxxxxxxxxxxxxx>, <cazyokoyama@xxxxxxxxx>
Subject: RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC inWindows XP Home 32-bit HVM Guest
From: "Teo En Ming (Zhang Enming)" <enming.teo@xxxxxxxxxxxxxxx>
Date: Mon, 24 Aug 2009 23:12:19 +0800
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Delivery-date: Mon, 24 Aug 2009 08:12:49 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <F83967D8270F440C970C27D599AEB11D@ASOITIS16>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
Reply-to: enming.teo@xxxxxxxxxxxxxxx
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
Thread-index: AcokT1WQH0Z5MVvjRZyfqo6fbF/RXgABb8dQAAGp+YAAAWnDoAAEHcnw
Hi,

I think I know the reason why my Windows HVM and Linux PV Dom U guests could
previously access the outside world under OpenSUSE 11.1 32-bit host with Xen
pv-ops dom 0 kernel 2.6.30-rc6 from Jeremy's git branch (see my blog). 

When I execute the "iptables --table nat -L" command on the OpenSUSE 11.1
Xen pv-ops Dom 0 host in the office:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination         

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination         

That means everything is allowed in the nat table, with a default policy of
ACCEPT for all chains in that table. It also means the xend daemon did not add
entries to the nat table when Dom U guests were started on the OpenSUSE 11.1
host. The iptables entries that should have been added to the nat table by xend
but were not are:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

In contrast, my Fedora 11 64-bit Xen pv-ops dom 0 host at my home has the above
entries added to the nat table by the xend daemon. Perhaps I should flush
the nat table only, to test out my Windows XP Home HVM dom U connectivity to
the outside world. I will not flush the filter table.

Do you have any suggestions on the entries in the nat table?

Regards,
 
Mr. Teo En Ming (Zhang Enming) Dip(Mechatronics Engineering)
BEng(Hons)(Mechanical Engineering) 
Technical Support Engineer 
Information Technology Department
Asiasoft Online Pte Ltd
Tampines Central 1 #04-01 Tampines Plaza 
Singapore 529541
Republic of Singapore
Mobile: +65-9648-9798
MSN: teoenming@xxxxxxxxxxx
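
An added check, written for this archive page and not code from the thread or from the Xen wiki, that runs over constructed iptables-save output. Rules added with `iptables -A FORWARD` and no `-t` option live in the filter table, not the nat table, so the check parses the filter table's FORWARD chain and reports whether bridged guest traffic for a given external interface can pass; the two sample dumps, the interface name eth0 and the function names are assumptions made for illustration, and the check works for any interface name passed as the second argument.

```shell
#!/bin/sh
# Added example, not from the thread or the Xen wiki. The wiki's physdev rules
# are "-A FORWARD" rules with no "-t" option, so iptables stores them in the
# filter table, not nat; this check parses the filter table of an
# iptables-save dump and reports whether bridged guest traffic can pass.

# Constructed sample: FORWARD policy DROP but both physdev rules for eth0,
# written in the "! --physdev-out eth0" form that iptables-save prints.
SAMPLE_OK='*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
-A FORWARD -m physdev --physdev-in eth0 ! --physdev-out eth0 -j ACCEPT
-A FORWARD -m physdev ! --physdev-in eth0 --physdev-out eth0 -j ACCEPT
COMMIT'

# Constructed sample: nat table wide open (as in the thread) yet FORWARD is
# DROP with no physdev rules, so DHCP replies never reach the guest.
SAMPLE_BAD='*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
COMMIT'

# Print only the *filter ... COMMIT section of an iptables-save dump ($1).
filter_section() {
    printf '%s\n' "$1" | awk '/^\*filter/ {on=1; next} /^COMMIT/ {on=0} on'
}

# Return 0 when the FORWARD chain has policy ACCEPT or carries both physdev
# ACCEPT rules for interface $2; return 1 otherwise. Prints the verdict.
check_bridge_forward() {
    sec=$(filter_section "$1") ifc=$2
    policy=$(printf '%s\n' "$sec" | awk '/^:FORWARD / {print $2}')
    in_ok=$(printf '%s\n' "$sec" | grep -c -- "^-A FORWARD .*--physdev-in $ifc .*! --physdev-out $ifc .*-j ACCEPT" || true)
    out_ok=$(printf '%s\n' "$sec" | grep -c -- "^-A FORWARD .*! --physdev-in $ifc .*--physdev-out $ifc .*-j ACCEPT" || true)
    if [ "$policy" = ACCEPT ] || { [ "$in_ok" -ge 1 ] && [ "$out_ok" -ge 1 ]; }; then
        echo "FORWARD policy=$policy physdev in=$in_ok out=$out_ok: bridged traffic permitted"
        return 0
    fi
    echo "FORWARD policy=$policy physdev in=$in_ok out=$out_ok: bridged traffic blocked"
    return 1
}

check_bridge_forward "$SAMPLE_OK" eth0
check_bridge_forward "$SAMPLE_BAD" eth0 || :   # exit status 1 is the expected verdict here
```

On a real dom0 the dump comes from `iptables-save`; older iptables versions print the negation as `--physdev-out ! eth0`, in which case the two grep patterns need that form instead.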

-----Original Message-----
From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Teo En Ming
(Zhang Enming)
Sent: Monday, August 24, 2009 10:24 AM
To: enming.teo@xxxxxxxxxxxxxxx; cazyokoyama@xxxxxxxxx
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-devel] Bridged Networking in Dom 0 and VirtualNIC in
WindowsXP Home 32-bit HVM Guest

Dear Caz, Boris, and Pasi,

I am reading XenNetworking at the Xen Wiki:
http://wiki.xensource.com/xenwiki/XenNetworking

<QUOTE>
The default Xen configuration uses bridging within domain 0 to allow all
domains to appear on the network as individual hosts. If extensive use of
iptables is made in domain 0 (e.g. a firewall) then this can affect bridging
because bridged packets pass through the PREROUTING, FORWARD and POSTROUTING
iptables chains. This means that packets being bridged between guest domains
and the external network will need to be permitted to pass those chains. The
most likely problem is the FORWARD chain being configured to DROP or REJECT
packets (this is different from IP forwarding in the kernel).

iptable FORWARDing can be disabled for all packets; to prevent the dom0 from
acting as an IP router: echo 0 > /proc/sys/net/ipv4/ip_forward.

A slightly more secure method is to allow packet forwarding (at the
iptables level) between the external physical interface and the vifs for the
guests. For a machine with a single ethernet card this would be:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

(needs the ipt_physdev [aka xt_physdev] module to be available).
</QUOTE>

So I may need to tweak the nat table in my iptables configuration. I don't
think the problem is with the filter table.

Could you post your iptables configuration with the "iptables --table filter
-L" and "iptables --table nat -L" commands?

Thank you very much.

Regards,
 
Mr. Teo En Ming (Zhang Enming) Dip(Mechatronics Engineering)
BEng(Hons)(Mechanical Engineering)
Technical Support Engineer
Information Technology Department
Asiasoft Online Pte Ltd
Tampines Central 1 #04-01 Tampines Plaza
Singapore 529541
Republic of Singapore
Mobile: +65-9648-9798
MSN: teoenming@xxxxxxxxxxx

-----Original Message-----
From: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
[mailto:xen-devel-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Teo En Ming
(Zhang Enming)
Sent: Monday, August 24, 2009 9:40 AM
To: cazyokoyama@xxxxxxxxx
Cc: xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-devel] Bridged Networking in Dom 0 and VirtualNIC in
Windows XP Home 32-bit HVM Guest

Thank you.

But I still need to modify the firewall to allow my Win XP Home Dom U to
talk to the outside world.

Regards,
 
Mr. Teo En Ming (Zhang Enming) Dip(Mechatronics Engineering)
BEng(Hons)(Mechanical Engineering)
Technical Support Engineer
Information Technology Department
Asiasoft Online Pte Ltd
Tampines Central 1 #04-01 Tampines Plaza
Singapore 529541
Republic of Singapore
Mobile: +65-9648-9798
MSN: teoenming@xxxxxxxxxxx

-----Original Message-----
From: Caz Yokoyama [mailto:cazyokoyama@xxxxxxxxx]
Sent: Monday, August 24, 2009 8:52 AM
To: enming.teo@xxxxxxxxxxxxxxx
Subject: RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in
Windows XP Home 32-bit HVM Guest

Congratulations.
-caz

-----Original Message-----
From: Mr. Teo En Ming (Zhang Enming) [mailto:enming.teo@xxxxxxxxxxxxxxx]
Sent: Sunday, August 23, 2009 5:11 PM
To: enming.teo@xxxxxxxxxxxxxxx
Cc: cazyokoyama@xxxxxxxxx; xen-devel@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in
Windows XP Home 32-bit HVM Guest

Hi Caz,

I did a tcpdump on my ethernet bridge eth0.

When the firewall on Dom 0 is up, I see DHCP request packets but NO DHCP
reply packets.

When I flushed all the firewall rules on Dom 0, I see both DHCP request and
reply packets going to my Win XP Home Dom U.

--
Mr. Teo En Ming (Zhang Enming) Dip(Mechatronics Engineering)
BEng(Hons)(Mechanical Engineering)
Technical Support Engineer
Information Technology Department
Asiasoft Online Pte Ltd
Tampines Central 1 #04-01 Tampines Plaza
Singapore 529541
Republic of Singapore
Mobile: +65-9648-9798
MSN: teoenming@xxxxxxxxxxx
Alma Maters: Singapore Polytechnic, National University of Singapore



On 08/24/2009 08:01 AM, Mr. Teo En Ming (Zhang Enming) wrote:
> Hi Caz,
>
> I found out why my Win XP Home HVM dom U couldn't access the outside 
> world. It's because of the firewall rules on my Dom 0. When I flushed 
> all my firewall rules, Dom U could obtain IP address from my wireless 
> router and surf the internet.
>
> So I have to think of adding appropriate firewall rules so that my Dom 
> U could access the outside world when the firewall is enabled.
>







_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel


