WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
xen-users

Re: [Xen-users] advanced bridging...

OK, I now have a domU with 2 (apparent) ethernet interfaces, which is a
good start.
How do I now get all ethernet frames to be passed to eth0 on my firewall
domU?
I then will be setting the firewall up with a caching DNS, NAT, and
dhcp on its eth1 to serve all the rest of my domU's using private 192.168.

Question though, how should I configure an IP for use by dom0?

Thanks
R

Marc Patino Gómez wrote:
Hi again,

This is the config of Xen on my Debian Etch:

/etc/xen/xend-config

(network-script network-bridge-wrapper)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)
(vncpasswd '')
---------------------------------------------------------------------------

/etc/xen/scripts/network-bridge-wrapper

/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up
----------------------------------------------------------------------------

the domu (Firewall)

/etc/xen/firewall-config.sxp


name="firewall"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=256
disk=['file:/xen1/firewall.img,hda1,w']

vif=[ 'mac=00:16:3e:70:21:02,bridge=xenbr0,vifname=firewall.eth0','mac=00:16:3e:70:32:02,bridge=xenbr1,vifname=firewall.eth1' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="firewall.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'
-------------------------------------------------------------------------------

In this domU (the firewall) I have a bridge between eth1 and eth0; you can do it the CentOS way (inside the domain) ;)


Here is the config file of a domU behind the FW:

/etc/xen/domu-config.sxp
name="domu"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=92
disk=['file:/xen1/domu.img,hda1,w']

vif=[ 'bridge=xenbrFW,vifname=domu.eth0' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="domu.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'
----------------------------------------------------------------------------------------------------


In the domU (firewall) I have the following iptables config:
#!/bin/sh
# /etc/network/if-pre-up.d/iptables-start

iptables=/sbin/iptables

$iptables -F

$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT

# Logs
#$iptables -A INPUT -j LOG   --log-prefix="IPTABLES-INPUT: "
#$iptables -A OUTPUT -j LOG  --log-prefix="IPTABLES-OUTPUT: "
#$iptables -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: "

$iptables -A INPUT -i lo -j ACCEPT

# Traffic control
tc qdisc del dev eth0 parent root
tc qdisc add dev eth0 parent root handle 1:0 htb default 40
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 2mbit
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 5mbit

tc qdisc del dev eth1 parent root
tc qdisc add dev eth1 parent root handle 2:0 htb default 40
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 512kbit
tc class add dev eth1 parent 2:1 classid 2:20 htb rate 1mbit
tc class add dev eth1 parent 2:1 classid 2:30 htb rate 2mbit
tc class add dev eth1 parent 2:1 classid 2:40 htb rate 5mbit

$iptables -t mangle -A POSTROUTING -d XX.XX.XX.XX -j CLASSIFY --set-class 2:20
$iptables -t mangle -A POSTROUTING -s XX.XX.XX.XX -j CLASSIFY --set-class 1:20


Substitute XX.XX.XX.XX with your IPs ;)

There is an issue with the traffic control in one way: the rate is multiplied by 2, I don't know the reason :(. I have tested this tc config on another box without Xen and it works great.

Don't forget to do this:

echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables

See the post "iptables and state matches (established, related)" on this mailing list. You can put it in your sysctl.conf.

So... that's all (I hope :) ). If you need anything else... tell me.

Regards,

Marc
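
A default-deny variant of the firewall-domU ruleset above, added here as an example and not Marc's script: eth0 on xenbr0 faces upstream, eth1 on xenbr1 faces the private network, and the 192.168.1.0/24 range plus the DHCP and DNS services on eth1 are assumptions taken from Ronan's description.

```shell
#!/bin/sh
# Default-deny ruleset for a Xen firewall domU (constructed example, not the posted script).
# eth0 sits on xenbr0 (upstream) and eth1 on xenbr1 (private side), as in the config above.
# The posted script leaves all three policies at ACCEPT, so that domU forwards everything;
# this one forwards only private -> upstream and admits replies by connection state.

IPT=${IPT:-/sbin/iptables}
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.1.0/24}   # assumed range; the thread only says "private 192.168"

# Print or execute one iptables command, depending on DRY_RUN.
ipt() {
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$IPT $*"
    else
        "$IPT" "$@"
    fi
}

fw_apply() {
    ipt -F
    ipt -t nat -F
    ipt -P INPUT DROP
    ipt -P FORWARD DROP
    ipt -P OUTPUT ACCEPT

    # Local traffic and replies to connections the firewall itself opened.
    ipt -A INPUT -i lo -j ACCEPT
    ipt -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Services offered to the private side only: DHCP (udp/67) and caching DNS (53).
    ipt -A INPUT -i "$LAN" -p udp --dport 67 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p udp --dport 53 -j ACCEPT
    ipt -A INPUT -i "$LAN" -s "$LAN_NET" -p tcp --dport 53 -j ACCEPT

    # Forward new connections from the private network out, replies back; log and drop the rest.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A FORWARD -i "$LAN" -o "$WAN" -s "$LAN_NET" -m state --state NEW -j ACCEPT
    ipt -A FORWARD -j LOG --log-prefix "FW-FORWARD-DROP: "

    # Masquerade the private network behind the upstream address on eth0.
    ipt -t nat -A POSTROUTING -o "$WAN" -s "$LAN_NET" -j MASQUERADE
}

# "sh fw.sh dry" prints the rules; "sh fw.sh apply" installs them and enables routing (as root).
case "${1:-}" in
    dry)   DRY_RUN=1 fw_apply ;;
    apply) fw_apply && echo 1 > /proc/sys/net/ipv4/ip_forward ;;
esac
```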


Ronan wrote:
Marc
that's exactly what I require...
any of your config would be really helpful!

many thanks in advance!

Ronan
Hi Ronan,

Do you want to do something like this (see the image)?

After reading a lot of stuff I made a wrapper of network-bridge, which I call network-bridge-wrapper; here it is:

#!/bin/sh
/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up

I changed the line in xend-config.sxp that calls network-bridge to call network-bridge-wrapper ...

If you want I can post more info about this config (my domU config files, iptables, ebtables...). I'm using Debian, so... I hope the scripts in CentOS are close to Debian's.

Regards,

Marc


Ronan wrote:
My situation:
Running CentOS 5 on a machine directly connected to the internet.
I have a paravirtualised CentOS 5 core machine in domU1 with only 1 eth configured (eth0 by dhcp).

What I want:
To configure the dom0 bridge to simply route all traffic at ethernet level to dom1 (firewall/router) and have dom1 then NAT it out to my other domU's and machines on my private 192.168 network using dhcpd configured on eth1 on the machine.

My difficulties:
Setting up the dom0 bridging to do what I want, i.e. xenbr0 to eth0 on domU1 and then xenbr1 to eth1 on domU1.

I then intend to remove / lock dom0 down and only use the domu's as dhcp configured servers.

There are a couple of URLs I've looked at:
http://lists.xensource.com/archives/html/xen-users/2006-02/msg00602.html

etc., but there isn't any specific configuration information.
Can I get some pointers as to where to look, or even example configs?

thanks

Ronan

(PS: if this is the 3rd message like this of mine today I apologise, I can tell if the other two messages I sent actually did...)


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
