xen-users
Re: [Xen-users] Yet another question about multiple NICs
Philippe Combes wrote:
Did DomU send an ARP request for the remote device ?
Yes.
Did the remote device reply ?
Are the ping requests going out ?
Are the replies coming back ? To the right MAC ?
No, No, No.
$ ping 192.168.24.125 & tshark -i peth1
<snip>
If you see requests going out, but no reply, try firing up a packet
sniffer on the remote machine and see if the requests are reaching
it.
I used tshark on the target too. No packet reaches it.
Well I'm stumped now !
We can see ARP requests going out via peth1, but they don't arrive at
the other device - so they are either not being transmitted, or the
switch is blocking them.
I'd still suggest changing nothing except to connect the machine
direct* to something (eg a laptop) and try again - just to completely
eliminate any potential switch problem. Having said that, it's not a
problem I've personally come across.
* Or use a known "dumb" switch so you can have the rest of the
network connected (so you get DHCP) and then unplug it from the rest
of the network for testing.
I found no such message in my logs, but I remember I saw them on
the console, once when I had access to it.
But looking at those messages, I found something I never saw before,
because it was in /var/log/syslog, and I only looked in /var/log/xen/* so far:
----
logger: /etc/xen/scripts/vif-bridge: Successful vif-bridge online for vif1.0, bridge eth0.
logger: /etc/xen/scripts/block: Writing backend/vbd/1/51713/hotplug-status connected to xenstore.
logger: /etc/xen/scripts/vif-bridge: Writing backend/vif/1/0/hotplug-status connected to xenstore.
logger: /etc/xen/scripts/vif-bridge: iptables -A FORWARD -m physdev --physdev-in vif1.1 -j ACCEPT failed.#012If you are using iptables, this may affect networking for guest domains.
logger: /etc/xen/scripts/vif-bridge: Successful vif-bridge online for vif1.1, bridge eth1.
logger: /etc/xen/scripts/vif-bridge: Writing backend/vif/1/1/hotplug-status connected to xenstore.
Well I've no idea what's wrong here. The line that's failing reads :
Append a rule to the FORWARD table, match (-m) using the physdev
module, matching input port (--physdev-in) vif1.1, and jump (-j) to
the ACCEPT rule.
In other words - for any packets entering via bridge port vif1.1, forward them.
Now, I've just checked on one of my work servers, and it does indeed
have rules like these.
# iptables -L -vn
...
Chain FORWARD (policy ACCEPT 180M packets, 36G bytes)
 pkts bytes target  prot opt in  out  source       destination
  46M   50G ACCEPT  all  --  *   *    xx.xx.xx.xx  0.0.0.0/0    PHYSDEV match --physdev-in xxxxx
    0     0 ACCEPT  udp  --  *   *    0.0.0.0/0    0.0.0.0/0    PHYSDEV match --physdev-in xxxxx udp spt:68 dpt:67
While I see from an earlier message that your iptables is empty.
However, it shouldn't matter since the default policy on your FORWARD
chain is accept - ie anything not expressly blocked should be passed.
Is it possible that you don't have physdev matching available in your
Dom0 installation ?
I don't think this is anything to do with your problem, but could
account for the error message.
As an aside, I can now see one thing that setting the guest IP
address does - it includes the IP address in the iptables rules added
for the guest when it starts.
--
Simon Hobson
Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.
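
Added example, not part of the original message or of the Xen scripts: the shell functions below summarise, per vif, what the vif-bridge syslog messages quoted above say, and check whether the physdev match asked about above is registered in Dom0. The sample log lines, their timestamp and host name are constructed, and sample_log, vif_report and physdev_loaded are names chosen here.

```shell
#!/bin/sh
# Added example: triage of Xen vif-bridge hotplug messages in syslog.

# Constructed sample, modelled on the messages quoted in the thread
# (timestamp and host name are made up).
sample_log() {
cat <<'EOF'
Jan  1 00:00:01 dom0 logger: /etc/xen/scripts/vif-bridge: Successful vif-bridge online for vif1.0, bridge eth0.
Jan  1 00:00:01 dom0 logger: /etc/xen/scripts/vif-bridge: iptables -A FORWARD -m physdev --physdev-in vif1.1 -j ACCEPT failed.#012If you are using iptables, this may affect networking for guest domains.
Jan  1 00:00:01 dom0 logger: /etc/xen/scripts/vif-bridge: Successful vif-bridge online for vif1.1, bridge eth1.
EOF
}

# vif_report FILE
# One line per vif: "<vif> online=<yes|no> rule=<failed|no-error>".
# rule=no-error only means no iptables failure was logged for that vif.
vif_report() {
    awk '
    /vif-bridge: Successful vif-bridge online for / {
        v = $0; sub(/.*online for /, "", v); sub(/,.*/, "", v)
        online[v] = 1; seen[v] = 1
    }
    /vif-bridge: iptables .*--physdev-in .* failed/ {
        v = $0; sub(/.*--physdev-in /, "", v); sub(/ .*/, "", v)
        failed[v] = 1; seen[v] = 1
    }
    END {
        for (v in seen)
            printf "%s online=%s rule=%s\n", v,
                ((v in online) ? "yes" : "no"),
                ((v in failed) ? "failed" : "no-error")
    }' "$1" | sort
}

# physdev_loaded [FILE]
# Succeeds if the physdev match is registered with iptables. FILE defaults
# to /proc/net/ip_tables_matches, which lists one loaded match per line; a
# match built as a module appears there only once the module is loaded.
physdev_loaded() {
    grep -qx 'physdev' "${1:-/proc/net/ip_tables_matches}"
}

# Demo on the constructed sample.
tmp=$(mktemp) && sample_log > "$tmp" && vif_report "$tmp"; rm -f "$tmp"
```

On a real Dom0, run vif_report against /var/log/syslog and physdev_loaded with no argument.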