On 16.08.2011 21:30, Pasi Kärkkäinen wrote:
 
On Tue, Aug 16, 2011 at 09:05:13PM +0200, Mark Schneider wrote:
    
                    
 
So here's your problem. Your bridge in dom0 is NOT forwarding the
packets out to peth0..
So where are these packets going to ? They're not getting out of
dom0..
Do you have a firewall rule in dom0 that drops them?
                  
 
 
 
 
 
and "iptables -L -n -v" does not list any rules?
        
 
root@xen411dom0:~# iptables -L -n -v
Chain INPUT (policy ACCEPT 232 packets, 25984 bytes)
  pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 0 packets, 0 bytes)
  pkts bytes target     prot opt in     out     source               destination
     0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in peth0
     
 
So you DO have a firewall in place!
As a default ALL packets are DROPped!
And you're only allowing packets to other direction?
    
 
 What I am wondering about is that if I boot or install Debian wheezy and
squeeze or OpenSolaris, iptables on dom0 automatically gets rules like these:
# ---
root@xen411dom0:/etc/xen# xm list
Name                                        ID   Mem VCPUs      State   Time(s)
Domain-0                                     0  1536     2     r-----   1835.8
opensolarishvm.born2b3.net                   9  4096     2     -b----    156.0
squeezehvm.born2b3.net                       7  8192     4     -b----     20.1
wheezyhvm.born2b3.net                        1  8192     8     -b----     32.0
root@xen411dom0:/etc/xen#
root@xen411dom0:/etc/xen#
root@xen411dom0:/etc/xen# iptables -L -v -n
Chain INPUT (policy ACCEPT 5366 packets, 14M bytes)
  pkts bytes target     prot opt in     out     source               destination
Chain FORWARD (policy DROP 8 packets, 2624 bytes)
  pkts bytes target     prot opt in     out     source               destination
   59 59899 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vif9.0 --physdev-is-bridged
  239 24809 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif9.0 --physdev-is-bridged
   51 13943 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vif7.0 --physdev-is-bridged
   13  2944 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif7.0 --physdev-is-bridged
   59 17120 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
   14  1564 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged
    0     0 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in peth0
Chain OUTPUT (policy ACCEPT 5264 packets, 14M bytes)
  pkts bytes target     prot opt in     out     source               destination
# ---
 
So the HVM domU gets the correct MAC of the gateway,
and starts sending packets to it.
The next step would be to dump on eth0 on dom0.. do you see the same packets 
there?
At the same time also dump on peth0, do the packets go out there to the 
physical network?
        
 
# Requests and reply on peth0 are there:
18:06:00.324825 ARP, Request who-has 192.168.1.1 tell 192.168.1.180, length 28
18:06:00.325012 ARP, Reply 192.168.1.1 is-at 00:1d:7e:ad:35:a8, length 46
# Requests and reply on eth0 are *also* there:
18:06:00.324825 ARP, Request who-has 192.168.1.1 tell 192.168.1.180, length 28
18:06:00.325012 ARP, Reply 192.168.1.1 is-at 00:1d:7e:ad:35:a8, length 46
# There are ICMP requests on eth0 but it looks like they are *not
forwarded* to peth0.
18:06:00.334350 IP 192.168.1.180 > 192.168.1.1: ICMP echo request, id 55045, seq 1, length 64
18:06:01.324098 IP 192.168.1.180 > 192.168.1.1: ICMP echo request, id 55045, seq 2, length 64
      
 
So the problem is in dom0 Linux kernel configuration.
    
 As the current kernel configuration of dom0 (see below) works (with
automatic setting of iptables rules) for Debian / OpenSolaris, why doesn't
it work in the same manner for CentOS 6.0 or NetBSD 5.1? (install and boot)
http://www.it-infrastrukturen.com/fileadmin/linux/debian-live-xen/config-3.0.1
 What is different for CentOS or NetBSD images? .. PVM-HVM network 
drivers support in kernel of dom0?
 
Any idea why? I have attached both tcpdumps.
      
 
Because of the firewall rule?
-- Pasi
    
 
Thanks a lot Pasi.
Regards, Mark
--
ms@xxxxxxxxxxxxxxxxxxxxxx
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
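
An added example, not part of the original message or of Xen's own scripts: a small check that reads "iptables -L -n -v" output like the listings above and reports which bridge-port pairs fall through to the FORWARD policy DROP. The sample listing is constructed from the one in the thread, and vif12.0 is a hypothetical port for a guest that got no PHYSDEV rules.

```python
import re
from itertools import permutations

# Constructed sample, modelled on the FORWARD chain quoted in the thread
# (lines unwrapped). vif12.0 used below is a hypothetical port with no rules.
SAMPLE = """\
Chain INPUT (policy ACCEPT 5366 packets, 14M bytes)
 pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 8 packets, 2624 bytes)
 pkts bytes target prot opt in out source destination
   59 59899 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-out vif9.0 --physdev-is-bridged
  239 24809 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif9.0 --physdev-is-bridged
    0     0 ACCEPT all -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in peth0
Chain OUTPUT (policy ACCEPT 5264 packets, 14M bytes)
 pkts bytes target prot opt in out source destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\w+)")
PHYSDEV_RE = re.compile(r"--physdev-(in|out) (\S+)")


def dropped_paths(listing, ports):
    """Return (src, dst) bridge-port pairs whose IP traffic hits the FORWARD policy DROP.

    Simplification: only ACCEPT rules with a PHYSDEV match are modelled; any
    other rule in the chain is ignored.
    """
    chain, policy = None, None
    accept = {"in": set(), "out": set()}
    for line in listing.splitlines():
        header = CHAIN_RE.match(line)
        if header:
            chain = header.group(1)
            if chain == "FORWARD":
                policy = header.group(2)
            continue
        fields = line.split()
        if chain == "FORWARD" and len(fields) > 2 and fields[2] == "ACCEPT":
            for direction, dev in PHYSDEV_RE.findall(line):
                accept[direction].add(dev)
    if policy is None:
        raise ValueError("no FORWARD chain in listing")
    if policy != "DROP":
        return []
    # A bridged frame passes if its ingress or its egress port has an ACCEPT rule.
    return [(s, d) for s, d in permutations(ports, 2)
            if s not in accept["in"] and d not in accept["out"]]


if __name__ == "__main__":
    for src, dst in dropped_paths(SAMPLE, ["vif9.0", "vif12.0", "peth0"]):
        print(f"DROP: {src} -> {dst}")
```

The port names are passed in by hand here; on a real dom0 they would be the members of the bridge.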
 