WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/

[Xen-users] vif/network-bridge and SNAT ?

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] vif/network-bridge and SNAT ?
From: tbrown@xxxxxxxxxxxxx
Date: Fri, 14 Jul 2006 17:29:55 -0700 (PDT)
Delivery-date: Fri, 14 Jul 2006 17:30:39 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-users-request@lists.xensource.com?subject=help>
List-id: Xen user discussion <xen-users.lists.xensource.com>
List-post: <mailto:xen-users@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-users>, <mailto:xen-users-request@lists.xensource.com?subject=unsubscribe>
Sender: xen-users-bounces@xxxxxxxxxxxxxxxxxxx

Has anyone managed to combine bridged network model and SNAT?

I have a machine that just ssh's into other boxes and updates via rsync a
copy of their filesystems. I figured I could stage a xen VM for this
server with a private IP address and do SNAT and "routing" via the dom0
box, but I get a weird

  "Performing cross-bridge DNAT requires IP forwarding to be enabled"

message. Looking at TCPdump output, my packets were going out of the domU
correctly, being nat'd correctly by dom0 (to the dom0 ip address), being
sent across the wire to a target box, which was replying. On dom0, I could
see the replies on peth0, but not eth0 ... so of course dom0 never got
them to nat back to domU. The MAC addresses for the returning packets
appeared to be correct.

This is 3.0.2-2 with the default linux version, but custom compiled. There
are a couple other references on the net to that message in combination
with XEN, so I'm not the first to hit it... then again the 3 of us may
have made the same stupid mistake.

It's not really a problem. I have more real IP addresses I can use, but
they are in short supply.

The bitch seems to come from br_nf_pre_routing_finish() in
net/bridge/br_netfilter.c (linux source)...  and follows these
conditions...

        if (dnat_took_place(skb)) {
<snip>
                if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
<snip>
                        if (!ip_route_output_key(&rt, &fl)) {
<snip>
                                if (((struct dst_entry *)rt)->dev == dev ||
                                    rt->rt_type == RTN_LOCAL) {
                                   ** ok here **
                                else
                                   ** CHOKE with above msg **

As far as I know, there was nothing fancy in my settings. A host
specific route for the vifX.0 and the domU, normal subnet routing
on eth0 and the target was in that subnet. SNAT rule was
simple...

   iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j SNAT --to-source $MASQIP

-Tom

----------------------------------------------------------------------
tbrown@xxxxxxxxxxxxx   | Put all your eggs in one basket and
http://BareMetal.com/  |      WATCH THAT BASKET!
web hosting since '95  | - Mark Twain


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
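
An added model (not from Tom's post or the kernel) of the condition chain he quotes from br_nf_pre_routing_finish(), run over a constructed routing table shaped like his: a host route for the domU via its vif, dom0's subnet on eth0, and a default route. Conntrack reverses the SNAT on return packets, so the replies seen on peth0 are exactly the DNAT'd frames this check applies to; the bridge name xenbr0 and all addresses are assumptions.

```python
import ipaddress

# Constructed routing table (placeholders, not from the post).
ROUTES = [
    ("192.168.3.2/32", "vif1.0", "unicast"),   # host route to the domU
    ("203.0.113.0/24", "eth0", "unicast"),     # dom0's subnet, the targets live here
    ("203.0.113.10/32", "lo", "local"),        # dom0's own address ($MASQIP)
    ("0.0.0.0/0", "eth0", "unicast"),
]

# Same setup but with the domU's vif attached to the bridge instead of routed.
BRIDGED_ROUTES = [("192.168.3.2/32", "xenbr0", "unicast")] + ROUTES[1:]


def lookup(daddr, routes=ROUTES):
    """Longest-prefix match; returns (dev, rt_type) or None."""
    addr = ipaddress.ip_address(daddr)
    best = None
    for prefix, dev, rt_type in routes:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, dev, rt_type)
    return None if best is None else (best[1], best[2])


def br_nf_pre_routing_decision(daddr, in_dev, ip_forward, routes=ROUTES):
    """What the bridge netfilter code does with a frame whose daddr was DNAT'd.

    daddr: destination after NAT; in_dev: bridge device the frame arrived on.
    """
    route = lookup(daddr, routes)
    if route is None:
        return "no route"
    dev, rt_type = route
    # ip_route_input() succeeds for a local destination, or for any other
    # destination when forwarding is on; the frame then leaves the bridge.
    if rt_type == "local":
        return "local delivery"
    if ip_forward:
        return "forwarded via " + dev
    # ip_route_input() failed (forwarding off): fall back to ip_route_output_key()
    # and accept only if the target is reachable through the same bridge device
    # (the kernel's second test, rt_type == RTN_LOCAL, was already handled above).
    if dev == in_dev:
        return "bridged dnat via " + dev
    return "choke: Performing cross-bridge DNAT requires IP forwarding to be enabled"
```

With the vif routed rather than bridged, a reply un-SNAT'd back to 192.168.3.2 hits the "choke" branch unless forwarding is on; the BRIDGED_ROUTES variant shows the same reply taking the bridged-DNAT path.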
