WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
 
   
 

xen-users

Re: [Xen-users] Yet another question about multiple NICs

Philippe Combes wrote:

Did DomU send an ARP request for the remote device ?
Yes.

Did the remote device reply ?
Are the ping requests going out ?
Are the replies coming back ? To the right MAC ?
No, No, No.

$ ping 192.168.24.125 & tshark -i peth1
<snip>
If you see requests going out, but no reply, try firing up a packet sniffer on the remote machine and see if the requests are reaching it.

I used tshark on the target too. No packet reaches it.

Well I'm stumped now !

We can see ARP requests going out via peth1, but they don't arrive at the other device - so they are either not being transmitted, or the switch is blocking them.

I'd still suggest changing nothing except to connect the machine direct* to something (eg a laptop) and try again - just to completely eliminate any potential switch problem. Having said that, it's not a problem I've personally come across.

* Or use a known "dumb" switch so you can have the rest of the network connected (so you get DHCP) and then unplug it from the rest of the network for testing.

I found no such message in my logs, but I remember I saw them on the console, once when I had access to it.
But looking at those messages, I found something I never saw before, because it was in /var/log/syslog, and I only looked in /var/log/xen/* so far:
----
logger: /etc/xen/scripts/vif-bridge: Successful vif-bridge online for vif1.0, bridge eth0.
logger: /etc/xen/scripts/block: Writing backend/vbd/1/51713/hotplug-status connected to xenstore.
logger: /etc/xen/scripts/vif-bridge: Writing backend/vif/1/0/hotplug-status connected to xenstore.
logger: /etc/xen/scripts/vif-bridge: iptables -A FORWARD -m physdev --physdev-in vif1.1 -j ACCEPT failed.#012If you are using iptables, this may affect networking for guest domains.
logger: /etc/xen/scripts/vif-bridge: Successful vif-bridge online for vif1.1, bridge eth1.
logger: /etc/xen/scripts/vif-bridge: Writing backend/vif/1/1/hotplug-status connected to xenstore.

Well I've no idea what's wrong here. The line that's failing reads :
Append a rule to the FORWARD table, match (-m) using the physdev module, matching input port (--physdev-in) vif1.1, and jump (-j) to the ACCEPT rule.
In other words - for any packets entering via bridge port vif1.1, forward them.

Now, I've just checked on one of my work servers, and it does indeed have rules like these.
# iptables -L -vn
...
Chain FORWARD (policy ACCEPT 180M packets, 36G bytes)
 pkts bytes target     prot opt in     out     source               destination
  46M   50G ACCEPT     all  --  *      *       xx.xx.xx.xx          0.0.0.0/0           PHYSDEV match --physdev-in xxxxx
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in xxxxx udp spt:68 dpt:67

While I see from an earlier message that your iptables is empty.
However, it shouldn't matter since the default policy on your FORWARD chain is accept - ie anything not expressly blocked should be passed.

Is it possible that you don't have physdev matching available in your Dom0 installation ?

I don't think this is anything to do with your problem, but could account for the error message.



As an aside, I can now see one thing that setting the guest IP address does - it includes the IP address in the iptables rules added for the guest when it starts.

--
Simon Hobson

Visit http://www.magpiesnestpublishing.co.uk/ for books by acclaimed
author Gladys Hobson. Novels - poetry - short stories - ideal as
Christmas stocking fillers. Some available as e-books.

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users
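
As an added example (not part of the original message, and not taken from Xen's own scripts), a small shell check for the two questions the message raises: which vifs had their FORWARD rule fail, and whether physdev matching is available in Dom0. The function names are illustrative, the sample log is the excerpt quoted in the message rejoined onto single lines, and the module name xt_physdev is an assumption about the Dom0 kernel.

```sh
#!/bin/sh
# Added example: diagnose the "iptables ... physdev ... failed" message
# that vif-bridge writes to syslog.

# Log excerpt from the message above, one entry per line.
SAMPLE_LOG='logger: /etc/xen/scripts/vif-bridge: Successful vif-bridge online for vif1.0, bridge eth0.
logger: /etc/xen/scripts/vif-bridge: iptables -A FORWARD -m physdev --physdev-in vif1.1 -j ACCEPT failed.#012If you are using iptables, this may affect networking for guest domains.
logger: /etc/xen/scripts/vif-bridge: Successful vif-bridge online for vif1.1, bridge eth1.'

# Read syslog text on stdin and print each vif whose FORWARD rule
# could not be added (one name per line, duplicates removed).
failed_vifs() {
  grep 'vif-bridge: iptables .* failed' |
    sed -n 's/.*--physdev-in \([^ ]*\).*/\1/p' | sort -u
}

# Report whether the physdev match can be used:
#   loaded           - the kernel already lists the match
#   module-available - xt_physdev exists but is not loaded yet
#   missing          - neither was found
# $1 (optional) overrides the path of the kernel's match list.
physdev_status() {
  _matches="${1:-/proc/net/ip_tables_matches}"
  if [ -r "$_matches" ] && grep -qx 'physdev' "$_matches"; then
    echo loaded
  elif modinfo xt_physdev >/dev/null 2>&1; then
    echo module-available
  else
    echo missing
  fi
}

# Demo on the embedded excerpt; on a real Dom0 use:
#   failed_vifs < /var/log/syslog
echo "vifs with a failed FORWARD rule:"
printf '%s\n' "$SAMPLE_LOG" | failed_vifs
echo "physdev match: $(physdev_status)"
```

A result of module-available means the rule should succeed once the module is loaded; missing points at a Dom0 kernel or iptables build without physdev support, which matches the question asked in the message.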