
Re: [Xen-users] Xen with 'Routing' scripts

  • To: xen-users <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: Roland Paterson-Jones <roland@xxxxxxxxxxxx>
  • Date: Fri, 15 Apr 2005 14:59:09 +0200
  • Delivery-date: Fri, 15 Apr 2005 12:58:38 +0000
  • List-id: Xen user discussion <xen-users.lists.xensource.com>

Nils, thanks for the great response.

Some more details: we have a network of dom-0's that will host a number of dom-U's.

We need dynamic addressing, so proxy-arp sounds the simplest for us (simpler than full-on routing, that is).

Bridging is not so nice cos it exposes ethernet to the (untrusted) dom-U's.

We can't use NAT cos we want the dom-U's to be externally addressable.

Something I'm still unclear on - we don't want to reserve dom-U addresses for each dom-0 (it'll be wasteful), so we want dom-U to use DHCP. But then we've got to do DHCP relaying in dom-0, I think, and capture the dom-U IP address, unless there's a better way.

Another thing that's confusing me is that I expect there should be a left-hand (dom-0) and right-hand (dom-U) address for each of the vif's in routing mode, but I see only the one address in the scripts.

I hope this makes sense - as you might have noticed I'm approaching this from first principles. I'm sure I'll get there in the end :(


Nils Toedtmann wrote:

On Friday, 15.04.2005, 09:20 +0200, Roland Paterson-Jones wrote:

I had a brief look at the routing scripts in /etc/xen/scripts. Essentially the main script turns on ip forwarding in dom-0, and the dom-U vif script seems to configure a address for each vif (auto-configure address, I think), then enable proxy ARP on the vif.

Some questions: How do remote machines pick up routing information for the dom-U's? Do I have to run a routing protocol in dom-0 (maybe with zebra) so that remote machines can 'see' the dom-U's?

Depends on network configuration: if you use bridging or proxy-arp or NAT that's not necessary. If not, routes can be configured statically into remote machines or dynamically via routing protocols like RIP or
This is not a Xen-specific question; look around for networking howtos.

Could someone maybe explain the details of the ifconfig <vif> ...

From RFC 3330 <http://www.faqs.org/rfcs/rfc3330.html>:

  - This is the "link local" block. It is allocated for communication between hosts on a single link. Hosts obtain these addresses by auto-configuration, such as when a DHCP server may not be found.

You may use random IPs in this range as a poor backup alternative to DHCP. MS Windows and many devices like printers use such IPs if they cannot find a DHCP server.

and what the proxy ARP stuff does?

It's kinda "pseudo-bridging". For example, if your domU and your dom0 shall use IPs within the same IP prefix (say, and another physical host is acting as default gateway (let's say dom0=, domU=, gw=, there are (at least) four

* DNAT all domU-services on dom0

   iptables -t nat -A PREROUTING -j DNAT -d \
      --dport 80 --to-destination

* hostroutes for domU
   gw#   ip route add via
   dom0# ip route add dev vif1.0

* bridging

* proxy-arp: When gw tries to send an IP packet to domU it thinks domU is link-local, so it tries to resolve it to a MAC address by ARP request. But that ARP request can never reach domU (it's not bridged). Now

   ip route add dev vif1.0
   sysctl -w net.ipv4.conf.eth0.proxy_arp=1

 (or does it have to be "net.ipv4.conf.vif1.0.proxy_arp"?) tells dom0 to reply to that ARP request with dom0's MAC address on behalf of domU.

 A better way to do proxy-arp is static ARP entries:

So the xen-script IPs plus proxy-arp on vif* are probably for automagical inter-domU communication.
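The dom0-side plumbing Nils sketches above (host route via the vif, proxy ARP towards the physical segment, the open question of how the per-vif sysctl is spelled, and the "static ARP entries" alternative) as one added example. This is not code from the thread or from the Xen scripts; it is a POSIX sh helper that emits the commands for one routed domU so they can be reviewed before being run as root. The vif name vif1.0 and upstream interface eth0 are taken from the thread; the domU address 192.0.2.10 is a constructed value from the documentation range. Because Roland's dom-U's are untrusted, the helper also emits a per-vif source-address filter so a guest cannot send traffic with any address other than the one dom0 proxies for it.

```sh
#!/bin/sh
# Added example (not from the mailing-list posts or the Xen scripts):
# generate the dom0-side commands that attach one routed domU to the
# physical segment with proxy ARP, plus a per-vif anti-spoofing rule.

# Accept only a dotted quad with octets 0-255 (the address ends up
# unquoted in iptables/ip commands, so validate it before emitting).
is_ipv4() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    for o in "$a" "$b" "$c" "$d"; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    # rejects trailing garbage such as 1.2.3.4.5 (it would land in $d)
    [ "$a.$b.$c.$d" = "$1" ]
}

# Print, one per line, the commands for VIF (dom0 end of the domU link),
# DOMU_IP (the address the guest uses, same prefix as the physical LAN)
# and PHYS (dom0's interface on that LAN).
# Usage: proxyarp_cmds VIF DOMU_IP PHYS
proxyarp_cmds() {
    vif=$1; domu_ip=$2; phys=$3
    is_ipv4 "$domu_ip" || { echo "bad domU address: $domu_ip" >&2; return 1; }

    # dom0 routes between the vif and the LAN, so forwarding must be on
    echo "echo 1 > /proc/sys/net/ipv4/ip_forward"

    # host route: packets for domU leave only through its own vif
    echo "ip route add $domu_ip/32 dev $vif"

    # answer ARP for domU's address on the LAN on behalf of domU. This is
    # the "static ARP entry" form: it publishes exactly one address, instead
    # of proxy_arp=1 on $phys, which answers for anything dom0 has a route to.
    echo "ip neigh add proxy $domu_ip dev $phys"

    # the vif side: domU ARPs for its gateway through the vif, and dom0 must
    # answer. Writing the /proc file avoids the sysctl spelling problem for
    # interface names containing dots ("vif1.0" would have to be written
    # "net.ipv4.conf.vif1/0.proxy_arp" for the sysctl tool).
    echo "echo 1 > /proc/sys/net/ipv4/conf/$vif/proxy_arp"

    # anti-spoofing: an untrusted guest may only source traffic from the
    # address dom0 proxies for it; everything else from that vif is dropped
    echo "iptables -A FORWARD -i $vif ! -s $domu_ip -j DROP"
    echo "iptables -A FORWARD -i $vif -s $domu_ip -j ACCEPT"
}

# Run the generated commands (needs root). Kept separate from the generator
# so the command list can be inspected first.
proxyarp_apply() {
    proxyarp_cmds "$@" | sh -e
}

# Stand-alone use: ./proxyarp.sh vif1.0 192.0.2.10 eth0   (prints the commands)
if [ "$#" -eq 3 ]; then
    proxyarp_cmds "$@"
fi
```

Reviewing the emitted list before applying it is the point of the split: the `ip neigh add proxy` line publishes a single address, the host route keeps that address pinned to one vif, and the two FORWARD rules tie the vif to that same address, so the three have to agree for the guest to be reachable at all.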
