
[Xen-users] vif/network-bridge and SNAT ?



Has anyone managed to combine bridged network model and SNAT?

I have a machine that just ssh's into other boxes and updates via rsync a
copy of their filesystems. I figured I could stage a xen VM for this
server with a private IP address and do SNAT and "routing" via the dom0
box, but I get a weird

  "Performing cross-bridge DNAT requires IP forwarding to be enabled"

message. Looking at TCPdump output, my packets were going out of the domU
correctly, being nat'd correctly by dom0 (to the dom0 ip address), being
sent across the wire to a target box, which was replying. On dom0, I could
see the replies on peth0, but not eth0 ... so of course dom0 never got
them to nat back to domU. The MAC addresses for the returning packets
appeared to be correct.

This is 3.0.2-2 with the default linux version, but custom compiled. There
are a couple other references on the net to that message in combination
with XEN, so I'm not the first to hit it... then again the 3 of us may
have made the same stupid mistake.

It's not really a problem. I have more real IP addresses I can use, but
they are in short supply.

The bitch seems to come from br_nf_pre_routing_finish() in
net/bridge/br_netfilter.c (linux source)...  and follows these
conditions...

        if (dnat_took_place(skb)) {
<snip>
                if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
<snip>
                        if (!ip_route_output_key(&rt, &fl)) {
<snip>
                                if (((struct dst_entry *)rt)->dev == dev ||
                                    rt->rt_type == RTN_LOCAL) {
                                   ** ok here **
                                else
                                   ** CHOKE with above msg **

As far as I know, there was nothing fancy in my settings. A host
specific route for the vifX.0 and the domU, normal subnet routing
on eth0 and the target was in that subnet. SNAT rule was
simple...

   iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j SNAT --to-source $MASQIP

-Tom

----------------------------------------------------------------------
tbrown@xxxxxxxxxxxxx   | Put all your eggs in one basket and
http://BareMetal.com/  |      WATCH THAT BASKET!
web hosting since '95  | - Mark Twain
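Added as a practical check for the bridge/SNAT combination described in the post above (this is not Tom's code or Xen's own tooling): a POSIX shell audit of the dom0 prerequisites that the br_netfilter check depends on. The /proc/sys paths and the iptables invocation are real; the rule detection assumes a plain -j SNAT or -j MASQUERADE entry in nat POSTROUTING, and the verdict wording is my own.

```shell
#!/bin/sh
# Added example, not from the original post: audit the dom0 prerequisites
# before blaming the bridge/SNAT combination itself.
# Only the sysctl paths and the iptables call are real; the verdict text is mine.

# Pure decision helper, testable without root.
# $1 = net.ipv4.ip_forward, $2 = net.bridge.bridge-nf-call-iptables,
# $3 = 1 if a POSTROUTING SNAT/MASQUERADE rule exists, else 0.
# Prints one line per failed prerequisite; returns 0 only if all hold.
snat_bridge_verdict() {
    v_forward=$1; v_brnf=$2; v_rule=$3; v_status=0
    if [ "$v_forward" != "1" ]; then
        echo "FAIL: ip_forward=$v_forward; br_netfilter refuses cross-bridge NAT (\"requires IP forwarding\")"
        v_status=1
    fi
    if [ "$v_brnf" != "1" ]; then
        echo "FAIL: bridge-nf-call-iptables=$v_brnf; bridged frames bypass the nat table entirely"
        v_status=1
    fi
    if [ "$v_rule" != "1" ]; then
        echo "FAIL: no SNAT/MASQUERADE rule in nat POSTROUTING; domU source addresses leave unchanged"
        v_status=1
    fi
    [ "$v_status" -eq 0 ] && echo "OK: forwarding, bridge netfilter hook and SNAT rule all present"
    return "$v_status"
}

# Read a sysctl via /proc, defaulting to 0 when the file is absent
# (e.g. bridge-nf-call-iptables before the bridge module is loaded).
read_sysctl() {
    if [ -r "$1" ]; then cat "$1"; else echo 0; fi
}

# Collect live values on dom0 and hand them to the decision helper.
audit_dom0() {
    a_forward=$(read_sysctl /proc/sys/net/ipv4/ip_forward)
    a_brnf=$(read_sysctl /proc/sys/net/bridge/bridge-nf-call-iptables)
    if iptables -t nat -S POSTROUTING 2>/dev/null | grep -Eq -- '-j (SNAT|MASQUERADE)'; then
        a_rule=1
    else
        a_rule=0
    fi
    snat_bridge_verdict "$a_forward" "$a_brnf" "$a_rule"
}

# Run the live audit only when invoked with "audit", so the file can be sourced.
if [ "${1:-}" = "audit" ]; then audit_dom0; fi
```

Run it as root on dom0 with `sh audit.sh audit`; a non-zero exit means at least one prerequisite is missing, and each FAIL line names which.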


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users