[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Xen-users] Network Interface Problems for DomU Firewall


  • To: <xen-users@xxxxxxxxxxxxxxxxxxx>
  • From: "Thomas Jensen" <tom.jensen@xxxxxxxxxxxxxxxxxxxxxx>
  • Date: Wed, 29 Jul 2009 22:26:43 -0500
  • Delivery-date: Wed, 29 Jul 2009 20:27:51 -0700
  • Domainkey-signature: a=rsa-sha1; c=nofws; d=digitaltoolbox-inc.com; h=from:to :references:subject:date:message-id:mime-version:content-type: in-reply-to; q=dns; s=mail; b=5t8Czx7hmxWk3uPotNI3qkAsZBAdNpmZD4 VeDyA9RHh69w0DsXhXwjd/P4jukRMNZC9Zit5M7S/eQQJ38TYkGpGgx3T8rrSu/y uLYJr6TfyKlz8SHWFeRgNaO6QB5DoHBGpY3RUaHTWhDIwy67xqz+9ZUnmKAM1Pdg 9p3Bc5SzQ=
  • List-id: Xen user discussion <xen-users.lists.xensource.com>
  • Thread-index: AcoPVF52D5JYrkXqTZ2MY3i3UHYjcAAe2SogAD1SKyA=


From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Thomas Jensen
Sent: Tuesday, July 28, 2009 5:24 PM
To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: RE: [Xen-users] Network Interface Problems for DomU Firewall

Thanks for the response.  I apologize for the top post.  What is appropriate etiquette when responding to a top posted reply?
 
I changed the DomU configuration file to use the vif=[''] line.  The DomU started fine.  I checked the results of ifconfig after the initial boot and the interfaces were still opposite of what they should be (i.e. eth1 should be eth0, eth0 should be eth1).
 
When I tried the command 'ip link set eth1 name eth0', I get the result 'RTNETLINK answers: File exists'.
 
Before trying this suggestion, I tried a few other things after my original post.  I tried adding the file /etc/udev/rules.d/70-persistent-net.rules and modified it to include entries for the two MAC addresses; one real as a result of PCI pass through and one virtual.  The DomU hung when trying to boot.
 
I did additional research on the parameters that can be passed with the vif line in the DomU configuration file.  I found that I can define vifname which appears to address my intention of defining the interface name.  So I tried adding the syntax so that my DomU config file had the following line with the exception of the sanitized MAC address:
 
vif = [ 'mac=00:16:XX:XX:XX:XX,vifname=eth1,bridge=eth1' ]
 
When trying to boot the DomU with the configuration, I received the following error:
 
Error: Device 0 (vif) could not be connected. Hotplug scripts not working.
 
Can someone share what syntax combination or steps I need to follow in order to obtain a DomU with three interfaces; one of which is "real" as a result of PCI pass through and two which are virtual interfaces?


From: xen-users-bounces@xxxxxxxxxxxxxxxxxxx [mailto:xen-users-bounces@xxxxxxxxxxxxxxxxxxx] On Behalf Of Peter Müller
Sent: Tuesday, July 28, 2009 1:28 AM
To: Thomas Jensen
Cc: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: Re: [Xen-users] Network Interface Problems for DomU Firewall

Hi Thomas,

i had similar problems with a hidden NIC in my Asterisk DomU. When i inserted MAC, IP or a Bridge in the vif line, i sometimes got 2 interfaces in the DomU and from time to time the DomU crashed without any usable error in my logfiles.
I solved (it's not really a solution, more a workaround) the problem, with an empty vif line (vif = [ '']), and renamed the interface which had the name eth1 too with

 ip link set eth1 name eth0

This worked in my case, you should try this, maybe works for you too.

Greetings Peter

Thomas Jensen schrieb:
I am attempting to setup a firewall in a DomU.  The firewall program I eventually want to run is Shorewall.
 
Both my Dom0 and DomU are Debian Lenny 64 bit systems.  The Dom0 has four physical network interfaces installed.  Currently, one of the NICs is hidden using the pciback.hide command in the /boot/grub/menu.lst file.  Similarly, the hidden NIC is passed to the DomU using the pci = ['device:address.0'] line in the DomU configuration file.
 
When I modify the DomU configuration file only to include the pci directive without an additional vif line, the networking works as expected in the DomU.  All of the networking settings are done in the /etc/network/interfaces file within the DomU.
 
I want to run a three interface firewall using Shorewall.  The physical NIC (eth0) will be used on the external side.  I want to add two virtual interfaces to the DomU for use as a DMZ interface (eth2) and private LAN interface (eth1).
 
Therefore, I returned to the DomU configuration file and added a vif line containing only the MAC address and Dom0 bridge.  No IP address is listed within the vif line in the DomU configuration file.
 
When starting the DomU, networking no longer works as expected.  Examining the results of ifconfig, I see that the DomU has assigned the NICs differently than I would expect.  Examining the MAC addresses, the passthrough NIC is now assigned as eth1 rather than eth0.
 
In a typical installation, I would edit /etc/udev/rules.d/70-persistent-net.rules to manually assign the netdev names based on MAC address.  However, this file doesn't exit in my newly created Debian Lenny DomU.
 
Can I simply create the file?  Does this file not exist due to some underlying Xen issue?  How should I rectify this problem?
 
Additional sanitized Info:
server# xm info
host                   : server.example.com
release                : 2.6.26-1-xen-amd64
version                : #1 SMP Fri Mar 13 21:39:38 UTC 2009
machine                : x86_64
nr_cpus                : 4
nr_nodes               : 1
cores_per_socket       : 1
threads_per_core       : 2
cpu_mhz                : 2992
hw_caps                : bfebfbff:20100800:00000000:00000180:0000641d
total_memory           : 4030
free_memory            : 0
node_to_cpu            : node0:0-3
xen_major              : 3
xen_minor              : 2
xen_extra              : -1
xen_caps               : xen-3.0-x86_64 xen-3.0-x86_32p
xen_scheduler          : credit
xen_pagesize           : 4096
platform_params        : virt_start=0xffff800000000000
xen_changeset          : unavailable
cc_compiler            : gcc version 4.3.1 (Debian 4.3.1-2)
cc_compile_by          : waldi
cc_compile_domain      : debian.org
cc_compile_date        : Sat Jun 28 09:32:18 UTC 2008
xend_config_format     : 4

  _______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users 
 
Here is some output from /var/log/xen/xen-hotplug.log in the hopes someone might respond with an answer.
 
device eth1 is a bridge device itself; can't enslave a bridge device to a bridge device.
 
This error message is displayed when I use the vif syntax:
 
vif = [ 'mac=00:16:XX:XX:XX:XX,vifname=eth1,bridge=eth1' ]
 
My intention is to use the Dom0 bridge eth1 and assign it, presumably using the vifname parameter, as the DomU eth1.
 
 
_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users

 


Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.