Re: [Xen-users] xl nat and wrong IPs
I guess I finally understood the basic idea of the nat script:

You set an IP for the vif interface. This will not be the IP of the interface, but the IP the domU will be using internally. This way if the dom0 receives a package for the configured IP, it will be routed through the dom0-interface to the domU. (In detail: This way the package goes into the iptables forward chain and not the input chain, changing the host's general treatment of the package). So not setting the interface to the configured IP but only creating an ip route makes perfect sense.

But then the vif-nat script assigns an IP+127 to the interface. This creates 2 problems in my opinion:

1) When using the dom0 for routing network traffic from one domU to another, so basically using the dom0 as a network cable, the src attribute used in the routing creation will alter the source IP address from one domU to the IP+127 address which is, at least in my network setup, pretty annoying. So if you got domUs A (IP 10.0.0.1) and B (IP 10.0.0.2) and send traffic from A to B, B will see the traffic coming from 10.0.0.128 instead of .1 .

2) I haven't tested it, but I don't really know what would happen if you set IPs >128 in the domU configuration and this way create out-of-bounds routing IPs.

Well, I think that most people don't use the nat feature of xen and this isn't tested much.. But somebody might want to look at it at a given point of time...

For me, changing the IP setting lines to

    do_or_die ip addr add "0.0.0.0" dev "${dev}"
    do_or_die ip route add "$vif_ip" dev "${dev}"

This doesn't set an IP to the interface in the domU and no src. attribute to the route, fixing the above issues.. Might be worth thinking about including in xen main line, I don't really know.. Posted this only if somebody might need this later..

2013/2/4 Ian Campbell <Ian.Campbell@xxxxxxxxxx>:
> On Sun, 2013-02-03 at 21:29 +0000, Matthias wrote:
>> Hi,
>>
>> I finally got the chance to do the testing..
>>
>> You were right, the issue was due to routing_ip or better why the
>> calculated ($ip + 127) is used later here:
>>
>> do_or_die ip addr add "$router_ip" dev "${dev}"
>> do_or_die ip route add "$vif_ip" dev "${dev}" src "$router_ip"
>>
>> I don't really see any point in creating a dedicated router-IP and
>
> Glad you've got it sorted, I don't understand this stuff either though
> I'm afraid. (Perhaps they form two ends of a point-to-point /31 network?
> Total guess)
>
>> using it this way and I don't see why this worked for me when using xm
>> earlier, but I might have done some hacking before to fix this in my xm
>> installation, I can't really remember..
>
> FWIW this script doesn't appear to have changed in hg for many years.
>
> Ian.
>
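A pre-flight check for the two address problems raised in this thread, as an added example that is not part of the original messages or of Xen's vif-nat script. It assumes the router IP is the vif IP with 127 added to the last octet, as the message describes (10.0.0.1 becomes 10.0.0.128); the function names and sample addresses are constructed, and the collision check goes one step beyond the message by flagging a derived address that equals another domU's configured IP.

```bash
#!/usr/bin/env bash
# Added example: sanity-check domU IPs before they are used with a
# "+127" router address. Assumption: router IP = vif IP with 127 added
# to the last octet, as described in the thread.

# Print the derived router IP; return 1 if the last octet would leave 0..255.
router_ip_for() {
    local ip=$1
    local prefix=${ip%.*}      # first three octets
    local last=${ip##*.}       # last octet
    case $last in
        ''|*[!0-9]*) return 2 ;;   # not a plain decimal octet
    esac
    local r=$(( last + 127 ))
    if [ "$r" -gt 255 ]; then
        return 1
    fi
    printf '%s.%s\n' "$prefix" "$r"
}

# Check a list of configured domU IPs.
# Prints "OVERFLOW <ip>" when the derived address is not a valid IPv4
# address, and "COLLISION <ip> <router_ip>" when the derived address is
# also configured as another domU's IP.
check_vif_ips() {
    local ip rip other
    for ip in "$@"; do
        if ! rip=$(router_ip_for "$ip"); then
            echo "OVERFLOW $ip"
            continue
        fi
        for other in "$@"; do
            if [ "$other" = "$rip" ]; then
                echo "COLLISION $ip $rip"
            fi
        done
    done
    return 0
}

# Constructed sample input: four domU addresses on one dom0.
check_vif_ips 10.0.0.1 10.0.0.2 10.0.0.128 10.0.0.200
```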