
Re: [Xen-users] xl nat and wrong IPs



On Mon, 2013-02-04 at 21:28 +0000, Matthias wrote:
> I guess i finally understood the basic idea of the nat script:
> 
> You set an IP for the vif interface. This will not be the IP of the
> interface, but the IP the domU will be using internally. This way if
> the dom0 receives a package for the configured IP, it will be routed
> through the dom0-interface to the domU. (In detail: This way the
> package goes into the iptables forward chain and not the input chain,
> changing the hosts general treatment of the package).
> 
> So not setting the interface to the configured IP but only creating an
> ip route makes perfect sense.

Is an IP on the vifX.Y device not required in order to route to it? And
does that IP not need to differ from the one on the guest's eth0 device?
(otherwise the packet will get delivered to dom0)

In the routing variant we use the IP address of dom0's own interface on
all of the vifX.Y devices, I wonder why this doesn't suffice for NAT.

> But then the vif-nat script assigns an IP+127 to the interface. This
> creates 2 problems in my opinion:
> 
> 1) When using the dom0 for routing network traffic from one domU to an
> other, so basically using the dom0 as a network cable, the src
> attribute used in the routing creation will alter the source ip
> address from one domU to the ip+127 address which is, at least in my
> network setup, pretty annoying.
> 
> So if you got domUs A (IP 10.0.0.1) and B (IP 10.0.0.2) and send
> traffic from A to B, B will see the traffic coming from 10.0.0.128
> instead of .1 .

Isn't this an expected property of NAT?

When communicating with off-box hosts/VMs the IP address would be dom0's
IP address.

Sounds like you might actually want a nat'ed brouter type configuration?
(i.e. the guests are bridged but off-box traffic is nat'ed)

> 2) I haven't tested it, but I don't really know what would happen if
> you set IPs >128 in the domU configuration and this way create
> out-of-bounds routing IPs.

I suspect this is probably a case of "don't do that".

> Well, I think that most people don't use the nat feature of xen and
> this isn't tested much.. But somebody might want to look at it at a
> given point of time...

It's certainly not the most widely used configuration.

> For me, changing the IP setting lines to
> 
> do_or_die ip addr add "0.0.0.0" dev "${dev}"
> do_or_die ip route add "$vif_ip" dev "${dev}"
> 
> This doesn't set an IP to the interface in the domU and no src.
> attribute to the route, fixing the above issues.. Might be worth
> thinking about including in Xen mainline, I don't really know..

Me neither.

> Posted this only if somebody might need this later..

Thanks.

Ian.
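As an added example (not the vif-nat script itself and not code from either poster): a shell dry-run that mirrors the "IP+127 on the last octet" rule the thread describes, refuses the out-of-bounds case Matthias raises (a host octet above 128 pushes the routing address past 255), and prints the original src-bearing route next to the "0.0.0.0 / no src" variant from the thread. The function names and the assumption that $vif_ip is the domU's dotted-quad IPv4 address are mine; nothing is applied to the system, the commands are only printed.

```shell
#!/bin/sh
# Added example: dry-run of the vif-nat address rule discussed in the thread.
# Only prints "ip" commands; it never configures an interface.

# Mirrors the "IP+127" rule: add 127 to the last octet of the domU IP.
# Assumption: the input is a dotted-quad IPv4 string such as 10.0.0.1.
routing_ip() {
    addr="$1"
    oldIFS=$IFS; IFS=.
    set -- $addr
    IFS=$oldIFS
    printf '%s.%s.%s.%s\n' "$1" "$2" "$3" "$(( $4 + 127 ))"
}

# Returns 0 when the last octet still fits in 0..255 after +127,
# 1 otherwise (the "IPs >128" case Matthias suspected would misbehave).
routing_ip_in_bounds() {
    last=${1##*.}
    [ "$last" -ge 0 ] && [ $(( last + 127 )) -le 255 ]
}

# Prints both variants for a vif device and a domU IP.
# Original: router IP on the vif plus a route carrying src=<router IP>,
#           so other domUs see traffic from the +127 address (10.0.0.128).
# Variant : 0.0.0.0 on the vif and a plain route with no src attribute.
vif_nat_commands() {
    dev="$1"; vif_ip="$2"
    if ! routing_ip_in_bounds "$vif_ip"; then
        echo "refusing: $vif_ip + 127 leaves the last octet out of bounds" >&2
        return 1
    fi
    router_ip=$(routing_ip "$vif_ip")
    echo "# original vif-nat style (src rewrites the source seen by other domUs)"
    echo "ip addr add $router_ip dev $dev"
    echo "ip route add $vif_ip dev $dev src $router_ip"
    echo "# variant from the thread (no address on the vif, no src)"
    echo "ip addr add 0.0.0.0 dev $dev"
    echo "ip route add $vif_ip dev $dev"
}

vif_nat_commands vif1.0 10.0.0.1
```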



_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxx
http://lists.xen.org/xen-users