
Re: [Xen-users] Question regarding xen networking (bonding, xen-bridging)


  • To: xen-users@xxxxxxxxxxxxx
  • From: Alexandre Kouznetsov <alk@xxxxxxxxxx>
  • Date: Mon, 18 Feb 2013 10:05:13 -0600
  • Delivery-date: Mon, 18 Feb 2013 16:06:16 +0000
  • List-id: Xen user discussion <xen-users.lists.xen.org>

Hello.

On 18/02/13 05:47, Jonas Meurer wrote:
> On the dom0 LAN connection works as expected. Gateway responds,
> connection to the internet works. Dom0 and domU see each other.
Make sure the DomU's interface is really attached to the intended bridge:
xm list
brctl show

> But from domU, everything beyond the dom0 is unreachable, e.g. the
> gateway doesn't respond. MAC address from the domU is propagated to
> switches and gateway, I can see it in the arp table. In other words, the
> packets from domU find their way out, but the responding packets don't
> find their way back.
Double check your routing and ipfilter (or whatever) configuration on your DomU and the gateway. This is the most common cause of issues with this description.


> A quick look at the iptables rules on dom0 give me
> the impression, that dom0 doesn't know how to handle packets for domU:
>
> # iptables -L FORWARD
> Chain FORWARD (policy ACCEPT)
> target   prot opt source     destination
> ACCEPT   all  --  anywhere   anywhere   PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
> ACCEPT   udp  --  anywhere   anywhere   PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged udp spt:bootpc dpt:bootps
> ACCEPT   all  --  anywhere   anywhere   PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
> ACCEPT   all  --  <DOMU-IP>  anywhere   PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged
>
> The last rule seems to accept packets [...]
Your policy is ACCEPT. So, unless there is a specific DROP or REJECT rule, you may count on netfilter not preventing the packets from arriving.

> with domU-IP as source, but I
> cannot find a rule which handles incoming packets for domU.
That is, mostly, an anti-spoofing rule. Most of Xen's iptables setup is intended to protect the network from the DomUs, so it does not filter incoming traffic by default.

> In other
> words, the dom0 doesn't know what to do with packets for the domU. Is my
> assumption correct?
It does not need to know too much. If a packet made it to the bridge, it should be picked up by the interface (member of the bridge) with the corresponding destination MAC. That is, unless there is some filtering preventing it, which seems not to be the case.

Check with tcpdump on Dom0 (bridge) and DomU (interface). You are supposed to see the same traffic involving your DomU's MAC address, including the incoming responses to outgoing connections. Any difference should bring some light to the matter.

> Is it related to interface bonding?
It should not. An incorrect bonding setup could prevent packets from leaving the physical interface, or arriving on it. If a packet is visible on the bridge, then it has already made it through the bond, so we may assume it works fine, unless it loses some packets.


--
Alexandre Kouznetsov
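
As an added illustration (not from the thread or from Xen's own scripts), the reasoning in the reply about the FORWARD chain applied to the quoted rules: a small parser for `iptables -L FORWARD` output that reports the first-match verdict for generic traffic bridged to and from a given vif, falling back to the chain policy, and lists the sources the per-vif anti-spoofing rules accept. The sample text, the `vif1.0` name and the placeholder address 192.0.2.10 are assumptions.

```python
import re
# Constructed sample: the dom0 FORWARD chain from the thread, one rule per line
# as iptables prints it; the redacted domU address is a documentation placeholder.
SAMPLE_FORWARD = """\
Chain FORWARD (policy ACCEPT)
target   prot opt source     destination
ACCEPT   all  --  anywhere   anywhere   PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
ACCEPT   udp  --  anywhere   anywhere   PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged udp spt:bootpc dpt:bootps
ACCEPT   all  --  anywhere   anywhere   PHYSDEV match --physdev-out vif1.0 --physdev-is-bridged
ACCEPT   all  --  192.0.2.10  anywhere   PHYSDEV match --physdev-in vif1.0 --physdev-is-bridged
"""

def _physdev(line, kind):
    """Device named by --physdev-<kind> on a rule line, or None if absent."""
    m = re.search(rf"--physdev-{kind} (\S+)", line)
    return m.group(1) if m else None

def parse_forward(text):
    """Return (chain policy, rules) from `iptables -L FORWARD` output."""
    policy, rules = None, []
    for line in text.splitlines():
        m = re.match(r"Chain FORWARD \(policy (\w+)\)", line)
        if m:
            policy = m.group(1)
            continue
        parts = line.split()
        if len(parts) < 5 or parts[0] == "target":
            continue  # column header or blank line
        rules.append({"target": parts[0], "proto": parts[1], "source": parts[3],
                      "in": _physdev(line, "in"), "out": _physdev(line, "out")})
    return policy, rules

def bridge_verdict(text, vif):
    """First-match verdict for generic traffic bridged toward the domU (leaving
    via `vif`) and from it (entering via `vif`), falling back to the chain
    policy. Rules that name some other physdev are assumed not to match."""
    policy, rules = parse_forward(text)
    def first_match(side):
        other = "in" if side == "out" else "out"
        for r in rules:
            generic = r["proto"] == "all" and r["source"] == "anywhere"
            if generic and r[side] in (None, vif) and r[other] is None:
                return r["target"]
        return policy  # no terminating rule matched: the policy decides
    return {"to_domu": first_match("out"),
            "from_domu": first_match("in"),
            # sources the per-vif anti-spoofing rules explicitly accept
            "accepted_sources": [r["source"] for r in rules
                                 if r["in"] == vif and r["source"] != "anywhere"]}
```

Swapping the policy to DROP in the sample shows what the vif rules are designed for: traffic to the domU stays accepted by its explicit rule, while traffic from the vif is only accepted for the listed source.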
