Peter Fokkinga
2006-Apr-01 13:18 UTC
[Xen-users] routing in xen 3.0: icmp gets routed, but tcp/ip only partially
Hello folks,

I have this really strange routing problem that no amount of googling and experimenting has been able to solve. Then again, I'm new to Xen and "advanced" networking, so I could be missing something very basic.

Summary: an unprivileged domU with PCI frontend for a NIC is used as a router; icmp gets routed, but tcp/ip only partially. I'm using a xen-unstable snapshot, dated March 31, running on Ubuntu Dapper Drake.

Warning: this is a long post ;-)

Here's the network topology:

       +---------------+
       |      ext      |
       | (192.168.2.1) |
       +---------------+
               |
               | (eth2)
       +-------------+               +---------------+
       |  fw (domU)  | (eth1) -+-----|  dmz (domU)   |
       +-------------+         |     | (172.17.17.2) |
               | (eth0)      xenbr1  +---------------+
               |
          +-- xenbr0
          |
       +---------------+
       |  xeno (dom0)  |
       |   (10.0.0.1)  |
       +---------------+

The domU host "fw" has the e100 (Intel EtherPro 100) driver loaded for eth2 (the PCI device was hidden from dom0). Hosts "xeno" and "fw" are connected to bridge "xenbr0", hosts "dmz" and "dmz" are connected through bridge "xenbr1". Routing tables are at the end of this post. Note that there's no firewall installed (yet); it's just plain routing at the moment.

All hosts have inetd running, with services "daytime" and "echo" active; these services are great diagnostics; they're simple and when "echo" works then more complicated things like ssh will too.

What works?

* ping from everywhere to everywhere (traceroute too)
* full access from everywhere to "fw"
* full access from "fw" to everywhere
* full access from "dmz" to "xeno"
* from "dmz": `telnet ext daytime`
* from "xeno": `telnet ext daytime`

If I disable ip_forwarding on "fw" then it's not possible to connect from "dmz" to "xeno" or vice versa; so traffic really is going through "fw".

What does NOT work?
* from "ext": `telnet dmz daytime`
* from "ext": `telnet dmz echo`
* from "dmz": `telnet ext echo`
* from "xeno": `telnet ext echo`

In all these cases I get connected, but no output; however, I do get output when I connect to a specific interface on "fw" (iow, if host "fw0" is the ip-address of eth0 on "fw" then `telnet fw0 echo` works fine from "ext"). It's as if no IP data (as opposed to syn/ack) wants to go from "fw" to "ext"?

Routes defined on all hosts: (192.168.1.1 is the gateway connected to my ADSL modem)

host "fw"
Destination     Gateway         Genmask         Flags  Iface
172.17.17.0     0.0.0.0         255.255.255.0   U      eth1
10.0.0.0        0.0.0.0         255.255.0.0     U      eth0
192.168.0.0     0.0.0.0         255.255.0.0     U      eth2
0.0.0.0         192.168.1.1     0.0.0.0         UG     eth2

host "xeno"
Destination     Gateway         Genmask         Flags  Iface
172.17.18.0     0.0.0.0         255.255.255.0   U      xenbr1
10.0.0.0        0.0.0.0         255.255.0.0     U      eth2
0.0.0.0         10.0.1.1        0.0.0.0         UG     eth2

host "dmz"
Destination     Gateway         Genmask         Flags  Iface
172.17.17.0     0.0.0.0         255.255.255.0   U      eth0
0.0.0.0         172.17.17.1     0.0.0.0         UG     eth0

host "ext" (not xen, separate machine on my LAN)
Destination     Gateway         Genmask         Flags  Iface
172.17.17.0     192.168.8.1     255.255.255.0   UG     eth0
192.168.0.0     0.0.0.0         255.255.0.0     U      eth0
10.0.0.0        192.168.8.1     255.0.0.0       UG     eth0
0.0.0.0         192.168.1.1     0.0.0.0         UG     eth0

Help me, Obi-Wan Xenobi; you're my only hope.

Regards,
Peter Fokkinga

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Daniel Bauer
2006-Apr-04 05:59 UTC
Re: [Xen-users] routing in xen 3.0: icmp gets routed, but tcp/ip only partially
Hi Peter,

From: "Peter Fokkinga" <peter@fokkinga.nl>
> I have this really strange routing problem that no amount of
> googling and experimenting has been able to solve. Then again,
> I'm new to Xen and "advanced" networking, so I could be missing
> something very basic.
>
> Summary: an unprivileged domU with PCI frontend for a NIC
> is used as a router; icmp gets routed, but tcp/ip only
> partially. I'm using a xen-unstable snapshot, dated March 31,
> running on Ubuntu Dapper Drake.
> [...]

I've got the same problem.

ethtool -K eth0 tx off

solves the problem. You should give this command on all interfaces. I couldn't explain if this makes a security hole.

HTH
Daniel
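The `tx` feature that Daniel's `ethtool -K eth0 tx off` turns off is TX checksum offloading: with it on, the kernel hands the NIC a segment whose TCP checksum field is not yet final and expects the hardware to complete it. A segment that reaches the wire with that field unfinished is silently dropped by the receiving host, which matches "connected, but no output" better than a routing fault; `tcpdump -vv` on the receiver reports such segments with an incorrect checksum. The following is an added example, not code from the thread, showing the check a receiver performs and what a correct checksum looks like for a constructed IPv4/TCP packet from "dmz" (172.17.17.2) to the echo port on "ext" (192.168.2.1). The source port 40000, sequence numbers and payload are assumptions chosen for the sample.

```python
import struct

# Constructed sample addresses from the thread's topology: "dmz" talking to
# "ext" on the echo service (TCP port 7). Everything else is an assumption.
DMZ_IP = bytes([172, 17, 17, 2])
EXT_IP = bytes([192, 168, 2, 1])


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 one's-complement sum of 16-bit big-endian words, folded to 16 bits.
    An odd trailing byte is zero-padded on the right."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header (src, dst, zero, proto 6, length)
    plus the segment, with the segment's own checksum field (bytes 16-17) as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def split_ipv4(packet: bytes):
    """Return (src_ip, dst_ip, tcp_segment) from a raw IPv4 packet, honouring IHL
    and the total-length field so trailing padding is not checksummed."""
    if packet[9] != 6:
        raise ValueError("not a TCP packet")
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    return packet[12:16], packet[16:20], packet[ihl:total_len]


def tcp_checksum_ok(packet: bytes) -> bool:
    """What the receiving host checks: stored checksum equals the computed one."""
    src, dst, seg = split_ipv4(packet)
    stored = struct.unpack("!H", seg[16:18])[0]
    return stored == tcp_checksum(src, dst, seg)


def fix_tcp_checksum(packet: bytes) -> bytes:
    """Copy of the packet with the TCP checksum filled in, i.e. what either the
    software path or a NIC that actually performs TX offload is expected to emit."""
    src, dst, seg = split_ipv4(packet)
    ihl = (packet[0] & 0x0F) * 4
    csum = struct.pack("!H", tcp_checksum(src, dst, seg))
    return packet[:ihl + 16] + csum + packet[ihl + 18:]


def build_echo_packet(payload: bytes = b"hello\n", checksum: int = 0) -> bytes:
    """Constructed IPv4/TCP packet dmz:40000 -> ext:7 (PSH|ACK) carrying `payload`.
    The default checksum=0 stands for a segment whose checksum was left for the NIC."""
    tcp = struct.pack("!HHIIBBHHH", 40000, 7, 1, 1, 5 << 4, 0x18, 0x2000, checksum, 0)
    tcp += payload
    total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 1, 0x4000, 64, 6, 0, DMZ_IP, EXT_IP)
    return ip + tcp


if __name__ == "__main__":
    unfinished = build_echo_packet()
    repaired = fix_tcp_checksum(unfinished)
    src, dst, seg = split_ipv4(unfinished)
    print("expected TCP checksum: 0x%04x" % tcp_checksum(src, dst, seg))
    print("unfinished segment accepted by receiver:", tcp_checksum_ok(unfinished))
    print("repaired segment accepted by receiver:  ", tcp_checksum_ok(repaired))
```

On a live system the matching check is `ethtool -k <iface>` (lowercase k), which lists the current offload settings, and `ethtool -K <iface> tx off` on each interface as Daniel suggests. Disabling TX checksum offload does not remove the checksum; it only moves its computation from the NIC back into the kernel at some CPU cost, so it closes no security hole and opens none.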