Has anyone managed to combine bridged network model and SNAT?

I have a machine that just ssh's into other boxes and updates via rsync a copy of their filesystems. I figured I could stage a xen VM for this server with a private IP address and do SNAT and "routing" via the dom0 box, but I get a weird "Performing cross-bridge DNAT requires IP forwarding to be enabled" message.

Looking at TCPdump output, my packets were going out of the domU correctly, being nat'd correctly by dom0 (to the dom0 ip address), being sent across the wire to a target box, which was replying. On dom0, I could see the replies on peth0, but not eth0 ... so of course dom0 never got them to nat back to domU. The MAC addresses for the returning packets appeared to be correct.

This is 3.0.2-2 with the default linux version, but custom compiled. There are a couple other references on the net to that message in combination with XEN, so I'm not the first to hit it... then again the 3 of us may have made the same stupid mistake.

It's not really a problem. I have more real IP addresses I can use, but they are in short supply.

The bitch seems to come from br_nf_pre_routing_finish() in net/bridge/br_netfilter.c (linux source)... and follows these conditions...

    if (dnat_took_place(skb)) {
        <snip>
        if (ip_route_input(skb, iph->daddr, iph->saddr, iph->tos,
            <snip>
            if (!ip_route_output_key(&rt, &fl)) {
                <snip>
                if (((struct dst_entry *)rt)->dev == dev ||
                    rt->rt_type == RTN_LOCAL) {
                    ** ok here **
                else
                    ** CHOKE with above msg **

As far as I know, there was nothing fancy in my settings. A host specific route for the vifX.0 and the domU, normal subnet routing on eth0 and the target was in that subnet. SNAT rule was simple...

    iptables -t nat -A POSTROUTING -s 192.168.3.0/24 -j SNAT --to-source $MASQIP

-Tom
----------------------------------------------------------------------
tbrown@BareMetal.com  | Put all your eggs in one basket and
http://BareMetal.com/ | WATCH THAT BASKET!
web hosting since '95 | - Mark Twain

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Jul 14, 2006 at 1729 -0700, tbrown@baremetal.com appeared and said:

> Has anyone managed to combine bridged network model and SNAT?

No, but I stumbled into the same problem.

> [...] Looking at TCPdump output, my packets were going out of the domU
> correctly, being nat'd correctly by dom0 (to the dom0 ip address), being
> sent across the wire to a target box, which was replying. On dom0, I could
> see the replies on peth0, but not eth0 ... so of course dom0 never got
> them to nat back to domU. The MAC addresses for the returning packets
> appeared to be correct.

I have two bridges - one for the external IPs and one for DomUs in a LAN. The Dom0 is an IPsec and OpenVPN gateway linking the DomU LAN with a remote office and roadwarriors. This works all fine. The only thing that needs to be done is a SNAT for the DomU LAN. I used the standard SNAT rule

    iptables -t nat -A POSTROUTING -s 10.0.2.0/24 -d ! 10.0.1.0/24 -m physdev ! --physdev-is-bridged --jump SNAT --to-source 11.22.33.44

which does SNAT, but the return packets get dropped inside Dom0. tcpdump shows TCP SYNs getting out, NATted correctly, only the return packets disappear. I also tried the ethtool checksum magick, it makes no difference.

It's a recent Xen 3.0.2 on Gentoo Linux.

Ideas anyone?

Best,
René, melting in Vienna.

--
"From the delicate strands, between minds we weave our mesh: a blanket to warm the soul." --- Lady Deirdre Skye (SMAC) ---
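The symptom both Tom and René describe (the NATed reply is visible on peth0 but never reaches eth0) can be pinned down mechanically by correlating per-interface captures by flow. The following Python is an added example, not code from either poster: the interface names, addresses and capture lines are constructed, and the line format mimics the classic tcpdump one-liner.

```python
import re
from collections import defaultdict

# Constructed sample captures, one list per Dom0 interface, in the classic
# tcpdump one-line format "<time> IP <src>.<sport> > <dst>.<dport>: <rest>".
# Addresses are made up: 192.168.3.10 is the DomU, 203.0.113.2 stands in for
# Dom0's MASQIP, and 203.0.113.40 is the rsync target on Dom0's subnet.
CAPTURES = {
    "vif1.0": ["10:00:00.000001 IP 192.168.3.10.40000 > 203.0.113.40.22: S 1:1(0) win 5840"],
    "eth0":   ["10:00:00.000100 IP 203.0.113.2.40000 > 203.0.113.40.22: S 1:1(0) win 5840"],
    "peth0":  ["10:00:00.000200 IP 203.0.113.2.40000 > 203.0.113.40.22: S 1:1(0) win 5840",
               "10:00:00.001000 IP 203.0.113.40.22 > 203.0.113.2.40000: S 9:9(0) ack 2 win 5792"],
}

LINE = re.compile(r"IP (\d+\.\d+\.\d+\.\d+)\.(\d+) > (\d+\.\d+\.\d+\.\d+)\.(\d+):")

def parse(line):
    """Return (src, sport, dst, dport) for a TCP/UDP tcpdump line, else None."""
    m = LINE.search(line)
    return (m.group(1), int(m.group(2)), m.group(3), int(m.group(4))) if m else None

def flow_key(pkt):
    # Direction-agnostic key so a reply lands in the same bucket as its request.
    return tuple(sorted([(pkt[0], pkt[1]), (pkt[2], pkt[3])]))

def find_dropped_replies(captures, outer="peth0", inner="eth0"):
    """List (src, dst) of reply directions seen on `outer` whose request went
    out via `inner` but which never show up on `inner` themselves. That is the
    thread's symptom: the reply reaches peth0 and vanishes before eth0."""
    seen = defaultdict(lambda: defaultdict(set))   # flow -> iface -> {(src, dst)}
    for iface, lines in captures.items():
        for line in lines:
            pkt = parse(line)
            if pkt:
                seen[flow_key(pkt)][iface].add((pkt[0], pkt[2]))
    dropped = []
    for per_iface in seen.values():
        on_inner = per_iface.get(inner, set())
        for src, dst in sorted(per_iface.get(outer, set())):
            if (dst, src) in on_inner and (src, dst) not in on_inner:
                dropped.append((src, dst))
    return dropped

if __name__ == "__main__":
    for src, dst in find_dropped_replies(CAPTURES):
        print(f"reply {src} -> {dst} seen on peth0 but not on eth0")
```

Feed it real captures taken with `tcpdump -n -i peth0` and `tcpdump -n -i eth0` in parallel; a non-empty result narrows the loss to the bridge/netfilter path between the two, which is where the br_netfilter check Tom quotes sits.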
René Pfeiffer wrote:

> but the return packets get dropped inside Dom0.

just an idea -> do you have this rule in Dom0 ???

    -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
On Jul 21, 2006 at 1956 +0200, Norman Zimmer appeared and said:

> René Pfeiffer wrote:
> > but the return packets get dropped inside Dom0.
>
> just an idea -> do you have this rule in Dom0 ???
>
> -I FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

We don't use any firewalling on Dom0 (yet). I first want to sort out the checksumming issue, the bridging and the NATing.

Best,
René.

--
"From the delicate strands, between minds we weave our mesh: a blanket to warm the soul." --- Lady Deirdre Skye (SMAC) ---