Shannon
2008-May-19 20:54 UTC
[Xen-users] Specific vif-route or vif-bridge in DomU config file?
Is there any way to specify on the vif = [] line of a DomU config if an interface should be routed or bridged?

Have a situation that I believe calls for wanting to use both methods at the same time. (Bridging for almost everything, but routing for a few special use case DomUs)... I thought I saw mention in a man file someplace that this could be specified, but no idea where I saw it now...

Basically, we have a physical box with two ethernet ports, one goes to our internal private LAN, the other connects to the outside world.. want to fulfill three needs:

- Every DomU needs to be able to access the private network that hangs off eth0, but doesn't need to be accessible FROM the private network (bridging at use).
- Every DomU needs to be able to access the internet (hanging off Dom0's eth1), and *some* need to be accessible from the rest of the internet (routing at play).
- Every DomU needs to be able to communicate with *each other*, freely, on the 192.168.x.x network that was created by libvirtd (or wherever that was started)..

The first two I have working fine, using vif-route network-route, and some manual manipulation of the routing tables on the DomUs... the last one is driving me insane, as traffic from one DomU to another is showing up (for instance, in nfs, and even tcpdumps) as coming from the Dom0's IP address instead... If I use brctl manually and add the appropriate vif#.0 to the bridge, it works okay, but if I can't automate it, it's not going to work out. (i.e.: having to run brctl every time a DomU is restarted != fun).

If I switch xend-config over to bridging, I can make the third thing work, but lose the first two. :( So I'm wondering if there's any way to specify in more detail how a specific vif should be built? Or am I chasing this in entirely the wrong direction? I'm assuming someone out there has wanted to do something similar before, I just can't seem to find mention anywhere online of *how* anyone has accomplished it. :)

- Shannon

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
Todd Deshane
2008-May-19 21:47 UTC
Re: [Xen-users] Specific vif-route or vif-bridge in DomU config file?
Hi Shannon,

On Mon, May 19, 2008 at 4:54 PM, Shannon <slafferty@purenrg.com> wrote:
> Is there any way to specify on the vif = [] line of a DomU config if an
> interface should be routed or bridged?
> [...]

Sounds like you just need to use a custom network script. Below are a couple of good links that explain it pretty well.

The basic idea is that you will use your custom script to call the proper network scripts and set up the right netdevs, vifs, and bridges with those scripts. Then you will connect your guest to the proper bridge.

http://wiki.xensource.com/xenwiki/XenNetworking#head-7b845eda5e0154fecb98165adbd774f6168119d1
http://lists.centos.org/pipermail/centos-virt/2007-December/000119.html

Let us know if you have any problems making the scripts after taking a look at those links.

Cheers,
Todd
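A concrete shape for the dispatching script Todd describes, as an added example that is not from this thread and not Xen's own code: it decides per vif whether to hand off to the stock vif-route or vif-bridge hotplug script, using only the keys xend already writes to xenstore for each vif, so the vif = [] syntax itself is unchanged. Assumptions: it is installed as /etc/xen/scripts/vif-dispatch and named in xend-config.sxp as (vif-script vif-dispatch); the hotplug framework supplies XENBUS_PATH; the "ip= means routed, otherwise bridged" rule is this example's own convention.

```shell
#!/bin/sh
# Added example (not from the thread, not Xen's own code): a vif hotplug
# script that hands each vif to the stock vif-route or vif-bridge script.
# Assumption: installed as /etc/xen/scripts/vif-dispatch and selected with
# (vif-script vif-dispatch) in xend-config.sxp. Assumption: the hotplug
# framework sets XENBUS_PATH to this vif's backend directory in xenstore.

XEN_SCRIPT_DIR=${XEN_SCRIPT_DIR:-/etc/xen/scripts}

# choose_vif_script IP BRIDGE -> prints the script name for this vif.
# Convention of this example: a vif given ip= in the domU config is routed
# (vif-route needs that address); a vif without ip= is bridged. ip= and
# bridge= together is refused rather than guessed, so a vif never silently
# ends up on the wrong path (bridged but unfiltered, or routed but unreachable).
choose_vif_script() {
    ip=$1
    bridge=$2
    if [ -n "$ip" ] && [ -n "$bridge" ]; then
        return 1
    elif [ -n "$ip" ]; then
        echo vif-route
    else
        echo vif-bridge
    fi
}

# validate_ipv4 ADDR -> 0 only for a dotted quad with octets 0..255.
# Checks the value read from xenstore before it is handed to vif-route.
validate_ipv4() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Only a real hotplug run (XENBUS_PATH set by xend) reaches this part.
if [ -n "$XENBUS_PATH" ] && command -v xenstore-read >/dev/null 2>&1; then
    ip=$(xenstore-read "$XENBUS_PATH/ip" 2>/dev/null)
    bridge=$(xenstore-read "$XENBUS_PATH/bridge" 2>/dev/null)
    for a in $ip; do    # ip= may carry several addresses
        validate_ipv4 "$a" || { echo "$0: bad ip '$a' in $XENBUS_PATH" >&2; exit 1; }
    done
    script=$(choose_vif_script "$ip" "$bridge") ||
        { echo "$0: both ip= and bridge= set in $XENBUS_PATH" >&2; exit 1; }
    exec "$XEN_SCRIPT_DIR/$script" "$@"
fi
```

With this in place the routed DomUs get `ip=` on their vif line and the bridged ones do not; the vif-route and vif-bridge scripts themselves are untouched.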
Christopher Isip
2008-May-19 22:30 UTC
Re: [Xen-users] Specific vif-route or vif-bridge in DomU config file?
On Mon, May 19, 2008 at 4:54 PM, Shannon <slafferty@purenrg.com> wrote:
> Is there any way to specify on the vif = [] line of a DomU config if an
> interface should be routed or bridged?
> [...]

This sounds like my setup. One physical box with two interfaces: eth0 to the switch, and eth1 to the cable modem. There are multiple domU's in the box. I bridge eth0 and hide eth1 from the dom0, then have these domU's:

DomU1-Firewall

This domU has two interfaces, a real nic (eth1 hidden from domU, now eth0 in the domU), and a vif eth1 (bridged with dom0's eth0). It is the gateway to the internet for all the DomU's and lan machines, doing ip masquerading. It can port forward to each of the other domU's services that you want to be available to the outside world.

Here are configs for eth0:

    DEVICE=eth0
    ONBOOT=yes
    BOOTPROTO=dhcp

and eth1:

    DEVICE=eth1
    ONBOOT=yes
    BOOTPROTO=static
    IPADDR=192.168.0.1
    NETMASK=255.255.255.0

Using shorewall:

-> interfaces:
    net     eth0
    loc     eth1

-> zones:
    fw      firewall
    loc     ipv4
    net     ipv4

-> masq:
    eth0    eth1

-> policy:
    fw      all     ACCEPT
    loc     all     ACCEPT
    net     all     DROP

-> rules:
    # here is where you put the DNAT rules for the services you want available on the net.
    # example
    DNAT    net     loc:192.168.0.205:5001  tcp     5001

DomU2-DomUN

The rest of the DomU's only need eth0 (the vif from dom0's bridged eth0). They can see the internet through eth0 and the rest of the lan through eth0 as well, and can see each other and Dom0 as well. Make sure their default routes point to DomU1-Firewall.

You can do this with use of a dhcp server or use a static address in ifcfg-eth0. Ex:

    # Xen Virtual Ethernet
    DEVICE=eth0
    BOOTPROTO=static
    IPADDR=192.168.0.7
    NETMASK=255.255.255.0
    GATEWAY=192.168.0.1
    ONBOOT=yes

Configure shorewall:

-> interfaces:
    loc     eth0

-> zones:
    fw      firewall
    loc     ipv4

-> policy (no DNAT'd service to this domU):
    fw      loc     ACCEPT
    loc     fw      ACCEPT

-> policy (DNAT'd service to this domU):
    all     all     DROP

** and then create a rule to accept the DNAT'd service, ex:

    ACCEPT  loc     fw      tcp     80

I speculate on the policy for the case of the DNAT'd service to the domU. I think it will work though.

Chris