I'm trying to do a nat redirect (traffic redirected from a router, not originally for the machine). I can see the network traffic, but the iptable rules do not appear to do anything. Is this possible on a virtual domain, and if not what needs to be done?

-Jeff

-------------------------------------------------------
This SF.net email is sponsored by: SF.net Giveback Program. SourceForge.net hosts over 70,000 Open Source Projects. See the people who have HELPED US provide better services: Click here: http://sourceforge.net/supporters.php
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/xen-devel

> I'm trying to do a nat redirect (traffic redirected from a router, not
> originally for the machine). I can see the network traffic, but the
> iptable rules do not appear to do anything. Is this possible on a
> virtual domain, and if not what needs to be done?

This should work okay from domain 0. Domain 0 is allowed to send any packet to the physical network. Also, packets that match no other rule are forwarded to domain 0.

iptables -L -v

and

iptables -tnat -L -v

may help --- they tell you how many packets have matched each iptables rule. You might therefore be able to work out whether packets are reaching domain 0 and, if so, where they are getting misdirected.

-- Keir
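
Added example, not part of the thread or of any poster's message: one way to use the counters suggested above is to save the verbose listing before and after sending test traffic and print only the rules whose packet counters rose. The listings, interface names (gre1, eth0), ports and counts below are constructed, and `counter_delta` is a hypothetical helper name.

```shell
#!/bin/sh
# Diff two `iptables -t nat -L -v -n -x` listings (-x = exact counters) to see
# which rules matched packets in between. Not code from the thread.

# Print "CHAIN:RULENO +delta rule-text" for every rule whose pkts counter rose.
counter_delta() {   # $1 = listing saved before the test, $2 = listing saved after
    awk '
        FNR == 1      { file++ }                    # first line of the next listing
        $1 == "Chain" { chain = $2; n = 0; next }   # new chain: restart rule numbering
        $1 == "pkts" || NF == 0 { next }            # column header or blank line
        {
            key = chain ":" (++n)                   # rules are identified by position
            if (file == 1) { before[key] = $1; next }
            delta = $1 - before[key]
            rule = $3
            for (i = 4; i <= NF; i++) rule = rule " " $i
            if (delta > 0) printf "%s +%d %s\n", key, delta, rule
        }' "$1" "$2"
}

# Constructed sample listings (assumed rules; only the gre1 counter changes).
sample_before() { cat <<'EOF'
Chain PREROUTING (policy ACCEPT 10 packets, 600 bytes)
    pkts      bytes target     prot opt in     out     source               destination
       0        0 REDIRECT   tcp  --  gre1   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128
       5      300 REDIRECT   tcp  --  eth0   *       0.0.0.0/0            0.0.0.0/0            tcp dpt:80 redir ports 3128

Chain OUTPUT (policy ACCEPT 2 packets, 120 bytes)
    pkts      bytes target     prot opt in     out     source               destination
EOF
}
sample_after() { sample_before | sed '/gre1/s/^ *0 *0 /       3      180 /'; }

tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
sample_before > "$tmp/before"
sample_after  > "$tmp/after"
counter_delta "$tmp/before" "$tmp/after"
```

On a live system the two files would come from running `iptables -t nat -L -v -n -x` before and after the test. Rules in the nat table are only consulted for the first packet of each connection, so their counters track new connections rather than every packet.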

Keir Fraser wrote:

>> I'm trying to do a nat redirect (traffic redirected from a router, not
>> originally for the machine). I can see the network traffic, but the
>> iptable rules do not appear to do anything. Is this possible on a
>> virtual domain, and if not what needs to be done?
>
> This should work okay from domain 0. Domain 0 is allowed to send any
> packet to the physical network. Also, packets that match no other rule
> are forwarded to domain 0.
>
> iptables -L -v
>
> and
>
> iptables -tnat -L -v
>
> may help --- they tell you how many packets have matched each iptables
> rule. You might therefore be able to work out whether packets are
> reaching domain 0 and, if so, where they are getting misdirected.
>
> -- Keir

I have verified that it does work on domain 0, but I'm actually trying to do the redirect on a different domain (non 0).

The router is using GRE to encapsulate traffic to the virtual machine. (verified working)
The GRE interface on the virtual machine decapsulates the packet. (verified working)
The iptable rule on the virtual machine matches the packet (verified working)
The iptable rule on the virtual machine redirects the packet to a local port (not working)

Any suggestions?

-Jeff

> I have verified that it does work on domain 0, but I'm actually trying
> to do the redirect on a different domain (non 0).
>
> The router is using GRE to encapsulate traffic to the virtual machine.
> (verified working)
> The GRE interface on the virtual machine decapsulates the packet.
> (verified working)
> The iptable rule on the virtual machine matches the packet (verified
> working)
> The iptable rule on the virtual machine redirects the packet to a local
> port (not working)

If the packets are getting through to the domain, it's hard to imagine how we could be stuffing it up.

The exact same config (including the IP addresses) works in domain0, right?

What happens if you redirect to localhost rather than the domain's external IP?

Do the counters go up indicating that the redirect rule is being used?

I guess we'll have to investigate how the redirect actually works, but I'd be surprised if it was arch or driver specific.

Ian

Ian Pratt wrote:

> If the packets are getting through to the domain, its hard to
> imagine how we could be stuffing it up.
>
> The exact same config (including the IP addresses) works in
> domain0, right?
>
> What happens if you redirect to localhost rather than the
> domain's external IP?
>
> Do the counters go up indicating that the redirect rule is being
> used?
>
> I guess we'll have to investigate how the redirect actually
> works, but I'd be surprised if it was arch or driver specific.
>
> Ian

Initial tests show that the filter rule counters are being incremented just as they are on domain 0, but to be sure I will do more testing this evening and report back.

On another note, I just submitted an alternative to the xen_read_console program. It does the same thing, but also has the option of running as a daemon and sending domain console output to syslog.

* Disclaimer: I'm not a C wiz, so go easy on my coding :)

-Jeff