Olivier Berger
2007-Jun-27 11:00 UTC
[Pkg-xen-devel] Bug#430778: xen-utils-common: NAT scripts not generic enough, and made for DHCP ?
Package: xen-utils-common
Version: 3.0.3-0-2
Severity: normal
I cannot find a use the network-nat and vif-nat provided in the general case,
where I'd like to NAT between vifx.0
and ethx interfaces.
I have setup the following in /etc/xen/xend-config.sxp :
## Use the following if network traffic is routed with NAT, as an alternative
# to the settings for bridged networking given above.
(network-script 'network-nat netdev=eth1')
(vif-script vif-nat)
(in my setup, eth1 is my wired link to the net gateway)
After the domU is started, I get :
# iptables -v -L -n
Chain INPUT (policy ACCEPT 39178 packets, 45M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 245 packets, 20580 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 192.168.2.100 0.0.0.0/0
PHYSDEV match --physdev-in vif3.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0
PHYSDEV match --physdev-in vif3.0 udp spt:68 dpt:67
Chain OUTPUT (policy ACCEPT 24821 packets, 1643K bytes)
pkts bytes target prot opt in out source destination
and :
# iptables -v -L -n -t nat
Chain PREROUTING (policy ACCEPT 863 packets, 104K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 55 packets, 3593 bytes)
pkts bytes target prot opt in out source destination
2 125 MASQUERADE 0 -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 611 packets, 38296 bytes)
pkts bytes target prot opt in out source destination
However, the masquerade doesn't work :(
I think that the "PHYSDEV match --physdev-in vifx.0" declaration in
the FORWARD rule doesn't work.
I find it a bit strange also that the provided scripts seem to be producing
iptables rules suited for DHCP, with open ports 67 and 68 somehow... even if no
dhcp option is set in the scripts parameters.
I tried a more standard iptables setup like this which give much better results
:
# iptables -F FORWARD
# iptables -A FORWARD -d 192.168.2.100/32 -m state --state ESTABLISHED,RELATED
-j ACCEPT
# iptables -A FORWARD -s 192.168.2.100/32 -j ACCEPT
# iptables -A FORWARD -j LOG
(In my setup, the domU is configured for IP 192.168.2.100)
Any comments ?
Hope this helps,
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages xen-utils-common depends on:
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii udev 0.105-4 /dev/ and hotplug management daemo
xen-utils-common recommends no packages.
-- no debconf information
Maybe Matching Threads
- [Xense-devel] [RFC][PATCH][ACM] enforcing ACM policy on network traffic between virtual network interfaces
- so close! just an iptables rule away.....?
- [Bug 751] New: IPv6 bridging bug
- Arp Flip Flops make machine inaccessible.
- Bug#571634: bridge loosing connection
Wisdom of the Ancients
