Olivier Berger
2007-Jun-27 11:00 UTC
[Pkg-xen-devel] Bug#430778: xen-utils-common: NAT scripts not generic enough, and made for DHCP ?
Package: xen-utils-common
Version: 3.0.3-0-2
Severity: normal

I cannot find a use for the network-nat and vif-nat provided in the general case, where I'd like to NAT between vifx.0 and ethx interfaces.

I have set up the following in /etc/xen/xend-config.sxp :

## Use the following if network traffic is routed with NAT, as an alternative
# to the settings for bridged networking given above.
(network-script 'network-nat netdev=eth1')
(vif-script vif-nat)

(in my setup, eth1 is my wired link to the net gateway)

After the domU is started, I get :

# iptables -v -L -n
Chain INPUT (policy ACCEPT 39178 packets, 45M bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain FORWARD (policy DROP 245 packets, 20580 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       192.168.2.100        0.0.0.0/0           PHYSDEV match --physdev-in vif3.0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif3.0 udp spt:68 dpt:67

Chain OUTPUT (policy ACCEPT 24821 packets, 1643K bytes)
 pkts bytes target     prot opt in     out     source               destination

and :

# iptables -v -L -n -t nat
Chain PREROUTING (policy ACCEPT 863 packets, 104K bytes)
 pkts bytes target     prot opt in     out     source               destination

Chain POSTROUTING (policy ACCEPT 55 packets, 3593 bytes)
 pkts bytes target     prot opt in     out     source               destination
    2   125 MASQUERADE  0    --  *      eth1    0.0.0.0/0            0.0.0.0/0

Chain OUTPUT (policy ACCEPT 611 packets, 38296 bytes)
 pkts bytes target     prot opt in     out     source               destination

However, the masquerade doesn't work :(

I think that the "PHYSDEV match --physdev-in vifx.0" declaration in the FORWARD rule doesn't work.

I find it a bit strange also that the provided scripts seem to be producing iptables rules suited for DHCP, with open ports 67 and 68 somehow... even if no dhcp option is set in the scripts' parameters.

I tried a more standard iptables setup like this which gives much better results :

# iptables -F FORWARD
# iptables -A FORWARD -d 192.168.2.100/32 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s 192.168.2.100/32 -j ACCEPT
# iptables -A FORWARD -j LOG

(In my setup, the domU is configured for IP 192.168.2.100)

Any comments ?

Hope this helps,

-- System Information:
Debian Release: lenny/sid
  APT prefers testing
  APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages xen-utils-common depends on:
ii  lsb-base  3.1-23.1  Linux Standard Base 3.1 init scrip
ii  udev      0.105-4   /dev/ and hotplug management daemo

xen-utils-common recommends no packages.

-- no debconf information
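An added audit helper, not part of the report or of the xen-utils-common scripts: it parses `iptables -v -L -n` output and flags the situation the report describes, a DROP-policy FORWARD chain whose only ACCEPT rules depend on a physdev match (which only sees packets traversing a bridge), so routed vif-nat traffic falls through to the policy. The sample ruleset is the report's FORWARD chain re-flowed one rule per line; the `bridged` flag is an assumed parameter stating whether the vifs actually sit on a bridge.

```python
import re

# Constructed sample: the report's FORWARD chain, one rule per line.
SAMPLE = """\
Chain FORWARD (policy DROP 245 packets, 20580 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 ACCEPT     0    --  *      *       192.168.2.100        0.0.0.0/0           PHYSDEV match --physdev-in vif3.0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0           PHYSDEV match --physdev-in vif3.0 udp spt:68 dpt:67
Chain OUTPUT (policy ACCEPT 24821 packets, 1643K bytes)
 pkts bytes target     prot opt in     out     source               destination
"""

CHAIN_RE = re.compile(r"^Chain (\S+) \(policy (\S+) (\d+) packets")

def parse_filter_table(text):
    """Parse `iptables -v -L -n` output into {chain: {policy, policy_pkts, rules}}."""
    chains, current = {}, None
    for line in text.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            chains[current] = {"policy": m.group(2), "policy_pkts": int(m.group(3)), "rules": []}
            continue
        cols = line.split()
        if current is None or not cols or cols[0] == "pkts":
            continue  # blank line or the column-header line
        pkts, _bytes, target, prot, _opt, dev_in, dev_out, src, dst = cols[:9]
        chains[current]["rules"].append({
            "pkts": int(pkts), "target": target, "prot": prot, "in": dev_in,
            "out": dev_out, "src": src, "dst": dst, "match": " ".join(cols[9:]),
        })
    return chains

def audit_forward(text, bridged=False):
    """Findings for a FORWARD chain that cannot pass routed domU traffic. `bridged`
    (assumed flag) says whether the vifs are on a bridge; physdev only matches there."""
    fwd = parse_filter_table(text).get("FORWARD")
    if fwd is None:
        return ["no FORWARD chain found"]
    accepts = [r for r in fwd["rules"] if r["target"] == "ACCEPT"]
    physdev = [r for r in accepts if "--physdev-" in r["match"]]
    findings = []
    if fwd["policy"] == "DROP" and accepts and len(physdev) == len(accepts) and not bridged:
        findings.append("every ACCEPT rule in FORWARD needs a physdev match; routed "
                        "domU traffic never matches and falls through to the DROP policy")
    if fwd["policy"] == "DROP" and fwd["policy_pkts"] and all(r["pkts"] == 0 for r in accepts):
        findings.append(f"{fwd['policy_pkts']} packets hit the DROP policy while no "
                        "ACCEPT rule counted a single packet")
    return findings
```

Run it against the live output of `iptables -v -L -n` on the dom0 to confirm whether the zero counters on the physdev rules persist while the policy counter keeps climbing.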