Mr. Teo En Ming (Zhang Enming)
2009-Aug-23 16:08 UTC
[Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Hi,

My Intel DQ45CB motherboard BIOS has VT-d enabled. I am using Xen 3.4.1 and Jeremy Fitzhardinge's paravirt ops dom 0 kernels 2.6.30-rc3 and 2.6.31-rc6.

When Xen boots up, it says that I/O virtualisation is enabled (VT-d working).

I have Windows XP Home 32-bit installed as a HVM guest. I am not trying direct access to physical NIC yet.

I am still using virtual NIC in Win XP Home.

When I configured IP address in Win XP HVM guest, I can ping the IP in Dom 0. In Dom 0, I can also ping the IP of my Win XP domU.

However, other network devices/computers in the same LAN cannot see the IP of Win XP domU. Only Dom 0 can see. Similarly, Win XP dom U can only talk to Dom 0 and cannot talk to other computers in the network.

Why is this so?

--
Mr. Teo En Ming (Zhang Enming)
Dip(Mechatronics Engineering) BEng(Hons)(Mechanical Engineering)
Technical Support Engineer
Information Technology Department
Asiasoft Online Pte Ltd
Tampines Central 1 #04-01 Tampines Plaza
Singapore 529541
Republic of Singapore
Mobile: +65-9648-9798
MSN: teoenming@hotmail.com
Alma Maters: Singapore Polytechnic, National University of Singapore

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Caz Yokoyama
2009-Aug-23 16:39 UTC
RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Hello Teo,

What type of network device do you have? Virtual network or shared physical device? If you have virtual network, I suspect your domU and dom0 are in their own sub-network and the domU is not visible to anyone other than dom0. If you have shared physical device, root cause is something else.

-caz
Mr. Teo En Ming (Zhang Enming)
2009-Aug-23 16:40 UTC
Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Just to add, the ethernet bridge on Dom 0 is eth0 and not xenbr0, virbr0, or anything else.
Mr. Teo En Ming (Zhang Enming)
2009-Aug-23 16:47 UTC
Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Dear Caz,

I have the Intel Corporation 82567LM-3 Gigabit Network Connection on my Intel DQ45CB Desktop Board.

There is only one network interface on my computer and it is eth0.

When I start xend, it creates ethernet bridge eth0. My Dom 0 and Win XP Dom U share the same ethernet bridge.

On Dom 0, IP address is configured on the bridge eth0. In my Win XP dom U configuration, I specified vif = [ 'bridge=eth0' ]

So my Dom 0 and Dom U are sharing the same bridge, and hence the same physical network card.
Caz Yokoyama
2009-Aug-23 16:53 UTC
RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Hello Teo,

I am not clear what you say. Could you tell me the IP address of domU?

-caz
Mr. Teo En Ming (Zhang Enming)
2009-Aug-23 16:54 UTC
Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
I had wanted my Win XP Home dom U to contact my wireless router to get an IP from the DHCP server inside the router. But it couldn't see the wireless router at all (via wired connection). Similarly other devices on the same network could not see my Win XP dom U.

I was able to get networking up for Windows Dom Us using OpenSUSE 11.1 Xen paravirt ops dom 0 host. But apparently I can't do it in Fedora 11 host. Puzzled.
Mr. Teo En Ming (Zhang Enming)
2009-Aug-23 16:56 UTC
Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Dear Caz,

For e.g. my Dom 0 is 10.0.0.5, and my Win XP home dom U is 10.0.0.6. They are in the same subnet and sharing the same ethernet bridge eth0 in dom 0. And of course sharing the same physical network card.
Caz Yokoyama
2009-Aug-23 16:59 UTC
RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
How does domU get its IP address? Automatically? Or do you assign the IP address?

-caz
Mr. Teo En Ming (Zhang Enming)
2009-Aug-24 00:01 UTC
Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Hi Caz,

I found out why my Win XP Home HVM dom U couldn't access the outside world. It's because of the firewall rules on my Dom 0. When I flushed all my firewall rules, Dom U could obtain IP address from my wireless router and surf the internet.

So I have to think of adding appropriate firewall rules so that my Dom U could access the outside world when the firewall is enabled.
Mr. Teo En Ming (Zhang Enming)
2009-Aug-24 00:10 UTC
Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Hi Caz,

I did a tcpdump on my ethernet bridge eth0. When the firewall on Dom 0 is up, I see DHCP request packets but NO DHCP reply packets. When I flushed all the firewall rules on Dom 0, I see both DHCP request and reply packets going to my Win XP Home Dom U.
Teo En Ming (Zhang Enming)
2009-Aug-24 01:40 UTC
RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Thank you. But I still need to modify the firewall to allow my Win XP Home Dom U to talk to the outside world.

Regards,
Mr. Teo En Ming (Zhang Enming)

-----Original Message-----
From: Caz Yokoyama [mailto:cazyokoyama@gmail.com]
Sent: Monday, August 24, 2009 8:52 AM
To: enming.teo@asiasoftsea.net
Subject: RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest

Congratulations.

-caz
Teo En Ming (Zhang Enming)
2009-Aug-24 02:23 UTC
RE: [Xen-devel] Bridged Networking in Dom 0 and VirtualNIC in Windows XP Home 32-bit HVM Guest
Dear Caz, Boris, and Pasi,

I am reading XenNetworking at the Xen Wiki: http://wiki.xensource.com/xenwiki/XenNetworking

<QUOTE>

The default Xen configuration uses bridging within domain 0 to allow all domains to appear on the network as individual hosts. If extensive use of iptables is made in domain 0 (e.g. a firewall) then this can affect bridging because bridged packets pass through the PREROUTING, FORWARD and POSTROUTING iptables chains. This means that packets being bridged between guest domains and the external network will need to be permitted to pass those chains. The most likely problem is the FORWARD chain being configured to DROP or REJECT packets (this is different from IP forwarding in the kernel).

iptable FORWARDing can be disabled for all packets; to prevent the dom0 from acting as an IP router: echo 0 > /proc/sys/net/ipv4/ip_forward.

A slightly more secure method is to allowing packet forwarding (at the iptables level) between the external physical interface and the vifs for the guests. For a machine with a single ethernet card this would be:

    iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

(needs the ipt_physdev [aka xt_physdev] module to be available).

</QUOTE>

So I may need to tweak the nat table in my iptables configuration. I don't think the problem is with the filter table.

Could you post your iptables configuration with the "iptables --table filter -L" and "iptables --table nat -L" commands?

Thank you very much.

Regards,
Mr. Teo En Ming (Zhang Enming)
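The FORWARD-chain behaviour described in the XenNetworking passage quoted above, as an added example (not code from the thread or from the Xen project): a first-match evaluator over constructed `iptables-save` text that reports the verdict for a bridged frame and shows why the position of the physdev rules matters. The `vif1.0` port name and the sample ruleset are assumptions; only physdev matches are modelled, and rules carrying any other match are skipped.

```python
import shlex

TERMINAL = {"ACCEPT", "DROP", "REJECT"}

# Constructed sample (not from the thread): a filter table whose FORWARD
# chain ends in a catch-all REJECT. "iptables -A FORWARD" with no -t option
# operates on this table.
BLOCKING = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# The two rules from the quoted wiki text, written as iptables-save lines.
WIKI_RULES = [
    "-A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT",
    "-A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT",
]


def parse_rule(tokens):
    """Turn the tokens after '-A FORWARD' into a small rule record."""
    rule = {"in": None, "out": None, "target": None, "unmodelled": False}
    negate, i = False, 0
    while i < len(tokens):
        tok = tokens[i]
        if tok == "!":                      # newer syntax: ! --physdev-in X
            negate = True
            i += 1
            continue
        if tok in ("--physdev-in", "--physdev-out"):
            i += 1
            if tokens[i] == "!":            # older syntax: --physdev-in ! X
                negate, i = True, i + 1
            rule[tok[len("--physdev-"):]] = (tokens[i], negate)
        elif tok == "-j":
            rule["target"] = tokens[i + 1]
            break                           # whatever follows is a target option
        elif tok == "-m":
            i += 1
            rule["unmodelled"] |= tokens[i] != "physdev"
        else:
            rule["unmodelled"] = True       # -p, -s, --state, -i, ...
        negate = False
        i += 1
    return rule


def parse_forward(ruleset):
    """Return (policy, rules) for the FORWARD chain of the filter table."""
    policy, rules, table = "ACCEPT", [], None
    for line in ruleset.splitlines():
        line = line.strip()
        if line.startswith("*"):
            table = line[1:]
        elif table != "filter":
            continue
        elif line.startswith(":FORWARD "):
            policy = line.split()[1]
        elif line.startswith("-A FORWARD"):
            rules.append(parse_rule(shlex.split(line)[2:]))
    return policy, rules


def dev_match(spec, dev):
    """Match a bridge port name; a trailing '+' is the iptables wildcard."""
    if spec is None:
        return True
    pattern, negate = spec
    hit = dev.startswith(pattern[:-1]) if pattern.endswith("+") else dev == pattern
    return hit != negate


def forward_verdict(ruleset, phys_in, phys_out):
    """First terminal rule that matches the frame's bridge ports, else policy."""
    policy, rules = parse_forward(ruleset)
    for rule in rules:
        if rule["unmodelled"] or rule["target"] not in TERMINAL:
            continue
        if dev_match(rule["in"], phys_in) and dev_match(rule["out"], phys_out):
            return rule["target"]
    return policy


def add_rules(ruleset, new_rules, insert_first):
    """Place new_rules at the head of FORWARD (like -I) or at its tail (like -A)."""
    lines = ruleset.splitlines()
    idx = [i for i, l in enumerate(lines) if l.startswith("-A FORWARD")]
    if not idx:
        pos = lines.index("COMMIT")
    else:
        pos = idx[0] if insert_first else idx[-1] + 1
    return "\n".join(lines[:pos] + new_rules + lines[pos:]) + "\n"


if __name__ == "__main__":
    appended = add_rules(BLOCKING, WIKI_RULES, insert_first=False)
    inserted = add_rules(BLOCKING, WIKI_RULES, insert_first=True)
    for name, rs in (("as-is", BLOCKING), ("appended", appended), ("inserted", inserted)):
        print(name, forward_verdict(rs, "eth0", "vif1.0"),
              forward_verdict(rs, "vif1.0", "eth0"))
```

On a live dom0 the input would be the text printed by `iptables-save` rather than the constructed sample.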
Teo En Ming (Zhang Enming)
2009-Aug-24 04:27 UTC
RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Hi,

I think I know the reason why my Windows HVM and Linux PV Dom U guests could previously access the outside world under OpenSUSE 11.1 32-bit host with Xen pv-ops dom 0 kernel 2.6.30-rc6 from Jeremy's git branch (see my blog).

When I execute the "iptables --table nat -L" command on the OpenSUSE 11.1 Xen pv-ops Dom 0 host in the office:

    Chain PREROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain POSTROUTING (policy ACCEPT)
    target     prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

That means everything is allowed in the nat table with default policy of accept for all chains in that table. It also means xend daemon did not add entries to the nat table when dom U guests are started on the OpenSUSE 11.1 host.

The iptables entries that should be added to the nat table by xend but not added are:

    iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

In contrast, my Fedora 11 64-bit Xen pv-ops dom 0 host in my home have above entries added to the nat table by the xend daemon.

Perhaps I should flush the nat table only to test out my Windows XP Home HVM dom U connectivity to the outside world. I will not flush the filter table.

Do you have any suggestions on the entries in the nat table?

Regards,
Mr. Teo En Ming (Zhang Enming)
Teo En Ming (Zhang Enming)
2009-Aug-24 15:12 UTC
RE: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Hi,

I think I know the reason why my Windows HVM and Linux PV Dom U guests could previously access the outside world under OpenSUSE 11.1 32-bit host with Xen pv-ops dom 0 kernel 2.6.30-rc6 from Jeremy's git branch (see my blog).

When I execute the "iptables --table nat -L" command on the OpenSUSE 11.1 Xen pv-ops Dom 0 host in the office:

Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

That means everything is allowed in the nat table with default policy of accept for all chains in that table. It also means xend daemon did not add entries to the nat table when dom U guests are started on the OpenSUSE 11.1 host. The iptables entries that should be added to the nat table by xend but not added are:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

In contrast, my Fedora 11 64-bit Xen pv-ops dom 0 host in my home has the above entries added to the nat table by the xend daemon. Perhaps I should flush the nat table only to test out my Windows XP Home HVM dom U connectivity to the outside world. I will not flush the filter table.

Do you have any suggestions on the entries in the nat table?

Regards,

Mr. Teo En Ming (Zhang Enming)
Mr. Teo En Ming (Zhang Enming)
2009-Aug-24 15:20 UTC
Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Hi All,

My conclusions earlier in the day were totally erroneous.

The problem is with the FORWARD chain in the filter table.

After Win XP Home 32-bit HVM Guest has started, I flushed the forward chain in the filter table with the command

# iptables -t filter -F FORWARD

This allows my WinXP Home HVM guest to obtain IP address successfully from the wireless router using DHCP.

Success!!!

This is still a temporary fix. I still have to write the correct rules for the FORWARD chain in the filter table.

The following rules which are recommended by the XenNetworking Wiki did not work for me:

iptables -A FORWARD -m physdev --physdev-in eth0 --physdev-out '!' eth0 -j ACCEPT
iptables -A FORWARD -m physdev --physdev-out eth0 --physdev-in '!' eth0 -j ACCEPT

Neither did the rules automatically added by xend after winxp hvm has started work for me.

Does anyone know the correct iptables rules to add to the forward chain in the filter table?

--
Mr. Teo En Ming (Zhang Enming)
Mr. Teo En Ming (Zhang Enming)
2009-Aug-24 15:37 UTC
Re: [Xen-devel] Bridged Networking in Dom 0 and Virtual NIC in Windows XP Home 32-bit HVM Guest
Dear All,

Instead of flushing the forward chain in the filter table after win xp home hvm dom U has started, I have commented out/deactivated the following rule in the default Fedora 11 firewall configuration:

-A FORWARD -j REJECT --reject-with icmp-host-prohibited

This rule is the cause of all trouble. By deactivating this rule, I have totally eliminated the need to flush the forward chain in the filter table after win xp home hvm dom U has started.

Hence now my Win XP Home HVM Dom U could access the outside world without any problem.

--
Mr. Teo En Ming (Zhang Enming)
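Added example, not part of the original thread or of Xen's own scripts: iptables walks a chain top to bottom and stops at the first terminating match, so ACCEPT rules appended with -A behind a catch-all such as the Fedora REJECT quoted above are never reached, which is one explanation consistent with the wiki rules having had no effect here. The script audits an iptables-save dump for such shadowed rules; both rulesets are constructed samples and the function names are hypothetical.

```shell
#!/bin/sh
# Audit an iptables-save dump for rules that can never match because an
# unconditional terminating rule sits earlier in the same chain.

# Constructed sample: the catch-all REJECT quoted in the thread, followed by
# the wiki's two physdev rules where "iptables -A" (append) would put them.
appended_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -m physdev --physdev-in eth0 --physdev-out ! eth0 -j ACCEPT
-A FORWARD -m physdev --physdev-out eth0 --physdev-in ! eth0 -j ACCEPT
COMMIT
EOF
}

# Constructed sample: the same rules with the physdev ACCEPTs ahead of the
# REJECT, so bridged guest traffic is accepted and the rest is still rejected.
inserted_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m physdev --physdev-in eth0 --physdev-out ! eth0 -j ACCEPT
-A FORWARD -m physdev --physdev-out eth0 --physdev-in ! eth0 -j ACCEPT
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# shadowed_rules TABLE CHAIN < dump
# Prints one line per unreachable rule: "<rule#> shadowed by <rule#>: <rule>".
shadowed_rules() {
    awk -v table="$1" -v chain="$2" '
        /^\*/ { cur = substr($0, 2); n = 0; blocker = 0; next }
        cur == table && $1 == "-A" && $2 == chain {
            n++
            if (blocker) {
                printf "%d shadowed by %d: %s\n", n, blocker, $0
                next
            }
            # iptables-save writes matches before -j, so "-j" in field 3
            # means the rule has no match conditions at all.
            if ($3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT|RETURN)$/)
                blocker = n
        }
    '
}

# first_catch_all TABLE CHAIN < dump
# Prints the rule number of the first unconditional terminating rule: a rule
# inserted at that position lands ahead of it.
first_catch_all() {
    awk -v table="$1" -v chain="$2" '
        /^\*/ { cur = substr($0, 2); n = 0; next }
        cur == table && $1 == "-A" && $2 == chain {
            n++
            if ($3 == "-j" && $4 ~ /^(ACCEPT|DROP|REJECT|RETURN)$/) {
                print n
                exit
            }
        }
    '
}

echo "appended (-A) ruleset:"
appended_ruleset | shadowed_rules filter FORWARD
echo "catch-all is rule $(appended_ruleset | first_catch_all filter FORWARD)"
echo "inserted ruleset:"
inserted_ruleset | shadowed_rules filter FORWARD
```

On a live dom0 the input would be the output of iptables-save. Placing the physdev ACCEPT rules ahead of the catch-all (for example with "iptables -I FORWARD <n>") keeps the REJECT in force for all other forwarded traffic instead of removing it.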