Hi,

I feel confused about the Xen network. My Dom0 is Fedora 8 and Xen is 4.0.0. My xend network configuration is bridge. The network in the PV (which is Ubuntu) configuration is like this:

    vif = ['bridge=virbr0']

When I start the PV, I use the command brctl to see all the bridges on my computer. The output is as follows.

    [root@localhost ~]# brctl show
    bridge name     bridge id               STP enabled     interfaces
    eth0            8000.0024e839fa54       no              peth0
    virbr0          8000.feffffffffff       no              vif1.0

So the interface vif1.0 is the PV's backend network device, and vif1.0 can access the internet through the bridge virbr0. According to the description of the Xen bridge in the xend configuration file, which is listed here, virbr0 is the bridge. Is it right?

Does the bridge virbr0 connect to the outside internet through eth0? What's the relationship between eth0 and peth0? Which is my real network device card? And what's the role of the other one?

(The description of the Xen bridge in the xend configuration file:)

    # To bridge network traffic, like this:
    #
    # dom0: ----------------- bridge -> real eth0 -> the network
    #                            |
    # domU: fake eth0 -> vifN.0 -+

(The network interfaces on my computer are as follows.)

    [root@localhost ~]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:24:E8:39:FA:54
              inet addr:192.168.1.129  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::224:e8ff:fe39:fa54/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:421887 errors:0 dropped:0 overruns:0 frame:0
              TX packets:21811 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:82335005 (78.5 MiB)  TX bytes:4166441 (3.9 MiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1474 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1474 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3466544 (3.3 MiB)  TX bytes:3466544 (3.3 MiB)

    peth0     Link encap:Ethernet  HWaddr 00:24:E8:39:FA:54
              inet6 addr: fe80::224:e8ff:fe39:fa54/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:441848 errors:0 dropped:0 overruns:0 frame:0
              TX packets:21849 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:89824688 (85.6 MiB)  TX bytes:4172186 (3.9 MiB)
              Memory:fe6e0000-fe700000

    vif1.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
              inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:90 errors:0 dropped:0 overruns:0 frame:0
              TX packets:94 errors:0 dropped:4 overruns:0 carrier:0
              collisions:0 txqueuelen:32
              RX bytes:8073 (7.8 KiB)  TX bytes:9696 (9.4 KiB)

    virbr0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
              inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
              inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:90 errors:0 dropped:0 overruns:0 frame:0
              TX packets:129 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:8073 (7.8 KiB)  TX bytes:15177 (14.8 KiB)

Any advice from you is appreciated.
Thank you very much!

Bei Guan

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel
Bei Guan, on Fri 22 Oct 2010 22:25:02 +0800, wrote:
> What's the relationship between the eth0 and peth0? Which is my real
> network device card?

That's what you missed in the scheme: the Xen scripts rename your real network device card to peth0, and put it into a bridge called eth0. So you need to use the bridge called "eth0" in your PV scripts.

Samuel
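As an added illustration of Samuel's point (example code, not anything posted in this thread): a small Python parser for `brctl show` output that reports which bridge a guest's backend vif sits on and whether that bridge has a non-vif port such as peth0 carrying it to the wire. The two sample listings are the ones from this thread; the function names and the "bridged"/"no-uplink" labels are the example's own.

```python
import re
from dataclasses import dataclass, field

# Constructed samples: the two `brctl show` listings from this thread. In the
# first the guest's vif sits on libvirt's virbr0; in the second it sits on the
# Xen bridge eth0, whose port peth0 is the renamed physical NIC.
BRCTL_BEFORE = """\
bridge name     bridge id               STP enabled     interfaces
eth0            8000.0024e839fa54       no              peth0
virbr0          8000.feffffffffff       no              vif1.0
"""

BRCTL_AFTER = """\
bridge name     bridge id               STP enabled     interfaces
eth0            8000.0024e839fa54       no              peth0
                                                        vif7.0
                                                        vif7.1
virbr0          8000.000000000000       no
"""

VIF_RE = re.compile(r"vif\d+\.\d+")      # Xen backend device names: vif<domid>.<n>


@dataclass
class Bridge:
    name: str
    bridge_id: str
    stp: bool
    ports: list = field(default_factory=list)

    def guest_vifs(self):
        return [p for p in self.ports if VIF_RE.fullmatch(p)]

    def uplinks(self):
        # Any port that is not a guest backend carries the bridge to the wire;
        # on this Dom0 that is peth0. A bridge with none is host-internal.
        return [p for p in self.ports if not VIF_RE.fullmatch(p)]


def parse_brctl_show(text):
    """Parse `brctl show` output. brctl prints one row per bridge and then one
    indented continuation row per additional port, carrying only the port."""
    bridges = []
    for line in text.splitlines()[1:]:        # drop the header row
        if not line.strip():
            continue
        cols = line.split()
        if line[0].isspace():                 # continuation row: another port
            if not bridges:
                raise ValueError("port row before any bridge row")
            bridges[-1].ports.append(cols[0])
            continue
        name, bridge_id, stp = cols[0], cols[1], cols[2] == "yes"
        bridges.append(Bridge(name, bridge_id, stp, cols[3:]))
    return bridges


def bridge_from_vif_config(line):
    """Bridge named in a xend-style  vif = ['bridge=NAME', ...]  setting."""
    m = re.search(r"bridge=([\w.-]+)", line)
    return m.group(1) if m else None


def describe_vif(bridges, vif):
    """Where a guest backend sits: (bridge, 'bridged' | 'no-uplink' | 'detached', uplinks).
    'bridged' means the guest shares the L2 segment of the physical NIC;
    'no-uplink' means it can only leave the host through Dom0 routing/NAT."""
    for b in bridges:
        if vif in b.ports:
            ups = b.uplinks()
            return (b.name, "bridged" if ups else "no-uplink", ups)
    return (None, "detached", [])


if __name__ == "__main__":
    for label, text, vif, cfg in (
        ("before", BRCTL_BEFORE, "vif1.0", "vif = ['bridge=virbr0']"),
        ("after", BRCTL_AFTER, "vif7.0", "vif = ['bridge=eth0']"),
    ):
        bridges = parse_brctl_show(text)
        where, kind, ups = describe_vif(bridges, vif)
        configured = bridge_from_vif_config(cfg)
        print(f"{label}: {vif} on {where} ({kind}, uplinks={ups}); "
              f"config says {configured}; match={where == configured}")
```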
Another question: in order to test the network connection of the PV (such as Ubuntu), I use a simple client and server program based on the Linux socket API. If the server gets a connection from the client, the server will print the client's IP information and the client will print the message got from the server.

I put the server in the Ubuntu PV (its IP is 192.168.122.187) and the client in the Dom0 (its IP is 192.168.1.129). I start the server first, and then the client. The client can connect to the server successfully. The messages printed are like these:

    root@ubuntu:~/test1# ./server 13
    Server get connection from 192.168.122.1

    [root@localhost test1]# ./client 192.168.122.187 13
    agrv[1] = 192.168.122.187
    I have received:Hello! Are You Fine?

I cannot understand why the server just prints virbr0's IP address (it is the Xen net bridge) rather than Dom0's real IP, 192.168.1.129. What is the relationship between the two IPs (192.168.1.129 and 192.168.122.1)?

If I put the server in Dom0 and the client in Ubuntu, the client cannot connect to the server. However, I can ping Dom0's IP (192.168.1.129) successfully from Ubuntu. What's the reason?

Thanks a lot!

Best Wishes.
Bei Guan

2010/10/22 Bei Guan <gbtju85@gmail.com>
> [...]
Bei Guan, on Fri 22 Oct 2010 22:56:29 +0800, wrote:
> root@ubuntu:~/test1# ./server 13
> Server get connection from 192.168.122.1
>
> [root@localhost test1]# ./client 192.168.122.187 13
> agrv[1] = 192.168.122.187
> I have received:Hello! Are You Fine?
>
> I can not understand why the server just print the virbr0' IP address (it is
> xen net bridge) other than Dom0's real IP, 192.168.1.129.

Because that's the IP of the Dom0 interface from which the connection is made. It's just the same as in a usual intranet/internet router box.

> What the relationship
> between the two IPs(192.168.1.129 and 192.168.122.1)?

None, except your dom0 has these two addresses.

> If I put server in Dom0 and the client in Ubuntu. The client can not connect to
> the server. However, I can ping Dom0's IP (192.168.1.129) successfully from
> Ubuntu. What's reason?

We can't divine, show your code / iptables configuration / tcpdump output. The usual network stuff, actually.

Samuel
2010/10/22 Samuel Thibault <samuel.thibault@ens-lyon.org>
> Bei Guan, on Fri 22 Oct 2010 22:25:02 +0800, wrote:
> > What's the relationship between the eth0 and peth0? Which is my real
> > network device card?
>
> That's what you missed in the scheme: the xen scripts rename your real
> network device card into peth0, and puts it into a bridge called eth0.
> So you need to use the bridge called "eth0" in your PV scripts.

I updated the Ubuntu's network configuration as

    vif = ['bridge=eth0']

and after Ubuntu boots, I set its IP as 192.168.1.20. However, I can access the outside network.

    root@ubuntu:~/test1# ping 61.135.169.125
    connect: Network is unreachable

    root@ubuntu:~/test1# ping 192.168.1.166
    PING 192.168.1.166 (192.168.1.166) 56(84) bytes of data.
    From 192.168.1.129 icmp_seq=1 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=2 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=3 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=4 Destination Host Prohibited

But if the PV uses the virbr0 bridge, it can access the outside network successfully with IP 192.168.122.187.

> Samuel
2010/10/22 Samuel Thibault <samuel.thibault@ens-lyon.org>
> Bei Guan, on Fri 22 Oct 2010 22:56:29 +0800, wrote:
> > [...]
> > If I put server in Dom0 and the client in Ubuntu. The client can not
> > connect to the server. However, I can ping Dom0's IP (192.168.1.129)
> > successfully from Ubuntu. What's reason?
>
> We can't divine, show your code / iptables configuration / tcpdump
> output. The usual network stuff, actually.

Sorry, you mean the client and server code? The iptables configurations of both the Ubuntu PV and Dom0?

> Samuel
When I run the client from Dom0 (Fedora 8) to connect to the server running in the PV Ubuntu (using virbr0 as the bridge), the commands and the data caught by tcpdump are:

    [root@localhost test1]# ./server 8081

    root@ubuntu:~/test1# ./client 192.168.1.192 8081
    agrv[1] = 192.168.1.192
    Connect Error:No route to host

    [root@localhost ~]# tcpdump -i virbr0 -nn
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on virbr0, link-type EN10MB (Ethernet), capture size 96 bytes
    23:49:18.581878 IP 192.168.122.187.37635 > 192.168.1.192.8081: S 2526621589:2526621589(0) win 5840 <mss 1460,sackOK,timestamp 4294946904 0,nop,wscale 4>
    23:49:21.577743 IP 192.168.122.187.37635 > 192.168.1.192.8081: S 2526621589:2526621589(0) win 5840 <mss 1460,sackOK,timestamp 4294947204 0,nop,wscale 4>
    23:49:21.607282 IP 192.168.122.1 > 192.168.122.187: ICMP host 192.168.1.192 unreachable, length 68
    23:49:21.607296 IP 192.168.122.1 > 192.168.122.187: ICMP host 192.168.1.192 unreachable, length 68
    23:49:23.577759 arp who-has 192.168.122.1 tell 192.168.122.187
    23:49:23.577770 arp reply 192.168.122.1 is-at fe:ff:ff:ff:ff:ff

My Dom0's iptables configuration and the server and client programs are listed below. But I cannot find the Ubuntu PV's iptables configuration file. Maybe it doesn't have one.

My Dom0 (Fedora 8) iptables, /etc/sysconfig/iptables:

    # Firewall configuration written by system-config-firewall
    # Manual customization of this file is not recommended.
    *filter
    :INPUT ACCEPT [0:0]
    :FORWARD ACCEPT [0:0]
    :OUTPUT ACCEPT [0:0]
    :RH-Firewall-1-INPUT - [0:0]
    -A INPUT -j RH-Firewall-1-INPUT
    -A RH-Firewall-1-INPUT -i lo -j ACCEPT
    -A RH-Firewall-1-INPUT -p icmp --icmp-type any -j ACCEPT
    -A RH-Firewall-1-INPUT -p 50 -j ACCEPT
    -A RH-Firewall-1-INPUT -p 51 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp --dport 5353 -d 224.0.0.251 -j ACCEPT
    -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 21 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 2049 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 23 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 443 -j ACCEPT
    -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
    -A FORWARD -j REJECT --reject-with icmp-host-prohibited
    COMMIT

The server and client programs are as follows.

    /******* server.c ************/
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <stdio.h>
    #include <stdlib.h>          /* atoi */
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <errno.h>
    #include <string.h>

    int main(int argc, char *argv[])
    {
        int sockfd, new_fd;
        struct sockaddr_in server_addr;
        struct sockaddr_in client_addr;
        socklen_t sin_size;      /* accept() expects socklen_t, not int */
        int portnumber;
        char hello[] = "Hello! Are You Fine?\n";

        if (argc != 2) {
            fprintf(stderr, "Usage:%s portnumber\a\n", argv[0]);
            return 1;
        }
        if ((portnumber = atoi(argv[1])) < 0) {
            fprintf(stderr, "Usage:%s portnumber\a\n", argv[0]);
            return 1;
        }

        /* create socket descriptor */
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            fprintf(stderr, "Socket error:%s\n\a", strerror(errno));
            return 1;
        }

        /* set sockaddr: listen on every local address (INADDR_ANY) */
        memset(&server_addr, 0, sizeof(struct sockaddr_in));
        server_addr.sin_family = AF_INET;
        server_addr.sin_addr.s_addr = htonl(INADDR_ANY);
        server_addr.sin_port = htons(portnumber);

        /* bind to a port */
        if (bind(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)) == -1) {
            fprintf(stderr, "Bind error:%s\n\a", strerror(errno));
            return 1;
        }

        /* listen to the port */
        if (listen(sockfd, 5) == -1) {
            fprintf(stderr, "Listen error:%s\n\a", strerror(errno));
            return 1;
        }

        while (1) {
            /* accept; sin_size is both the buffer size in and the address length out */
            sin_size = sizeof(struct sockaddr_in);
            new_fd = accept(sockfd, (struct sockaddr *)&client_addr, &sin_size);
            if (new_fd == -1) {
                fprintf(stderr, "Accept error:%s\n\a", strerror(errno));
                return 1;
            }
            /* the peer address is that of the Dom0 interface the connection left through */
            fprintf(stderr, "Server get connection from %s\n", inet_ntoa(client_addr.sin_addr));
            if (write(new_fd, hello, strlen(hello)) == -1) {
                fprintf(stderr, "Write Error:%s\n", strerror(errno));
                return 1;
            }
            /* over */
            close(new_fd);
            /* next */
        }
        close(sockfd);
        return 0;
    }

    /******* client.c ************/
    #include <sys/types.h>
    #include <sys/socket.h>
    #include <stdio.h>
    #include <stdlib.h>          /* atoi */
    #include <string.h>          /* strlen, strerror, memset */
    #include <netinet/in.h>
    #include <arpa/inet.h>
    #include <unistd.h>
    #include <errno.h>

    int main(int argc, char *argv[])
    {
        int sockfd;
        char buffer[1024];
        struct sockaddr_in server_addr;
        char *ip;
        int portnumber, nbytes;

        if (argc != 3) {
            fprintf(stderr, "Usage:%s ip portnumber\a\n", argv[0]);
            return 1;
        }
        printf("agrv[1] = %s\n", argv[1]);
        if (strlen(ip = argv[1]) < 7) {
            fprintf(stderr, "Get Ip address error\n");
            return 1;
        }
        if ((portnumber = atoi(argv[2])) < 0) {
            fprintf(stderr, "Usage:%s hostname portnumber\a\n", argv[0]);
            return 1;
        }

        /* create socket descriptor */
        if ((sockfd = socket(AF_INET, SOCK_STREAM, 0)) == -1) {
            fprintf(stderr, "Socket Error:%s\a\n", strerror(errno));
            return 1;
        }

        /* set the struct; the address is given in dotted-quad form, no name lookup */
        memset(&server_addr, 0, sizeof(server_addr));
        server_addr.sin_family = AF_INET;
        server_addr.sin_port = htons(portnumber);
        server_addr.sin_addr.s_addr = inet_addr(ip);
        if (server_addr.sin_addr.s_addr == INADDR_NONE) {
            fprintf(stderr, "Get Ip address error\n");
            return 1;
        }

        /* request to server */
        if (connect(sockfd, (struct sockaddr *)&server_addr, sizeof(server_addr)) == -1) {
            fprintf(stderr, "Connect Error:%s\a\n", strerror(errno));
            return 1;
        }

        /* connected successfully; read one byte less than the buffer to leave room for the NUL */
        if ((nbytes = read(sockfd, buffer, sizeof(buffer) - 1)) == -1) {
            fprintf(stderr, "Read Error:%s\n", strerror(errno));
            return 1;
        }
        buffer[nbytes] = '\0';
        printf("I have received:%s\n", buffer);

        /* over */
        close(sockfd);
        return 0;
    }

2010/10/22 Bei Guan <gbtju85@gmail.com>
> [...]
> Sorry, you mean the client and server code? The iptables configurations of
> all the Ubuntu PV and Dom0?
On 10/22/2010 05:50 PM, Bei Guan wrote:
> My Dom0 (fedora 8) iptables /etc/sysconfig/iptables

This is only half of your configuration. Libvirt is creating virbr0 and adding iptables rules to connect it to the outside world via NAT (the 192.168.122.x subnet). iptables -L can show those rules.

Paolo
2010/10/23 Paolo Bonzini <pbonzini@redhat.com>
> On 10/22/2010 05:50 PM, Bei Guan wrote:
> > My Dom0 (fedora 8) iptables /etc/sysconfig/iptables
>
> This is only half of your configuration. Libvirt is creating virbr0 and
> adding iptables rules to connect it to the outside world via NAT (the
> 192.168.122.x subnet). iptables -L can show those rules.

Sorry, my Dom0 (Fedora 8) iptables configuration is as follows.

    [root@localhost ~]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             localhost/24        state RELATED,ESTABLISHED
    ACCEPT     all  --  localhost/24         anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain RH-Firewall-1-INPUT (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     esp  --  anywhere             anywhere
    ACCEPT     ah   --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

> Paolo
On 10/23/2010 05:27 PM, Bei Guan wrote:
> Sorry, my Dom0 (fedora 8) iptables configuration is as following.

I suggest upgrading libvirt, maybe that will fix it.

Paolo
2010/10/24 Samuel Thibault <samuel.thibault@ens-lyon.org>
> Bei Guan, on Fri 22 Oct 2010 23:50:54 +0800, wrote:
> > [root@localhost test1]# ./server 8081
> >
> > root@ubuntu:~/test1# ./client 192.168.1.192 8081
> > agrv[1] = 192.168.1.192
> > Connect Error:No route to host
>
> Try with 192.168.122.1 instead.

192.168.122.1 also doesn't work.

    root@ubuntu:~/test1# ./client 192.168.122.1 8081
    agrv[1] = 192.168.122.1
    Connect Error:No route to host

> > :INPUT ACCEPT [0:0]
> > :FORWARD ACCEPT [0:0]
> > :OUTPUT ACCEPT [0:0]
> > :RH-Firewall-1-INPUT - [0:0]
> > -A INPUT -j RH-Firewall-1-INPUT
> > [...]
> > -A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 25 -j ACCEPT
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> > -A FORWARD -j REJECT --reject-with icmp-host-prohibited
>
> Apparently your firewall would reject connections actually.

Do you mean this one rejects the connection from the VM Ubuntu?

    -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited

> Samuel
2010/10/25 Samuel Thibault <samuel.thibault@ens-lyon.org>
> Bei Guan, on Mon 25 Oct 2010 09:06:20 +0800, wrote:
> > > Apparently your firewall would reject connections actually.
> >
> > Do you mean this one rejects the connection from VM ubuntu?
> > -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
>
> Things like this, yes.

Is that to say the VM can connect to Dom0 if I comment out this rule in the configuration file? I want to try this. However, when I restart the iptables service, the net bridges eth0 and virbr0 both disappear and my Dom0's network is disconnected.

I restart the service libvirtd and the net bridge virbr0 comes back. But I can make eth0 come back even if I try to restart the service xend.

> Samuel
2010/10/25 Bei Guan <gbtju85@gmail.com>
> [...]
> I restart the service libvirtd and the net bridge virbr0 come back. But I
> can make the eth0 come back even I try to restart the service xend.

OK, I can make the Xen bridge come back again using the script "network-bridge start".
2010/10/22 Samuel Thibault <samuel.thibault@ens-lyon.org>
> Bei Guan, on Fri 22 Oct 2010 22:25:02 +0800, wrote:
> > What's the relationship between the eth0 and peth0? Which is my real
> > network device card?
>
> That's what you missed in the scheme: the xen scripts rename your real
> network device card into peth0, and puts it into a bridge called eth0.
> So you need to use the bridge called "eth0" in your PV scripts.

Hi Samuel,

With libvirt, my PV can access the outside network now. But it is something like a NAT network; outside hosts cannot access the PV.

Now I am trying to use the Xen bridge to configure my PV's network. As you say, the bridge here is "eth0", not "xenbr0". So in the PV configuration file, the net interface is

    vif = ['bridge=eth0']

After the PV (Ubuntu) reboots, I set its IP as 192.168.1.186. I can "ping" other hosts that are in the same Ethernet as the PV (192.168) successfully from Ubuntu. However, I cannot access my Ubuntu from hosts in the Ethernet "192.168". And my Ubuntu also cannot "ping" the outside network, such as "61.135.169.105". I think maybe some configuration is not correct, but I cannot find it. The following data may be useful to find the reason.

Ping the outside internet from the PV Ubuntu (192.168.1.186):

    root@ubuntu:~# ping 61.135.169.105
    connect: Network is unreachable

Ping the PV Ubuntu (192.168.1.186) from a host (192.168.1.215) in the same Ethernet. My Dom0's IP is 192.168.1.129.

    [root@localhost ~]# ping 192.168.1.186
    PING 192.168.1.186 (192.168.1.186) 56(84) bytes of data.
    From 192.168.1.129 icmp_seq=1 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=2 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=3 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=4 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=5 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=6 Destination Host Prohibited
    From 192.168.1.129 icmp_seq=7 Destination Host Prohibited

    --- 192.168.1.186 ping statistics ---
    7 packets transmitted, 0 received, +7 errors, 100% packet loss, time 5995ms

The data tcpdump caught is as follows.

    [root@localhost ~]# tcpdump -i eth0 -nn host 192.168.1.186
    tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
    listening on eth0, link-type EN10MB (Ethernet), capture size 96 bytes
    21:03:46.478403 arp who-has 192.168.1.186 tell 192.168.1.215
    21:03:46.478452 arp reply 192.168.1.186 is-at 00:21:9b:67:fb:b5
    21:03:46.479022 IP 192.168.1.215 > 192.168.1.186: ICMP echo request, id 20242, seq 1, length 64
    21:03:47.471539 IP 192.168.1.215 > 192.168.1.186: ICMP echo request, id 20242, seq 2, length 64
    21:03:48.470562 IP 192.168.1.215 > 192.168.1.186: ICMP echo request, id 20242, seq 3, length 64
    21:03:49.469642 IP 192.168.1.215 > 192.168.1.186: ICMP echo request, id 20242, seq 4, length 64
    21:03:50.468594 IP 192.168.1.215 > 192.168.1.186: ICMP echo request, id 20242, seq 5, length 64
    21:03:51.468415 IP 192.168.1.215 > 192.168.1.186: ICMP echo request, id 20242, seq 6, length 64
    21:03:52.468643 IP 192.168.1.215 > 192.168.1.186: ICMP echo request, id 20242, seq 7, length 64

My dom0 iptables:

    [root@localhost test1]# iptables -L
    Chain INPUT (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:domain
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:domain
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:bootps
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:bootps
    RH-Firewall-1-INPUT  all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif7.1
    ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif7.1 udp spt:bootpc dpt:bootps
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif7.1
    ACCEPT     all  --  localhost            anywhere            PHYSDEV match --physdev-in vif7.1
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED PHYSDEV match --physdev-out vif7.0
    ACCEPT     all  --  anywhere             anywhere            PHYSDEV match --physdev-in vif7.0
    ACCEPT     all  --  anywhere             localhost/24        state RELATED,ESTABLISHED
    ACCEPT     all  --  localhost/24         anywhere
    ACCEPT     all  --  anywhere             anywhere
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-port-unreachable
    REJECT     all  --  anywhere             anywhere            reject-with icmp-host-prohibited

    Chain OUTPUT (policy ACCEPT)
    target     prot opt source               destination

    Chain RH-Firewall-1-INPUT (1 references)
    target     prot opt source               destination
    ACCEPT     all  --  anywhere             anywhere
    ACCEPT     icmp --  anywhere             anywhere            icmp any
    ACCEPT     esp  --  anywhere             anywhere
    ACCEPT     ah   --  anywhere             anywhere
    ACCEPT     udp  --  anywhere             224.0.0.251         udp dpt:mdns
    ACCEPT     udp  --  anywhere             anywhere            udp dpt:ipp
    ACCEPT     tcp  --  anywhere             anywhere            tcp dpt:ipp
    ACCEPT     all  --  anywhere             anywhere            state RELATED,ESTABLISHED
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ftp
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:nfs
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:ssh
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:telnet
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:http
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:https
    ACCEPT     tcp  --  anywhere             anywhere            state NEW tcp dpt:smtp

My bridge info:

    [root@localhost test1]# brctl show
    bridge name     bridge id               STP enabled     interfaces
    eth0            8000.0024e839fa54       no              peth0
                                                            vif7.0
                                                            vif7.1
    virbr0          8000.000000000000       no

My network interfaces:

    [root@localhost test1]# ifconfig
    eth0      Link encap:Ethernet  HWaddr 00:24:E8:39:FA:54
              inet addr:192.168.1.129  Bcast:192.168.1.255  Mask:255.255.255.0
              inet6 addr: fe80::224:e8ff:fe39:fa54/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:138634 errors:0 dropped:0 overruns:0 frame:0
              TX packets:31385 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:29362891 (28.0 MiB)  TX bytes:5957728 (5.6 MiB)

    lo        Link encap:Local Loopback
              inet addr:127.0.0.1  Mask:255.0.0.0
              inet6 addr: ::1/128 Scope:Host
              UP LOOPBACK RUNNING  MTU:16436  Metric:1
              RX packets:1915 errors:0 dropped:0 overruns:0 frame:0
              TX packets:1915 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:3136132 (2.9 MiB)  TX bytes:3136132 (2.9 MiB)

    peth0     Link encap:Ethernet  HWaddr 00:24:E8:39:FA:54
              inet6 addr: fe80::224:e8ff:fe39:fa54/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:144620 errors:0 dropped:0 overruns:0 frame:0
              TX packets:31686 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:100
              RX bytes:31634537 (30.1 MiB)  TX bytes:6025862 (5.7 MiB)
              Memory:fe6e0000-fe700000

    vif7.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
              inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:64 errors:0 dropped:0 overruns:0 frame:0
              TX packets:17333 errors:0 dropped:28 overruns:0 carrier:0
              collisions:0 txqueuelen:32
              RX bytes:16284 (15.9 KiB)  TX bytes:1075564 (1.0 MiB)

    vif7.1    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
              inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:43 errors:0 dropped:17360 overruns:0 carrier:0
              collisions:0 txqueuelen:32
              RX bytes:0 (0.0 b)  TX bytes:8116 (7.9 KiB)

    virbr0    Link encap:Ethernet  HWaddr 00:00:00:00:00:00
              inet addr:192.168.122.1  Bcast:192.168.122.255  Mask:255.255.255.0
              inet6 addr: fe80::200:ff:fe00:0/64 Scope:Link
              UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
              RX packets:0 errors:0 dropped:0 overruns:0 frame:0
              TX packets:37 errors:0 dropped:0 overruns:0 carrier:0
              collisions:0 txqueuelen:0
              RX bytes:0 (0.0 b)  TX bytes:5621 (5.4 KiB)

Any advice from you is appreciated.
Thank you very much!

Bei Guan

> Samuel
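As an added example (not code from this thread), a small evaluator for the Dom0 FORWARD chain that explains the last listing's symptoms: the PV behind vif7.0 can ping the LAN, but a new connection from the LAN to the PV falls through to the final `REJECT --reject-with icmp-host-prohibited`, which is what the pinging host sees as "Destination Host Prohibited" from 192.168.1.129. The rules are a constructed `iptables -S`-style rendering of the thread's `iptables -L` output and /etc/sysconfig/iptables; it assumes bridge-nf-call-iptables is enabled (so frames bridged between peth0 and vif7.0 traverse FORWARD with the bridge eth0 as both -i and -o and the ports visible only to the physdev match), and the `-i/-o virbr0` matches on libvirt's rules are assumed because `iptables -L` without -v does not print interface matches.

```python
import ipaddress
import shlex

# Constructed `iptables -S FORWARD` listing. The vif7.0 physdev rules and the
# icmp-host-prohibited REJECT come from the thread's `iptables -L` output and
# /etc/sysconfig/iptables; the `-i/-o virbr0` matches on libvirt's rules are
# assumed, because `iptables -L` without -v does not print interface matches.
FORWARD_RULES = """\
-A FORWARD -m physdev --physdev-out vif7.0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -m physdev --physdev-in vif7.0 -j ACCEPT
-A FORWARD -d 192.168.122.0/24 -o virbr0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -s 192.168.122.0/24 -i virbr0 -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -j ACCEPT
-A FORWARD -o virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -i virbr0 -j REJECT --reject-with icmp-port-unreachable
-A FORWARD -j REJECT --reject-with icmp-host-prohibited
"""
FORWARD_POLICY = "ACCEPT"

# iptables option -> the packet field it is compared against.
OPTIONS = {
    "-i": "in", "-o": "out", "-p": "proto", "-s": "src", "-d": "dst",
    "--physdev-in": "physdev_in", "--physdev-out": "physdev_out",
    "--state": "state",
}


def parse_rule(line):
    """Turn one `-A FORWARD ...` line into {'match': {...}, 'target', 'reject_with'}."""
    toks = shlex.split(line)
    rule = {"match": {}, "target": None, "reject_with": None}
    i = 0
    while i < len(toks):
        tok = toks[i]
        if tok in ("-A", "-m"):           # chain name / match module name: nothing to test
            i += 2
        elif tok in OPTIONS:
            rule["match"][OPTIONS[tok]] = toks[i + 1]
            i += 2
        elif tok == "-j":
            rule["target"] = toks[i + 1]
            i += 2
        elif tok == "--reject-with":
            rule["reject_with"] = toks[i + 1]
            i += 2
        else:
            raise ValueError(f"unsupported token {tok!r} in {line!r}")
    return rule


def parse_chain(text):
    return [parse_rule(l) for l in text.splitlines() if l.strip()]


def rule_matches(rule, pkt):
    """Every match in the rule must hold; an absent packet field never matches."""
    for field, want in rule["match"].items():
        have = pkt.get(field)
        if field in ("src", "dst"):
            if ipaddress.ip_address(have) not in ipaddress.ip_network(want, strict=False):
                return False
        elif field == "state":
            if have not in want.split(","):
                return False
        elif have != want:
            return False
    return True


def forward_verdict(rules, pkt, policy=FORWARD_POLICY):
    """Walk the chain in order; the first matching rule decides, else the policy.
    Returns (verdict, 1-based rule number or None)."""
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            if rule["target"] == "REJECT":
                return f"REJECT {rule['reject_with']}", n
            return rule["target"], n
    return policy, None


def bridged(physdev_in, physdev_out, src, dst, proto, state):
    """A frame the Xen bridge eth0 forwards between two of its ports. With
    bridge-nf-call-iptables=1 it traverses FORWARD with -i/-o both the bridge;
    the real ports are visible only to the physdev match."""
    return {"in": "eth0", "out": "eth0", "physdev_in": physdev_in,
            "physdev_out": physdev_out, "src": src, "dst": dst,
            "proto": proto, "state": state}


RULES = parse_chain(FORWARD_RULES)

# The thread's final setup: PV 192.168.1.186 behind vif7.0 on bridge eth0,
# LAN host 192.168.1.215 reached through the physical port peth0.
PV_PINGS_LAN = bridged("vif7.0", "peth0", "192.168.1.186", "192.168.1.215", "icmp", "NEW")
LAN_REPLY = bridged("peth0", "vif7.0", "192.168.1.215", "192.168.1.186", "icmp", "ESTABLISHED")
LAN_PINGS_PV = bridged("peth0", "vif7.0", "192.168.1.215", "192.168.1.186", "icmp", "NEW")
# The earlier setup: PV 192.168.122.187 on libvirt's NATed virbr0 going out.
NAT_PV_OUT = {"in": "virbr0", "out": "eth0", "src": "192.168.122.187",
              "dst": "61.135.169.125", "proto": "tcp", "state": "NEW"}

if __name__ == "__main__":
    for name, pkt in (("PV -> LAN (new)", PV_PINGS_LAN), ("LAN -> PV (reply)", LAN_REPLY),
                      ("LAN -> PV (new)", LAN_PINGS_PV), ("NAT PV -> internet", NAT_PV_OUT)):
        verdict, n = forward_verdict(RULES, pkt)
        print(f"{name:20s} rule {n}: {verdict}")
```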