Michele Castigliego
2008-Apr-25 12:48 UTC
[Xen-users] network-nat with qemu-dm not working
Hello, please take a coffee (or beer) and read this, I'm having troubles here..

I'm using the following system:

Debian etch 4.0-r3
xen-hypervisor-3.2-1-i386 (The same happens with 3.0)
linux-image-2.6.18-6-xen-vserver-686

Dom0 is a machine with two network interfaces:

eth0 connected to Internet
eth1 connected to local network

On this system I run DNS and DHCP for the local network and I've set the NAT for the Internet navigation. A simplified set of iptables rules is shown:

### iptables -L ###
Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

### iptables -t nat -L ###
Chain PREROUTING (policy ACCEPT)
target     prot opt source               destination

Chain POSTROUTING (policy ACCEPT)
target     prot opt source               destination
SNAT       0    --  192.168.0.0/24       anywhere            to:192.168.1.254
SNAT       0    --  10.0.0.0/16          anywhere            to:192.168.1.254

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination

I would like to use my Dom0 as the firewall for the local network and DomUs, and access DomUs machine from the local network.

I've setup this xend-config.sxp:

(network-script network-dummy)
(network-script 'network-nat netdev=eth1')
(vif-script 'vif-nat dhcp=yes')
(dom0-min-mem 512)
(dom0-cpus 0)
(vnc-listen '0.0.0.0')

## DomU xen-etch.cfg from an example:

kernel = '/boot/vmlinuz-2.6.18-6-xen-vserver-686'
ramdisk = '/boot/initrd.img-2.6.18-6-xen-vserver-686'
memory = '512'
root = '/dev/sda1 ro'
disk = [ 'file:/home/xen/domains/xen-etch/disk.img,sda1,w','file:/home/xen/domains/xen-etch/swap.img,sda2,w' ]
name = 'xen-etch'
dhcp = 'dhcp'
vif = [ '' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'restart'

## DomU win.cfg from an example:

kernel = '/usr/lib/xen-3.2-1/boot/hvmloader'
builder = 'hvm'
memory = '512'
device_model='/usr/lib/xen-3.2-1/bin/qemu-dm'
disk=[ 'file:/root/win_vm.img,ioemu:hda,w','file:/root/WINXP.iso,ioemu:hdc:cdrom,r' ]
name = 'win01'
vif = ['type=ioemu, vifname=wif_win']
dhcp = 'dhcp'
usbdevice="tablet"
boot='d'
vnc=1
vncviewer=1
vncunused=0
sdl=0

I've commented out qemu-ifup because of NAT:

#ifconfig $1 0.0.0.0 up
#brctl addif $2 $1

After DomUs starting this is my iptables -L shown:

Chain INPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

Chain FORWARD (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW
ACCEPT     0    --  10.0.0.0/16          anywhere            PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps
ACCEPT     0    --  10.0.0.0/16          anywhere            PHYSDEV match --physdev-in wif_win
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in wif_win udp spt:bootpc dpt:bootps

Chain OUTPUT (policy DROP)
target     prot opt source               destination
ACCEPT     0    --  anywhere             anywhere            state RELATED,ESTABLISHED
ACCEPT     0    --  anywhere             anywhere            state NEW

my iptables -t nat -L is the same as previous.

Finally this is my ifconfig:

eth0      Link encap:Ethernet  HWaddr 00:1D:92:3D:XX:XX
          inet addr:192.168.1.254  Bcast:192.168.1.255  Mask:255.255.255.0
          inet6 addr: fe80::21d:92ff:fe3d:c74b/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:1484885 errors:0 dropped:0 overruns:0 frame:0
          TX packets:2058483 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:412365010 (393.2 MiB)  TX bytes:1104053767 (1.0 GiB)
          Interrupt:17 Base address:0x6000

eth1      Link encap:Ethernet  HWaddr 00:0D:88:CD:XX:XX
          inet addr:192.168.0.1  Bcast:192.168.0.255  Mask:255.255.255.0
          inet6 addr: fe80::20d:88ff:fecd:6634/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:2033285 errors:0 dropped:0 overruns:0 frame:0
          TX packets:1459103 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000
          RX bytes:1098654659 (1.0 GiB)  TX bytes:412892888 (393.7 MiB)
          Interrupt:16 Base address:0xec00

lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:16436  Metric:1
          RX packets:9321 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9321 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:1387261 (1.3 MiB)  TX bytes:1387261 (1.3 MiB)

vif8.0    Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:10.0.8.128  Bcast:0.0.0.0  Mask:255.255.255.255
          inet6 addr: fe80::fcff:ffff:feff:ffff/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:44 errors:0 dropped:0 overruns:0 frame:0
          TX packets:17 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:8384 (8.1 KiB)  TX bytes:3200 (3.1 KiB)

wif_win   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          inet addr:10.0.9.128  Bcast:0.0.0.0  Mask:255.255.255.255
          UP BROADCAST MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0
          RX bytes:0 (0.0 b)  TX bytes:0 (0.0 b)

# ROUTE output:

Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.0.10.1       0.0.0.0         255.255.255.255 UH    0      0        0 wif_win
10.0.8.1        0.0.0.0         255.255.255.255 UH    0      0        0 vif8.0
192.168.1.0     0.0.0.0         255.255.255.0   U     0      0        0 eth0
192.168.0.0     0.0.0.0         255.255.255.0   U     0      0        0 eth1
0.0.0.0         192.168.1.1     0.0.0.0         UG    0      0        0 eth0

NOW, my DomU etch is working well, I can access Internet and machine on the local network without problems.

The DomU win is up with a network card but is unable to gain access to Dom0. I think Xen is doing the correct working by inserting correct rules and correct host declaration in dhcpd.conf.

The only thing I've noticed is with a ps auxwwwwwwwwww:

root 11492 3.7 0.3 26040 3592 ? Sl 14:40 0:00 /usr/lib/xen-3.2-1/bin/qemu-dm -d 10 -domain-name win01 -vnc 0.0.0.0:0 -vcpus 1 -boot d -acpi -usbdevice tablet -net nic,vlan=1,macaddr=00:16:3e:2a:f3:ea,model=rtl8139 -net tap,vlan=1,bridge=xenbr0 -M xenfv

I see xen passed a bridge... but I've commented it out from win.cfg.. It's not strange? Is this a bug?

Someone else have my same configuration working?

Thanks,
Michele

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
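
A check for the mismatch the message ends on, as an added example that is not part of the original post: it compares the network-script entries in xend-config.sxp with the bridge= value on the qemu-dm command line and with the interfaces that are present. The function names are hypothetical; the sample inputs are copied from the post.

```shell
#!/bin/sh
# Added example (not from the post): compare xend's network mode with the
# bridge qemu-dm was started with. Sample inputs are copied from the post.

SAMPLE_SXP="(network-script network-dummy)
(network-script 'network-nat netdev=eth1')
(vif-script 'vif-nat dhcp=yes')"
SAMPLE_CMD="/usr/lib/xen-3.2-1/bin/qemu-dm -d 10 -domain-name win01 -vnc 0.0.0.0:0 -vcpus 1 -boot d -acpi -usbdevice tablet -net nic,vlan=1,macaddr=00:16:3e:2a:f3:ea,model=rtl8139 -net tap,vlan=1,bridge=xenbr0 -M xenfv"
SAMPLE_IFACES="eth0 eth1 lo vif8.0 wif_win"   # on a live Dom0: ls /sys/class/net

# Print every uncommented network-script name found in xend-config.sxp text.
xend_network_scripts() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*(network-script[[:space:]]*'\{0,1\}\([A-Za-z0-9_-]*\).*/\1/p"
}

# Print the bridge= value from qemu-dm's "-net tap,..." argument, if present.
qemu_tap_bridge() {
    printf '%s\n' "$1" | sed -n 's/.*-net tap,[^ ]*bridge=\([^, ]*\).*/\1/p'
}

# check_hvm_net SXP_TEXT QEMU_CMDLINE "IFACE IFACE ..."
# Prints one finding per line; returns 1 if anything was found, else 0.
check_hvm_net() {
    chn_bridge=$(qemu_tap_bridge "$2")
    chn_found=0
    if [ -z "$chn_bridge" ]; then
        echo "ok: qemu-dm was not given a bridge"
        return 0
    fi
    # NAT mode selected in xend, yet the device model was told to use a bridge.
    if xend_network_scripts "$1" | grep -qx 'network-nat'; then
        echo "nat-but-bridged: xend uses network-nat, qemu-dm got bridge=$chn_bridge"
        chn_found=1
    fi
    # The named bridge must exist for the tap device to be attached to it.
    case " $3 " in
        *" $chn_bridge "*) ;;
        *) echo "no-such-bridge: $chn_bridge is not a present interface"
           chn_found=1 ;;
    esac
    [ "$chn_found" -eq 0 ] && echo "ok: bridge=$chn_bridge exists"
    return "$chn_found"
}

check_hvm_net "$SAMPLE_SXP" "$SAMPLE_CMD" "$SAMPLE_IFACES" || true
```

On a running Dom0 the three arguments would come from the contents of xend-config.sxp, the qemu-dm line in `ps` output, and the interface list.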