Hi Everyone,

In my HVM guest's config file, I have given my guest 3 interfaces. I have called them fw1, fw2 and fw3. I have joined each interface to a bridge on the Dom0. This does appear when I do a "brctl show". However, there are 3 other interfaces also added called tapx.0, tapx.1 and tapx.2 (where x is the domain ID for the guest). Furthermore, I am only able to run tcpdump on the tap interfaces; if I run tcpdump on the fw1, fw2 or fw3 interfaces, no packets are detected.

This is a major issue when creating my firewall rules, as I wish to filter by interface, and I'm not entirely sure how to script it if the domain ID keeps changing....

What is the point of the fw1-3 interfaces?

Any help is appreciated

Thanks

_______________________________________________
Xen-users mailing list
Xen-users@lists.xensource.com
http://lists.xensource.com/xen-users
On Tue, Jul 27, 2010 at 2:40 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> Hi Everyone,
>
> In my HVM guest's config file, I have given my guest 3 interfaces. I have
> called them fw1, fw2 and fw3. I have joined each interface to a bridge on
> the Dom0. This does appear when I do a "brctl show". However, there are 3
> other interfaces also added called tapx.0, tapx.1 and tapx.2 (where x is the
> domain ID for the guest). Furthermore, I am only able to run tcpdump on the
> tap interfaces; if I run tcpdump on the fw1, fw2 or fw3 interfaces, no
> packets are detected.

tap interfaces -> qemu-emulated NICs (realtek model by default), used when no PV drivers are installed (using the OS' own driver for that model)

vif interfaces (the ones that you can rename) -> xen network frontend NICs, used when you have PV drivers installed (like GPLPV, http://meadowcourt.org/downloads/)

--
Fajar
________________________________
From: Fajar A. Nugraha [mailto:fajar@fajar.net]
Sent: Tue 27/07/2010 08:58
To: Jonathan Tripathy
Cc: Xen-users@lists.xensource.com
Subject: Re: [Xen-users] HVM Network Interfaces

> tap interfaces -> qemu-emulated NICs (realtek model by default), used when no PV drivers are installed (using the OS' own driver for that model)
>
> vif interfaces (the ones that you can rename) -> xen network frontend NICs, used when you have PV drivers installed (like GPLPV, http://meadowcourt.org/downloads/)

--------------------------------------------------------------------------------------------------------------

Hi Fajar,

What is the point of Xen showing the vif interfaces then for HVM guests? Is there any way to fix the name of the tap interfaces? There are some iptables rules that I need to script when starting PV guests, but they need to know the HVM guest's tap name.

BTW, my HVM guest is a FreeBSD firewall, so GPLPV isn't an option :(

Thanks
On Tue, Jul 27, 2010 at 3:14 PM, Jonathan Tripathy <jonnyt@abpni.co.uk> wrote:
> What is the point of Xen showing the vif interfaces then for HVM guests?

Because that's the interface that will be used if your HVM domU has PV drivers

> Is there any way to fix the name of the tap interfaces?

Not that I know of.

> There are some iptables rules that I need to script when starting PV guests, but they need to know the HVM guest's tap name.
>
> BTW, my HVM guest is a FreeBSD firewall, so GPLPV isn't an option :(

You might be able to convert it to a PV guest. From Google:
http://forums.freebsd.org/showthread.php?t=10268
http://wiki.freebsd.org/FreeBSD/Xen

--
Fajar
________________________________
From: Fajar A. Nugraha [mailto:fajar@fajar.net]
Sent: Tue 27/07/2010 09:51
To: Jonathan Tripathy
Cc: Xen-users@lists.xensource.com
Subject: Re: [Xen-users] HVM Network Interfaces

> > Is there any way to fix the name of the tap interfaces?
>
> Not that I know of.
>
> You might be able to convert it to a PV guest. From Google:
> http://forums.freebsd.org/showthread.php?t=10268
> http://wiki.freebsd.org/FreeBSD/Xen

-----------------------------------------------------------------------------------------------------------

I guess when using iptables --physdev, I could use a regular expression to say that the output interface starts with tap* - I guess that would work?

There is no way for traffic to "jump" bridges in the Dom0, is there (assuming no iptables rules)?

Thanks
On 27/07/10 11:49, Jonathan Tripathy wrote:
> > Is there any way to fix the name of the tap interfaces?
>
> Not that I know of.
>
> > There are some iptables rules that I need to script when starting PV
> > guests, but they need to know the HVM guest's tap name.

Is there any way to create iptables rules upon HVM boot then (with rules matching by tap interface)?
Hi Jonathan,

You can correct that with the qemu vif script. It is located in /etc/xen/scripts/qemu-ifup for newer XEN versions (don't know about older ones, but it should exist there, too) and controls the setup of the tapX.X device. You can put your network setup code in that script, too, and both interfaces will be set up with your bridge / routing / whatever scenario. Note that I did not find a way to change the qemu-ifdown script, but you could add code to the xen vif script that also brings down the tap device (if necessary).

It is possible to rename the tap device to the vif's name after renaming the vif to something else, but there are only rare cases where this is necessary.

In server environments or for Windows Server domUs, I would also recommend the pv_ops drivers, because they are really faster than emulated network devices (same for disks, btw).

Regards,
Felix

On 27.07.2010 19:33, Jonathan Tripathy wrote:
> Is there any way to create iptables rules upon HVM boot then (with
> rules matching by tap interface)?
Hi Felix,

Good to hear from you.

I'm using Xen 3.4.2, and I don't seem to have the qemu-ifup script. Is there another script that is used? The tap device must be getting set up from somewhere...

Many Thanks

Jonathan

On 27/07/10 21:23, Felix Kuperjans wrote:
> You can correct that with the qemu vif script. It is located in
> /etc/xen/scripts/qemu-ifup for newer XEN versions (don't know about
> older ones, but it should exist there, too) and controls the setup of
> the tapX.X device.
Hmm, ok, I found a file called qemu-ifup in /etc/xen/

    #!/bin/sh

    #. /etc/rc.d/init.d/functions
    #ulimit -c unlimited

    echo 'config qemu network with xen bridge for ' $*

    bridge=$2

    #
    # Old style bridge setup with netloop, used to have a bridge name
    # of xenbrX, enslaving pethX and vif0.X, and then configuring
    # eth0.
    #
    # New style bridge setup does not use netloop, so the bridge name
    # is ethX and the physical device is enslaved pethX
    #
    # So if...
    #
    # - User asks for xenbrX
    # - AND xenbrX doesn't exist
    # - AND there is a ethX device which is a bridge
    #
    # ..then we translate xenbrX to ethX
    #
    # This lets old config files work without modification
    #
    if [ ! -e "/sys/class/net/$bridge" ] && [ -z "${bridge##xenbr*}" ]
    then
        if [ -e "/sys/class/net/eth${bridge#xenbr}/bridge" ]
        then
            bridge="eth${bridge#xenbr}"
        fi
    fi

    ifconfig $1 0.0.0.0 up
    brctl addif $bridge $1 || true

Not sure what to do with it though. Is this the correct script?

Thanks

On 27/07/10 23:44, Jonathan Tripathy wrote:
> I'm using Xen 3.4.2, and I don't seem to have the qemu-ifup script. Is
> there another script that is used? The tap device must be getting set
> up from somewhere...
It seems to be the correct one; it looks quite similar to the script in XEN 4.0 (and it is called qemu-ifup, as it also is in KVM or plain QEMU). It seems that it has been moved in XEN 4.0, but it should work the same way.

On 28.07.2010 00:47, Jonathan Tripathy wrote:
> Hmm, ok, I found a file called qemu-ifup in /etc/xen/
>
> [...]
>
> Not sure what to do with it though. Is this the correct script?
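Putting Felix's suggestion into practice, here is an added example (not the qemu-ifup from the thread or from Xen itself) of a qemu-ifup-style hook for /etc/xen. qemu calls the script as "qemu-ifup <tap> <bridge>", so at that moment the tapX.Y name of the new domain is known and the rules can be keyed on the exact device rather than a wildcard (if a wildcard is wanted, iptables spells it tap+, not tap*). The hook brings the tap up, adds it to the bridge, creates a per-tap chain and jumps to it from FORWARD via --physdev-in / --physdev-out, and warns when bridge-nf-call-iptables is off, because bridged frames never reach iptables in that case and the interface filter silently does not apply. The chain name XEN_<tap>, the run/DRY_RUN helper and the assumption that ip, brctl and an iptables with the physdev match are present are mine, not from the thread.

```shell
#!/bin/sh
# Added example, not the qemu-ifup shipped with Xen: a qemu-ifup-style hook.
# qemu invokes it as: qemu-ifup <tap> <bridge>. Set DRY_RUN=1 to print the
# commands instead of executing them (no root needed to see what it does).
# Assumes ip, brctl and an iptables with the physdev match (assumption).

# Run a command, or print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Accept only a sane Linux interface name: 1-15 chars, no '/' or blanks.
valid_ifname() {
    case "$1" in ''|*/*|*[[:space:]]*) return 1 ;; esac
    [ "${#1}" -le 15 ]
}

# tapX.Y -> X, the domain ID the tap belongs to; fails for non-tap names.
tap_domid() {
    case "$1" in tap*.*) ;; *) return 1 ;; esac
    _id=${1#tap}; _id=${_id%%.*}
    case "$_id" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$_id"
}

# tapX.Y -> Y, the position of the NIC in the guest's vif list.
tap_vifidx() {
    case "$1" in tap*.*) ;; *) return 1 ;; esac
    _idx=${1##*.}
    case "$_idx" in ''|*[!0-9]*) return 1 ;; esac
    printf '%s\n' "$_idx"
}

# Chain holding the per-interface policy for one tap, e.g. XEN_tap5_0
# (chain name convention chosen for this example).
tap_chain() { printf 'XEN_%s\n' "$(printf '%s' "$1" | tr . _)"; }

# Install the per-tap chain and hook it into FORWARD for frames entering
# and leaving the bridge through this tap. --physdev-is-bridged restricts
# the match to bridged traffic, which is what the tap carries.
tap_rules() {
    _c=$(tap_chain "$1")
    # -N fails if the chain survived an earlier run with this domain ID;
    # flush it then so stale policy is not kept.
    run iptables -N "$_c" 2>/dev/null || run iptables -F "$_c"
    run iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-in "$1" -j "$_c"
    run iptables -I FORWARD -m physdev --physdev-is-bridged --physdev-out "$1" -j "$_c"
}

# Bridged frames only reach iptables when this sysctl is 1; without it the
# physdev rules above never match and the guest traffic is unfiltered.
bridge_nf_enabled() {
    [ -r /proc/sys/net/bridge/bridge-nf-call-iptables ] &&
        [ "$(cat /proc/sys/net/bridge/bridge-nf-call-iptables)" = 1 ]
}

setup_tap() {
    tap=$1; bridge=$2
    valid_ifname "$tap" && valid_ifname "$bridge" || {
        echo "qemu-ifup: bad interface name '$tap' / '$bridge'" >&2; return 1; }
    if ! bridge_nf_enabled; then
        echo "qemu-ifup: warning: bridge-nf-call-iptables is off, physdev rules will not match" >&2
    fi
    run ip link set dev "$tap" up
    run brctl addif "$bridge" "$tap"
    tap_rules "$tap"
    echo "qemu-ifup: $tap (domain $(tap_domid "$tap"), vif $(tap_vifidx "$tap")) on $bridge"
}

# Only act when qemu actually passes the two arguments.
if [ $# -ge 2 ]; then
    setup_tap "$1" "$2"
fi
```

The per-interface policy itself (what fw1, fw2 and fw3 may forward) goes into the XEN_tapX_Y chain, so the rules no longer need to know the domain ID in advance; tap_domid and tap_vifidx recover it from the name if a rule set needs to map vif index Y back to fw1, fw2 or fw3. Removing the jumps when the domain stops belongs in the ifdown side, which, as Felix notes, qemu does not give a hook for in this version.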