Xen users - Oct 2013 - Direct network traffic to Mini-OS domU

Hi,

i''ll try to be as clear as possible even though my bad english.
I''m using Xen release 3.8.0 and Ubuntu 13.04 as dom0.

I created a domU in which Mini-OS (with lwip) is run. I need to direct all
the outbond network traffic to Mini-OS.

I''m using bridge configuration, so dom0 has the following interfaces:

eth0 IP: 10.20.205.233
virbr0: 192.168.122.1
vif1.0

In Mini-OS domain i only have eth0, with 192.168.122.100 as IP and it''s
obviously bounded to the virbr0 bridge (I set in domain_config:
vif=["bridge=virbr0, ip=192.168.122.100).

When a different domU bounded to the same bridge sends packets to Mini-OS,
they reach the destination.
Now i want that every packet that reaches dom0 is redirected to Mini-OS.
I''m trying to use iptables, but i can''t make it work.

Have you got any suggestions? Is bridge configuration the better one in
this case?
Thank you a lot.


_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users

Luca Giacomoni wrote:
> I created a domU in which Mini-OS (with lwip) is run. I need to direct all
the outbond network traffic to Mini-OS.
Are you trying to use this Mini-OS guest as a firewall ?
The easy way to do it is to create two bridges - lets call them brint and brext.

brext will have two attached devices - eth0 of the host, and eth0 of the Mini-OS
guest. The host does not need an IP address in this bridge if you don''t
need to it directly access the outside world.

brint will have an IP address for the host, and eth1 of the Mini-OS guest. You
configure the Mini-OS as a two-port firewall and do all the routing, NAT,
filtering there.
For all your other guests, attach them only to brint, and set their default
gateway to be the internal address of the Mini-OS guest. All their traffic now
goes through the firewall.

As an alternative, instead of setting up brext, you could use PCI-passthrough to
make eth0 of the host directly accessible to the guest. That way, external
traffic doesn''t go through the host at all - apart from the low level
PCIback virtualisation code. This is the setup I ran at home for some time -
it''s now slightly different as I use PPPoE on the firewall virtual
machine.

Thank you Simon, you''ve been very clear. But actually, i wanted all
traffic
been forwarded from dom0 to domu. In my Mini-OS there''s just one
application which counts packets with a particular signature, nothing else.

You mentioned PCI-passthrough which would be usefull, i think. My goal now
is not forwarding all packets from dom0 to domu anymore, but using mini-os
as a sort of sniffer. It should count all packets with a determined
signature (for example: tcp packets port 80) leading to dom0 passing
through phyisical interface eth0.

I was trying to find out if Linux bridge implement a sort of port
mirroring. But even if it does, all vif attached to it have the same mac
address (fe:ff:ff:ff:ff:ff), so i wouldn''t know hot to set it.

Is PCI-passthrough usefull for my intent? How can i realize it?

Thank you again.


2013/10/3 Simon Hobson <linux@thehobsons.co.uk>
> Luca Giacomoni wrote:
> > I created a domU in which Mini-OS (with lwip) is run. I need to direct
> all the outbond network traffic to Mini-OS.
>
> Are you trying to use this Mini-OS guest as a firewall ?
> The easy way to do it is to create two bridges - lets call them brint and
> brext.
>
> brext will have two attached devices - eth0 of the host, and eth0 of the
> Mini-OS guest. The host does not need an IP address in this bridge if you
> don''t need to it directly access the outside world.
>
> brint will have an IP address for the host, and eth1 of the Mini-OS guest.
> You configure the Mini-OS as a two-port firewall and do all the routing,
> NAT, filtering there.
> For all your other guests, attach them only to brint, and set their
> default gateway to be the internal address of the Mini-OS guest. All their
> traffic now goes through the firewall.
>
> As an alternative, instead of setting up brext, you could use
> PCI-passthrough to make eth0 of the host directly accessible to the guest.
> That way, external traffic doesn''t go through the host at all -
apart from
> the low level PCIback virtualisation code. This is the setup I ran at home
> for some time - it''s now slightly different as I use PPPoE on the
firewall
> virtual machine.
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@lists.xen.org
> http://lists.xen.org/xen-users
>

_______________________________________________
Xen-users mailing list
Xen-users@lists.xen.org
http://lists.xen.org/xen-users