Forwarding, ARP proxy, Lenny, XEN & route.
Hello,
After a dom0 upgrade to lenny I can no longer reach my Debian-based
domU from another site (except from dom0), nor reach another
site (except dom0) from the domU.
Both dom0 and domU have public IP addresses (x.x.y.38 and x.x.z.148) and I
use Xen routing mode.
An overview:
#
# The dom0 :
#
A Lenny recently upgraded from etch.
Linux B 2.6.26-1-xen-amd64 #1 SMP Sat Jan 10 20:39:26 UTC 2009 x86_64
GNU/Linux
# dpkg -l xen :
libxenstore3.0
linux-image-2.6.26-1-xen-amd64
linux-modules-2.6.26-1-xen-amd64
xen-hypervisor-3.2-1-amd64
xen-linux-system-2.6.26-1-xen-amd64
xen-shell
xen-tools
xen-utils-3.2-1
xen-utils-common
xenstore-utils
xenwatch
# The primary network interface
iface eth0 inet static
address x.x.y.38
netmask 255.255.255.0
network x.x.y.0
broadcast x.x.y.255
gateway x.x.y.1
# grep -v # /etc/xen/xend-config.sxp | cat -s
(network-script 'network-route netdev=eth0')
(vif-script vif-route)
(dom0-min-mem 520)
# route -n
x.x.z.148 0.0.0.0 255.255.255.255 UH 0 0 0 vif1.0
x.x.y.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0
0.0.0.0 x.x.y.1 0.0.0.0 UG 0 0 0 eth0
# sysctl -a
net.ipv4.conf.eth0.proxy_arp = 1
net.ipv4.conf.vif1/0.proxy_arp = 1
# iptables -L (the nat table is empty)
Chain INPUT (policy ACCEPT) empty
Chain OUTPUT (policy ACCEPT) empty
Chain FORWARD (policy ACCEPT)
target prot opt source destination
ACCEPT all -- x.x.z.148 anywhere PHYSDEV match --physdev-in vif1.0
ACCEPT udp -- anywhere anywhere PHYSDEV match --physdev-in vif1.0 udp spt:bootpc dpt:bootps
# xm list
Name ID Mem VCPUs State Time(s)
Domain-0 0 256 1 r----- 24.7
C 1 1408 1 -b---- 11.9
#
# The domU: an etch
#
kernel = '/boot/vmlinuz-2.6.18-6-xen-amd64'
disk = [ 'phy:vg00/www-disk,sda1,w', 'phy:vg00/www-swap,sda2,w' ]
name = 'C'
vif = [ 'mac=00:16:3e:52:6a:df, ip=x.x.z.148' ]
netmask = "255.255.255.0"
gateway = "x.x.y.38"
# The primary network interface
auto eth0
iface eth0 inet static
address x.x.z.148
netmask 255.255.255.255
up route add -host x.x.y.38 dev eth0
up route add -net 0.0.0.0 netmask 0.0.0.0 gw x.x.y.38 dev eth0
down route del -net 0.0.0.0 netmask 0.0.0.0 gw x.x.y.38 dev eth0
down route del -host x.x.y.38 dev eth0
#
# Scenario :
#
From dom0: ping domU ok
From domU: ping dom0 ok
I did a ping from a server in another site (server "A") to the domU
"C", which is the virtualised guest running on server "B".
I ran tcpdump on server B and I saw the classic ICMP request & reply
packets. But... the reply never reaches server A. Packets are
apparently dropped by the domU.
It seems that I have forgotten something... but WHAT?
In the "filter" table, the FORWARD chain seems sufficient to me.
Thanks for your time,
J.
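An added diagnostic for the dom0 side of this setup (my own shell script, not from the post or from the Xen project): it reads sysctl -a output and checks the three kernel switches a network-route/vif-route configuration relies on. The sysctl lines quoted above show proxy_arp on both interfaces but not net.ipv4.ip_forward, and routed mode needs that too: proxy ARP only makes dom0 answer ARP for the domU's address, while forwarding is what actually moves packets between eth0 and vif1.0. The interface names vif1.0 and eth0 are taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post: audit the dom0 kernel
# settings a Xen routed (network-route / vif-route) setup depends on.
# Usage on a live dom0:   sysctl -a | check_routed_dom0 vif1.0 eth0
# The function reads "key = value" lines in sysctl -a format from stdin,
# so it also works against saved output. Exit status is the number of
# settings that are not 1, so 0 means everything required is on.

check_routed_dom0() {
    vif=$1 netdev=$2
    missing=0
    # sysctl -a prints interface names with '.' replaced by '/':
    # vif1.0 shows up as net.ipv4.conf.vif1/0.proxy_arp (as in the post).
    vif_key=$(printf '%s' "$vif" | tr . /)
    input=$(cat)
    for key in net.ipv4.ip_forward \
               "net.ipv4.conf.$netdev.proxy_arp" \
               "net.ipv4.conf.$vif_key.proxy_arp"; do
        # Pick the value column of the first line whose key matches exactly.
        val=$(printf '%s\n' "$input" | awk -v k="$key" '$1 == k { print $3; exit }')
        if [ "$val" = "1" ]; then
            echo "ok       $key = 1"
        else
            echo "MISSING  $key (is '${val:-unset}', need 1)"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}
```

A MISSING line for net.ipv4.ip_forward with both proxy_arp lines ok is the signature of a dom0 that answers ARP for the guest but silently discards the forwarded traffic.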