Re: [Xen-users] advanced bridging...

[Marc Patino Gómez <mpatino@xxxxxxxxxxxx>]

If you don't have a machine with more than 2 CPU's change the following 
in the domU config files :
cpu=3

for

cpu=0

I have a pretty cool pair of  Intel Xeon 5120 :p

Regards,

Marc


Marc Patino Gómez wrote:
> Hi again,
>
> this is the config of xen in my Debian Etch:
>
> /etc/xen/xend-config
>
> (network-script network-bridge-wrapper)
> (vif-script vif-bridge)
> (dom0-min-mem 196)
> (dom0-cpus 0)
> (vncpasswd '')
> --------------------------------------------------------------------------- 
>
> /etc/xen/scripts/network-bridge-wrapper
>
> /etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
> /usr/sbin/brctl addbr xenbr1
> /sbin/ifconfig xenbr1 up
> ---------------------------------------------------------------------------- 
>
> the domu (Firewall)
>
> /etc/xen/firewall-config.sxp
>
>
> name="firewall"
> kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
> root="/dev/hda1"
> cpu=3
> memory=256
> disk=['file:/xen1/firewall.img,hda1,w']
>
> vif=[ 
> 'mac=00:16:3e:70:21:02,bridge=xenbr0,vifname=firewall.eth0','mac=00:16:3e:70:32:02,bridge=xenbr1,vifname=firewall.eth1' 
> ]
> dhcp="off"
> ip="XX.XX.XX.XX"
> netmask="255.255.255.0"
> gateway="XX.XX.XX.XX"
> hostname="firewall.domain.com"
>
> extra="3"
>
> on_poweroff = 'destroy'
> on_reboot   = 'restart'
> on_crash    = 'restart'
> ------------------------------------------------------------------------------- 
>
> in this domU (the firewall) I have a bridge between eth1 and eth0, you 
> can do in CentOS way (inside the domain) ;)
>
> here is the config file of a domu behind the FW:
>
> /etc/xen/domu-config.sxp
> name="domu"
> kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
> root="/dev/hda1"
> cpu=3
> memory=92
> disk=['file:/xen1/domu.img,hda1,w']
>
> vif=[ 'bridge=xenbrFW , vifname=domu.eth0' ]
> dhcp="off"
> ip="XX.XX.XX.XX"
> netmask="255.255.255.0"
> gateway="XX.XX.XX.XX"
> hostname="domu.domain.com"
>
> extra="3"
>
> on_poweroff = 'destroy'
> on_reboot   = 'restart'
> on_crash    = 'restart'
> ---------------------------------------------------------------------------------------------------- 
>
>
> In the domU (firewall) I have the following iptables config:
> #!/bin/sh
> # /etc/network/if-pre-up.d/iptables-start
>
> iptables=/sbin/iptables
>
> $iptables -F
>
> $iptables -P INPUT ACCEPT
> $iptables -P FORWARD ACCEPT
> $iptables -P OUTPUT ACCEPT
>
> # Logs
> #$iptables -A INPUT -j LOG   --log-prefix="IPTABLES-INPUT: "
> #$iptables -A OUTPUT -j LOG  --log-prefix="IPTABLES-OUTPUT: "
> #$iptables -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: "
>
> $iptables -A INPUT -i lo -j ACCEPT
>
> # Traffic control
> tc qdisc del dev eth0 parent root
> tc qdisc add dev eth0 parent root handle 1:0 htb default 40
> tc class add dev eth0 parent 1:0 classid 1:1 htb rate 10mbit
> tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit
> tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit
> tc class add dev eth0 parent 1:1 classid 1:30 htb rate 2mbit
> tc class add dev eth0 parent 1:1 classid 1:40 htb rate 5mbit
>
> tc qdisc del dev eth1 parent root
> tc qdisc add dev eth1 parent root handle 2:0 htb default 40
> tc class add dev eth1 parent 2:0 classid 2:1 htb rate 10mbit
> tc class add dev eth1 parent 2:1 classid 2:10 htb rate 512kbit
> tc class add dev eth1 parent 2:1 classid 2:20 htb rate 1mbit
> tc class add dev eth1 parent 2:1 classid 2:30 htb rate 2mbit
> tc class add dev eth1 parent 2:1 classid 2:40 htb rate 5mbit
>
> $iptables -t mangle -A POSTROUTING -d XX.XX.XX.XX -j CLASSIFY 
> --set-class 2:20
> $iptables -t mangle -A POSTROUTING -s XX.XX.XX.XX -j CLASSIFY 
> --set-class 1:20
>
> Sustitute XX.XX.XX.XX by your ip 's ;)
>
> There is an issue with the traffic control in one way, the rate is 
> multiplied by 2, I don't know the reason :(, I have tested this tc 
> config with another box without XEN and it works great.
> Don't forget to do this:
>
> echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables
>
> see the post " iptables and state matches (established, related)" in 
> this mail list. You can put it in your sysctl.conf.
> So... that's all (I hope :) ) if you need anything else.... tell me
>
> Regards,
>
> Marc
>
>
> Ronan wrote:
> > Marc
> > thats exactly what i require...
> > any of your config would be really helpful!
> >
> > many thanks in advance!
> >
> > Ronan
> > > Hi Ronan,
> > >
> > > do you want to do something like this (see the image) ?
> > >
> > > After reading a lot of stuff I made a wrapper of network-bridge, 
> > > that I call network-bridge-wrapper, here is it:
> > > #!/bin/sh
> > > /etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
> > > /usr/sbin/brctl addbr xenbr1
> > > /sbin/ifconfig xenbr1 up
> > >
> > > I changed the line in xend-config.sxp that calls, network-bridge to 
> > > call network-bridge-wrapper ...
> > > If you want I can post more info about this config (my domu config 
> > > files, iptables, ebtables....). I'm using Debian, so... I hope 
> > > scripts  in CentOS are so close to Debian.
> > > Regards,
> > >
> > > Marc
> > >
> > >
> > > Ronan wrote:
> > > > My situation:
> > > > Running centos5 on a machine directly connected to internet.
> > > > I have a paravirtualised centos5 core machine in domu1 with only 1 
> > > > eth configured eth0 dy dhcp.
> > > > What I want:
> > > > to configure the dom0 bridge to simply route all traffic at 
> > > > ethernet level to dom1(firewall/router) and have dom1 then nat if 
> > > > out to my other domu's and machines on my private 192.168 network 
> > > > using dhcpd configured on eth1 on the machine.
> > > > My difficulties:
> > > > setting up the dom0 bridging to do what i want ie xenbr0 to eth0 on 
> > > > domu1 and then xenbr1 to eth1 on domu1
> > > > I then intend to remove / lock dom0 down and only use the domu's as 
> > > > dhcp configured servers.
> > > > There are a couple of URLs i've looked at
> > > > http://lists.xensource.com/archives/html/xen-users/2006-02/msg00602.html 
> > > >
> > > > etc but there aren't any specific configuration information.
> > > > Can i get some pointers as to where to look, or even example configs?
> > > >
> > > > thanks
> > > >
> > > > Ronan
> > > >
> > > > (ps if this is the 3rd like message of mine today i apologise, I 
> > > > can tell if the other two messages i send actually did...)
> > > >
> > > > _______________________________________________
> > > > Xen-users mailing list
> > > > Xen-users@xxxxxxxxxxxxxxxxxxx
> > > > http://lists.xensource.com/xen-users
> > >
> > > ------------------------------------------------------------------------ 
> >
> > _______________________________________________
> > Xen-users mailing list
> > Xen-users@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-users
>
> _______________________________________________
> Xen-users mailing list
> Xen-users@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-users

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users