
Re: [Xen-users] advanced bridging...



OK, I now have a domU with 2 (apparent) ethernet interfaces, which is a
good start.
How do I now get all ethernet frames to be passed to eth0 on my firewall
domU?
I then will be setting the firewall up with a caching DNS, NAT, and
dhcp on its eth1 to serve all the rest of my domU's using private 192.168.

Question though, how should I configure an IP for use by dom0?

Thanks
R

Marc Patino Gómez wrote:
Hi again,

this is the config of xen in my Debian Etch:

/etc/xen/xend-config

(network-script network-bridge-wrapper)
(vif-script vif-bridge)
(dom0-min-mem 196)
(dom0-cpus 0)
(vncpasswd '')
---------------------------------------------------------------------------

/etc/xen/scripts/network-bridge-wrapper

#!/bin/sh
# set up the normal Xen bridge for the public side, then a second, unattached bridge for the private side
/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up
----------------------------------------------------------------------------

the domu (Firewall)

/etc/xen/firewall-config.sxp


name="firewall"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=256
disk=['file:/xen1/firewall.img,hda1,w']

vif=[ 'mac=00:16:3e:70:21:02,bridge=xenbr0,vifname=firewall.eth0','mac=00:16:3e:70:32:02,bridge=xenbr1,vifname=firewall.eth1' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="firewall.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'
-------------------------------------------------------------------------------

In this domU (the firewall) I have a bridge between eth1 and eth0; you can do it the CentOS way (inside the domain) ;)


here is the config file of a domu behind the FW:

/etc/xen/domu-config.sxp
name="domu"
kernel="/boot/vmlinuz-2.6.16.33-xenU-x86_64"
root="/dev/hda1"
cpu=3
memory=92
disk=['file:/xen1/domu.img,hda1,w']

vif=[ 'bridge=xenbrFW,vifname=domu.eth0' ]
dhcp="off"
ip="XX.XX.XX.XX"
netmask="255.255.255.0"
gateway="XX.XX.XX.XX"
hostname="domu.domain.com"

extra="3"

on_poweroff = 'destroy'
on_reboot   = 'restart'
on_crash    = 'restart'
----------------------------------------------------------------------------------------------------


In the domU (firewall) I have the following iptables config:
#!/bin/sh
# /etc/network/if-pre-up.d/iptables-start

iptables=/sbin/iptables

$iptables -F

$iptables -P INPUT ACCEPT
$iptables -P FORWARD ACCEPT
$iptables -P OUTPUT ACCEPT

# Logs
#$iptables -A INPUT -j LOG   --log-prefix="IPTABLES-INPUT: "
#$iptables -A OUTPUT -j LOG  --log-prefix="IPTABLES-OUTPUT: "
#$iptables -A FORWARD -j LOG --log-prefix="IPTABLES-FORWARD: "

$iptables -A INPUT -i lo -j ACCEPT

# Traffic control
tc qdisc del dev eth0 parent root
tc qdisc add dev eth0 parent root handle 1:0 htb default 40
tc class add dev eth0 parent 1:0 classid 1:1 htb rate 10mbit
tc class add dev eth0 parent 1:1 classid 1:10 htb rate 512kbit
tc class add dev eth0 parent 1:1 classid 1:20 htb rate 1mbit
tc class add dev eth0 parent 1:1 classid 1:30 htb rate 2mbit
tc class add dev eth0 parent 1:1 classid 1:40 htb rate 5mbit

tc qdisc del dev eth1 parent root
tc qdisc add dev eth1 parent root handle 2:0 htb default 40
tc class add dev eth1 parent 2:0 classid 2:1 htb rate 10mbit
tc class add dev eth1 parent 2:1 classid 2:10 htb rate 512kbit
tc class add dev eth1 parent 2:1 classid 2:20 htb rate 1mbit
tc class add dev eth1 parent 2:1 classid 2:30 htb rate 2mbit
tc class add dev eth1 parent 2:1 classid 2:40 htb rate 5mbit

$iptables -t mangle -A POSTROUTING -d XX.XX.XX.XX -j CLASSIFY --set-class 2:20
$iptables -t mangle -A POSTROUTING -s XX.XX.XX.XX -j CLASSIFY --set-class 1:20


Substitute XX.XX.XX.XX with your IPs ;)

There is an issue with the traffic control in one way, the rate is multiplied by 2, I don't know the reason :(, I have tested this tc config with another box without XEN and it works great.

Don't forget to do this:

echo "0" >/proc/sys/net/bridge/bridge-nf-call-iptables

See the post "iptables and state matches (established, related)" in this mailing list. You can put it in your sysctl.conf.

So... that's all (I hope :) ) if you need anything else.... tell me

Regards,

Marc
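The ruleset Marc posts above opens all three policies (INPUT, FORWARD, OUTPUT all ACCEPT), which fits a bridging firewall that filters elsewhere but not the NAT/DHCP/DNS gateway Ronan describes at the top of the thread. What follows is an added example, not Marc's script or anything from the Xen project: a default-deny ruleset for a firewall domU whose eth0 sits on xenbr0 (public) and whose eth1 sits on xenbr1 (private). The interface names, the private network 192.168.0.0/24 and the assumption that the domU runs the caching DNS and DHCP servers itself are constructed for the example. The script prints the rules instead of running them unless invoked with `apply`, so the set can be reviewed first.

```shell
#!/bin/sh
# Added example (not Marc's script): a default-deny NAT ruleset for a Xen
# firewall domU. Assumed layout (hypothetical): eth0 faces the Internet via
# xenbr0, eth1 faces the private network via xenbr1, and this domU also runs
# the caching DNS and DHCP servers from the thread.
WAN=${WAN:-eth0}
LAN=${LAN:-eth1}
LAN_NET=${LAN_NET:-192.168.0.0/24}   # constructed sample private network
IPT=${IPT:-/sbin/iptables}

# gen_rules prints the commands instead of running them, so the ruleset can be
# reviewed (or tested) before it touches a live box.
gen_rules() {
  cat <<EOF
# the domU routes between its two legs; filtering happens here, not in dom0's bridges
sysctl -w net.ipv4.ip_forward=1
$IPT -F
$IPT -t nat -F
# default deny for anything arriving at, or crossing, the firewall
$IPT -P INPUT DROP
$IPT -P FORWARD DROP
$IPT -P OUTPUT ACCEPT
$IPT -A INPUT -i lo -j ACCEPT
$IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# anti-spoofing: private addresses never legitimately arrive on the public leg
$IPT -A INPUT -i $WAN -s $LAN_NET -j DROP
$IPT -A FORWARD -i $WAN -s $LAN_NET -j DROP
# services offered only to the private side (DHCP, DNS, and assumed ssh management)
$IPT -A INPUT -i $LAN -p udp --dport 67 -j ACCEPT
$IPT -A INPUT -i $LAN -s $LAN_NET -p udp --dport 53 -j ACCEPT
$IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 53 -j ACCEPT
$IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
# private -> Internet allowed, replies allowed, nothing else crosses
$IPT -A FORWARD -i $LAN -o $WAN -s $LAN_NET -j ACCEPT
$IPT -A FORWARD -i $WAN -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
$IPT -t nat -A POSTROUTING -o $WAN -s $LAN_NET -j MASQUERADE
EOF
}

# Number of generated commands (comment lines excluded), for a quick sanity check.
count_rules() {
  gen_rules | grep -c -v '^#'
}

# Run the generated commands; -e stops at the first failing rule.
apply_rules() {
  gen_rules | sh -e
}

case "${1:-}" in
  apply) apply_rules ;;
  show)  gen_rules ;;
esac
```

Run `sh firewall.sh show` to review the commands and `sh firewall.sh apply` (as root in the firewall domU) to load them. The anti-spoofing rules are appended before the stateful ACCEPT rules deliberately, since iptables evaluates a chain top to bottom. The `bridge-nf-call-iptables=0` setting Marc mentions belongs in whichever domain owns the bridges (dom0 here): with it off, frames crossing xenbr0 and xenbr1 skip dom0's iptables entirely, which is what you want when the firewall domU is the only place filtering is supposed to happen.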


Ronan wrote:
Marc
that's exactly what I require...
any of your config would be really helpful!

many thanks in advance!

Ronan
Hi Ronan,

do you want to do something like this (see the image) ?

After reading a lot of stuff I made a wrapper of network-bridge, that I call network-bridge-wrapper, here is it:

#!/bin/sh
/etc/xen/scripts/network-bridge start bridge=xenbr0 vifnum=0
/usr/sbin/brctl addbr xenbr1
/sbin/ifconfig xenbr1 up

I changed the line in xend-config.sxp that calls network-bridge to call network-bridge-wrapper ...

If you want I can post more info about this config (my domU config files, iptables, ebtables....). I'm using Debian, so... I hope the scripts in CentOS are close to Debian's.

Regards,

Marc


Ronan wrote:
My situation:
Running centos5 on a machine directly connected to the internet.
I have a paravirtualised centos5 core machine in domu1 with only 1 eth configured, eth0 by dhcp.

What I want:
to configure the dom0 bridge to simply route all traffic at ethernet level to dom1 (firewall/router) and have dom1 then NAT it out to my other domU's and machines on my private 192.168 network using dhcpd configured on eth1 on the machine.

My difficulties:
setting up the dom0 bridging to do what I want, i.e. xenbr0 to eth0 on domu1 and then xenbr1 to eth1 on domu1

I then intend to remove / lock dom0 down and only use the domu's as dhcp configured servers.

There are a couple of URLs I've looked at
http://lists.xensource.com/archives/html/xen-users/2006-02/msg00602.html

etc. but there isn't any specific configuration information.
Can I get some pointers as to where to look, or even example configs?

thanks

Ronan

(ps if this is the 3rd like message of mine today I apologise, I can't tell if the other two messages I sent actually did...)


_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users