[Pkg-xen-devel] Bug#430778: xen-utils-common: NAT scripts not generic enough, and made for DHCP ?
Olivier Berger
olivier.berger at int-edu.eu
Wed Jun 27 11:00:41 UTC 2007
Package: xen-utils-common
Version: 3.0.3-0-2
Severity: normal
I cannot find a use for the network-nat and vif-nat provided in the general case, where I'd like to NAT between vifx.0 and ethx interfaces.
I have set up the following in /etc/xen/xend-config.sxp:
## Use the following if network traffic is routed with NAT, as an alternative
# to the settings for bridged networking given above.
(network-script 'network-nat netdev=eth1')
(vif-script vif-nat)
(in my setup, eth1 is my wired link to the net gateway)
After the domU is started, I get:
# iptables -v -L -n
Chain INPUT (policy ACCEPT 39178 packets, 45M bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy DROP 245 packets, 20580 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT 0 -- * * 192.168.2.100 0.0.0.0/0 PHYSDEV match --physdev-in vif3.0
0 0 ACCEPT udp -- * * 0.0.0.0/0 0.0.0.0/0 PHYSDEV match --physdev-in vif3.0 udp spt:68 dpt:67
Chain OUTPUT (policy ACCEPT 24821 packets, 1643K bytes)
pkts bytes target prot opt in out source destination
and:
# iptables -v -L -n -t nat
Chain PREROUTING (policy ACCEPT 863 packets, 104K bytes)
pkts bytes target prot opt in out source destination
Chain POSTROUTING (policy ACCEPT 55 packets, 3593 bytes)
pkts bytes target prot opt in out source destination
2 125 MASQUERADE 0 -- * eth1 0.0.0.0/0 0.0.0.0/0
Chain OUTPUT (policy ACCEPT 611 packets, 38296 bytes)
pkts bytes target prot opt in out source destination
However, the masquerade doesn't work :(
I think that the "PHYSDEV match --physdev-in vifx.0" declaration in the FORWARD rule doesn't work.
I find it a bit strange also that the provided scripts seem to be producing iptables rules suited for DHCP, with open ports 67 and 68 somehow... even if no dhcp option is set in the scripts parameters.
I tried a more standard iptables setup like this, which gives much better results:
# iptables -F FORWARD
# iptables -A FORWARD -d 192.168.2.100/32 -m state --state ESTABLISHED,RELATED -j ACCEPT
# iptables -A FORWARD -s 192.168.2.100/32 -j ACCEPT
# iptables -A FORWARD -j LOG
(In my setup, the domU is configured for IP 192.168.2.100)
Any comments?
Hope this helps,
-- System Information:
Debian Release: lenny/sid
APT prefers testing
APT policy: (500, 'testing'), (500, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.18-4-xen-686 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash
Versions of packages xen-utils-common depends on:
ii lsb-base 3.1-23.1 Linux Standard Base 3.1 init scrip
ii udev 0.105-4 /dev/ and hotplug management daemo
xen-utils-common recommends no packages.
-- no debconf information
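As an added check (not part of the bug report or of the xen-utils-common scripts), the script below parses an `iptables -v -L -n` listing like the one quoted above and reports whether a domU address is accepted through FORWARD in both directions by plain address/state matches. A PHYSDEV match is discounted because it only applies to frames that cross a bridge, which routed NAT vif traffic does not, so such a rule never fires and the chain's DROP policy wins. The two listings are constructed from the report's rules; the function names are my own.

```python
import re

# Constructed sample: the FORWARD chain as quoted in the bug report.
BROKEN_LISTING = """\
Chain FORWARD (policy DROP 245 packets, 20580 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT     0    --  *      *       192.168.2.100        0.0.0.0/0            PHYSDEV match --physdev-in vif3.0
    0     0 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            PHYSDEV match --physdev-in vif3.0 udp spt:68 dpt:67
"""

# Constructed sample: how the reporter's replacement rules list.
FIXED_LISTING = """\
Chain FORWARD (policy DROP 0 packets, 0 bytes)
 pkts bytes target prot opt in out source destination
    0     0 ACCEPT     0    --  *      *       0.0.0.0/0            192.168.2.100        state RELATED,ESTABLISHED
    0     0 ACCEPT     0    --  *      *       192.168.2.100        0.0.0.0/0
    0     0 LOG        0    --  *      *       0.0.0.0/0            0.0.0.0/0            LOG flags 0 level 4
"""

def parse_chains(listing):
    """Parse `iptables -v -L -n` text into {chain: {"policy": ..., "rules": [...]}}."""
    chains, current = {}, None
    for line in listing.splitlines():
        m = re.match(r"Chain (\S+) \((?:policy (\S+))?", line)
        if m:
            current = chains.setdefault(m.group(1), {"policy": m.group(2), "rules": []})
            continue
        f = line.split(None, 9)
        if current is None or len(f) < 9 or f[0] == "pkts":
            continue  # blank line or column header
        # columns: pkts bytes target prot opt in out source destination [match text]
        current["rules"].append({"target": f[2], "proto": f[3], "in": f[5], "out": f[6],
                                 "src": f[7], "dst": f[8],
                                 "extra": f[9] if len(f) > 9 else ""})
    return chains

def domu_forwarding_ok(listing, domu_ip):
    """True if FORWARD accepts the domU's outbound packets and the replies to it
    without relying on a PHYSDEV match (bridge-only, never hits routed traffic)."""
    fwd = parse_chains(listing).get("FORWARD")
    if fwd is None:
        return False
    def accepts(rule, key):
        return (rule["target"] == "ACCEPT" and "PHYSDEV" not in rule["extra"]
                and rule["proto"] in ("0", "all")
                and rule[key] in (domu_ip, domu_ip + "/32"))
    outbound = any(accepts(r, "src") for r in fwd["rules"])
    replies = any(accepts(r, "dst") for r in fwd["rules"])
    return outbound and (replies or fwd["policy"] == "ACCEPT")
```

Feed it the output of `iptables -v -L -n` from dom0 and the domU's address to see which direction is missing before touching the rules.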