* how to setup NAT for domU?
@ 2005-01-26 10:23 aq
2005-01-26 11:35 ` Grzegorz Milos
0 siblings, 1 reply; 6+ messages in thread
From: aq @ 2005-01-26 10:23 UTC (permalink / raw)
To: Xen-Devel
hello,
I want my domU to use NAT, so it can access the internet with private
IP address, but don't know how to do that. I looked at the Xen user
manual, but it doesn't mention the solution for this problem either.
Thank you a lot,
AQ
* Re: how to setup NAT for domU?
2005-01-26 10:23 how to setup NAT for domU? aq
@ 2005-01-26 11:35 ` Grzegorz Milos
2005-01-27 13:11 ` Grzegorz Milos
2005-01-27 16:09 ` Andrew Theurer
0 siblings, 2 replies; 6+ messages in thread
From: Grzegorz Milos @ 2005-01-26 11:35 UTC (permalink / raw)
To: xen-devel
[-- Attachment #1: Type: text/plain, Size: 1050 bytes --]
I've created scripts to do that. Should they be included in the repositories
(Ian, Keir)?
Here they are again.
(configure your xend-config.sxp to use them instead of the default ones, place
them at /etc/xen/scripts)
Cheers
Gregor
> hello,
>
> I want my domU to use NAT, so it can access the internet with private
> IP address, but don't know how to do that. I looked at the Xen user
> manual, but it doesn't mention the solution for this problem either.
>
> Thank you a lot,
> AQ
--
Quidquid latine dictum sit, altum viditur --- Anon
[-- Attachment #2: nat.tar.gz --]
[-- Type: application/x-tgz, Size: 3264 bytes --]
* Re: how to setup NAT for domU?
2005-01-26 11:35 ` Grzegorz Milos
@ 2005-01-27 13:11 ` Grzegorz Milos
2005-01-27 16:09 ` Andrew Theurer
1 sibling, 0 replies; 6+ messages in thread
From: Grzegorz Milos @ 2005-01-27 13:11 UTC (permalink / raw)
To: xen-devel
[-- Attachment #1: Type: text/plain, Size: 1234 bytes --]
For those who prefer patching instead of copying the files from the archive, the
patchfile is attached to the email.
Cheers
Gregor
> I've created scripts to do that. Should they be included in the
> repositories (Ian, Keir)?
> Here they are again.
>
> (configure your xend-config.sxp to use them instead of the default ones,
> place them at /etc/xen/scripts)
>
> Cheers
> Gregor
>
> > hello,
> >
> > I want my domU to use NAT, so it can access the internet with private
> > IP address, but don't know how to do that. I looked at the Xen user
> > manual, but it doesn't mention the solution for this problem either.
> >
> > Thank you a lot,
> > AQ
--
Quidquid latine dictum sit, altum viditur --- Anon
[-- Attachment #2: nat-patch --]
[-- Type: text/x-diff, Size: 9516 bytes --]
diff -Nru a/linux-2.6.10-xen-sparse/arch/xen/configs/xen0_defconfig b/linux-2.6.10-xen-sparse/arch/xen/configs/xen0_defconfig
--- a/linux-2.6.10-xen-sparse/arch/xen/configs/xen0_defconfig 2005-01-23 13:28:24 +00:00
+++ b/linux-2.6.10-xen-sparse/arch/xen/configs/xen0_defconfig 2005-01-27 11:48:16 +00:00
@@ -501,7 +501,7 @@
# CONFIG_IP_NF_QUEUE is not set
CONFIG_IP_NF_IPTABLES=m
# CONFIG_IP_NF_MATCH_LIMIT is not set
-# CONFIG_IP_NF_MATCH_IPRANGE is not set
+CONFIG_IP_NF_MATCH_IPRANGE=m
# CONFIG_IP_NF_MATCH_MAC is not set
# CONFIG_IP_NF_MATCH_PKTTYPE is not set
# CONFIG_IP_NF_MATCH_MARK is not set
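Review bot: CONFIG_IP_NF_MATCH_IPRANGE=m is switched on here, but nothing else in this patch uses the iprange match: the only active iptables rule in network-nat is `-t nat ... -o ${netdev} -j MASQUERADE`, and the one commented-out rule in vif-nat uses `-m physdev`. Either drop this line from the defconfig change or state in the patch description what needs it, so the dom0 default config only grows by modules the NAT scripts depend on.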
@@ -524,11 +524,20 @@
# CONFIG_IP_NF_MATCH_SCTP is not set
# CONFIG_IP_NF_MATCH_COMMENT is not set
# CONFIG_IP_NF_MATCH_HASHLIMIT is not set
-# CONFIG_IP_NF_FILTER is not set
+CONFIG_IP_NF_FILTER=m
+CONFIG_IP_NF_TARGET_REJECT=m
# CONFIG_IP_NF_TARGET_LOG is not set
# CONFIG_IP_NF_TARGET_ULOG is not set
# CONFIG_IP_NF_TARGET_TCPMSS is not set
-# CONFIG_IP_NF_NAT is not set
+CONFIG_IP_NF_NAT=m
+CONFIG_IP_NF_NAT_NEEDED=y
+CONFIG_IP_NF_TARGET_MASQUERADE=m
+# CONFIG_IP_NF_TARGET_REDIRECT is not set
+# CONFIG_IP_NF_TARGET_NETMAP is not set
+# CONFIG_IP_NF_TARGET_SAME is not set
+# CONFIG_IP_NF_NAT_LOCAL is not set
+# CONFIG_IP_NF_NAT_SNMP_BASIC is not set
+CONFIG_IP_NF_NAT_FTP=m
# CONFIG_IP_NF_MANGLE is not set
# CONFIG_IP_NF_RAW is not set
# CONFIG_IP_NF_ARPTABLES is not set
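Review bot: CONFIG_IP_NF_TARGET_LOG stays unset in this hunk while CONFIG_IP_NF_FILTER and CONFIG_IP_NF_TARGET_REJECT are turned on, so a dom0 built from this config can filter and reject forwarded domU traffic but cannot record it with a LOG rule. Consider setting CONFIG_IP_NF_TARGET_LOG=m alongside them. The scripts in this patch add no filter-table rules and do not reference the FTP helper, so the description should also say why FILTER, REJECT and CONFIG_IP_NF_NAT_FTP belong in the default set.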
diff -Nru a/tools/examples/network-nat b/tools/examples/network-nat
--- /dev/null Wed Dec 31 16:00:00 196900
+++ b/tools/examples/network-nat 2005-01-27 11:48:16 +00:00
@@ -0,0 +1,77 @@
+#!/bin/sh
+#============================================================================
+# Default Xen network start/stop script.
+# Xend calls a network script when it starts.
+# The script name to use is defined in /etc/xen/xend-config.sxp
+# in the network-script field.
+#
+# Usage:
+#
+# network-route (start|stop|status) {VAR=VAL}*
+#
+# Vars:
+#
+# netdev The gateway interface (default eth0).
+# antispoof Whether to use iptables to prevent spoofing (default yes).
+#
+#============================================================================
+
+
+
+# Exit if anything goes wrong.
+set -e
+
+# First arg is the operation.
+OP=$1
+shift
+
+# Pull variables in args in to environment.
+for arg ; do export "${arg}" ; done
+
+netdev=${netdev:-eth0}
+# antispoofing not yet implemented
+antispoof=${antispoof:-yes}
+
+echo "network-nat $OP netdev=$netdev antispoof=$antispoof"
+
+
+op_start() {
+ echo 1 >/proc/sys/net/ipv4/ip_forward
+ iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE
+}
+
+
+op_stop() {
+ iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE
+}
+
+
+show_status() {
+ echo '============================================================'
+ ifconfig
+ echo ' '
+ ip route list
+ echo ' '
+ route -n
+ echo '============================================================'
+
+}
+
+case ${OP} in
+ start)
+ op_start
+ ;;
+
+ stop)
+ op_stop
+ ;;
+
+ status)
+ show_status
+ ;;
+
+ *)
+ echo 'Unknown command: ' ${OP}
+ echo 'Valid commands are: start, stop, status'
+ exit 1
+esac
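Review bot: antispoof defaults to yes and is echoed as `antispoof=yes` on every run, yet the comment directly above it says antispoofing is not yet implemented, so the log line claims a protection that op_start never installs. Default it to no, or exit with an error when antispoof=yes is requested, until the rules exist. In op_start the MASQUERADE rule has no `-s` restriction, so it rewrites everything leaving ${netdev} rather than only the domU subnets, and op_stop removes the rule but leaves ip_forward at 1. The header still reads "Default Xen network start/stop script" and gives the usage as network-route; both should name network-nat.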
diff -Nru a/tools/examples/vif-nat b/tools/examples/vif-nat
--- /dev/null Wed Dec 31 16:00:00 196900
+++ b/tools/examples/vif-nat 2005-01-27 11:48:16 +00:00
@@ -0,0 +1,66 @@
+#!/bin/sh
+#============================================================================
+# /etc/xen/vif-nat
+#
+# Script for configuring a vif in routed-nat mode.
+# Xend calls a vif script when bringing a vif up or down.
+# This script is the default - but it can be configured for each vif.
+#
+# Example invocation:
+#
+# vif-nat up domain=VM1 vif=vif1.0 ip="192.168.0.10/31"
+#
+# Usage:
+# vif-nat (up|down) {VAR=VAL}*
+#
+# Vars:
+#
+# domain name of the domain the interface is on (required).
+# vif vif interface name (required).
+# ip list of IP networks for the vif, space-separated (required).
+#============================================================================
+
+# Exit if anything goes wrong
+set -e
+
+echo "vif-nat $*"
+
+# Operation name.
+OP=$1
+shift
+
+# Pull variables in args into environment
+for arg ; do export "${arg}" ; done
+
+# Required parameters. Fail if not set.
+domain=${domain:?}
+vif=${vif:?}
+ip=${ip:?}
+
+# better way to strip /netmask from the ip?
+vif_ip=`echo ${ip} | awk -F. '{print $1"."$2"."$3"."$4}'`
+
+main_ip=`ifconfig eth0 | grep "inet addr:" | sed -e 's/.*inet addr:\(\w\w*\.\w\w*\.\w\w*\.\w\w*\).*/\1/'`
+
+# Are we going up or down?
+case $OP in
+ up)
+ ifconfig ${vif} ${vif_ip} netmask 255.255.255.0 up
+ echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
+ iptcmd='-A'
+ ipcmd='a'
+ ;;
+ down)
+ ifconfig ${vif} down
+ iptcmd='-D'
+ ipcmd='d'
+ ;;
+ *)
+ echo 'Invalid command: ' $OP
+ echo 'Valid commands are: up, down'
+ exit 1
+ ;;
+esac
+
+ip r ${ipcmd} ${ip} dev ${vif} src ${main_ip}
+# iptables ${iptcmd} FORWARD -m physdev --physdev-in ${vif} -p udp --sport 68 --dport 67 -j ACCEPT
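Review bot: the vif_ip assignment does not strip the netmask: with `-F.` the fourth field of 192.168.0.10/31 is `10/31`, so ${vif_ip} still carries the prefix when it is passed to ifconfig next to a fixed `netmask 255.255.255.0`. Use `${ip%%/*}` for the address and derive the netmask from the prefix instead of hard-coding it (the header's own example uses /31). main_ip is read from eth0 unconditionally although network-nat accepts a netdev variable, and iptcmd is set in both branches but only used by the commented-out rule on the last line. On `down` the route delete runs after `ifconfig ${vif} down`; if the route is already gone at that point the script ends with a non-zero status, so delete the route first or tolerate the failure. Nothing in the script restricts which source addresses are accepted from ${vif} while proxy_arp is enabled on it; a per-vif source check here is where the antispoof option documented in network-nat would belong.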
diff -Nru a/tools/examples/xmexample3 b/tools/examples/xmexample3
--- /dev/null Wed Dec 31 16:00:00 196900
+++ b/tools/examples/xmexample3 2005-01-27 11:48:17 +00:00
@@ -0,0 +1,120 @@
+# -*- mode: python; -*-
+#============================================================================
+# Example Python setup script for 'xm create'.
+# This script sets the parameters used when a domain is created using 'xm create'.
+#
+# This is a relatively advanced script that uses a parameter, vmid, to control
+# the settings. So this script can be used to start a set of domains by
+# setting the vmid parameter on the 'xm create' command line. For example:
+#
+# xm create vmid=1
+# xm create vmid=2
+# xm create vmid=3
+#
+# The vmid is purely a script variable, and has no effect on the the domain
+# id assigned to the new domain.
+#============================================================================
+
+# Define script variables here.
+# xm_vars is defined automatically, use xm_vars.var() to define a variable.
+
+# This function checks that 'vmid' has been given a valid value.
+# It is called automatically by 'xm create'.
+def vmid_check(var, val):
+ val = int(val)
+ if val <= 0:
+ raise ValueError
+ return val
+
+# Define the 'vmid' variable so that 'xm create' knows about it.
+xm_vars.var('vmid',
+ use="Virtual machine id. Integer greater than 0.",
+ check=vmid_check)
+
+# Check the defined variables have valid values..
+xm_vars.check()
+
+#----------------------------------------------------------------------------
+# Kernel image file.
+kernel = "/path/to/domU/kernel"
+
+# Optional ramdisk.
+#ramdisk = "/boot/initrd.gz"
+
+# The domain build function. Default is 'linux'.
+#builder='linux'
+
+# Initial memory allocation (in megabytes) for the new domain.
+memory = 64
+
+# A name for the new domain. All domains have to have different names,
+# so we use the vmid to create a name.
+name = "VM%d" % vmid
+
+# Which CPU to start domain on?
+#cpu = -1 # leave to Xen to pick
+cpu = vmid # set based on vmid (mod number of CPUs)
+
+#----------------------------------------------------------------------------
+# Define network interfaces.
+
+# Number of network interfaces. Default is 1.
+#nics=1
+
+# Optionally define mac and/or bridge for the network interfaces.
+# Random MACs are assigned if not given.
+
+vif = [ 'ip=192.168.%d.1/24' % (vmid)]
+
+#----------------------------------------------------------------------------
+# Define the disk devices you want the domain to have access to, and
+# what you want them accessible as.
+# Each disk entry is of the form phy:UNAME,DEV,MODE
+# where UNAME is the device, DEV is the device name the domain will see,
+# and MODE is r for read-only, w for read-write.
+
+# This makes the disk device depend on the vmid - assuming
+# tHat devices sda7, sda8 etc. exist. The device is exported
+# to all domains as sda1.
+# All domains get sda6 read-only (to use for /usr, see below).
+disk = [ 'phy:hda%d,hda1,w' % (vmid)]
+
+#----------------------------------------------------------------------------
+# Set the kernel command line for the new domain.
+# You only need to define the IP parameters and hostname if the domain's
+# IP config doesn't, e.g. in ifcfg-eth0 or via DHCP.
+# You can use 'extra' to set the runlevel and custom environment
+# variables used by custom rc scripts (e.g. VMID=, usr= ).
+
+# Set if you want dhcp to allocate the IP address.
+dhcp="off"
+ip="192.168.%d.2" % (vmid)
+# Set netmask.
+netmask="255.255.255.0"
+# Set default gateway.
+gateway="192.168.%d.1" % (vmid)
+# Set the hostname.
+hostname= "domain-%d.xeno" % vmid
+
+# Set root device.
+root = "/dev/hda1 ro"
+
+# Root device for nfs.
+#root = "/dev/nfs"
+# The nfs server.
+#nfs_server = "10.212.4.103"
+# Root directory on the nfs server.
+#nfs_root = "/path/to/root/filesystem"
+
+# Sets runlevel 4 and the device for /usr.
+extra = "4 VMID=%d" % vmid
+
+#----------------------------------------------------------------------------
+# Set according to whether you want the domain restarted when it exits.
+# The default is 'onreboot', which restarts the domain when it shuts down
+# with exit code reboot.
+# Other values are 'always', and 'never'.
+
+#restart = 'onreboot'
+
+#============================================================================
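Review bot: vmid_check only rejects values <= 0, but vmid is used as the third octet in `'ip=192.168.%d.1/24' % (vmid)` and in the `ip` and `gateway` settings, so vmid=256 passes the check and yields an invalid address. Add an upper bound to vmid_check (an octet cannot exceed 255). The comments also need to match the code: the disk section talks about sda7, sda8 and a read-only sda6 while the entry is `phy:hda%d,hda1,w`, and "Sets runlevel 4 and the device for /usr" sits above an `extra` line that only sets VMID. Since vmid=1 exports hda1 read-write, the comment should state which dom0 partitions are expected to be free for guests.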
* Re: how to setup NAT for domU?
2005-01-26 11:35 ` Grzegorz Milos
2005-01-27 13:11 ` Grzegorz Milos
@ 2005-01-27 16:09 ` Andrew Theurer
2005-01-27 21:59 ` Gregor Milos
[not found] ` <200501272158.27123.gm281@hermes.cam.ac.uk>
1 sibling, 2 replies; 6+ messages in thread
From: Andrew Theurer @ 2005-01-27 16:09 UTC (permalink / raw)
To: Grzegorz Milos; +Cc: xen-devel
Gregor, in your xmexample script you have:
vif = [ 'ip=192.168.%d.1/24' % (vmid)]
I have a much simpler config file, which has:
vif = [ 'ip=192.168.2.1/24']
...which I tried to use but I get an error from xm create. Looking at
create.py (xen-unstable), I don't see a provision to parse assignment
for ip= for vif:
gopts.var('vif', val="mac=MAC,bridge=BRIDGE,script=SCRIPT,backend=DOM",
Am I missing something, or is it possible you are using this on an
unreleased build?
Thanks,
Andrew Theurer
Grzegorz Milos wrote:
>I've created scripts to do that. Should they be included in the repositories
>(Ian, Keir)?
>Here they are again.
>
>(configure your xend-config.sxp to use them instead of the default ones, place
>them at /etc/xen/scripts)
>
>Cheers
>Gregor
>
>
>
>>hello,
>>
>>I want my domU to use NAT, so it can access the internet with private
>>IP address, but don't know how to do that. I looked at the Xen user
>>manual, but it doesn't mention the solution for this problem either.
>>
>>Thank you a lot,
>>AQ
* Re: how to setup NAT for domU?
2005-01-27 16:09 ` Andrew Theurer
@ 2005-01-27 21:59 ` Gregor Milos
[not found] ` <200501272158.27123.gm281@hermes.cam.ac.uk>
1 sibling, 0 replies; 6+ messages in thread
From: Gregor Milos @ 2005-01-27 21:59 UTC (permalink / raw)
To: xen-devel
> Gregor, in your xmexample script you have:
>
> vif = [ 'ip=192.168.%d.1/24' % (vmid)]
The way the default setup (xmexample) works is as follows:
in domain 0 - vif gets ip = 192.168.vmid.1
in domU - eth0 gets ip = 192.168.vmid.2
this way we can easily update the routing tables in dom0.
There can be up to 255 unprivileged domains (which is plenty).
> I have a much simpler config file, which has:
>
> vif = [ 'ip=192.168.2.1/24']
This way all the virtual interfaces in dom0 would be getting the same ip,
which will not work for more than one domU.
> ...which I tried to use but I get an error from xm create. Looking at
What is the error? Does it happen when you are trying to set up the first
unprivileged domain or any subsequent ones? What IP address do you give to
eth0 in domU?
> create.py (xen-unstable), I don't see a provision to parse assignment
> for ip= for vif:
>
> gopts.var('vif', val="mac=MAC,bridge=BRIDGE,script=SCRIPT,backend=DOM",
The whole 'ip=192.168.whatever.1' gets passed to the vif-nat script
(/etc/xen/scripts/vif-nat), which then uses it to bring the vif up.
> Am I missing something, or is it possible you are using this on an
> unreleased build?
That should work for both the unstable and testing trees. Maybe you have not
reinstalled the tools, and the vif-nat and network-nat scripts did not get
copied to /etc/xen/scripts? Have you modified xend-config.sxp to use the new
scripts?
Cheers
Gregor
> Thanks,
>
> Andrew Theurer
>
> Grzegorz Milos wrote:
> >I've created scripts to do that. Should they be included in the
> > repositories (Ian, Keir)?
> >Here they are again.
> >
> >(configure your xend-config.sxp to use them instead of the default ones,
> > place them at /etc/xen/scripts)
> >
> >Cheers
> >Gregor
> >
> >>hello,
> >>
> >>I want my domU to use NAT, so it can access the internet with private
> >>IP address, but don't know how to do that. I looked at the Xen user
> >>manual, but it doesn't mention the solution for this problem either.
> >>
> >>Thank you a lot,
> >>AQ
--
Quidquid latine dictum sit, altum viditur --- Anon
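
The addressing scheme described in this reply (dom0 vif at 192.168.vmid.1, domU eth0 at 192.168.vmid.2), combined with the `antispoof` option that network-nat documents but does not implement, as an added example that is not part of the original thread or of the Xen scripts. All function names are hypothetical, and the iptables rules are printed for review rather than executed.

```shell
#!/bin/sh
# Added example (not from the thread): per-vmid address plan and the
# source-restricted rules that would tie a vif to its domU address.

# Succeeds only for an integer vmid that fits the third octet (1..255).
valid_vmid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 3 ] && [ "$1" -ge 1 ] && [ "$1" -le 255 ]
}

# dom0 side of the link: 192.168.<vmid>.1
dom0_vif_ip() { valid_vmid "$1" || return 1; echo "192.168.$1.1"; }

# domU side of the link: 192.168.<vmid>.2
domu_ip() { valid_vmid "$1" || return 1; echo "192.168.$1.2"; }

# Strip the /prefix from an "a.b.c.d/len" value as given in vif = [ 'ip=...' ].
strip_prefix() { echo "${1%%/*}"; }

# Print (do not run) the rules for one vif.
# $1 = vif name (e.g. vif1.0), $2 = vmid, $3 = gateway interface (default eth0)
antispoof_rules() {
    vif=$1; vmid=$2; netdev=${3:-eth0}
    guest=$(domu_ip "$vmid") || return 1
    # Drop anything arriving on the vif that does not use the domU's address.
    echo "iptables -A FORWARD -i $vif ! -s $guest -j DROP"
    # Masquerade only this domain's subnet, not everything leaving netdev.
    echo "iptables -t nat -A POSTROUTING -s 192.168.$vmid.0/24 -o $netdev -j MASQUERADE"
}
```
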
* Re: how to setup NAT for domU?
[not found] ` <200501272158.27123.gm281@hermes.cam.ac.uk>
@ 2005-01-28 16:19 ` Andrew Theurer
0 siblings, 0 replies; 6+ messages in thread
From: Andrew Theurer @ 2005-01-28 16:19 UTC (permalink / raw)
To: Gregor Milos; +Cc: xen-devel
Gregor Milos wrote:
>>Gregor, in your xmexample script you have:
>>
>>vif = [ 'ip=192.168.%d.1/24' % (vmid)]
>>
>>
>
>The way the default setup (xmexample) works is as follows:
>in domain 0 - vif gets ip = 192.168.vmid.1
>in domU - eth0 gets ip = 192.168.vmid.2
>this way we can easily update the routing tables in dom0.
>There can be up to 255 unprivileged domains (which is plenty).
>
>
OK, that's exactly what I wanted to do.
>
>
>>I have a much simpler config file, which has:
>>
>>vif = [ 'ip=192.168.2.1/24']
>>
>>
>
>This way all the virtual interfaces in dom0 would be getting the same ip,
>which will not work for more than one domU.
>
>
Actually I have a different file for each vmid, generated by bash
scripts, which have a different 192.168.vmid.1, so I think our intent is
the same, just different implementations. My way was driven by my lack of
python experience :)
>
>
>>...which I tried to use but I get an error from xm create. Looking at
>>
>>
>
>What is the error? Does it happen when you are trying to set up the first
>unprivileged domain or any subsequent ones? What IP address do you give to
>eth0 in domU?
>
>
I don't have the error recorded, but I think it was a python parsing
error. Perhaps I just didn't get the format correctly. I cannot
reproduce at the moment, because apparently I have really screwed
something up by trying the unstable tree, and so far I have not been able
to get 2.0-testing or 2.0.1 running again (and 2.0.3 has always stuck at
"Scrubbing memory..").
I'll try to get back where I started, 2.0.1 with the error reproduced.
Hopefully it's just an error on my part. Thanks for your help!
-Andrew Theurer