| View previous topic :: View next topic |
| Author |
Message |
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
 Posted: Sun Aug 14, 2016 2:47 pm Post subject: Xen networking woes [SOLVED] |
 |
|
I've successfully set up a pfsense firewall under xen. The firewall routes properly, connects to the internet, and the hosts on my network route through it just fine... but not dom0. As far as dom0 is concerned, all IPv4 TCP traffic is failing to route outside of the local subnet. IPv6 TCP traffic appears to pass unimpeded, as does ICMP traffic. The firewall is not blocking (or even seeing) any traffic from dom0. My routing table looks right... I don't get it  | Code: | rich@gorgon /etc/postfix $ route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default efreet.warfares 0.0.0.0 UG 0 0 0 bridge0
10.4.12.0 0.0.0.0 255.255.255.0 U 425 0 0 bridge0
192.168.0.0 0.0.0.0 255.255.255.0 U 425 0 0 bridge1 |
| Code: | rich@gorgon /etc/postfix $ ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=43 time=26.3 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=43 time=27.0 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=43 time=23.6 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=43 time=24.2 ms |
However, when I try something simple, like telnetting to the IP address of a google server on port 80: | Code: | rich@gorgon /etc/postfix $ telnet 216.58.217.238 80
Trying 216.58.217.238...
telnet: connect to address 216.58.217.238: Connection timed out |
What gives? | Code: | rich@gorgon /etc/postfix $ ifconfig
bridge0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.4.12.19 netmask 255.255.255.0 broadcast 10.4.12.255
inet6 2602:100:3258:14b2::4 prefixlen 64 scopeid 0x0<global>
inet6 2602:100:3258:14b2::3 prefixlen 64 scopeid 0x0<global>
inet6 2602:100:3258:14b2::2 prefixlen 64 scopeid 0x0<global>
inet6 fe80::5c7d:6aff:fe5d:af62 prefixlen 64 scopeid 0x20<link>
ether d0:50:99:3b:c4:6d txqueuelen 1000 (Ethernet)
RX packets 1540634 bytes 381114575 (363.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1081731 bytes 1880764598 (1.7 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
bridge1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 ::d250:99ff:fe3b:c46c prefixlen 64 scopeid 0x0<global>
inet6 fe80::d250:99ff:fe3b:c46c prefixlen 64 scopeid 0x20<link>
ether d0:50:99:3b:c4:6c txqueuelen 1000 (Ethernet)
RX packets 59405 bytes 5101150 (4.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4884 bytes 1592871 (1.5 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
hdhrnet: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether d0:50:99:3b:c4:6c txqueuelen 1000 (Ethernet)
RX packets 5096270 bytes 6370579858 (5.9 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3696964 bytes 415084421 (395.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 20 memory 0xf0600000-f0620000
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1 (Local Loopback)
RX packets 583516 bytes 1781160460 (1.6 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 583516 bytes 1781160460 (1.6 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
network: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether d0:50:99:3b:c4:6d txqueuelen 1000 (Ethernet)
RX packets 3877138 bytes 487315760 (464.7 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 6340719 bytes 8079749900 (7.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device memory 0xf0400000-f047ffff
vif2.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether fe:ff:ff:ff:ff:ff txqueuelen 32 (Ethernet)
RX packets 5020313 bytes 1833887635 (1.7 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 3492310 bytes 405993324 (387.1 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vif2.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether fe:ff:ff:ff:ff:ff txqueuelen 32 (Ethernet)
RX packets 3692112 bytes 340130720 (324.3 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4981866 bytes 2042066996 (1.9 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 |
In this case, bridge0 is my LAN, and bridge1 is my WAN. The host (dom0) will not be attempting to use the WAN. The 192.168.0.1 address on bridge1 is leftover from a previous config, but I don't imagine it's hurting anything here. On the firewall, the LAN is configured to 10.4.12.10, and the WAN is configured with a proper address.
_________________
Life without passion is death in disguise
Last edited by KShots on Sat Aug 27, 2016 2:54 am; edited 1 time in total |
|
| Back to top |
|
 |
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Mon Aug 15, 2016 1:31 am Post subject: |
|
|
Interesting development... I managed to get a packet capture from the firewall showing that traffic is indeed getting that far: | Code: | 21:28:52.418673 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.25 > 199.122.125.136.43075: Flags [S.], cksum 0x5b48 (incorrect -> 0xccc2), seq 2767088394, ack 3521664404, win 28960, options [mss 1460,sackOK,TS val 43610800 ecr 3365245249,nop,wscale 7], length 0
21:28:52.553856 00:16:3e:ae:bd:cc > d0:50:99:3b:c4:6d, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 50, id 60446, offset 0, flags [DF], proto TCP (6), length 60)
199.122.125.136.40042 > 10.4.12.19.25: Flags [S], cksum 0xec6f (correct), seq 3441599534, win 5840, options [mss 1460,sackOK,TS val 1100257853 ecr 0,nop,wscale 7], length 0
21:28:52.554037 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.25 > 199.122.125.136.40042: Flags [S.], cksum 0x5b48 (incorrect -> 0x4aa1), seq 514393442, ack 3441599535, win 28960, options [mss 1460,sackOK,TS val 43610833 ecr 1100236853,nop,wscale 7], length 0
21:28:52.598832 00:16:3e:ae:bd:cc > d0:50:99:3b:c4:6d, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 47, id 64916, offset 0, flags [DF], proto TCP (6), length 60)
198.245.93.77.54247 > 10.4.12.19.25: Flags [S], cksum 0x678e (correct), seq 2372823761, win 14600, options [mss 1460,sackOK,TS val 3996562072 ecr 0,nop,wscale 7], length 0
21:28:52.599007 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.25 > 198.245.93.77.54247: Flags [S.], cksum 0x3a88 (incorrect -> 0xe162), seq 2274782285, ack 2372823762, win 28960, options [mss 1460,sackOK,TS val 43610845 ecr 3996555072,nop,wscale 7], length 0
21:28:54.273715 00:16:3e:ae:bd:cc > d0:50:99:3b:c4:6d, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 49, id 54779, offset 0, flags [DF], proto TCP (6), length 60)
66.231.81.45.58607 > 10.4.12.19.25: Flags [S], cksum 0x1b2c (correct), seq 2681868061, win 5840, options [mss 1460,sackOK,TS val 1294371506 ecr 0,nop,wscale 7], length 0
21:28:54.273748 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.25 > 66.231.81.45.58607: Flags [S.], cksum 0xaa59 (incorrect -> 0x7ffd), seq 4286216706, ack 2681868062, win 28960, options [mss 1460,sackOK,TS val 43611263 ecr 1294326506,nop,wscale 7], length 0
21:28:55.810748 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 5407, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.44336 > 107.14.166.73.25: Flags [S], cksum 0x279d (incorrect -> 0x9b05), seq 2323211039, win 29200, options [mss 1460,sackOK,TS val 43611648 ecr 0,nop,wscale 7], length 0
21:28:56.421633 00:16:3e:ae:bd:cc > d0:50:99:3b:c4:6d, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 50, id 50389, offset 0, flags [DF], proto TCP (6), length 60)
199.122.125.136.43075 > 10.4.12.19.25: Flags [S], cksum 0x5a5e (correct), seq 3521664403, win 5840, options [mss 1460,sackOK,TS val 3365266249 ecr 0,nop,wscale 7], length 0
21:28:56.421783 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.25 > 199.122.125.136.43075: Flags [S.], cksum 0x5b48 (incorrect -> 0xc8da), seq 2767088394, ack 3521664404, win 28960, options [mss 1460,sackOK,TS val 43611800 ecr 3365245249,nop,wscale 7], length 0
21:28:56.598628 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.25 > 198.245.93.77.54247: Flags [S.], cksum 0x3a88 (incorrect -> 0xdd7a), seq 2274782285, ack 2372823762, win 28960, options [mss 1460,sackOK,TS val 43611845 ecr 3996555072,nop,wscale 7], length 0
21:28:56.810673 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 5408, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.44336 > 107.14.166.73.25: Flags [S], cksum 0x279d (incorrect -> 0x9a0b), seq 2323211039, win 29200, options [mss 1460,sackOK,TS val 43611898 ecr 0,nop,wscale 7], length 0
21:28:58.814675 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 64, id 5409, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.44336 > 107.14.166.73.25: Flags [S], cksum 0x279d (incorrect -> 0x9816), seq 2323211039, win 29200, options [mss 1460,sackOK,TS val 43612399 ecr 0,nop,wscale 7], length 0
21:29:00.598693 00:16:3e:ae:bd:cc > d0:50:99:3b:c4:6d, ethertype IPv4 (0x0800), length 74: (tos 0x10, ttl 47, id 64917, offset 0, flags [DF], proto TCP (6), length 60)
198.245.93.77.54247 > 10.4.12.19.25: Flags [S], cksum 0x484e (correct), seq 2372823761, win 14600, options [mss 1460,sackOK,TS val 3996570072 ecr 0,nop,wscale 7], length 0
21:29:00.598795 d0:50:99:3b:c4:6d > 00:16:3e:ae:bd:cc, ethertype IPv4 (0x0800), length 74: (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.25 > 198.245.93.77.54247: Flags [S.], cksum 0x3a88 (incorrect -> 0xd992), seq 2274782285, ack 2372823762, win 28960, options [mss 1460,sackOK,TS val 43612845 ecr 3996555072,nop,wscale 7], length 0
|
The host 10.4.12.19 is my dom0 machine, the packet capture was taken from my domU pfsense firewall. The firewall insists it isn't blocking this traffic, though...
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Mon Aug 15, 2016 10:45 am Post subject: |
|
|
Kshots,
if you take a closer look at the packet capture you will notice that many packets have an incorrect checksum - and that's the source of your problem.
I am also running pfsense under XEN and have had the same issue (starting from pfsense 2.2 back in January 2015). At that time I did quiet a bit of investigation and have also come up with a solution to rectify the issue. I'll explain what I found out then and als try to provide a reasoning why I think it works that way for you to understand what I think is going on:
- It appears that any TCP traffic from a domU or the dom0 arriving at the pfSense domU through the XEN virtual netback/netfron vif interface xn0 displays an incorrect checksum. I also figured this through tcpdump within the pfSense domU listening on the (paravirtualized) xn0 interface.
- Interestingly enough, ICMP and UDP (e.g. DNS resolution) traffic was not affected and has always worked in my case.
- It appeared to me that the firewall system (probably the pf packet filter) silently dropped all TCP traffic with an incorrect checksum
- The reason why those packets arrive without a proper checksum lies within the paravirtualized XEN vif interfaces: Those are using shared memory between dom0 and the domUs (respectively between different domUs). As this is considered to be safe (there's no transfer over a probably faulty wire) the checksum calculation functionality is advertised by the driver, but in essence is just a null-function.
- This means that a normal domU / the dom0 does neither calculate the checksum when sending packets nor checks the checksum when receiving traffic through a paravirtualized vif interface. The pfSense system / the pf packet filter however seems to care about those seemingly incorrect checksum values and decides to silently drop packets without a proper checksum.
- Given the above I came to the conclusion that changing anything at the pfSense domU level would not make any sense as there was no option to just ignore the faulty checksum for received packets and accept the packet despite that error. In particular (and contrary to some advice found elsewhere) enabling "Disable hardware checksum offload" under System/Advanced/Networking on the pfSense menu can stay off (i.e. remain with offloading hardware checksum calculation to the NIC). This offloading (in terms of XEN) is only relevant for sending traffic from the pfSense firewall to any domU / the dom0 through the paravirtualized vif xn0 and neither of these recipients cares about the checksum arriving on a paravirtualized vif interface.
- The only issue remaining was to ensure that traffic arriving at the pfSense firewall through the xn0 interface had correct checksums. In the standard bridged setup this clearly could only be sorted in the dom0 backend vif connected to the frontend for the pfSense domU.
- Once I arrived at that conclusion I simply disabled the tx offload function for the backend connected to the pfSense domU within the dom0 machine:
| Code: | | /usr/sbin/ethtool --offload "$ifname" tx off |
where the variable ifname (I use this within a script) contains the name of the vif backend for the pfSense domU connected to the bridge xenbr0.
This has sorted my connection issues: All communication was back and everything worked again on that front. Furthermore it is only a small change which can easily be incorporated into the setup-script for the bridged setup for the vif to the pfSense domU through parameters in the xl configuration file for the pfSesne domU.
Also there's no need to do this for any (other) domU; it's only required for this single pfSense backend vif in dom0.
Regards Atom2 |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Mon Aug 15, 2016 10:40 pm Post subject: |
|
|
| Atom2 wrote: | Kshots,
if you take a closer look at the packet capture you will notice that many packets have an incorrect checksum - and that's the source of your problem. |
Yeah, I had noticed that. I've never seen invalid checksums on normal TCP traffic before, it had me scratching my head... Good to see I'm not alone at least :/ | Atom2 wrote: | I am also running pfsense under XEN and have had the same issue (starting from pfsense 2.2 back in January 2015). At that time I did quiet a bit of investigation and have also come up with a solution to rectify the issue. I'll explain what I found out then and als try to provide a reasoning why I think it works that way for you to understand what I think is going on:
- It appears that any TCP traffic from a domU or the dom0 arriving at the pfSense domU through the XEN virtual netback/netfron vif interface xn0 displays an incorrect checksum. I also figured this through tcpdump within the pfSense domU listening on the (paravirtualized) xn0 interface.
- Interestingly enough, ICMP and UDP (e.g. DNS resolution) traffic was not affected and has always worked in my case.
- It appeared to me that the firewall system (probably the pf packet filter) silently dropped all TCP traffic with an incorrect checksum
- The reason why those packets arrive without a proper checksum lies within the paravirtualized XEN vif interfaces: Those are using shared memory between dom0 and the domUs (respectively between different domUs). As this is considered to be safe (there's no transfer over a probably faulty wire) the checksum calculation functionality is advertised by the driver, but in essence is just a null-function.
- This means that a normal domU / the dom0 does neither calculate the checksum when sending packets nor checks the checksum when receiving traffic through a paravirtualized vif interface. The pfSense system / the pf packet filter however seems to care about those seemingly incorrect checksum values and decides to silently drop packets without a proper checksum.
- Given the above I came to the conclusion that changing anything at the pfSense domU level would not make any sense as there was no option to just ignore the faulty checksum for received packets and accept the packet despite that error. In particular (and contrary to some advice found elsewhere) enabling "Disable hardware checksum offload" under System/Advanced/Networking on the pfSense menu can stay off (i.e. remain with offloading hardware checksum calculation to the NIC). This offloading (in terms of XEN) is only relevant for sending traffic from the pfSense firewall to any domU / the dom0 through the paravirtualized vif xn0 and neither of these recipients cares about the checksum arriving on a paravirtualized vif interface.
- The only issue remaining was to ensure that traffic arriving at the pfSense firewall through the xn0 interface had correct checksums. In the standard bridged setup this clearly could only be sorted in the dom0 backend vif connected to the frontend for the pfSense domU.
- Once I arrived at that conclusion I simply disabled the tx offload function for the backend connected to the pfSense domU within the dom0 machine:
| Code: | | /usr/sbin/ethtool --offload "$ifname" tx off |
where the variable ifname (I use this within a script) contains the name of the vif backend for the pfSense domU connected to the bridge xenbr0.
This has sorted my connection issues: All communication was back and everything worked again on that front. Furthermore it is only a small change which can easily be incorporated into the setup-script for the bridged setup for the vif to the pfSense domU through parameters in the xl configuration file for the pfSesne domU.
Also there's no need to do this for any (other) domU; it's only required for this single pfSense backend vif in dom0.
Regards Atom2 |
This makes a lot of sense to me. So the xen driver doesn't bother with a checksum function through the bridge interface because the checksum was already passed and accepted by the dom0 on the physical host, and unless you have faulty memory, it shouldn't be corrupted through the virtual interface to the domU. I get that.
In my case, I've tried your solution... and unless I'm doing something wrong (I'm not at all familiar with ethtool), it doesn't appear to resolve my problem. Relevant ifconfig information: | Code: | bridge0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.4.12.19 netmask 255.255.255.0 broadcast 10.4.12.255
inet6 2602:100:3258:14b2::4 prefixlen 64 scopeid 0x0<global>
inet6 2602:100:3258:14b2::3 prefixlen 64 scopeid 0x0<global>
inet6 2602:100:3258:14b2::2 prefixlen 64 scopeid 0x0<global>
inet6 fe80::3426:80ff:fecf:a8f1 prefixlen 64 scopeid 0x20<link>
ether d0:50:99:3b:c4:6d txqueuelen 1000 (Ethernet)
RX packets 750985 bytes 184511507 (175.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 172157 bytes 22716167 (21.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
bridge1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.0.1 netmask 255.255.255.0 broadcast 192.168.0.255
inet6 ::d250:99ff:fe3b:c46c prefixlen 64 scopeid 0x0<global>
inet6 fe80::d250:99ff:fe3b:c46c prefixlen 64 scopeid 0x20<link>
ether d0:50:99:3b:c4:6c txqueuelen 1000 (Ethernet)
RX packets 30438 bytes 2602040 (2.4 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2505 bytes 811422 (792.4 KiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vif1.0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether fe:ff:ff:ff:ff:ff txqueuelen 32 (Ethernet)
RX packets 1928884 bytes 2253918937 (2.0 GiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1292832 bytes 152771659 (145.6 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
vif1.1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether fe:ff:ff:ff:ff:ff txqueuelen 32 (Ethernet)
RX packets 1518315 bytes 135183040 (128.9 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1985801 bytes 2624714838 (2.4 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0 |
So given this setup, I should focus on the "vifx.y" interfaces for the ethtool command you provided. Further, the interface that my LAN would connect from would be the one with the larger TX packets value, as I've been watching Netflix recently and have downloaded more than I've uploaded, so the target should be vif1.1. However, when I run this command, it simply returns an exit code 0 (success) and I still can't pass TCP traffic. On the theory that maybe I'm misunderstanding and I've got the interfaces reversed, I also tried vif1.0, but had the same result.
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 9:45 pm Post subject: |
|
|
Ok, I've resolved the checksum issue as indicated by this new packet capture from pfsense: | Code: | 17:29:45.502581 IP (tos 0x10, ttl 64, id 24013, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.47274 > 64.233.177.113.80: Flags [S], cksum 0x8a54 (correct), seq 488576348, win 29200, options [mss 1460,sackOK,TS val 253970577 ecr 0,nop,wscale 7], length 0
17:29:46.502117 IP (tos 0x10, ttl 64, id 24014, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.47274 > 64.233.177.113.80: Flags [S], cksum 0x895a (correct), seq 488576348, win 29200, options [mss 1460,sackOK,TS val 253970827 ecr 0,nop,wscale 7], length 0
17:29:48.506135 IP (tos 0x10, ttl 64, id 24015, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.47274 > 64.233.177.113.80: Flags [S], cksum 0x8765 (correct), seq 488576348, win 29200, options [mss 1460,sackOK,TS val 253971328 ecr 0,nop,wscale 7], length 0
17:29:52.514100 IP (tos 0x10, ttl 64, id 24016, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.47274 > 64.233.177.113.80: Flags [S], cksum 0x837b (correct), seq 488576348, win 29200, options [mss 1460,sackOK,TS val 253972330 ecr 0,nop,wscale 7], length 0
17:30:00.538136 IP (tos 0x10, ttl 64, id 24017, offset 0, flags [DF], proto TCP (6), length 60)
10.4.12.19.47274 > 64.233.177.113.80: Flags [S], cksum 0x7ba5 (correct), seq 488576348, win 29200, options [mss 1460,sackOK,TS val 253974336 ecr 0,nop,wscale 7], length 0 |
... but it's still being silently dropped... I still see nothing in the firewall logs about it, and there's no reply. UDP also gets blocked entirely... but ICMP goes right through. I've set it up to automatically disable offloading by making a copy of /etc/xen/scripts/vif-bridge and adding the following bit into the copy: | Code: | | /usr/sbin/ethtool -K $vif tx off >/dev/null 2>&1 |
, and set the following in my xen cfg file: | Code: | | vif = [ 'mac=*hidden*,bridge=bridge0,script=/etc/xen/scripts/vif-bridge-pfsense', ... ] |
... which I've confirmed is disabling tx checksum offloading for my LAN interface. It appears the packets are going out successfully (maybe?), but I'm getting no reply nor any indication that anything's being blocked.
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Fri Aug 26, 2016 10:01 pm Post subject: |
|
|
It seems I have missed you previous reply, but I am currently online, so maybe we can try to resolve this together. Could you please describe your setup. Mine is as follows:
I do have a HVM pfSense setup with a PV vif interface that is connected to the bridge and, through the dom0 via the bridged NIC, to the internal LAN. Furthermore there is a PCI network card passed through to the pfSense domU which connects to the WAN and is used to route the internet traffic. This means there's no issue with checksums on the internet connection from pfSense outwards as this goes through a real NIC interface which does the calculation. All traffic destined to the internet from the LAN (including dom0 and all other domUs) is routed through the pfSense domU.
How about your setup?
Atom2 |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 10:34 pm Post subject: |
|
|
| Atom2 wrote: | It seems I have missed you previous reply, but I am currently online, so maybe we can try to resolve this together. Could you please describe your setup. Mine is as follows:
I do have a HVM pfSense setup with a PV vif interface that is connected to the bridge and, through the dom0 via the bridged NIC, to the internal LAN. Furthermore there is a PCI network card passed through to the pfSense domU which connects to the WAN and is used to route the internet traffic. This means there's no issue with checksums on the internet connection from pfSense outwards as this goes through a real NIC interface which does the calculation. All traffic destined to the internet from the LAN (including dom0 and all other domUs) is routed through the pfSense domU.
How about your setup?
Atom2 |
Mine matches yours with the exception of the real NIC on the WAN. Mine is another PV VIF connected to a bridge on my external (WAN) interface on dom0... of which (at the moment) only pfsense would utilize. I'm assuming you passed the PCI ID in your xen config so it could use the real driver for the interface, and left the dom0 unconfigured?
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Fri Aug 26, 2016 10:44 pm Post subject: |
|
|
| KShots wrote: | | Mine matches yours with the exception of the real NIC on the WAN. Mine is another PV VIF connected to a bridge on my external (WAN) interface on dom0... of which (at the moment) only pfsense would utilize. I'm assuming you passed the PCI ID in your xen config so it could use the real driver for the interface, and left the dom0 unconfigured? |
That's correct, there's no driver in dom0 and this approach requires vt-d support. But in my view that's the only secure approach, but that's another story.
If I understand your setup correctly, you are going through the dom0 twice and have two bridges. I have never tried that, but in this case you might probably also need to do something in the pfSense domU. Just to be on the safe side, could you post your pfSense config file and the script you are using to setup the vif interface correctly. My config file looks as follows: | Code: | builder = 'hvm'
cpus = '2-7'
vcpus = 2
cpu_weight = 512
memory = 640
name = 'pfsense'
disk = [ 'vdev=xvda,format=raw,access=rw,target=/etc/xen/guests/disk.d/pfsense.disk' ]
vif = [ 'mac=xx:xx:xx:xx:xx:xx,bridge=xenbr0,type=vif,vifname=pfsense.0,script=vif-bridge.noTXoffload' ]
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'destroy'
localtime = 0
boot = 'c'
vnc = 1
vnclisten = '127.0.0.1'
vncpasswd = ''
keymap = 'de'
nographic = 1
serial = 'pty'
nx = 1
pci = [ '04:00.0', '0a:08.0', '0a:0b.0' ] |
and the scipt named 'vif-bridge.noTXoffload' reads as follows: | Code: | #!/bin/bash
if ${0%.*} $* ; then
if [[ "$1" == "online" && $2 == "type_if=vif" ]] ; then
ifname=$(xenstore-read /local/domain/0/$XENBUS_PATH/vifname)
/usr/sbin/ethtool --offload "$ifname" tx off >/dev/null 2>&1
fi
fi |
|
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 10:49 pm Post subject: |
|
|
To clarify, here's my pfsense config: | Code: | memory = 256
maxmem = 1024
vcpus = 2
acpi = 1
apic = 1
name = "pfsense"
uuid = "*hidden*"
# PVHVM stuff
builder = "hvm"
firmware_override = "hvmloader"
boot = "c"
vif = [ 'mac=*hidden*,bridge=bridge0,script=/etc/xen/scripts/vif-bridge-pfsense', 'mac=*hidden*,bridge=bridge1' ]
disk = [ '/home/domu/pfsense.img,raw,hda,w' ]
device_model_version = 'qemu-xen-traditional'
# Necessary for getting the serial console in `xm console`
serial = "pty"
on_poweroff = 'destroy'
on_reboot = 'restart'
on_crash = 'destroy'
#pci = ['00:19.0'] |
Note that I just tried to pass the external NIC to pfsense, and the startup failed with: | Code: | Parsing config from /etc/xen/pfsense.cfg
libxl: error: libxl_create.c:852:initiate_domain_create: PCI device assignment for HVM guest failed due to PoD enabled |
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 10:53 pm Post subject: |
|
|
| Atom2 wrote: | | If I understand your setup correctly, you are going through the dom0 twice and have two bridges. I have never tried that, but in this case you might probably also need to do something in the pfSense domU. Just to be on the safe side, could you post your pfSense config file and the script you are using to setup the vif interface correctly |
Looks like we're posting right past each other. Just saw this one. My script simply adds one line to the existing default vif-bridge script as I described above, but here's the entirety of the script: | Code: | #!/bin/bash
#============================================================================
# ${XEN_SCRIPT_DIR}/vif-bridge
#
# Script for configuring a vif in bridged mode.
#
# Usage:
# vif-bridge (add|remove|online|offline)
#
# Environment vars:
# vif vif interface name (required).
# XENBUS_PATH path to this device's details in the XenStore (required).
#
# Read from the store:
# bridge bridge to add the vif to (optional). Defaults to searching for the
# bridge itself.
# ip list of IP networks for the vif, space-separated (optional).
#
# up:
# Enslaves the vif interface to the bridge and adds iptables rules
# for its ip addresses (if any).
#
# down:
# Removes the vif interface from the bridge and removes the iptables
# rules for its ip addresses (if any).
#============================================================================
dir=$(dirname "$0")
. "$dir/vif-common.sh"
/usr/sbin/ethtool -K $vif tx off >/dev/null 2>&1
bridge=${bridge:-}
bridge=$(xenstore_read_default "$XENBUS_PATH/bridge" "$bridge")
if [ -z "$bridge" ]
then
bridge=$(brctl show | awk 'NR==2{print$1}')
if [ -z "$bridge" ]
then
fatal "Could not find bridge, and none was specified"
fi
else
#
# Old style bridge setup with netloop, used to have a bridge name
# of xenbrX, enslaving pethX and vif0.X, and then configuring
# eth0.
#
# New style bridge setup does not use netloop, so the bridge name
# is ethX and the physical device is enslaved pethX
#
# So if...
#
# - User asks for xenbrX
# - AND xenbrX doesn't exist
# - AND there is a ethX device which is a bridge
#
# ..then we translate xenbrX to ethX
#
# This lets old config files work without modification
#
if [ ! -e "/sys/class/net/$bridge" ] && [ -z "${bridge##xenbr*}" ]
then
if [ -e "/sys/class/net/eth${bridge#xenbr}/bridge" ]
then
bridge="eth${bridge#xenbr}"
fi
fi
fi
RET=0
ip link show dev $bridge 1>/dev/null 2>&1 || RET=1
if [ "$RET" -eq 1 ]
then
fatal "Could not find bridge device $bridge"
fi
case "$command" in
online)
setup_virtual_bridge_port "$dev"
set_mtu $bridge $dev
add_to_bridge "$bridge" "$dev"
;;
offline)
do_without_error brctl delif "$bridge" "$dev"
do_without_error ifconfig "$dev" down
;;
add)
setup_virtual_bridge_port "$dev"
set_mtu $bridge $dev
add_to_bridge "$bridge" "$dev"
;;
esac
handle_iptable
call_hooks vif post
log debug "Successful vif-bridge $command for $dev, bridge $bridge."
if [ "$type_if" = vif -a "$command" = "online" ]
then
success
fi |
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Fri Aug 26, 2016 10:54 pm Post subject: |
|
|
| KShots wrote: | Note that I just tried to pass the external NIC to pfsense, and the startup failed with: | Code: | Parsing config from /etc/xen/pfsense.cfg
libxl: error: libxl_create.c:852:initiate_domain_create: PCI device assignment for HVM guest failed due to PoD enabled |
|
Have you excluded the PCI-id of the NIC on the XEN command line with | Code: | | xen-pciback.hide=(xx:yy:zz) |
on the grub "module" command line? This would require a reboot. |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Fri Aug 26, 2016 11:01 pm Post subject: |
|
|
| KShots wrote: | | My script simply adds one line to the existing default vif-bridge script as I described above, but here's the entirety of the script [snip] |
I am not sure, but I believe that the tx off needs to be run after the bridge is up. Yours seems to be doing that tight at the start, whereas my script makes sure it's done at the end: It first fires off the standard script. In case that worked, it then checks certain parameters (i.e. if we go "online" and the interface type is "vif") and if required sets the necessary parameter with the ethtool command.
Could you try my script instead. There should be no other change required at your end as the script gets the necessary info from xenstore. |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Fri Aug 26, 2016 11:07 pm Post subject: |
|
|
Before I forget: In case you use my script, you should revert the standard bridge script to its original state (i.e. delete any changes you have made). That approach also guarantees that you always use that latest script that ships with xen.
And you obviously need to change the script name in the pfSense configuration file to match my name. |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 11:14 pm Post subject: |
|
|
| Atom2 wrote: | | KShots wrote: | | My script simply adds one line to the existing default vif-bridge script as I described above, but here's the entirety of the script [snip] |
I am not sure, but I believe that the tx off needs to be run after the bridge is up. Yours seems to be doing that tight at the start, whereas my script makes sure it's done at the end: It first fires off the standard script. In case that worked, it then checks certain parameters (i.e. if we go "online" and the interface type is "vif") and if required sets the necessary parameter with the ethtool command.
Could you try my script instead. There should be no other change required at your end as the script gets the necessary info from xenstore. |
Ouch... tried your script and it fork-bombed the poor machine. I think I'll simply move my line to the bottom of the script, just after it logs success.
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Fri Aug 26, 2016 11:22 pm Post subject: |
|
|
| KShots wrote: | | Ouch... tried your script and it fork-bombed the poor machine. I think I'll simply move my line to the bottom of the script, just after it logs success. |
Well sorry for that and it was definitely not my intention. It also doesn't make any sense as the only thing my script does is to take of the trailing bit starting with the last "." from $0 (i.e. the '.noTXoffload' from the name vif-bridge.noTXoffload to come up with vif-bridge) and then fires off the remainder of the command with that name (i.e. the vif-bridge script) passing all original parameters; in case the original script succeeds, it sets the right parameters with the ethtool command. That's very strange indeed ... and I am using this script on a number of machines without any issues whatsoever ....
Anyways, is there any progress? |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 11:23 pm Post subject: |
|
|
| Atom2 wrote: | | KShots wrote: | Note that I just tried to pass the external NIC to pfsense, and the startup failed with: | Code: | Parsing config from /etc/xen/pfsense.cfg
libxl: error: libxl_create.c:852:initiate_domain_create: PCI device assignment for HVM guest failed due to PoD enabled |
|
Have you excluded the PCI-id of the NIC on the XEN command line with | Code: | | xen-pciback.hide=(xx:yy:zz) |
on the grub "module" command line? This would require a reboot. |
Nope, hadn't tried that... trying it now (mine's built-in rather than a module, and using an EFI stub rather than grub... but it's still doable).
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 11:26 pm Post subject: |
|
|
| Atom2 wrote: | | KShots wrote: | | Ouch... tried your script and it fork-bombed the poor machine. I think I'll simply move my line to the bottom of the script, just after it logs success. |
Well sorry for that and it was definitely not my intention. It also doesn't make any sense as the only thing my script does is to take of the trailing bit starting with the last "." from $0 (i.e. the '.noTXoffload' from the name vif-bridge.noTXoffload to come up with vif-bridge) and then fires off the remainder of the command with that name (i.e. the vif-bridge script) passing all original parameters; in case the original script succeeds, it sets the right parameters with the ethtool command. That's very strange indeed ... and I am using this script on a number of machines without any issues whatsoever ....
Anyways, is there any progress? |
About all I can think of is that I didn't name the script like you did... I called it /etc/xen/scripts/vif-bridge-pfsense2. Still not sure myself why it fork-bombed. Rebooting the machine now to get the PCI pass-thru working (fingers crossed)
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Fri Aug 26, 2016 11:31 pm Post subject: |
|
|
| KShots wrote: | | About all I can think of is that I didn't name the script like you did... I called it /etc/xen/scripts/vif-bridge-pfsense2. Still not sure myself why it fork-bombed. Rebooting the machine now to get the PCI pass-thru working (fingers crossed) |
Ah, that makes perfect sense then: As there was no "." in the name it recursively called itself - and the outcome was what you experienced. If you want to stick to the name you used you need to change my | Code: | | if ${0%.*} $* ; then |
to | Code: | | if ${0%-*} $* ; then |
In other words you need to change the "." to a "-" |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 11:55 pm Post subject: |
|
|
| Atom2 wrote: | | KShots wrote: | Note that I just tried to pass the external NIC to pfsense, and the startup failed with: | Code: | Parsing config from /etc/xen/pfsense.cfg
libxl: error: libxl_create.c:852:initiate_domain_create: PCI device assignment for HVM guest failed due to PoD enabled |
|
Have you excluded the PCI-id of the NIC on the XEN command line with | Code: | | xen-pciback.hide=(xx:yy:zz) |
on the grub "module" command line? This would require a reboot. |
No dice... pciback hides it successfully: | Code: | gorgon ~ # dmesg | grep 00:19.0
[ 0.000000] Kernel command line: quiet splash xen-pciback.hide=(00:19.0)
[ 19.112001] pci 0000:00:19.0: [8086:153a] type 00 class 0x020000
[ 19.112035] pci 0000:00:19.0: reg 0x10: [mem 0xf0600000-0xf061ffff]
[ 19.112046] pci 0000:00:19.0: reg 0x14: [mem 0xf0634000-0xf0634fff]
[ 19.112058] pci 0000:00:19.0: reg 0x18: [io 0xf060-0xf07f]
[ 19.112128] pci 0000:00:19.0: PME# supported from D0 D3hot D3cold
[ 19.112154] pci 0000:00:19.0: System wakeup disabled by ACPI
[ 19.153550] pciback 0000:00:19.0: seizing device
[ 19.293336] pciback 0000:00:19.0: enabling device (0002 -> 0003) |
Note "pciback: seizing device", and the host (dom0) no longer sees the NIC. However, I still get the same error when attempting to use that PCI ID: | Code: | gorgon ~ # xl create /etc/xen/pfsense.cfg
Parsing config from /etc/xen/pfsense.cfg
libxl: error: libxl_create.c:852:initiate_domain_create: PCI device assignment for HVM guest failed due to PoD enabled |
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Fri Aug 26, 2016 11:57 pm Post subject: |
|
|
| Atom2 wrote: | | KShots wrote: | | About all I can think of is that I didn't name the script like you did... I called it /etc/xen/scripts/vif-bridge-pfsense2. Still not sure myself why it fork-bombed. Rebooting the machine now to get the PCI pass-thru working (fingers crossed) |
Ah, that makes perfect sense then: As there was no "." in the name it recursively called itself - and the outcome was what you experienced. If you want to stick to the name you used you need to change my | Code: | | if ${0%.*} $* ; then |
to | Code: | | if ${0%-*} $* ; then |
In other words you need to change the "." to a "-" |
Ah, now I understand what it's doing. I don't think changing the '.' to a '-' would be sufficient, as the first '-' it encounters is -bridge-pfsense2, which would strip that section out... leaving /etc/xen/scripts/vif... which is not a script. I like what you're doing, though... I'll adopt your naming scheme and adjust.
EDIT: spoke too soon... got the following: | Code: | gorgon scripts # xl create /etc/xen/pfsense.cfg
Parsing config from /etc/xen/pfsense.cfg
xenstore-read: couldn't read path /local/domain/0/backend/vif/1/0/vifname
libxl: error: libxl_exec.c:118:libxl_report_child_exitstatus: /etc/xen/scripts/vif-bridge.noTXoffload online [2104] exited with error status 1
libxl: error: libxl_create.c:1384:domcreate_attach_vtpms: unable to add nic devices
libxl: error: libxl.c:1610:libxl__destroy_domid: non-existant domain 1
libxl: error: libxl.c:1568:domain_destroy_callback: unable to destroy guest with domid 1
libxl: error: libxl.c:1495:domain_destroy_cb: destruction of domain 1 failed |
xenstored is running... | Code: | gorgon scripts # systemctl status xenstored
● xenstored.service - The Xen xenstore
Loaded: loaded (/usr/lib64/systemd/system/xenstored.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2016-08-26 19:49:47 EDT; 12min ago
Process: 925 ExecStartPre=/bin/mkdir -p /run/xen (code=exited, status=0/SUCCESS)
Process: 921 ExecStartPre=/bin/rm -f /var/lib/lib/xenstored/tdb* (code=exited, status=0/SUCCESS)
Process: 903 ExecStartPre=/bin/grep -q control_d /proc/xen/capabilities (code=exited, status=0/SUCCESS)
Main PID: 929 (xenstored)
CGroup: /system.slice/xenstored.service
└─929 /usr/sbin/xenstored --no-fork
Aug 26 19:49:46 gorgon systemd[1]: Starting The Xen xenstore...
Aug 26 19:49:47 gorgon xenstored[929]: Checking store ...
Aug 26 19:49:47 gorgon xenstored[929]: Checking store complete.
Aug 26 19:49:47 gorgon xenstored[929]: Checking store ...
Aug 26 19:49:47 gorgon xenstored[929]: Checking store complete.
Aug 26 19:49:47 gorgon sh[929]: xenstored is ready
Aug 26 19:49:47 gorgon systemd[1]: Started The Xen xenstore. |
_________________
Life without passion is death in disguise
Last edited by KShots on Sat Aug 27, 2016 12:02 am; edited 1 time in total |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Sat Aug 27, 2016 12:02 am Post subject: |
|
|
| KShots wrote: | | Ah, now I understand what it's doing. I don't think changing the '.' to a '-' would be sufficient, as the first '-' it encounters is -bridge-pfsense2, which would strip that section out... leaving /etc/xen/scripts/vif... which is not a script. I like what you're doing, though... I'll adopt your naming scheme and adjust. |
It is sufficient as the parsing starts from the end and strips off anything including the first "-" it encounters when moving from the end of the string to the start of the string. |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Sat Aug 27, 2016 12:13 am Post subject: |
|
|
| KShots wrote: | EDIT: spoke too soon... got the following: | Code: | gorgon scripts # xl create /etc/xen/pfsense.cfg
Parsing config from /etc/xen/pfsense.cfg
xenstore-read: couldn't read path /local/domain/0/backend/vif/1/0/vifname
libxl: error: libxl_exec.c:118:libxl_report_child_exitstatus: /etc/xen/scripts/vif-bridge.noTXoffload online [2104] exited with error status 1
libxl: error: libxl_create.c:1384:domcreate_attach_vtpms: unable to add nic devices
libxl: error: libxl.c:1610:libxl__destroy_domid: non-existant domain 1
libxl: error: libxl.c:1568:domain_destroy_callback: unable to destroy guest with domid 1
libxl: error: libxl.c:1495:domain_destroy_cb: destruction of domain 1 failed |
|
It appears that's most likely triggered from the fact that you did not give the vif interface a name. That's one parameter you can add in the config file for the domU like so: | Code: | | vif = [ 'mac=xx:xx:xx:xx:xx:xx,bridge=xenbr0,type=vif,vifname=pfsense.0,script=vif-bridge.noTXoffload' ] |
I usually name my vifs according to the name of the domU with an added sequentially increasing number in order to easily distinguish and link those to domUs when I use ifconfig in dom0. |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Sat Aug 27, 2016 12:20 am Post subject: |
|
|
To be honest, I am more concerned about that PoD thing.
| KShots wrote: | | Code: | gorgon ~ # xl create /etc/xen/pfsense.cfg
Parsing config from /etc/xen/pfsense.cfg
libxl: error: libxl_create.c:852:initiate_domain_create: PCI device assignment for HVM guest failed due to PoD enabled |
|
I have no clue what PoD is about. What card are you trying to pass through to the domU? |
|
| Back to top |
|
|
KShots
Guru
Joined: 09 Oct 2003
Posts: 591
Location: Florida
|
| Posted: Sat Aug 27, 2016 12:31 am Post subject: |
|
|
| Atom2 wrote: | | KShots wrote: | EDIT: spoke too soon... got the following: | Code: | gorgon scripts # xl create /etc/xen/pfsense.cfg
Parsing config from /etc/xen/pfsense.cfg
xenstore-read: couldn't read path /local/domain/0/backend/vif/1/0/vifname
libxl: error: libxl_exec.c:118:libxl_report_child_exitstatus: /etc/xen/scripts/vif-bridge.noTXoffload online [2104] exited with error status 1
libxl: error: libxl_create.c:1384:domcreate_attach_vtpms: unable to add nic devices
libxl: error: libxl.c:1610:libxl__destroy_domid: non-existant domain 1
libxl: error: libxl.c:1568:domain_destroy_callback: unable to destroy guest with domid 1
libxl: error: libxl.c:1495:domain_destroy_cb: destruction of domain 1 failed |
|
It appears that's most likely triggered from the fact that you did not give the vif interface a name. That's one parameter you can add in the config file for the domU like so: | Code: | | vif = [ 'mac=xx:xx:xx:xx:xx:xx,bridge=xenbr0,type=vif,vifname=pfsense.0,script=vif-bridge.noTXoffload' ] |
I usually name my vifs according to the name of the domU with an added sequentially increasing number in order to easily distinguish and link those to domUs when I use ifconfig in dom0. |
Ok, easily fixed and that part's working properly now... | Atom2 wrote: | To be honest, I am more concerned about that PoD thing.
KShots wrote:
Code:
gorgon ~ # xl create /etc/xen/pfsense.cfg
Parsing config from /etc/xen/pfsense.cfg
libxl: error: libxl_create.c:852:initiate_domain_create: PCI device assignment for HVM guest failed due to PoD enabled
I have no clue what PoD is about. What card are you trying to pass through to the domU? |
It's an Intel e1000... but I've likely found the issue here. When I was configuring the kernel, I should have enabled the Intel IOMMU. Looking specifically for that option, I found it was hidden because I hadn't enabled PCI MSI support. Now that I've enabled both (and set the Intel IOMMU to be enabled by default), I'm going to reboot and see what happens... I note at this point (before rebooting), I get the following when I query xen for what devices are assignable: | Code: | gorgon linux # xl pci-assignable-list
0000:00:19.0 |
So it looks like it's almost working...
_________________
Life without passion is death in disguise |
|
| Back to top |
|
|
Atom2
Apprentice
Joined: 01 Aug 2011
Posts: 185
|
| Posted: Sat Aug 27, 2016 12:34 am Post subject: |
|
|
| KShots wrote: | | It's an Intel e1000... |
I know that card is working, so let's wait for your reboot |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Other Things Gentoo
