
How to get networking going
---------------------------

Right now xenner supports only one mode for networking, and that one
is bridging.  It doesn't do any of the bridge setup itself, though.
Thus networking needs some setup; it does NOT "just work" out of the
box.

When using libvirt this should be easy, as libvirt handles all the
bridging, network setup and management for you, and you can stop
reading now ;)

xenner's -network command line switch takes a MAC address and a bridge
interface.  xenner will then create a tap device.  The tap device is
hooked into the bridge and connected to the virtual nic of the guest.

What needs to be done is setting up the bridge device in advance.

You can hook the physical host nic into that bridge.  This is what Xen
does by default, and it makes the guests show up on the host's network,
reachable from (and exposed to) the LAN like any other machine there.

You also can keep the bridge separate.  This is what I am doing; the
setup is described below.  The main advantage is that it works better
with a notebook, which can connect to the network using different
interfaces.  Even when unconnected, the guests can at least talk to
other guests and the host.
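
Doing the bridge setup by hand, e.g. on a system without the Fedora
ifcfg files: the following is an added example and not part of xenner.
It builds the bridge with iproute2's ip tool, takes the bridge name,
host address and an optional uplink nic from the environment (the
variable names BRIDGE, ADDR, UPLINK and DRY_RUN are chosen here), and
only prints the commands unless run as root with DRY_RUN=0.  Leaving
UPLINK empty gives the separate bridge described above; setting it to
the physical nic gives the Xen-style setup where guests appear on the
host's network.

```shell
#!/bin/sh
# Added example (not from xenner): build the bridge xenner's -network
# switch expects, using iproute2 instead of a Fedora ifcfg file.
# DRY_RUN=1 (the default) only prints the commands; run as root with
# DRY_RUN=0 to apply them.
set -eu

BRIDGE="${BRIDGE:-br0}"          # bridge name handed to xenner -network
ADDR="${ADDR:-172.31.6.1/24}"    # host address on the guest network
UPLINK="${UPLINK:-}"             # optional physical nic to enslave
DRY_RUN="${DRY_RUN:-1}"

# Print or execute a command, depending on DRY_RUN.
run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Isolated bridge: guests talk to each other and to the host at $ADDR.
bridge_up() {
    # forward_delay 0: a freshly added tap becomes usable at once instead
    # of sitting out the STP listening/learning phase.  Assumption: the
    # installed iproute2 accepts bridge options on "ip link add".
    run ip link add name "$BRIDGE" type bridge forward_delay 0
    run ip addr add "$ADDR" dev "$BRIDGE"
    run ip link set dev "$BRIDGE" up
}

# Optional: hook the physical nic into the bridge so guests show up on
# the host's LAN.  The bridge, not the nic, then carries the host address,
# and the guests are reachable from the LAN like any other machine.
bridge_add_uplink() {
    [ -n "$UPLINK" ] || return 0
    run ip addr flush dev "$UPLINK"
    run ip link set dev "$UPLINK" master "$BRIDGE"
    run ip link set dev "$UPLINK" up
}

# Tear everything down again (tap devices vanish with their xenner).
bridge_down() {
    if [ -n "$UPLINK" ]; then
        run ip link set dev "$UPLINK" nomaster
    fi
    run ip link set dev "$BRIDGE" down
    run ip link del dev "$BRIDGE"
}

case "${1:-up}" in
    up)   bridge_up; bridge_add_uplink ;;
    down) bridge_down ;;
    *)    echo "usage: $0 [up|down]" >&2; exit 2 ;;
esac
```

Run it once without arguments to see what it would do, then as root
with DRY_RUN=0 to apply; "down" undoes it.  The bridge has no address
on the LAN side in the isolated mode, so nothing outside the host can
reach the guests until the forwarding rules further down are in place.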


My Fedora setup
---------------

This file creates the bridge device at boot time and configures it for
the 172.31.6.0/24 network.

----- /etc/sysconfig/networking/devices/ifcfg-br0 -----
DEVICE=br0
TYPE=Bridge
#MACADDR=00:00:11:22:33:44
BOOTPROTO=none
NETMASK=255.255.255.0
IPADDR=172.31.6.1
ONBOOT=yes
USERCTL=no
IPV6INIT=no
PEERDNS=no
----- cut here -----

If you don't want to assign static IP addresses to your guests you can
set up a DHCP server like this:

----- /etc/sysconfig/dhcpd -----
# Command line options here
DHCPDARGS="br0"
----- cut here -----

----- /etc/dhcpd.conf -----
ddns-update-style none;
ignore client-updates;

subnet 172.31.6.0 netmask 255.255.255.0 {
        option routers                  172.31.6.1;
        option subnet-mask              255.255.255.0;
        option domain-name              "travel.kraxel.org";
        option domain-name-servers      172.31.6.1;

        range dynamic-bootp 172.31.6.128 172.31.6.254;
        default-lease-time 600;
        max-lease-time 3600;

        # tftp
        next-server                     172.31.6.1;
        filename                        "pxelinux.0";
}
----- cut here -----

I also have a local named running, so the host can act as domain name
server too (as indicated by the dhcpd config).  You might want to try
dnsmasq instead of a full-featured named and dhcpd setup.

If you want to allow your guests to talk to the outside world (assuming
the host has a connection, of course) you have to enable IP forwarding
(net.ipv4.ip_forward = 1 in /etc/sysctl.conf, applied with sysctl -p)
and set up some firewall rules.  Here is my iptables script (called from
/etc/rc.d/rc.local):

----- /root/bin/vnet-fw -----
#!/bin/sh
#
# forwarding + nat rules for the guests on the bridge.  Everything lives
# in private vnet-* chains hooked into the built-in chains, so the script
# can be re-run to refresh the rules without duplicating them.

INTERFACES="${1-br0}"


###############################################################
# init

# setup queues: create each chain and, only when it was just created,
# hook it into the built-in chain (-N fails if the chain exists already,
# so the -I is skipped on re-runs)
iptables -t filter -N vnet-filter-in  &&  iptables -t filter -I INPUT   -j vnet-filter-in
iptables -t filter -N vnet-filter-fw  &&  iptables -t filter -I FORWARD -j vnet-filter-fw
iptables -t mangle -N vnet-mangle-fw  &&  iptables -t mangle -I FORWARD -j vnet-mangle-fw
iptables -t nat    -N vnet-nat        &&  iptables -t nat    -I POSTROUTING -j vnet-nat

# flush queues
iptables -t filter -F vnet-filter-in
iptables -t filter -F vnet-filter-fw
iptables -t mangle -F vnet-mangle-fw
iptables -t nat    -F vnet-nat


###############################################################
# setup rules

for dev in $INTERFACES; do
  # guests may reach every service the host listens on; as the chain is
  # inserted at the top of INPUT this bypasses the rest of the host
  # firewall for traffic from the bridge
  iptables -t filter -A vnet-filter-in -i ${dev} -j ACCEPT
  # replies for connections the guests opened
  iptables -t filter -A vnet-filter-fw -o ${dev} \
        -m state --state ESTABLISHED,RELATED -j ACCEPT
  # mark what guests may send out.  only icmp and tcp are marked, so
  # guest udp (e.g. to outside dns or ntp servers) is never masqueraded
  # and gets no replies; guests have to use the host as resolver
  iptables -t mangle -A vnet-mangle-fw -i ${dev} -p icmp -j MARK --set-mark 1
  iptables -t mangle -A vnet-mangle-fw -i ${dev} -p tcp  -j MARK --set-mark 1
done
# clamp the mss of outgoing syns so pmtu problems behind nat don't bite
iptables -t mangle -A vnet-mangle-fw -m mark --mark 1 -p tcp \
        --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
# log every new outgoing tcp connection
iptables -t filter -A vnet-filter-fw -m mark --mark 1 -p tcp \
        --tcp-flags SYN,RST SYN -j LOG --log-prefix "vnet-fw-tcp: "
# forward and masquerade the marked packets
iptables -t filter -A vnet-filter-fw -m mark --mark 1 -j ACCEPT
iptables -t nat    -A vnet-nat       -m mark --mark 1 -j MASQUERADE

----- cut here -----
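
To check that the rules landed where they should, and to make the
protocol gap visible, here is an added audit script that is not part of
xenner.  It reads iptables-save output, verifies that each vnet-* chain
is hooked into its built-in chain, and lists which protocols from the
bridge actually get marked (and therefore forwarded and masqueraded).
The embedded ruleset is a constructed sample shaped like what
iptables-save prints after vnet-fw ran, and the function names are
chosen here.

```shell
#!/bin/sh
# Added example (not part of xenner): audit a saved iptables ruleset for
# the hooks vnet-fw installs.  Usage:
#     iptables-save > /tmp/rules; sh vnet-fw-audit /tmp/rules [br0]
# Without arguments it audits the constructed sample below, so it also
# runs offline.
set -eu

# Constructed sample, shaped like iptables-save output after vnet-fw ran.
SAMPLE_RULES='*mangle
:PREROUTING ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:vnet-mangle-fw - [0:0]
-A FORWARD -j vnet-mangle-fw
-A vnet-mangle-fw -i br0 -p icmp -j MARK --set-xmark 0x1/0xffffffff
-A vnet-mangle-fw -i br0 -p tcp -j MARK --set-xmark 0x1/0xffffffff
-A vnet-mangle-fw -p tcp -m mark --mark 0x1 -m tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
COMMIT
*nat
:POSTROUTING ACCEPT [0:0]
:vnet-nat - [0:0]
-A POSTROUTING -j vnet-nat
-A vnet-nat -m mark --mark 0x1 -j MASQUERADE
COMMIT
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:vnet-filter-in - [0:0]
:vnet-filter-fw - [0:0]
-A INPUT -j vnet-filter-in
-A FORWARD -j vnet-filter-fw
-A vnet-filter-in -i br0 -j ACCEPT
-A vnet-filter-fw -o br0 -m state --state RELATED,ESTABLISHED -j ACCEPT
-A vnet-filter-fw -p tcp -m mark --mark 0x1 -m tcp --tcp-flags SYN,RST SYN -j LOG --log-prefix "vnet-fw-tcp: "
-A vnet-filter-fw -m mark --mark 0x1 -j ACCEPT
COMMIT'

# has_jump RULES TABLE CHAIN TARGET: true if "-A CHAIN -j TARGET" exists
# inside the *TABLE section of the saved ruleset.
has_jump() {
    printf '%s\n' "$1" | awk -v tbl="*$2" -v chain="$3" -v tgt="$4" '
        $0 == tbl { in_tbl = 1; next }
        /^\*/     { in_tbl = 0 }
        in_tbl && $1 == "-A" && $2 == chain && $3 == "-j" && $4 == tgt { found = 1 }
        END { exit found ? 0 : 1 }'
}

# marked_protos RULES BRIDGE: protocols arriving on BRIDGE that get the
# mark in vnet-mangle-fw; only those are later ACCEPTed and MASQUERADEd.
marked_protos() {
    printf '%s\n' "$1" | awk -v br="$2" '
        $1 == "-A" && $2 == "vnet-mangle-fw" && $3 == "-i" && $4 == br &&
        $5 == "-p" && /-j MARK/ { out = out (out ? " " : "") $6 }
        END { print out }'
}

# audit_vnet_fw RULES BRIDGE: print findings, exit status 1 if a hook
# into a built-in chain is missing.
audit_vnet_fw() {
    rules=$1; br=$2; rc=0
    for spec in "mangle FORWARD vnet-mangle-fw" "nat POSTROUTING vnet-nat" \
                "filter INPUT vnet-filter-in" "filter FORWARD vnet-filter-fw"; do
        set -- $spec
        if has_jump "$rules" "$1" "$2" "$3"; then
            echo "ok:      $1 $2 -> $3"
        else
            echo "MISSING: $1 $2 -> $3"; rc=1
        fi
    done
    protos=$(marked_protos "$rules" "$br")
    echo "forwarded from $br: ${protos:-nothing}"
    # vnet-fw marks only icmp and tcp: unmarked guest udp is never
    # masqueraded, so udp to outside hosts (ntp, external dns) gets no
    # replies.  Point this out so nobody debugs it as a dns problem.
    case " $protos " in
        *" udp "*) ;;
        *) echo "note:    udp from $br is not forwarded; guests must use the host as resolver" ;;
    esac
    return $rc
}

if [ -n "${1:-}" ]; then
    audit_vnet_fw "$(cat "$1")" "${2:-br0}"
else
    audit_vnet_fw "$SAMPLE_RULES" br0
fi
```

If a line comes back as MISSING, vnet-fw's -N succeeded earlier but the
matching -I did not (or someone flushed the built-in chains since), and
re-running the script will not repair it because -N now fails: delete
the chain first or insert the jump by hand.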

HTH,
  Gerd
