Re: [Xen-devel] network-bridge script breaks network connectivity
You are correct -- My short summary was technically accurate in only the most abstract of ways :-)

After some more digging, I found that the iptables rules were blocking traffic passing across the xenbr0 bridge (bridge-nf). I am using the same "fedora default" iptables rules as my other xen machines (dumped below), so I was confused as to why this machine was different. This happens to be the first machine I have compiled Xen from hg sources (to pull in the latest vt-x vmx stuff).

What I found was that the fedora distro of Xen contains the following lines in the create_bridge() method of /etc/xen/scripts/network-bridge:

sysctl -w "net.bridge.bridge-nf-call-arptables=0"
sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
sysctl -w "net.bridge.bridge-nf-call-iptables=0"

This disables the iptables filtering on the bridge. This seems like a reasonable default since bridges don't normally do IP-layer filtering.

What is the view of the Xen team on this? Are there reasons why this could not be included in the xen sources as well?
- Mike

:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8335:620449]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT

At 7/8/2006 10:47 AM Saturday, Christian Limpach wrote:
> On 7/7/06, Mike Freemon <mfreemon@xxxxxxxxxxxxx> wrote:
>> Hi All,
>>
>> First, I wasn't sure whether to report this via bugzilla or the xen-devel list. Since this is against the current tip of xen-unstable, I went here first. I can move this to bugzilla if you want, just let me know.
>>
>> Summary is --> the "network-bridge start" script breaks all network connectivity. ICMP broken, DHCP fails, etc.
>>
>> I am running current FC5 EM64T x86_64 VT-x with the latest xen-unstable. Running "network-bridge stop" restores network functionality.
>>
>> Below is the relevant data -- before and after dumps, config files, and a trace of the network-bridge script itself.
>>
>> Any help is appreciated. Thanks...
>
> What does your /etc/resolv.conf look like before/after network-bridge start? Does ping with an IP address work? You say that DHCP fails but the log looks like it succeeds and even ping of your gateway address seems to work.
> christian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
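The interaction Mike describes (bridge-nf handing xenbr0 frames to the FORWARD chain, which the Fedora rule set routes into RH-Firewall-1-INPUT and finally to REJECT) as an added check script; it is not from this thread or from the Xen scripts, the rule text is a constructed subset of the dump above, and the chain walk assumes jumped-to chains never RETURN.

```shell
#!/bin/sh
# Constructed sample: the chains from the Fedora iptables dump in the post,
# limited to the lines that matter for the FORWARD path.
FEDORA_RULES=':INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited'

# Constructed contrast: a host whose FORWARD chain has no catch-all rule.
OPEN_RULES=':FORWARD ACCEPT [0:0]
-A FORWARD -p tcp --dport 22 -j ACCEPT'

# forward_verdict RULES
# Fate of a packet that matches none of the conditional rules: start at
# FORWARD, follow unconditional jumps ("-A CHAIN -j TARGET", no match options)
# and print the terminal target, or the chain policy when no such rule exists.
forward_verdict() {
  printf '%s\n' "$1" | awk '
    /^:/ { c = substr($1, 2); policy[c] = $2 }            # ":CHAIN POLICY [..]"
    $1 == "-A" && $3 == "-j" { if (!($2 in uncond)) uncond[$2] = $4 }
    END {
      chain = "FORWARD"
      for (i = 0; i < 16; i++) {                          # bounded: no loops
        if (chain in uncond) { chain = uncond[chain]; continue }
        if (chain in policy && policy[chain] != "-") { print policy[chain]; exit }
        print chain; exit                                 # ACCEPT, DROP or REJECT
      }
    }'
}

# bridge_traffic_verdict NF_CALL_IPTABLES RULES
# With net.bridge.bridge-nf-call-iptables=0 frames crossing the bridge never
# reach iptables; with 1 they traverse FORWARD and get the verdict above.
bridge_traffic_verdict() {
  [ "$1" = "0" ] && { echo bypass; return; }
  forward_verdict "$2"
}

for nf in 0 1; do
  echo "bridge-nf-call-iptables=$nf: unmatched bridged traffic -> $(bridge_traffic_verdict "$nf" "$FEDORA_RULES")"
done
```

On a live dom0, feed it `iptables-save` output and the current value of /proc/sys/net/bridge/bridge-nf-call-iptables to see whether guest traffic on xenbr0 will hit the REJECT.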