[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] [PATCH] Re: network-bridge script breaks network connectivity

This patch configures the bridge to *not* apply iptables filtering. This makes the virtual bridge more like a real bridge (in that ip-layer filter does not happen) and it makes the installation/configuration of xen from sources easier (at least on FC5). 

Submitted for your consideration...

- Mike


# HG changeset patch
# User root@xxxxxxxxxxxxxxxxxxx
# Node ID f0fa1126dae5f897eac9a162a6ccbb6ceca7f9b9
# Parent  a1c2cede77c78d2af99088d7dece8f74f2a27260
Disable iptables filtering of bridge traffic
Signed-off-by: Mike Freemon mfreemon@xxxxxxxxxxxxx

diff -r a1c2cede77c7 -r f0fa1126dae5 tools/examples/xen-network-common.sh
--- a/tools/examples/xen-network-common.sh      Mon Jul 10 15:01:49 2006 +0100
+++ b/tools/examples/xen-network-common.sh      Mon Jul 10 15:39:56 2006 -0500
@@ -127,6 +127,12 @@ create_bridge () {

     # Don't create the bridge if it already exists.
     if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then
+        # use brctl to force initialization of bridge-nf
+        brctl show >/dev/null 2>&1
+        # disable iptables filtering in bridge
+        sysctl -w "net.bridge.bridge-nf-call-arptables=0"
+        sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
+        sysctl -w "net.bridge.bridge-nf-call-iptables=0"
        brctl addbr ${bridge}
        brctl stp ${bridge} off
        brctl setfd ${bridge} 0






At 7/8/2006 05:28 PM  Saturday, Mike Freemon wrote:
You are correct -- My short summary was technically accurate in only the most abstract of ways :-)
After some more digging, I found that the iptables rules were blocking traffic passing across the xenbr0 bridge (bridge-nf). I am using the same "fedora default" iptables rules as my other xen machines (dumped below), so I was confused as to why this machine was different. This happens to be the first machine I have compiled Xen from hg sources (to pull in the latest vt-x vmx stuff).
What I found was that the fedora distro of Xen contains the following lines in the create_bridge() method of /etc/xen/scripts/network-bridge: 

sysctl -w "net.bridge.bridge-nf-call-arptables=0"
sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
sysctl -w "net.bridge.bridge-nf-call-iptables=0"

This disables the iptables filtering on the bridge.
This seems like a reasonable default since bridges don't normally do IP-layer filtering.
What is the view of the Xen team on this? Are there reasons why this could not be included in the xen sources as well? 

- Mike


:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [8335:620449]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
-A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
-A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
-A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT




At 7/8/2006 10:47 AM  Saturday, Christian Limpach wrote:

On 7/7/06, Mike Freemon <mfreemon@xxxxxxxxxxxxx> wrote:

Hi All,

First, I wasn't sure whether to report this via bugzilla or the xen-devel
list.  Since this is against the current tip of xen-unstable, I went here
first.  I can move this to bugzilla if you want, just let me know.

Summary is -->  the "network-bridge start" script breaks all network
connectivity.  ICMP broken, DHCP fails, etc.  I am running current FC5
EM64T x86_64 VT-x with the latest xen-unstable.  Running "network-bridge
stop" restores network functionality.

Below is the relevant data -- before and after dumps, config files, and a
trace of the network-bridge script itself. Any help is appreciated. Thanks... 

What does your /etc/resolv.conf look like before/after network-bridge start?
Does ping with an IP address work?
You say that DHCP fails but the log looks like it succeeds and even
ping of your gateway address seems to work.

    christian

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

Attachment: bridge.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.