
Re: [Xen-devel] Problems with network-route/vif-route scripts



On Thu, Oct 26, 2006 at 05:17:50PM +0100, Daniel P. Berrange wrote:
> After a little debugging, I came across a couple of separate issues with
> the vif-route script which all conspire to block off-host networking from
> working as expected
> 
>  - The iptables rule is only added to the FORWARD rule - it also needs
>    to be added to the INPUT rule, otherwise Dom0 firewall rules will hit
>    DomU traffic too
> 
>  - The iptables rule is added to the end of the FORWARD rule, so if you
>    have an existing catch all DENY/REJECT rule already, the Xen rule
>    will never get matched
> 
>  - The rule is using '-m physdev --physdev-in $vif' to match guest traffic.
>    The 'physdev' module rules, however, only match on interfaces which are
>    part of a network bridge - obviously not the case for routed networking
>    config, so even at the correct location in FORWARD they don't match
> 
>  - While the guest can transmit, it never receives anything back because
>    the remote hosts can't do ARP lookups for the guest's IP address. The
>    vif-route script turns on proxy_arp on the $vif, but the proxy_arp setting
>    is also needed on the Dom0's public interface (eg eth0)
> 
> Based on this it would seem we need to change the current
> 
>  iptables -A FORWARD --source $ip -m physdev --physdev-in $vif -j ACCEPT
> 
> To instead do
> 
>  iptables -I INPUT --source $ip -i $vif -j ACCEPT
>  iptables -I FORWARD --source $ip -i $vif -j ACCEPT
> 
> Since this stuff is dealt with in vif-common.sh it looks like we'll need to
> remove that commonality between route & bridge scripts.

I'm attaching a patch which does 3 things to the IPTables rules:

 - Use -I instead of -A so that rules get inserted at start
   of chain - avoiding other custom rules such as a catch-all -j REJECT

 - Use -i $vif instead of --physdev-in $vif for routed / nat based
   networking. Bridged networking still uses --physdev-in
 
 - Adds the rules to both FORWARD & INPUT chains instead of just
   FORWARD chain

This fixes up the IPTables bit of the routed networking

> And add some logic to network-route which does
> 
>   dev=....discover primary public interface...
>   sysctl -w net.ipv4.conf.$dev.proxy_arp = 1

I've not sorted out a patch to discover the primary interface, so for now
I'm testing with 'echo 1 >/proc/sys/net/ipv4/conf/all/proxy_arp' which enables
proxy_arp for all interfaces. I could submit a patch for this, but I think
it is overkill, so want to get the correct patch.

  Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>

Regards,
Dan.
-- 
|=- Red Hat, Engineering, Emerging Technologies, Boston.  +1 978 392 2496 -=|
|=-           Perl modules: http://search.cpan.org/~danberr/              -=|
|=-               Projects: http://freshmeat.net/~danielpb/               -=|
|=-  GnuPG: 7D3B9505   F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505  -=| 

Attachment: xen-network-route-iptables.patch
Description: Text document
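The rule changes described in the mail, written up as an added shell example (this is not the attached patch or the vif-common.sh code): rules go to the head of both INPUT and FORWARD with -I, routed/NAT mode matches on -i $vif while bridged mode keeps --physdev-in, and the same rule is deleted with -D when the vif goes offline. The function name and the DRY_RUN / IPTABLES variables are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the vif-route/vif-common.sh code or the attached patch.
# vif_iptables <online|offline> <vif> <ip> <route|nat|bridge>
# Prints the iptables commands when DRY_RUN=1, otherwise executes them
# (IPTABLES overrides the binary; both variable names are assumptions).
vif_iptables() {
    op=$1 vif=$2 ip=$3 mode=$4
    case $op in
        online)  action=-I ;;   # insert at the head of the chain so an
                                # existing catch-all -j REJECT cannot shadow it
        offline) action=-D ;;   # delete the identical rule again on teardown
        *) echo "vif_iptables: bad op '$op'" >&2; return 1 ;;
    esac
    case $mode in
        # physdev only matches bridge ports, so routed/NAT must match on -i
        route|nat) match="-i $vif" ;;
        bridge)    match="-m physdev --physdev-in $vif" ;;
        *) echo "vif_iptables: bad mode '$mode'" >&2; return 1 ;;
    esac
    # Dom0 must accept guest traffic both when forwarding it (FORWARD) and
    # when it is addressed to Dom0 itself (INPUT); the -D path must use the
    # same mode as the -I path or the delete will not find the rule.
    for chain in INPUT FORWARD; do
        cmd="${IPTABLES:-iptables} $action $chain --source $ip $match -j ACCEPT"
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "$cmd"
        else
            $cmd || return 1
        fi
    done
}
```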

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel
