[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic

Hi,


>> This adds the same functions for ip6tables as the one for iptables.
>> The 'ip' variable can now contain ipv6s for the domain and add
>> appropriate rules
>>
>>  - If the 'ip' var is empty then both full IPv4 and IPv6 are allowed.
>>  - If only IPv4 ips are present, then IPv6 will be completely disallowed.
>>  - If only IPv6 ips are present, then IPv4 will be completely disallowed.
>>  - You can use ::0/0 or 0.0.0.0/0 to allow v6 or v4 globally but filter
>>    the other one.
>
> Sounds sensible. Can you give examples of the rulesets create in each
> case?

Yes, see below.

I also added the eui64 idea from jacek:
 - The ICMP Link Local messages are locked to the LL address derived
from the mac address
 - The 'ip' parameters also allow the special 'eui64' token to allow
any address with the lower 64 bits set to the EUI64 corresponding to
the MAC. (Filtering on the network part is not done and must be done
globally by the user if needed, or just manually specify the address
completely).


* ip=""

iptables:
 ACCEPT  all  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out
vif91.0 --physdev-is-bridged
 ACCEPT  all  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in
vif91.0 --physdev-is-bridged

ip6tables:
 DROP    udp    ::/0  ::/0  PHYSDEV match --physdev-in  vif91.0
--physdev-is-bridged udp spt:547 dpt:546
 DROP    icmpv6 ::/0  ::/0  PHYSDEV match --physdev-in  vif91.0
--physdev-is-bridged ipv6-icmptype 134
 ACCEPT  all    ::/0  ::/0  PHYSDEV match --physdev-out vif91.0
--physdev-is-bridged
 ACCEPT  all    ::/0  ::/0  PHYSDEV match --physdev-in  vif91.0
--physdev-is-bridged


* ip="192.168.0.254"

iptables:
 ACCEPT  udp  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-in
vif92.0 --physdev-is-bridged udp spt:68 dpt:67
 ACCEPT  all  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-out
vif92.0 --physdev-is-bridged
 ACCEPT  all  192.168.0.254  0.0.0.0/0  PHYSDEV match --physdev-in
vif92.0 --physdev-is-bridged

ip6tables:
 [nothing]


* ip="2001:aaaa:bbbb:cccc::1 eui64"

iptables:
 [nothing]

ip6tables:
 DROP    udp    ::/0                 ::/0
PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged udp spt:547
dpt:546
 DROP    icmpv6 ::/0                 ::/0
PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged ipv6-icmptype
134
 ACCEPT  udp    ::/0                 ::/0
PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged udp spt:546
dpt:547
 ACCEPT  all    fe80::216:3eff:fed0:da2d/128  ::/0
PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged
 ACCEPT  all    ::/0                 ::/0
PHYSDEV match --physdev-out vif94.0 --physdev-is-bridged
 ACCEPT  all    2001:aaaa:bbbb:cccc::1/128  ::/0
PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged
 ACCEPT  all    ::216:3eff:fed0:da2d/::ffff:ffff:ffff:ffff  ::/0
PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged


* ip="192.168.0.254 2001:aaaa:bbbb:cccc::1" (either ipv4 or ipv6 can
be replaced by the 0.0.0.0/0 or ::0/0 address to allow any, the
dhcp/nd rules might be redudant then).

iptables:
 ACCEPT  udp  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-in
vif95.0 --physdev-is-bridged udp spt:68 dpt:67
 ACCEPT  all  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-out
vif95.0 --physdev-is-bridged
 ACCEPT  all  192.168.0.254  0.0.0.0/0  PHYSDEV match --physdev-in
vif95.0 --physdev-is-bridged

ip6tables:
 DROP    udp    ::/0                 ::/0           PHYSDEV match
--physdev-in  vif95.0 --physdev-is-bridged udp spt:547 dpt:546
 DROP    icmpv6 ::/0                 ::/0           PHYSDEV match
--physdev-in  vif95.0 --physdev-is-bridged ipv6-icmptype 134
 ACCEPT  udp    ::/0                 ::/0           PHYSDEV match
--physdev-in  vif95.0 --physdev-is-bridged udp spt:546 dpt:547
 ACCEPT  all    fe80::216:3eff:fed0:da2d/128  ::/0  PHYSDEV match
--physdev-in  vif95.0 --physdev-is-bridged
 ACCEPT  all    ::/0                 ::/0           PHYSDEV match
--physdev-out vif95.0 --physdev-is-bridged




>> By default, domains aren't allows to send Router Advertisement
>> or DHCP responses, see the ipv6_allow_ra to enable them.
>
> How does one go about setting this?

Well ... I thought it would work just like  accel=  (which I'm using
in prod but that's with 'xm' on 4.1).
Turns out after a bit of googling that 'accel' might work just by luck
because somehow at some point passing that option was added to 'xm' in
2007 ...

I just retried now with 'xl' under 4.4 and indeed that doesn't work :(

So if I want to pass custom parameters to the vif-script, I have to
add it to libxl ?
And if yes, is that acceptable ? What would be the best way : add each
parameter independently, or add a single 'hotplug_extra' parameter
that would need to be parsed in the hotplug scripts themselves ?

(I'll wait until I fixed this before reposting obviously)


>> +##
>> +# Check if the given IP is IPv6 or not
>> +#
>> +is_ipv6()
>> +{
>> +        echo "$1" | perl -wane '/:/ && print "yes"'
>
> Annoyingly I don't think we currently require Perl in the runtime
> environment (it is used at build time). Luckily I think you can
> implement this as
>         case $addr in
>                 *:*) ipv6_addrs="$addrs $ipv6_addrs";;
>                 *) ipv4.... ;;
>         esac
>
> (probably inline in the handle_iptable function, no need for this helper
> in that case)


I fixed that using only 'awk'. I left it as a helper because it's used
in vif-route as well later and I find it nicer to have the test in a
single place.


Cheers,

    Sylvain

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.