[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Xen-devel] bridge call iptables being forced

To: Xen-devel@xxxxxxxxxxxxx
From: Juan Rossi <juan@xxxxxxxxxxxxxxx>
Date: Thu, 19 Nov 2015 14:46:57 +1300
Cc: RimuHosting <support@xxxxxxxxxxxxxxx>
Delivery-date: Thu, 19 Nov 2015 01:47:20 +0000
List-id: Xen developer discussion <xen-devel.lists.xen.org>

Hi

I am sending this due the change of behaviour in some parts, and perhapsit needs some code amendments, unsure if the devel list is the bestplace, fell free to point me to the right place for this. Let me know ifI should load a bug instead.

Per the documentationhttp://wiki.xenproject.org/wiki/Network_Configuration_Examples_(Xen_4.1%2B)it is suggested to use:


net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

We use that setup currently, but we are experiencing the following sideeffects:

1. We manage the firewall in dom0 ourselves, and there seems not to be aparameter for the hotplug scripts to avoid the insertion of random rulesin iptables, or proper checks that will ensure populated iptables rulesare valid in the case they are needed. Why one will want FORWARD rulesto be populated that are not required for the above bridge settings?


2. After the change in the kernel:

http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/54334

There is no module loaded br_netfilter by default now, so the settingsfor net.bridge.bridge-nf-call-* do not exist and cannot be setup at/etc/sysctl.conf at boot time.

The vif-bridge hotplug script calls (via handle_iptable()frob_iptable() in vif-common.sh ) the for insertion of iptables rules inthe FORWARD chain with module physdev, that calls for the module loadbr_netfilter, when br_netfilter is loaded has as defaultsnet.bridge.bridge-nf-call-*=1. So we end up using iptables over a bridgewhen we do not want it.


So, to solve this I come up with the following solutions:

A. blacklist modules br_netfilter and xt_physdev, but perhaps not greatif there is some other uses for them

B. load br_netfilter at boot and set the right parametersnet.bridge.bridge-nf-call-* = 0 as it should and continue to ignore theiptables populated rules.

C. Add some proper code changes to handle the rules insertions, unsureif something like this is ok or if it is in the right place. I do notknow much about the other setups, like nat and routed.


I see there is not much around ip6tables either.

###############################

diff --git a/tools/hotplug/Linux/vif-bridge b/tools/hotplug/Linux/vif-bridge
index 3d72ca4..7fc6650 100644
--- a/tools/hotplug/Linux/vif-bridge
+++ b/tools/hotplug/Linux/vif-bridge
@@ -93,7 +93,16 @@ case "$command" in
         ;;
 esac

-handle_iptable
+brcalliptables=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)
+brcalliptables=${brcalliptables:-0}
+

+brcallip6tables=$(sysctl -n net.bridge.bridge-nf-call-ip6tables2>/dev/null)

+brcallip6tables=${brcallip6tables:-0}
+
+if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ];
+then
+       handle_iptable
+fi

 call_hooks vif post


###############################

Thanks in advance


Regards.

Juan.-

http://ri.mu - Startups start here. Hosting; DNS; monitoring; backups;email; web programming


_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

Follow-Ups:
- Re: [Xen-devel] bridge call iptables being forced
  - From: Steven Haigh

Prev by Date: Re: [Xen-devel] [PATCH V8 3/7] libxl: add pvusb API
Next by Date: [Xen-devel] [qemu-mainline test] 64579: tolerable FAIL - PUSHED
Previous by thread: [Xen-devel] [seabios test] 64584: tolerable FAIL - PUSHED
Next by thread: Re: [Xen-devel] bridge call iptables being forced
Index(es):
- Date
- Thread

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.