Re: [Xen-users] vif-common.sh and iptables

[Teck Choon Giam <giamteckchoon@xxxxxxxxx>]

On Wed, Apr 27, 2011 at 10:56 AM, Andrew McGlashan
<andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi Teck,
>
> Teck Choon Giam wrote:
>>
>> On Tue, Apr 26, 2011 at 8:19 PM, Andrew McGlashan
>>>
>>> That caused me issues and those settings were in place due to
>>> "anti-spoofing" setup.
>>>
>>> I dropped anti-spoofing to "fix" my setup somewhat.  Until I did that, I
>>> couldn't get to the DomU machines directly via the bridged interface.
>>>
>>> Now I can get through, but there are still issues that are not resolved
>>> [1]
>>> -- sometimes I connect, sometimes I don't; I really need a fix for this.
>>>
>>> [1]  http://comments.gmane.org/gmane.comp.emulators.xen.user/66214
>>>
>>
>> Are you looking for a patch to support anti-spoof feature for tap
>> devices?  If so, which xen version you are looking for?  I have
>> patches to support tap devices when anti-spoof feature is enabled.
>
> Perhaps, do you think that will help in this situation?
>
> #  cat /etc/debian_version
> 6.0.1
>
>
> #  dpkg-query -l|grep xen|awk '{print $1,$2,$3}'
> ii libxenstore3.0 4.0.1-2
> ii linux-image-2.6.32-5-xen-amd64 2.6.32-31
> ii xen-hypervisor-4.0-amd64 4.0.1-2
> ii xen-tools 4.2-1
> ii xen-utils-4.0 4.0.1-2
> ii xen-utils-common 4.0.0-1
> ii xenstore-utils 4.0.1-2
>
>
> How would the patch be implemented?
>
> Thanks.
>
> --
> Kind Regards
> AndrewM
>
> Andrew McGlashan
> Broadband Solutions now including VoIP
>
>

Sorry, I don't use debian and my patch are against the source.  I
assume you are using xen-4.0.  The following patch should apply
cleanly for xen-4.0 if not let me know:

diff -urN a/tools/hotplug/Linux/network-bridge
b/tools/hotplug/Linux/network-bridge
--- a/tools/hotplug/Linux/network-bridge        2010-12-18 01:57:33.000000000 
+0800
+++ b/tools/hotplug/Linux/network-bridge        2010-12-18 07:42:29.000000000 
+0800
@@ -188,11 +188,23 @@
 # Set the default forwarding policy for $dev to drop.
 # Allow forwarding to the bridge.
 antispoofing () {
-    iptables -P FORWARD DROP
-    iptables -F FORWARD
+    local isforwardpolicydrop=`iptables -L FORWARD |grep policy|grep
DROP|grep -v grep`
+    if [ "x$isforwardpolicydrop" == "x" ] ; then
+        iptables -P FORWARD DROP
+        iptables -F FORWARD
+    fi
     iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
 }

+# Set the default forwarding policy for $dev to accept
+disable_antispoofing () {
+    local isforwardpolicydrop=`iptables -L FORWARD |grep policy|grep
DROP|grep -v grep`
+    if [ "x$isforwardpolicydrop" != "x" ] ; then
+        iptables -P FORWARD ACCEPT
+        iptables -F FORWARD
+    fi
+}
+
 # Usage: show_status dev bridge
 # Print ifconfig and routes.
 show_status () {
@@ -283,6 +295,10 @@

     brctl delbr ${tdev}

+    if [ ${antispoof} = 'yes' ] ; then
+       disable_antispoofing
+    fi
+
     release_lock "network-bridge"
 }

diff -urN a/tools/hotplug/Linux/vif-common.sh
b/tools/hotplug/Linux/vif-common.sh
--- a/tools/hotplug/Linux/vif-common.sh 2010-12-18 01:57:33.000000000 +0800
+++ b/tools/hotplug/Linux/vif-common.sh 2010-12-18 07:46:01.000000000 +0800
@@ -63,12 +63,33 @@
   vif="$vifname"
 fi

+pre_frob_iptable_delay()
+{
+  local tapif=`echo $vif | sed 's/vif/tap/'`
+  # for xm create
+  local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
+
+  if [ ! -n "$checktapif" ] ; then
+    # Implement ${MYTAPDELAY} environment variable for delay in
seconds sleep to wait
+    # for brctl add tap devices as sometimes tap devices not being up on time.
+    # default is 3 seconds
+    # Such environment set in /etc/xen/scripts/hotplugpath.sh
+    if [ ! -n "$MYTAPDELAY" ] ; then
+      MYTAPDELAY=3
+    else
+      # Necessary in order to make sure it is in numberic
+      MYTAPDELAY=`echo "$MYTAPDELAY" | bc`
+    fi
+    sleep ${MYTAPDELAY}
+  fi
+}

 frob_iptable()
 {
   if [ "$command" == "online" ]
   then
     local c="-I"
+    pre_frob_iptable_delay
   else
     local c="-D"
   fi
@@ -78,6 +99,24 @@
   iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
     -j ACCEPT 2>/dev/null

+  # Added support for tap network devices in iptables FORWARD chain as this
+  # is required if antispoof is enabled or otherwise all packets to/from tap
+  # devices will be dropped.
+  # Start adding by Giam Teck Choon.
+  local tapif=`echo $vif | sed 's/vif/tap/'`
+  # for xm create
+  local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
+  # for xm shutdown
+  local checktapstate=`iptables -L -n | grep "state
RELATED,ESTABLISHED PHYSDEV match --physdev-out ${tapif}"`
+
+  if [ -n "$checktapif" ] || [ -n "$checktapstate" ] ; then
+    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in \
+      "$tapif" "$@" -j ACCEPT 2>/dev/null &&
+    iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+      --physdev-is-bridged --physdev-out "$tapif" -j ACCEPT 2>/dev/null
+  fi
+  # End adding by Giam Teck Choon.
+
   if [ "$command" == "online" -a $? -ne 0 ]
   then
     log err "iptables setup failed. This may affect guest networking."
@@ -114,7 +153,10 @@
       done

       # Always allow the domain to talk to a DHCP server.
-      frob_iptable -p udp --sport 68 --dport 67
+      # Such environment set in /etc/xen/scripts/hotplugpath.sh
+      if [ ! -n ${MYDHCPDISABLE} ] ; then
+        frob_iptable -p udp --sport 68 --dport 67
+      fi
   else
       # No IP addresses have been specified, so allow anything.
       frob_iptable

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users