
[Xen-bugs] [Bug 559] New: vif-bridge iptables problem for interfaces with predefined ip



http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=559

           Summary: vif-bridge iptables problem for interfaces with
                    predefined ip
           Product: Xen
           Version: 3.0.1
          Platform: All
        OS/Version: Linux-2.6
            Status: NEW
          Severity: major
          Priority: P2
         Component: Guest-OS
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: marko@xxxxxxxxxx


Hi!

Environment: RHEL4u2, xen-3.0.1-12.1_rhel4.1
I want to explicitly allow the domU to use the IP addresses I gave it in the configuration.
Vif definition in the domU config file:
  vif = [ 'mac=00:16:3E:10:88:65,ip=10.0.1.10 10.0.1.11' ]
(interface with a predefined MAC address and 2 allowed IPs to use)

The vif-common.sh script, function handle_iptable, theoretically should do this by adding
the rule "-A FORWARD -s <IP> -m physdev --physdev-in <vif> -j ACCEPT" for each IP,
but does so only when 1 IP is specified.

/var/log/messages with error:
Mar  7 17:22:56 leo logger: /etc/xen/scripts/vif-bridge: iptables -A FORWARD -m
physdev --physdev-in vif31.0 -s 10.0.1.10 10.0.1.11 -j ACCEPT failed. If you are
using iptables, this may affect networking for guest domains.

The problem is the loop definition. Fix:
-------------------------------------------------------------------------
--- vif-common.sh.sav   2006-03-07 17:16:16.000000000 +0200
+++ vif-common.sh       2006-03-07 17:19:35.000000000 +0200
@@ -103,7 +103,7 @@
   if [ "$ip" != "" ]
   then
       local addr
-      for addr in "$ip"
+      for addr in $ip
       do
         frob_iptable -s "$addr"
       done

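Review bot: the unquoted `$ip` in `for addr in $ip` is what makes the space-separated list from the vif config iterate one address at a time, but each word is now also subject to pathname expansion and reaches `frob_iptable -s "$addr"` unchecked; consider `set -f` around the loop or a dotted-quad check on `$addr` before the call, so a malformed entry is rejected once instead of producing one failed iptables invocation per word.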
----------------------------------------------------------------------

Problem #2: on domain destroy the vif-* scripts can't receive the mac, ip, bridge
etc. parameters from xenstore. It looks like all vif values are already wiped out at
this stage and the code in vif-common.sh receives ip="":
ip=${ip:-}
ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")

The result of this is that the removal of iptables rules for the specified IPs cannot be
performed.
If it's impossible not to clean xenstore before vif destroy ... I now use the
following script (removes all rules from the FORWARD chain with physdev equivalent
to the vif name xen is trying to shut down):

if [ "$command" != "online" ] ; then
  # Escape the '.' in the vif name (e.g. vif31.0) so egrep matches it literally
  # rather than as "any character".
  vif_re=${vif//./\\.}
  # Every FORWARD rule whose physdev match names this vif; the trailing space
  # keeps vif31.0 from matching vif31.01.
  iptables-save | egrep "^-A FORWARD +.*-m +physdev.* +${vif_re} +" | \
       while read -r RULE ; do
          log debug "Remove IPTables rule $RULE"
          # iptables-save prints "-A FORWARD ...": replay it as a delete.
          iptables ${RULE//-A FORWARD/-D FORWARD}
       done
fi

-- 
Configure bugmail: 
http://bugzilla.xensource.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

_______________________________________________
Xen-bugs mailing list
Xen-bugs@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-bugs
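The two behaviours the report asks of the vif scripts, as an added example that is not code from vif-common.sh, vif-bridge or the Xen project: one FORWARD rule per address from a space-separated ip list (the effect of the corrected `for addr in $ip` loop) with each address validated first, and recovery of the rules to delete from iptables-save output using only the vif name, for the offline path where xenstore no longer returns the ip list. The function names `is_ipv4`, `vif_ip_rules` and `vif_delete_rules`, and the iptables-save excerpt, are constructed for the example; the functions print the iptables commands instead of running them, so it runs without root or a live firewall.

```sh
#!/bin/sh
# Added example, not code from vif-common.sh or vif-bridge. Function names and
# the sample iptables-save text below are constructed for illustration.

# Return 0 if $1 is a dotted-quad IPv4 address, 1 otherwise.
is_ipv4() {
    case $1 in
        *[!0-9.]*|'') return 1 ;;   # only digits and dots may reach the split
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1                       # split on '.' into positional parameters
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        case $octet in
            ''|*[!0-9]*) return 1 ;;   # empty field, e.g. "10..1.1"
        esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print the iptables command for each address in $3 (space-separated) on
# vif $2, using operation $1 (-A when the vif comes online, -D on offline).
# Stops at the first bad address so nothing odd reaches iptables.
vif_ip_rules() {
    op=$1
    vif=$2
    ip=$3
    for addr in $ip; do             # unquoted on purpose: word-split the list
        if ! is_ipv4 "$addr"; then
            echo "vif_ip_rules: rejecting address '$addr' for $vif" >&2
            return 1
        fi
        echo "iptables $op FORWARD -m physdev --physdev-in $vif -s $addr -j ACCEPT"
    done
}

# Read iptables-save output on stdin and print an "iptables -D FORWARD ..."
# command for every FORWARD rule whose physdev match names vif $1. The '.'
# in names like vif31.0 is escaped so it matches literally, and the trailing
# space in the pattern keeps vif31.0 from matching vif31.01.
vif_delete_rules() {
    vif_re=$(printf '%s\n' "$1" | sed 's/\./\\./g')
    grep -E "^-A FORWARD .*-m physdev --physdev-in ${vif_re} " |
    while read -r rule; do
        echo "iptables -D ${rule#-A }"
    done
}

# Constructed iptables-save excerpt: two rules for vif31.0 as the report's
# config would create them, one unrelated rule for vif31.01, and a DROP rule
# on vif31.0 that no ip list could be used to derive.
SAMPLE_SAVE='*filter
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.0.1.10/32 -m physdev --physdev-in vif31.0 -j ACCEPT
-A FORWARD -s 10.0.1.11/32 -m physdev --physdev-in vif31.0 -j ACCEPT
-A FORWARD -s 10.0.2.5/32 -m physdev --physdev-in vif31.01 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif31.0 -j DROP
COMMIT'

echo "# online: rules from the vif config's ip list"
vif_ip_rules -A vif31.0 "10.0.1.10 10.0.1.11"
echo "# offline: rules recovered from iptables-save for vif31.0"
printf '%s\n' "$SAMPLE_SAVE" | vif_delete_rules vif31.0
```

Deriving the deletions from iptables-save rather than from xenstore is what makes the offline path independent of whether the vif's keys have already been removed; the cost is that every rule naming the vif goes, including ones some other tool installed, which is why the match is keyed on `--physdev-in <vif>` and not on the FORWARD chain alone.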