Re: [Xen-devel] [PATH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering
On Mon, 2013-05-13 at 14:55 +0100, Sylvain Munaut wrote: > The vif-common.sh hotplug script doesn't support ipv6 iptables > filtering setup. The attached patch adds basic filtering capability so > that if an IPv6 is specified, it's added to the 'authorized' source > list. > Basically the same behavior as for ipv4. > > I've been using this patch for some time on xen 4.1 and I've just > forward ported it to xen master (it applied cleanly and didn't see any > changes that would matter). Thanks, this looks plausible, at least as far as I am able to tell. Is there anyone around who could review this from the ipv6/iptables PoV? WRT the release, we are now frozen for 4.3 and I'd be concerned about introducing a subtle (or not so subtle) networking regression. George what do you think? I notice you use --physdev-out -- I got the impression that this wasn't supported any more (occasional bug reports about a warning message). TBH I don't know enough about what it does to say one way or the other. One minor niggle, you've spelt "explicitly" as "explicitely". > > Cheers, > > Sylvain > From c6561a403a2c8b1afaf5f336d2df95aceb362cbc Mon Sep 17 00:00:00 2001 > From: Sylvain Munaut <s.munaut@xxxxxxxxxxxxxxxxxxxx> > Date: Mon, 13 May 2013 15:52:14 +0200 > Subject: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering > > By default DomU are not allow to send router-advertisement > message. Set the ipv6_allow_ra config option to yet to allow it. > > Signed-off-by: Sylvain Munaut <s.munaut@xxxxxxxxxxxxxxxxxxxx> > --- > tools/hotplug/Linux/vif-common.sh | 103 > ++++++++++++++++++++++++++++++++++++-- > 1 file changed, 99 insertions(+), 4 deletions(-) > > diff --git a/tools/hotplug/Linux/vif-common.sh > b/tools/hotplug/Linux/vif-common.sh > index 73ee241..d5c51e7 100644 > --- a/tools/hotplug/Linux/vif-common.sh > +++ b/tools/hotplug/Linux/vif-common.sh 
> @@ -121,8 +121,11 @@ fi > ip=${ip:-} > ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip") > > +ipv6_allow_ra=$(xenstore_read_default "$XENBUS_PATH/ipv6_allow_ra" "false") > + > frob_iptable() > { > + # Add or remove > if [ "$command" == "online" ] > then > local c="-I" > @@ -130,6 +133,7 @@ frob_iptable() > local c="-D" > fi > > + # Main rules > iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \ > "$@" -j ACCEPT 2>/dev/null && > iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" > \ 
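Review bot: `ipv6_allow_ra` is read with a default of `"false"`, but the only consumer, `[ "$ipv6_allow_ra" != "true" ]` in `frob_ip6table` (next hunk), treats anything other than the exact string `true` as "keep dropping router advertisements", while the commit message tells users to set the option to "yet" (presumably "yes"). Either accept the documented spelling at the test site or state the contract next to the read, e.g. `# only the literal "true" lets the guest send router advertisements`, and align the commit message with whichever is chosen. A short comment saying where the key is expected to be written (it sits under the same `$XENBUS_PATH` as `ip`) would also help whoever wires up the toolstack side.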
> @@ -139,6 +143,61 @@ frob_iptable() > then > log err "iptables setup failed. This may affect guest networking." > fi > + > + # Always allow the domain to talk to a DHCP server. > + if [ -n "$1" ] > + then > + iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in > "$dev" \ > + -p udp --sport 68 --dport 67 -j ACCEPT 2>/dev/null > + fi > + > + if [ "$command" == "online" -a $? -ne 0 ] > + then > + log err "iptables setup failed. This may affect guest networking." > + fi > +} > + > +frob_ip6table() > +{ > + # Add or remove > + if [ "$command" == "online" ] > + then > + local c="-I" > + else > + local c="-D" > + fi > + > + # Main rules > + ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" > \ > + "$@" -j ACCEPT 2>/dev/null && > + ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out > "$dev" \ > + -j ACCEPT 2>/dev/null > + > + if [ "$command" == "online" -a $? -ne 0 ] > + then > + log err "ip6tables setup failed. This may affect guest networking." > + fi > + > + # Filter out RA if not explicitely allowed > + if [ "$ipv6_allow_ra" != "true" ] > + then > + ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in > "$dev" \ > + -p icmpv6 --icmpv6-type router-advertisement -j DROP 2>/dev/null > + fi > + > + if [ "$command" == "online" -a $? -ne 0 ] > + then > + log err "ip6tables setup failed. This may affect guest networking." > + fi > +} > + > + > +## > +# Check if the given IP is IPv6 or not > +# > +is_ipv6() > +{ > + echo "$1" | perl -wane '/:/ && print "yes"' > } 
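Review bot: The IPv6 branch has no counterpart to the DHCP exception added for IPv4 in the same hunk: when `handle_iptable` passes `-s "$addr"`, `frob_ip6table` accepts frames only from that address, and the guest's link-local address, which is what neighbour solicitation/advertisement, router solicitation and DHCPv6 are sent from, matches no rule, so wherever the FORWARD policy is not ACCEPT (not visible here) the guest may be unable to resolve its gateway at all. Adding, next to the DHCP block, `ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" -s fe80::/10 -p icmpv6 --icmpv6-type neighbour-solicitation -j ACCEPT` and the same for `neighbour-advertisement` (or a comment stating that link-local traffic is deliberately left to the chain policy) would make the intent explicit. The RA DROP rule is correct only because it is inserted with `-I` after the ACCEPT rules and therefore lands ahead of them; that ordering deserves a one-line comment such as `# inserted last so that, with -I, the DROP precedes the ACCEPT rules above`. `is_ipv6` spawns perl to look for a colon; `case "$1" in *:*) echo yes ;; esac` does the same in the shell and would let callers use it as a status test instead of capturing output.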
> > > @@ -167,14 +226,17 @@ handle_iptable() > local addr > for addr in $ip > do > - frob_iptable -s "$addr" > + result=$(is_ipv6 "${addr}") > + if [ -z "${result}" ] ; then > + frob_iptable -s "$addr" > + else > + frob_ip6table -s "$addr" > + fi > done > - > - # Always allow the domain to talk to a DHCP server. > - frob_iptable -p udp --sport 68 --dport 67 > else > # No IP addresses have been specified, so allow anything. > frob_iptable > + frob_ip6table > fi > > release_lock "iptables" > @@ -213,3 +275,36 @@ dom0_ip() > fi > echo "$result" > } > + > + > +## > +# ip6_of interface > +# > +# Print the first IPv6 address currently in use at the given interface, or > nothing if > +# the interface is not up. > +# > +ip6_of() > +{ > + ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && > /inet6 (([0-9a-f]+:*)+)/ && print $1;' > +} > + > + > +## > +# dom0_ip6 > +# > +# Print the IPv6 address of the interface in dom0 through which we are > routing. > +# This is the IP address on the interface specified as "netdev" as a > parameter > +# to these scripts, or eth0 by default. This function will call fatal if no > +# such interface could be found. > +# > +dom0_ip6() > +{ > + local nd=${netdev:-eth0} > + local result=$(ip6_of "$nd") > + if [ -z "$result" ] > + then > + "" > + else > + echo "$result" > + fi > +} > -- > 1.8.1.5 _______________________________________________ Xen-devel mailing list Xen-devel@xxxxxxxxxxxxx http://lists.xen.org/xen-devel
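Review bot: `result=$(is_ipv6 "${addr}")` in `handle_iptable` is assigned without `local` although `addr` two lines above is declared `local`, so the loop leaks a global `result`; `local result` before the loop, or `if is_ipv6 "$addr"; then` with `is_ipv6` returning a status, fixes it. Moving the DHCP rule from after the loop into `frob_iptable` also means a guest listing several IPv4 addresses now gets the identical DHCP rule inserted once per address and deleted once per address, which works but leaves duplicates in the chain while the guest is online. Separately, the RA DROP rule lives only on the ip6tables path, which this loop reaches only for addresses containing a colon, so a guest configured with IPv4 addresses only gets no ip6tables rule at all and the "not allowed by default" behaviour described in the commit message does not apply to it unless the IPv6 FORWARD policy already blocks it. `handle_iptable` begins before this hunk.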
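Review bot: In `dom0_ip6` the empty-result branch executes `""` as a command, which bash reports as `command not found` on stderr with status 127, rather than calling `fatal` as the header comment promises; mirror `dom0_ip` (whose `fi` / `echo "$result"` tail is the context at the top of this hunk) with `fatal "Could not find IPv6 address of $nd"`, or drop the branch if an empty result is acceptable, and fix the comment either way. `ip6_of`'s perl one-liner prints `$1` for every line matching `scope global`, so a device with several global addresses yields them concatenated with no separator although the comment says "first"; `... && do { print $1; exit }` returns only the first. `local result=$(ip6_of "$nd")` masks the pipeline's exit status behind `local`; declare and assign on separate lines. As far as the visible hunks show neither `ip6_of` nor `dom0_ip6` is called yet, so these paths will only be exercised by a later caller.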