WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
[Xen-bugs] [Bug 559] New: vif-bridge iptables problem for interfaces with predefined ip

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 559] New: vif-bridge iptables problem for interfaces with predefined ip
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Tue, 07 Mar 2006 15:47:26 +0000
Delivery-date: Tue, 07 Mar 2006 15:48:20 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-bugs-request@lists.xensource.com?subject=help>
List-id: Xen Bugzilla <xen-bugs.lists.xensource.com>
List-post: <mailto:xen-bugs@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=unsubscribe>
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx
http://bugzilla.xensource.com/bugzilla/show_bug.cgi?id=559

           Summary: vif-bridge iptables problem for interfaces with
                    predefined ip
           Product: Xen
           Version: 3.0.1
          Platform: All
        OS/Version: Linux-2.6
            Status: NEW
          Severity: major
          Priority: P2
         Component: Guest-OS
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: marko@xxxxxxxxxx


Hi!

Environment : RHEL4u2, xen-3.0.1-12.1_rhel4.1
I want to explicitly allow domU to use the IPs I gave it in the configuration.
Vif definition in the domU config file:
  vif = [ 'mac=00:16:3E:10:88:65,ip=10.0.1.10 10.0.1.11' ]
(interface with a predefined MAC address and 2 allowed IPs to use)

The vif-common.sh script, function handle_iptable, theoretically must do this by adding
the rule "-A FORWARD -s <IP> -m physdev  --physdev-in <vif> -j ACCEPT" for each IP,
but it does so only when 1 IP is specified.

/var/log/messages shows the error:
Mar  7 17:22:56 leo logger: /etc/xen/scripts/vif-bridge: iptables -A FORWARD -m
physdev --physdev-in vif31.0 -s 10.0.1.10 10.0.1.11 -j ACCEPT failed. If you are
using iptables, this may affect networking for guest domains.

The problem is the loop definition. Fix:
-------------------------------------------------------------------------
--- vif-common.sh.sav   2006-03-07 17:16:16.000000000 +0200
+++ vif-common.sh       2006-03-07 17:19:35.000000000 +0200
@@ -103,7 +103,7 @@
   if [ "$ip" != "" ]
   then
       local addr
-      for addr in "$ip"
+      for addr in $ip
       do
         frob_iptable -s "$addr"
       done
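Review bot: the unquoting on the `for addr in $ip` line is the right fix for the reported config: with `"$ip"` quoted the loop body runs exactly once with the whole space-separated list, which is the failed `-s 10.0.1.10 10.0.1.11` command in the log. Two caveats for the unquoted form: it relies on IFS still containing a space when handle_iptable runs, and each split word is also subject to pathname expansion, so a `set -f` before the loop and `set +f` after it (or `set -o noglob`) would keep a stray glob character in the ip list from being turned into file names before it reaches `frob_iptable -s "$addr"`.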

----------------------------------------------------------------------

Problem #2 - on domain destroy the vif-* scripts can't receive the mac, ip, bridge
etc. parameters from xenstore. It looks like all vif values are already wiped out at
this stage and the code in vif-common.sh receives ip="":
ip=${ip:-}
ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")

As a result, the removal of the iptables rules for the specified IPs cannot be
performed.
If it's impossible not to clean xenstore before vif destroy ... I now use the
following script (removes all rules from the FORWARD chain whose physdev matches
the name of the vif Xen is trying to shut down):

if [ "$command" != "online" ] ; then
  # Dump the live ruleset and keep only FORWARD rules that reference this vif
  # through the physdev match. The addresses are not needed, so this still
  # works when the ip list is already gone from xenstore.
  iptables-save | egrep "^-A FORWARD +.*-m +physdev.* +${vif} +" | \
       while read -r RULE ; do
          log debug "Remove IPTables rule $RULE"
          # Turn the saved "-A FORWARD ..." line into the matching delete.
          iptables ${RULE//-A FORWARD/-D FORWARD}
       done
fi

-- 
Configure bugmail: 
http://bugzilla.xensource.com/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

_______________________________________________
Xen-bugs mailing list
Xen-bugs@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-bugs
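Both problems from this report, reproduced as an added example in plain POSIX sh. This is not code from the bug report or from the Xen vif scripts: it only generates the iptables command lines instead of running them, and the iptables-save fragment in SAMPLE is constructed for the example, not captured from a host. The function names (buggy_rules, fixed_rules, delete_rules_for_vif) are hypothetical.

```shell
#!/bin/sh
# Added example for Xen bug 559; not part of the Xen scripts.

# Problem 1: quoting the ip list. Both functions emit the command
# vif-common.sh would run for one vif and its ip list; the quoted loop
# runs once with the whole list, which is the failed command in the log.
buggy_rules() {
    vif=$1; ip=$2
    for addr in "$ip"; do
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $addr -j ACCEPT"
    done
}

fixed_rules() {
    vif=$1; ip=$2
    set -f                       # no pathname expansion on the split words
    for addr in $ip; do          # unquoted: IFS splits "10.0.1.10 10.0.1.11"
        echo "iptables -A FORWARD -m physdev --physdev-in $vif -s $addr -j ACCEPT"
    done
    set +f
}

# Problem 2: on destroy the ip list is gone, so rules are removed by vif
# name instead. Constructed iptables-save fragment (not from a real host).
SAMPLE='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
-A FORWARD -s 10.0.1.10/32 -m physdev --physdev-in vif31.0 -j ACCEPT
-A FORWARD -s 10.0.1.11/32 -m physdev --physdev-in vif31.0 -j ACCEPT
-A FORWARD -s 10.0.2.5/32 -m physdev --physdev-in vif31.1 -j ACCEPT
-A FORWARD -m physdev --physdev-in vif310.0 -j ACCEPT
COMMIT'

# Emit one "iptables -D FORWARD ..." line per saved rule for this vif.
delete_rules_for_vif() {
    vif=$1
    # vif names look like vifN.M; escape the dot so it does not act as a
    # regex wildcard, and anchor on --physdev-in followed by a space or end
    # of line so vif31.0 does not also match vif310.0.
    esc=$(printf '%s' "$vif" | sed 's/\./\\./g')
    printf '%s\n' "$SAMPLE" \
      | grep -E "^-A FORWARD .*--physdev-in ${esc}( |$)" \
      | while read -r rule; do
            # Strip the "-A FORWARD" prefix and re-prefix as a delete.
            echo "iptables -D FORWARD${rule#-A FORWARD}"
        done
}

echo "== quoted loop (buggy) =="
buggy_rules vif31.0 '10.0.1.10 10.0.1.11'
echo "== unquoted loop (fixed) =="
fixed_rules vif31.0 '10.0.1.10 10.0.1.11'
echo "== offline cleanup for vif31.0 =="
delete_rules_for_vif vif31.0
```

Run it with `sh` to see the single malformed `-s 10.0.1.10 10.0.1.11` command beside the two correct ones, and the two `-D` commands derived for vif31.0 without knowing its addresses. Replacing the `echo` in delete_rules_for_vif with a real `iptables` call gives the offline cleanup from the report, with the regex tightened so that a prefix match on the vif name cannot delete another domain's rules.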
