WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 
Xen 
 
Home Products Support Community News
 
   
 

xen-devel

Re: [Xen-devel] [PATCH] Prevent vif-bridge from adding user-created taps

To: Ian Campbell <Ian.Campbell@xxxxxxxxxx>
Subject: Re: [Xen-devel] [PATCH] Prevent vif-bridge from adding user-created taps to a bridge
From: Jim Fehlig <jfehlig@xxxxxxxx>
Date: Thu, 27 Oct 2011 09:13:22 -0600
Cc: xen-devel <xen-devel@xxxxxxxxxxxxxxxxxxx>
Delivery-date: Thu, 27 Oct 2011 08:33:23 -0700
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
In-reply-to: <1319706120.9436.68.camel@xxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:xen-devel-request@lists.xensource.com?subject=help>
List-id: Xen developer discussion <xen-devel.lists.xensource.com>
List-post: <mailto:xen-devel@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/mailman/listinfo/xen-devel>, <mailto:xen-devel-request@lists.xensource.com?subject=unsubscribe>
References: <4EA740EB.7030804@xxxxxxxx> <1319614636.16747.39.camel@xxxxxxxxxxxxxxxxxxxx> <4EA84DBA.6070901@xxxxxxxx> <4EA8EC01.2010904@xxxxxxxx> <1319706120.9436.68.camel@xxxxxxxxxxxxxxxxxxxxxx>
Sender: xen-devel-bounces@xxxxxxxxxxxxxxxxxxx
User-agent: Thunderbird 2.0.0.18 (X11/20081112)
Ian Campbell wrote:
> On Thu, 2011-10-27 at 06:28 +0100, Jim Fehlig wrote:
>   
>> Jim Fehlig wrote:
>>     
>>> Ian Campbell wrote:
>>>   
>>>       
>>>> On Wed, 2011-10-26 at 00:06 +0100, Jim Fehlig wrote:
>>>>   
>>>>     
>>>>         
>>>>> I previously sent this from my @suse.com mail address without having
>>>>> subscribed it.  Sending again now that I have done so...
>>>>>
>>>>> I received a report that vif-bridge adds any tap interface to a bridge,
>>>>> regardless if xen is running and who created the tap interface.  E.g.
>>>>>
>>>>> # tunctl -p -t tap42
>>>>>
>>>>> will cause vif-bridge to be executed as per the following rule in
>>>>> xen-backend.rules
>>>>>     
>>>>>       
>>>>>           
>>>> Oh dear.
>>>>
>>>>   
>>>>     
>>>>         
>>>>> SUBSYSTEM=="net", KERNEL=="tap*", ACTION=="add",
>>>>> RUN+="/etc/xen/scripts/vif-setup $env{ACTION} type_if=tap"
>>>>>
>>>>> I'm not sure how to improve the rule to prevent execution of vif-setup
>>>>> in this case.  But it seems better to handle it in vif-bridge anyhow, by
>>>>> not connecting the interface to a bridge if there is no corresponding
>>>>> info in xenstore.  Something along the lines of the attached quick
>>>>> patch.  Comments?
>>>>>     
>>>>>       
>>>>>           
>>>> I think overall your change is an improvement, some thoughts:
>>>>
>>>> For a tap device XENBUS_PATH is set in vif-common.sh:
>>>>         elif [ "$type_if" = tap ]; then
>>>>             # Check presence of compulsory args.
>>>>             : ${INTERFACE:?}
>>>>         
>>>>             # Get xenbus_path from device name.
>>>>             # The name is built like that: "tap${domid}.${devid}".
>>>>             dev_=${dev#tap}
>>>>             domid=${dev_%.*}
>>>>             devid=${dev_#*.}
>>>>         
>>>>             XENBUS_PATH="/local/domain/0/backend/vif/$domid/$devid"
>>>>         fi
>>>>
>>>> Could there be false positives from this?
>>>>     
>>>>         
>>> Hmm, yes, I think it is possible.
>>>   
>>>       
>> On second thought, maybe not.  A false positive would mean two tap
>> devices with the same name right?  AFAICT, that's not permitted.
>>     
>
> Oh right, we are given $dev aren't we.
>   
>>>   
>>>       
>>>>  Perhaps we should be more
>>>> aggressively checking for the tapX.Y, where X and Y are integers, format
>>>> as well? (that's not foolproof either though).
>>>>   
>>>>     
>>>>         
>>> Yeah, I don't think that buys us much.
>>>
>>>   
>>>       
>>>> Perhaps the toolstack could write something to xenstore containing the
>>>> literal tap device name which it asked qemu for? Then we can simply read
>>>> it back here, e.g. /libxl/tap/0/tapX.Y -> $XENBUS_PATH (0 being the
>>>> backend domain and the content being the xenbus path so we don't need to
>>>> magic it up).
>>>>     
>>>>         
>> The toolstack already writes something in xenstore, namely
>> $XENBUS_PATH/bridge.
>>     
>
> XENBUS_PATH here is really the vif backend path, not the tap path,
> although they in some way are aliased so in many cases that ok. I was
> just thinking it might be useful to have a backend space for the tap
> device only (since the guest can see the vif backend dir).
>   

So you prefer this approach to solving the problem?

>   
>>   IMO, the problem is in vif-bridge
>>
>> bridge=${bridge:-}
>> bridge=$(xenstore_read_default "$XENBUS_PATH/bridge" "$bridge")
>>
>> if [ -z "$bridge" ]
>> then
>>   bridge=$(brctl show | cut -d "
>> " -f 2 | cut -f 1)
>>
>>   if [ -z "$bridge" ]
>>   then
>>      fatal "Could not find bridge, and none was specified"
>>   fi
>> else
>>   ...
>>
>> If the toolstack hasn't written anything to xenstore, vif-bridge happily
>> connects the tap device to the first bridge it finds.  Shouldn't
>> vif-bridge just exit if no bridge is specified?
>>     
>
> I think that behaviour is historical (which isn't to say it's correct).
>   

Connecting the device to an arbitrary bridge seems dangerous to me. 
What if the bridge is on a sensitive VLAN?

> FWIW xl defaults to writing xenbr0. I don't know what xend does.
>   

xend writes nothing to that node if bridge is not specified in the vif
config :-(.  I suppose that is the reason for the hack in vif-bridge,
which was a bad fix IMO.

Thanks,
Jim
> Ian.
>
>   

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel