On Thu, Oct 26, 2006 at 05:17:50PM +0100, Daniel P. Berrange wrote:
> After a little debugging, I came across a couple of separate issues with
> the vif-route script which all conspire to block off-host networking from
> working as expected
>
> - The iptables rule is only added to the FORWARD rule - it also needs
> to be added to the INPUT rule, otherwise Dom0 firewall rules will hit
> DomU traffic too
>
> - The iptables rule is added to the end of the FORWARD rule, so if you
> have an existing catch all DENY/REJECT rule already, the Xen rule
> will never get matched
>
> - The rule is using '-m physdev --physdev-in $vif' to match guest traffic.
> The 'physdev' module rules, however, only match on interfaces which are
> part of a network bridge - obviously not the case for routed networking
> config, so even at the correct location in FORWARD they don't match
>
> - While the guest can transmit, it never receives anything back because
> the remote hosts can't do ARP lookups for the guest's IP address. The
> vif-route script turns on proxy_arp on the $vif, but the proxy_arp setting
> is also needed on the Dom0's public interface (eg eth0)
>
> Based on this it would seem we need to change the current
>
> iptables -A FORWARD --source $ip -m physdev --physdev-in $vif -j ACCEPT
>
> To instead do
>
> iptables -I INPUT --source $ip -i $vif -j ACCEPT
> iptables -I FORWARD --source $ip -i $vif -j ACCEPT
>
> Since this stuff is dealt with in vif-common.sh it looks like we'll need to
> remove that commonality between route & bridge scripts.
I'm attaching a patch which does 3 things to the IPTables rules:
- Use -I instead of -A so that rules get inserted at start
of chain - avoiding other custom rules such as a catch-all -j REJECT
- Use -i $vif instead of --physdev-in $vif for routed / nat based
networking. Bridged networking still uses --physdev-in
- Adds the rules to both FORWARD & INPUT chains instead of just
FORWARD chain
This fixes up the IPTables bit of the routed networking
> And add some logic to network-route which does
>
> dev=....discover primary public interface...
> sysctl -w net.ipv4.conf.$dev.proxy_arp = 1
I've not sorted out a patch to discover the primary interface, so for now
I'm testing with 'echo 1 >/proc/sys/net/ipv4/conf/all/proxy_arp' which enables
proxy_arp for all interfaces. I could submit a patch for this, but I think
it is overkill, so I want to get the correct patch.
Signed-off-by: Daniel P. Berrange <berrange@xxxxxxxxxx>
Regards,
Dan.
--
|=- Red Hat, Engineering, Emerging Technologies, Boston. +1 978 392 2496 -=|
|=- Perl modules: http://search.cpan.org/~danberr/ -=|
|=- Projects: http://freshmeat.net/~danielpb/ -=|
|=- GnuPG: 7D3B9505 F3C9 553F A1DA 4AC2 5648 23C1 B3DF F742 7D3B 9505 -=|
Attachment: xen-network-route-iptables.patch
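The three iptables changes and the proxy_arp setting discussed above, written out as a small shell helper. This is an added illustration, not the patch attached to this mail or anything from the Xen scripts; the function names, the IPTABLES/SYSCTL override variables (set them to "echo" for a dry run without root) and the sample vif/IP values are assumptions.

```shell
#!/bin/sh
# Added illustration, not the attached patch. Installs or removes the per-vif
# ACCEPT rules described in the mail:
#   - "-I" on online so the rule lands ahead of any catch-all REJECT,
#     "-D" on offline to remove exactly that rule again
#   - routed/NAT vifs match on "-i $vif"; bridged vifs keep "--physdev-in $vif"
#   - the rule goes into both INPUT and FORWARD
# IPTABLES and SYSCTL may be overridden (e.g. set to "echo") for a dry run
# without root; that override is an assumption of this example.

# usage: vif_iptables <online|offline> <route|bridge> <vif> <guest-ip>
vif_iptables() {
    mode=$1 type=$2 vif=$3 ip=$4
    case "$mode" in
        online)  action=-I ;;   # insert at head of chain
        offline) action=-D ;;   # delete the matching rule on teardown
        *) echo "vif_iptables: unknown mode '$mode'" >&2; return 1 ;;
    esac
    case "$type" in
        route)  match="-i $vif" ;;                      # plain interface match
        bridge) match="-m physdev --physdev-in $vif" ;; # only works on a bridge port
        *) echo "vif_iptables: unknown type '$type'" >&2; return 1 ;;
    esac
    for chain in INPUT FORWARD; do
        # $match is deliberately unquoted so it splits into separate arguments
        "${IPTABLES:-iptables}" "$action" "$chain" --source "$ip" $match -j ACCEPT \
            || return 1
    done
}

# proxy_arp is needed on the vif and on the public interface, otherwise
# remote hosts cannot ARP for the guest's address.
# usage: enable_proxy_arp <dev>...
enable_proxy_arp() {
    for dev in "$@"; do
        "${SYSCTL:-sysctl}" -w "net.ipv4.conf.$dev.proxy_arp=1" || return 1
    done
}

# Example run for a routed guest (constructed sample values):
#   vif_iptables online route vif1.0 192.168.1.10
#   enable_proxy_arp vif1.0 eth0
```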
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel