On Wed, Apr 27, 2011 at 10:56 AM, Andrew McGlashan
<andrew.mcglashan@xxxxxxxxxxxxxxxxxxxxx> wrote:
> Hi Teck,
>
> Teck Choon Giam wrote:
>>
>> On Tue, Apr 26, 2011 at 8:19 PM, Andrew McGlashan
>>>
>>> That caused me issues and those settings were in place due to
>>> "anti-spoofing" setup.
>>>
>>> I dropped anti-spoofing to "fix" my setup somewhat. Until I did that, I
>>> couldn't get to the DomU machines directly via the bridged interface.
>>>
>>> Now I can get through, but there are still issues that are not resolved
>>> [1]
>>> -- sometimes I connect, sometimes I don't; I really need a fix for this.
>>>
>>> [1] http://comments.gmane.org/gmane.comp.emulators.xen.user/66214
>>>
>>
>> Are you looking for a patch to support the anti-spoof feature for tap
>> devices? If so, which Xen version are you looking for? I have
>> patches that support tap devices when the anti-spoof feature is enabled.
>
> Perhaps, do you think that will help in this situation?
>
> # cat /etc/debian_version
> 6.0.1
>
>
> # dpkg-query -l|grep xen|awk '{print $1,$2,$3}'
> ii libxenstore3.0 4.0.1-2
> ii linux-image-2.6.32-5-xen-amd64 2.6.32-31
> ii xen-hypervisor-4.0-amd64 4.0.1-2
> ii xen-tools 4.2-1
> ii xen-utils-4.0 4.0.1-2
> ii xen-utils-common 4.0.0-1
> ii xenstore-utils 4.0.1-2
>
>
> How would the patch be implemented?
>
> Thanks.
>
> --
> Kind Regards
> AndrewM
>
> Andrew McGlashan
> Broadband Solutions now including VoIP
>
>
Sorry, I don't use Debian and my patches are against the upstream source. I
assume you are using Xen 4.0. The following patch should apply
cleanly to xen-4.0; if it does not, let me know:
diff -urN a/tools/hotplug/Linux/network-bridge
b/tools/hotplug/Linux/network-bridge
--- a/tools/hotplug/Linux/network-bridge 2010-12-18 01:57:33.000000000
+0800
+++ b/tools/hotplug/Linux/network-bridge 2010-12-18 07:42:29.000000000
+0800
@@ -188,11 +188,23 @@
# Set the default forwarding policy for $dev to drop.
# Allow forwarding to the bridge.
antispoofing () {
- iptables -P FORWARD DROP
- iptables -F FORWARD
+ local isforwardpolicydrop=`iptables -L FORWARD |grep policy|grep
DROP|grep -v grep`
+ if [ "x$isforwardpolicydrop" == "x" ] ; then
+ iptables -P FORWARD DROP
+ iptables -F FORWARD
+ fi
iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
}
+# Set the default forwarding policy for $dev to accept
+disable_antispoofing () {
+ local isforwardpolicydrop=`iptables -L FORWARD |grep policy|grep
DROP|grep -v grep`
+ if [ "x$isforwardpolicydrop" != "x" ] ; then
+ iptables -P FORWARD ACCEPT
+ iptables -F FORWARD
+ fi
+}
+
# Usage: show_status dev bridge
# Print ifconfig and routes.
show_status () {
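Review bot: `disable_antispoofing` sets the FORWARD policy to ACCEPT and flushes the entire chain whenever the policy happens to be DROP, so any rules the administrator placed in FORWARD for reasons unrelated to Xen are wiped and dom0 is left forwarding everything — a fail-open on teardown. The policy is also detected by scraping `iptables -L FORWARD` (which does name resolution without `-n`); `iptables -S FORWARD | grep -q '^-P FORWARD DROP'` is the stable form for both functions. Safer would be for `antispoofing()` to record that it was the one to set the DROP policy (a state/marker file) and for `disable_antispoofing` to revert only in that case, and to drop the `iptables -F FORWARD` from the revert path altogether. Both functions are complete within this hunk.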
@@ -283,6 +295,10 @@
brctl delbr ${tdev}
+ if [ ${antispoof} = 'yes' ] ; then
+ disable_antispoofing
+ fi
+
release_lock "network-bridge"
}
diff -urN a/tools/hotplug/Linux/vif-common.sh
b/tools/hotplug/Linux/vif-common.sh
--- a/tools/hotplug/Linux/vif-common.sh 2010-12-18 01:57:33.000000000 +0800
+++ b/tools/hotplug/Linux/vif-common.sh 2010-12-18 07:46:01.000000000 +0800
@@ -63,12 +63,33 @@
vif="$vifname"
fi
+pre_frob_iptable_delay()
+{
+ local tapif=`echo $vif | sed 's/vif/tap/'`
+ # for xm create
+ local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
+
+ if [ ! -n "$checktapif" ] ; then
+ # Implement ${MYTAPDELAY} environment variable for delay in
seconds sleep to wait
+ # for brctl add tap devices as sometimes tap devices not being up on time.
+ # default is 3 seconds
+ # Such environment set in /etc/xen/scripts/hotplugpath.sh
+ if [ ! -n "$MYTAPDELAY" ] ; then
+ MYTAPDELAY=3
+ else
+ # Necessary in order to make sure it is in numberic
+ MYTAPDELAY=`echo "$MYTAPDELAY" | bc`
+ fi
+ sleep ${MYTAPDELAY}
+ fi
+}
frob_iptable()
{
if [ "$command" == "online" ]
then
local c="-I"
+ pre_frob_iptable_delay
else
local c="-D"
fi
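Review bot: `pre_frob_iptable_delay` uses a fixed `sleep` to wait for the tap device and passes `MYTAPDELAY` through `bc`, which is not a numeric validation — `bc` evaluates arbitrary expressions and prints nothing (or an error) on garbage, leaving `sleep` with an empty argument, while a too-short delay still loses the race and a long one stalls every `online` event. A bounded poll for the interface in `/proc/net/dev`, with the bound checked as a plain integer via `case`, returns as soon as the device appears and never sleeps on a malformed value. `pre_frob_iptable_delay` is complete in this hunk; `frob_iptable` continues in the next one.
```shell
pre_frob_iptable_delay()
{
    local tapif=`echo $vif | sed 's/vif/tap/'`
    local i
    # Accept only a plain non-negative integer as the wait bound; bc would
    # evaluate arbitrary expressions and yield an empty string on garbage.
    case "$MYTAPDELAY" in
        ''|*[!0-9]*) MYTAPDELAY=3 ;;
    esac
    # Poll for the tap device instead of sleeping unconditionally: return as
    # soon as it shows up, give up after MYTAPDELAY seconds.
    i=0
    while [ "$i" -lt "$MYTAPDELAY" ] && ! grep -q "^ *${tapif}:" /proc/net/dev; do
        sleep 1
        i=$((i + 1))
    done
}
```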
@@ -78,6 +99,24 @@
iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
-j ACCEPT 2>/dev/null
+ # Added support for tap network devices in iptables FORWARD chain as this
+ # is required if antispoof is enabled or otherwise all packets to/from tap
+ # devices will be dropped.
+ # Start adding by Giam Teck Choon.
+ local tapif=`echo $vif | sed 's/vif/tap/'`
+ # for xm create
+ local checktapif=`cat /proc/net/dev | grep "${tapif}:" | grep -v grep`
+ # for xm shutdown
+ local checktapstate=`iptables -L -n | grep "state
RELATED,ESTABLISHED PHYSDEV match --physdev-out ${tapif}"`
+
+ if [ -n "$checktapif" ] || [ -n "$checktapstate" ] ; then
+ iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in \
+ "$tapif" "$@" -j ACCEPT 2>/dev/null &&
+ iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
+ --physdev-is-bridged --physdev-out "$tapif" -j ACCEPT 2>/dev/null
+ fi
+ # End adding by Giam Teck Choon.
+
if [ "$command" == "online" -a $? -ne 0 ]
then
log err "iptables setup failed. This may affect guest networking."
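Review bot: The tap block inserted between the vif rules and the `$? -ne 0` check changes what that check tests: `$?` is now the status of the `if [ -n "$checktapif" ] || ...` statement (0 when the branch is skipped, the tap rule status otherwise), so a failure of the original `--physdev-in "$vif"` / `--physdev-out "$vif"` rules is no longer logged. Capture it first, e.g. `local rc=$?` immediately after the vif rules, append `|| rc=1` to the tap rule pair, and test `if [ "$command" == "online" -a $rc -ne 0 ]`. Detecting an already-installed tap rule by grepping `iptables -L -n` for human-readable text is also brittle across iptables versions, and the unanchored pattern with an unescaped `.` in names like tap1.0 can match a neighbouring interface; `iptables -S FORWARD | grep -q -- "--physdev-out ${tapif} "` is more robust. `frob_iptable` starts in the previous hunk.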
@@ -114,7 +153,10 @@
done
# Always allow the domain to talk to a DHCP server.
- frob_iptable -p udp --sport 68 --dport 67
+ # Such environment set in /etc/xen/scripts/hotplugpath.sh
+ if [ ! -n ${MYDHCPDISABLE} ] ; then
+ frob_iptable -p udp --sport 68 --dport 67
+ fi
else
# No IP addresses have been specified, so allow anything.
frob_iptable
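Review bot: `[ ! -n ${MYDHCPDISABLE} ]` inverts the intended default: with the variable unset the test collapses to `[ ! -n ]`, which bash evaluates as false (the lone argument `-n` is a non-empty string), so the DHCP allow rule is skipped precisely when nothing has been configured and DHCP guests lose connectivity under antispoof. Quote the expansion and test emptiness directly: `if [ -z "${MYDHCPDISABLE}" ] ; then`. The `if`/`else` this hunk sits in begins before the hunk.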