This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/


[Xen-bugs] [Bug 559] New: vif-bridge iptables problem for interfaces with predefined ip

To: xen-bugs@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-bugs] [Bug 559] New: vif-bridge iptables problem for interfaces with predefined ip
From: bugzilla-daemon@xxxxxxxxxxxxxxxxxxx
Date: Tue, 07 Mar 2006 15:47:26 +0000
Delivery-date: Tue, 07 Mar 2006 15:48:20 +0000
Envelope-to: www-data@xxxxxxxxxxxxxxxxxxx
List-help: <mailto:xen-bugs-request@lists.xensource.com?subject=help>
List-id: Xen Bugzilla <xen-bugs.lists.xensource.com>
List-post: <mailto:xen-bugs@lists.xensource.com>
List-subscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=subscribe>
List-unsubscribe: <http://lists.xensource.com/cgi-bin/mailman/listinfo/xen-bugs>, <mailto:xen-bugs-request@lists.xensource.com?subject=unsubscribe>
Reply-to: bugs@xxxxxxxxxxxxxxxxxx
Sender: xen-bugs-bounces@xxxxxxxxxxxxxxxxxxx

           Summary: vif-bridge iptables problem for interfaces with
                    predefined ip
           Product: Xen
           Version: 3.0.1
          Platform: All
        OS/Version: Linux-2.6
            Status: NEW
          Severity: major
          Priority: P2
         Component: Guest-OS
        AssignedTo: xen-bugs@xxxxxxxxxxxxxxxxxxx
        ReportedBy: marko@xxxxxxxxxx


Environment : RHEL4u2, xen-3.0.1-12.1_rhel4.1
I want to explicitly allow domU to use the IP I gave it in the configuration.
Vif definition in the domU config file:
  vif = [ 'mac=00:16:3E:10:88:65,ip=' ]
(interface with a predefined MAC address and 2 allowed IPs to use)

The vif-common.sh script, function handle_iptable, theoretically must do this by adding
the rule "-A FORWARD -s <IP> -m physdev --physdev-in <vif> -j ACCEPT" for each IP,
but it does so only when 1 IP is specified.

Error in /var/log/messages:
Mar  7 17:22:56 leo logger: /etc/xen/scripts/vif-bridge: iptables -A FORWARD -m physdev --physdev-in vif31.0 -s -j ACCEPT failed. If you are using iptables, this may affect networking for guest domains.

The problem is the loop definition. Fix:
--- vif-common.sh.sav   2006-03-07 17:16:16.000000000 +0200
+++ vif-common.sh       2006-03-07 17:19:35.000000000 +0200
@@ -103,7 +103,7 @@
   if [ "$ip" != "" ]
       local addr
-      for addr in "$ip"
+      for addr in $ip
         frob_iptable -s "$addr"
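Review bot: the change works only because unquoted $ip is split on IFS, so the ip= value must separate addresses with whitespace; a comma-separated list would still yield one bogus -s argument, and this should be stated next to the vif= example in the report (and guarded with `set -f` if glob characters could ever reach $ip). As pasted, the hunk also will not apply: the `@@ -103,7 +103,7 @@` header promises 7 lines but 5 are shown, and the `if [ "$ip" != "" ]` has no `then` and the `for` no `do`/`done`, so the missing lines need to be re-sent. Note too that this fixes only the add path; the teardown path where ip="" on destroy (Problem #2 below) is left untouched.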


Problem #2: on domain destroy the vif-* scripts can't receive the mac, ip, bridge,
etc. parameters from xenstore. It looks like all vif values have already been wiped out
at this stage, and the code in vif-common.sh receives ip="":
ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")

The result of this: the removal of iptables rules for specified IPs could not be
If it's impossible not to clean xenstore before vif destroy ... I now use the
following script (removes all rules from the FORWARD chain with a physdev equivalent
to the vif name Xen is trying to shut down):

# Runs for every command except "online" (i.e. on offline/remove) and
# deletes every FORWARD physdev rule that names this vif.
if [ "$command" != "online" ] ; then
  iptables-save | egrep "^-A FORWARD +.*-m +physdev.* +${vif} +" | \
       while read RULE ; do
          log debug "Remove IPTables rule $RULE"
          # bash substitution turns the saved -A rule into its -D twin
          iptables ${RULE//-A FORWARD/-D FORWARD}
       done
fi
