[Xen-devel] [PATCH] Re: network-bridge script breaks network connectivity

[Mike Freemon <mfreemon@xxxxxxxxxxxxx>]

This patch configures the bridge to *not* apply iptables filtering.  This 
makes the virtual bridge more like a real bridge (in that ip-layer filter 
does not happen) and it makes the installation/configuration of xen from 
sources easier (at least on FC5).
Submitted for your consideration...

- Mike


# HG changeset patch
# User root@xxxxxxxxxxxxxxxxxxx
# Node ID f0fa1126dae5f897eac9a162a6ccbb6ceca7f9b9
# Parent  a1c2cede77c78d2af99088d7dece8f74f2a27260
Disable iptables filtering of bridge traffic
Signed-off-by: Mike Freemon mfreemon@xxxxxxxxxxxxx

diff -r a1c2cede77c7 -r f0fa1126dae5 tools/examples/xen-network-common.sh
--- a/tools/examples/xen-network-common.sh      Mon Jul 10 15:01:49 2006 +0100
+++ b/tools/examples/xen-network-common.sh      Mon Jul 10 15:39:56 2006 -0500
@@ -127,6 +127,12 @@ create_bridge () {

     # Don't create the bridge if it already exists.
     if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then
+        # use brctl to force initialization of bridge-nf
+        brctl show >/dev/null 2>&1
+        # disable iptables filtering in bridge
+        sysctl -w "net.bridge.bridge-nf-call-arptables=0"
+        sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
+        sysctl -w "net.bridge.bridge-nf-call-iptables=0"
        brctl addbr ${bridge}
        brctl stp ${bridge} off
        brctl setfd ${bridge} 0






At 7/8/2006 05:28 PM  Saturday, Mike Freemon wrote:
> You are correct -- My short summary was technically accurate in only the 
> most abstract of ways  :-)
> After some more digging, I found that the iptables rules were blocking 
> traffic passing across the xenbr0 bridge (bridge-nf).  I am using the same 
> "fedora default" iptables rules as my other xen machines (dumped below), 
> so I was confused as to why this machine was different.  This happens to 
> be the first machine I have compiled Xen from hg sources (to pull in the 
> latest vt-x vmx stuff).
> What I found was that the fedora distro of Xen contains the following 
> lines in the create_bridge() method of /etc/xen/scripts/network-bridge:
> sysctl -w "net.bridge.bridge-nf-call-arptables=0"
> sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
> sysctl -w "net.bridge.bridge-nf-call-iptables=0"
>
> This disables the iptables filtering on the bridge.
>
> This seems like a reasonable default since bridges don't normally do 
> IP-layer filtering.
> What is the view of the Xen team on this?  Are there reasons why this 
> could not be included in the xen sources as well?
> - Mike
>
>
> :INPUT ACCEPT [0:0]
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [8335:620449]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
> -A RH-Firewall-1-INPUT -i lo -j ACCEPT
> -A RH-Firewall-1-INPUT -p icmp -m icmp --icmp-type any -j ACCEPT
> -A RH-Firewall-1-INPUT -p ipv6-crypt -j ACCEPT
> -A RH-Firewall-1-INPUT -p ipv6-auth -j ACCEPT
> -A RH-Firewall-1-INPUT -d 224.0.0.251 -p udp -m udp --dport 5353 -j ACCEPT
> -A RH-Firewall-1-INPUT -p udp -m udp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m tcp --dport 631 -j ACCEPT
> -A RH-Firewall-1-INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A RH-Firewall-1-INPUT -p tcp -m state --state NEW -m tcp --dport 22 -j ACCEPT
> -A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
> COMMIT
>
>
>
>
> At 7/8/2006 10:47 AM  Saturday, Christian Limpach wrote:
> > On 7/7/06, Mike Freemon <mfreemon@xxxxxxxxxxxxx> wrote:
> > > Hi All,
> > >
> > > First, I wasn't sure whether to report this via bugzilla or the xen-devel
> > > list.  Since this is against the current tip of xen-unstable, I went here
> > > first.  I can move this to bugzilla if you want, just let me know.
> > >
> > > Summary is -->  the "network-bridge start" script breaks all network
> > > connectivity.  ICMP broken, DHCP fails, etc.  I am running current FC5
> > > EM64T x86_64 VT-x with the latest xen-unstable.  Running "network-bridge
> > > stop" restores network functionality.
> > >
> > > Below is the relevant data -- before and after dumps, config files, and a
> > > trace of the network-bridge script itself.  Any help is 
> > > appreciated.  Thanks...
> > What does your /etc/resolv.conf look like before/after network-bridge start?
> > Does ping with an IP address work?
> > You say that DHCP fails but the log looks like it succeeds and even
> > ping of your gateway address seems to work.
> >
> >     christian
> >
> > _______________________________________________
> > Xen-devel mailing list
> > Xen-devel@xxxxxxxxxxxxxxxxxxx
> > http://lists.xensource.com/xen-devel
> _______________________________________________
> Xen-devel mailing list
> Xen-devel@xxxxxxxxxxxxxxxxxxx
> http://lists.xensource.com/xen-devel

bridge.patch
Description: Binary data

_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-devel