Pkg xen devel - Oct 2009 - Bug#550692: Script network-bridge in lenny may break network/firewall configuration

Package: xen-utils-common
Version: 3.2.0-2

Hello

We used the script "network-bridge" on our Xen servers based on
"etch" (xen-utils-common 3.0.3-0-2)
to setup bridge configuration. This script created a bridge "xenbr0",
renamed "eth0" to "peth0",
renamed "veth0" to "eth0" and added "peth0" and
"vif0.0" to the bridge.
For firewalling, we had to create rules to filter on "xenbr0"
(FORWARD) and
"eth0" (INPUT/OUTPUT).

The resulting configuration is as follows:

peth0 <------> Bridge xenbr0 <----------> vifx.x/eth0  (DomU)
                        ^
                        |
                        v
                  vif0.0/eth0
                       Dom0


Since XEN 3.2, the script network-bridge creates a bridge "eth0"
instead of "xenbr0"
and doesn't use "vif0.0"/"veth0" anymore. That is,
"eth0" is now a bridge and an interface
for Dom0 in one. This behaviour breaks our firewall rules.

The resulting configuration is as follows:

peth0 <------> Bridge eth0 <----------> vifx.x/eth0  (DomU)
                      Dom0

vif0.0, veth0: not used


As work-around, we still use the scripts "network-bridge" and
"xen-network-common.sh"
from XEN 3.0 to get back the old behaviour.

For firewalling, we use Shorewall. The setup and rules required for Shorewall
are described at http://shorewall.net/4.2/XenMyWay.html. This setup assumes
there's a bridge "xenbr0" and an interface "eth0" for
Dom0, that is, it assumes
the behaviour from XEN 3.0.

I think this change of configuration by the new scripts might break firewalling
rules of
other people, too. So there should be a way to re-activiate the old behaviour of
the scripts,
or get a smooth transition to the new way of configuration.


A similar problem is described in Bug #511579
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511579

And also here:
http://lists.xensource.com/archives/html/xen-users/2008-09/msg00261.html
https://systemausfall.org/wikis/howto/XenUpgrade3.2

Currently, we continue using the old network configuration scheme from XEN 3.0.
We might
consider to switch to the new configuration scheme in the future. We propose to
add
the old network-bridge scripts from XEN 3.0 as an alternative to the new
configuration
scheme (e. g. named network-bridge-3.0, xen-network-common-3.0.sh).

Regards,
Daniel Lutz


-- 
-- Daniel Lutz
-- Logintas AG, Sonnhaldenstrasse 87, CH-6331 H?nenberg, +41 41 783 21 21

On Mon, Oct 12, 2009 at 11:33:20AM +0200, Daniel Lutz
wrote:
> We used the script "network-bridge" on our Xen servers based on
"etch" (xen-utils-common 3.0.3-0-2)
> to setup bridge configuration. 
Don't use this script if you have special needs. See
/usr/share/doc/bridge-utils/ how to do that the Debian way.
> I think this change of configuration by the new scripts might break
firewalling rules of
> other people, too. So there should be a way to re-activiate the old
behaviour of the scripts,
> or get a smooth transition to the new way of configuration.
It is documented in the changelog and follows upstream.

Bastian

-- 
One does not thank logic.
		-- Sarek, "Journey to Babel", stardate 3842.4

Your message dated Sun, 6 May 2012 15:53:00 +0200
with message-id <20120506135300.GC12056 at wavehammer.waldi.eu.org>
and subject line network-bridge not supported
has caused the Debian Bug report #550692,
regarding Script network-bridge in lenny may break network/firewall
configuration
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner at bugs.debian.org
immediately.)


-- 
550692: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550692
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems
-------------- next part --------------
An embedded message was scrubbed...
From: Daniel Lutz <daniel.lutz at logintas.ch>
Subject: Script network-bridge in lenny may break network/firewall configuration
Date: Mon, 12 Oct 2009 11:33:20 +0200
Size: 4638
URL:
<http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120506/8f0125b4/attachment.mht>
-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: network-bridge not supported
Date: Sun, 6 May 2012 15:53:00 +0200
Size: 1492
URL:
<http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120506/8f0125b4/attachment-0001.mht>