Daniel Lutz
2009-Oct-12 09:33 UTC
[Pkg-xen-devel] Bug#550692: Script network-bridge in lenny may break network/firewall configuration
Package: xen-utils-common
Version: 3.2.0-2

Hello

We used the script "network-bridge" on our Xen servers based on "etch" (xen-utils-common 3.0.3-0-2) to set up bridge configuration. This script created a bridge "xenbr0", renamed "eth0" to "peth0", renamed "veth0" to "eth0" and added "peth0" and "vif0.0" to the bridge. For firewalling, we had to create rules to filter on "xenbr0" (FORWARD) and "eth0" (INPUT/OUTPUT).

The resulting configuration is as follows:

    peth0 <------> Bridge xenbr0 <----------> vifx.x/eth0 (DomU)
                         ^
                         |
                         v
                    vif0.0/eth0
                       Dom0

Since XEN 3.2, the script network-bridge creates a bridge "eth0" instead of "xenbr0" and doesn't use "vif0.0"/"veth0" anymore. That is, "eth0" is now a bridge and an interface for Dom0 in one. This behaviour breaks our firewall rules.

The resulting configuration is as follows:

    peth0 <------> Bridge eth0 <----------> vifx.x/eth0 (DomU)
                      Dom0

    vif0.0, veth0: not used

As a work-around, we still use the scripts "network-bridge" and "xen-network-common.sh" from XEN 3.0 to get back the old behaviour.

For firewalling, we use Shorewall. The setup and rules required for Shorewall are described at http://shorewall.net/4.2/XenMyWay.html. This setup assumes there's a bridge "xenbr0" and an interface "eth0" for Dom0, that is, it assumes the behaviour from XEN 3.0.

I think this change of configuration by the new scripts might break the firewalling rules of other people, too. So there should be a way to re-activate the old behaviour of the scripts, or to get a smooth transition to the new way of configuration.

A similar problem is described in Bug #511579:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511579

And also here:
http://lists.xensource.com/archives/html/xen-users/2008-09/msg00261.html
https://systemausfall.org/wikis/howto/XenUpgrade3.2

Currently, we continue using the old network configuration scheme from XEN 3.0. We might consider switching to the new configuration scheme in the future.

We propose to add the old network-bridge scripts from XEN 3.0 as an alternative to the new configuration scheme (e.g. named network-bridge-3.0, xen-network-common-3.0.sh).

Regards,
Daniel Lutz

-- 
Daniel Lutz -- Logintas AG, Sonnhaldenstrasse 87, CH-6331 Hünenberg, +41 41 783 21 21
Bastian Blank
2009-Oct-12 11:03 UTC
[Pkg-xen-devel] Bug#550692: Bug#550692: Script network-bridge in lenny may break network/firewall configuration
On Mon, Oct 12, 2009 at 11:33:20AM +0200, Daniel Lutz wrote:
> We used the script "network-bridge" on our Xen servers based on "etch" (xen-utils-common 3.0.3-0-2)
> to set up bridge configuration.

Don't use this script if you have special needs. See /usr/share/doc/bridge-utils/ for how to do that the Debian way.

> I think this change of configuration by the new scripts might break the firewalling rules of
> other people, too. So there should be a way to re-activate the old behaviour of the scripts,
> or to get a smooth transition to the new way of configuration.

It is documented in the changelog and follows upstream.

Bastian

-- 
One does not thank logic.
		-- Sarek, "Journey to Babel", stardate 3842.4
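The security-relevant point in the report above is not the rename itself but what it does to a rule set written for the old layout: every FORWARD rule that matches on "xenbr0" silently stops matching once the bridge is called "eth0", so DomU traffic is decided by the FORWARD chain's policy alone (DROP gives an outage, ACCEPT gives an unfiltered bridge). The script below is an added example for this thread, not code from the bug report, from Xen or from Debian; it checks an iptables-save style rule set against the interfaces that actually exist and lists rules and whole chains that can never match. The interface lists and the rules are constructed sample data modelled on the two layouts described in the report (the rules follow the INPUT/OUTPUT-on-eth0, FORWARD-on-xenbr0 scheme of the Shorewall "Xen My Way" page); they were not captured from a real host. Note what the check cannot see: under the 3.2 layout "eth0" still exists, but it is now the bridge, so INPUT rules on "eth0" keep matching with a different meaning; that semantic change needs a human review, the check only finds dangling interface names.

```shell
#!/bin/sh
# Added example: find firewall rules left dead by the Xen 3.0 -> 3.2
# network-bridge rename. All interface lists and rules here are constructed
# sample data, not captured from a real host.

# Interfaces as network-bridge from Xen 3.0 created them:
# eth0 is Dom0's renamed veth0, xenbr0 is the bridge, one DomU on vif1.0.
XEN30_IFACES="lo peth0 xenbr0 eth0 vif0.0 vif1.0"

# Interfaces as network-bridge from Xen 3.2 creates them:
# eth0 is the bridge itself, vif0.0/veth0 are gone.
XEN32_IFACES="lo peth0 eth0 vif1.0"

# Rules in iptables-save syntax written for the 3.0 layout.
SAMPLE_RULES='-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A INPUT -i eth0 -j DROP
-A FORWARD -i xenbr0 -o xenbr0 -m physdev --physdev-in peth0 -j ACCEPT
-A FORWARD -i xenbr0 -o xenbr0 -m physdev --physdev-out peth0 -j ACCEPT
-A FORWARD -i xenbr0 -j DROP
-A OUTPUT -o eth0 -j ACCEPT'

# stale_iface_rules RULES IFACES
# Prints every rule whose -i or -o argument is not among the space-separated
# interface names in IFACES. Such a rule can never match.
stale_iface_rules() {
    printf '%s\n' "$1" | awk -v ifaces="$2" '
        BEGIN { n = split(ifaces, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        {
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && !(($(i+1)) in have)) { print; next }
        }'
}

# count_stale RULES IFACES
# Number of dead rules (always exits 0, so it is safe under set -e).
count_stale() {
    stale_iface_rules "$1" "$2" | awk 'END { print NR }'
}

# fully_stale_chains RULES IFACES
# Chains in which every rule is dead. Traffic through such a chain is decided
# by the chain policy alone: ACCEPT means unfiltered, DROP means an outage.
fully_stale_chains() {
    printf '%s\n' "$1" | awk -v ifaces="$2" '
        BEGIN { n = split(ifaces, a, " "); for (i = 1; i <= n; i++) have[a[i]] = 1 }
        $1 == "-A" {
            chain = $2; total[chain]++
            for (i = 1; i < NF; i++)
                if (($i == "-i" || $i == "-o") && !(($(i+1)) in have)) { stale[chain]++; break }
        }
        END { for (c in total) if (stale[c] == total[c]) print c }' | sort
}

# Stand-alone run: show what the 3.2 naming does to rules written for 3.0.
echo "Rules that can never match under the Xen 3.2 interface names:"
stale_iface_rules "$SAMPLE_RULES" "$XEN32_IFACES"
echo "Chains left without a single live rule: $(fully_stale_chains "$SAMPLE_RULES" "$XEN32_IFACES")"
```

On a real Dom0 the same functions take live data, e.g. `stale_iface_rules "$(iptables-save)" "$(ls /sys/class/net | tr '\n' ' ')"`, and the check applies whether the bridge is built by network-bridge or, as suggested in the reply above, via bridge-utils in /etc/network/interfaces; what matters is that the names the rules reference are the names the kernel actually has after boot.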
Debian Bug Tracking System
2012-May-06 13:54 UTC
[Pkg-xen-devel] Bug#550692: marked as done (Script network-bridge in lenny may break network/firewall configuration)
Your message dated Sun, 6 May 2012 15:53:00 +0200 with message-id <20120506135300.GC12056 at wavehammer.waldi.eu.org> and subject line "network-bridge not supported" has caused the Debian Bug report #550692, regarding "Script network-bridge in lenny may break network/firewall configuration", to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner at bugs.debian.org immediately.)

-- 
550692: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=550692
Debian Bug Tracking System
Contact owner at bugs.debian.org with problems

-------------- next part --------------
An embedded message was scrubbed...
From: Daniel Lutz <daniel.lutz at logintas.ch>
Subject: Script network-bridge in lenny may break network/firewall configuration
Date: Mon, 12 Oct 2009 11:33:20 +0200
Size: 4638
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120506/8f0125b4/attachment.mht>

-------------- next part --------------
An embedded message was scrubbed...
From: Bastian Blank <waldi at debian.org>
Subject: network-bridge not supported
Date: Sun, 6 May 2012 15:53:00 +0200
Size: 1492
URL: <http://lists.alioth.debian.org/pipermail/pkg-xen-devel/attachments/20120506/8f0125b4/attachment-0001.mht>