Marc Warne (GigaTux)
2013-Jan-24 11:25 UTC
[Pkg-xen-devel] Bug#698841: xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on
Package: xen-utils-common
Version: 4.1.3-8
Severity: important

When antispoof is set to 'on', the vif-common script does not create an ALLOW firewall rule for the emulated vif devices. This means that HVM nodes, unless a Xen PV driver is installed and running, cannot access the external network.

The vif-common script creates an ACCEPT entry for the normal vif device (e.g. vif4.0) but not the emulated device (vif4.0-emu). Xen 4.1 seems to use these as opposed to tap devices, hence this is related to bug 613540 (Xen 4.0/squeeze) but needs a different resolution for Xen 4.1/wheezy.

To resolve, the /etc/xen/scripts/vif-common.sh script can be edited to have a new line added to the frob_iptable() function. After the first iptables command in this function, add:

    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev"-emu "$@" -j ACCEPT 2>/dev/null &&

This isn't a full patch as there might be a nicer way to do this, e.g. a nicer way to determine the naming of the vif interface.

-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xen-utils-common depends on:
ii  gawk            1:4.0.1+dfsg-2
ii  lsb-base        4.1+Debian8
ii  python          2.7.3~rc2-1
ii  ucf             3.0025+nmu3
ii  udev            175-7
ii  xenstore-utils  4.1.3-8

xen-utils-common recommends no packages.

xen-utils-common suggests no packages.

-- Configuration Files:
/etc/default/xendomains changed [not included]
/etc/init.d/xendomains changed [not included]
/etc/xen/scripts/vif-common.sh changed [not included]
/etc/xen/xend-config.sxp changed [not included]

-- no debconf information
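The following is an added illustration of the change the report describes; it is not the package's /etc/xen/scripts/vif-common.sh and not the reporter's patch. It reduces frob_iptable() to the two antispoof ACCEPT rules (PV vif and "-emu" vif), adds a check function built on iptables -C, and uses a hypothetical IPTABLES variable (not in the real script) so the rules can be printed with IPTABLES=echo rather than applied. The "<vif>-emu" naming is taken from the report (vif4.0 -> vif4.0-emu); the guest address 192.0.2.10 is constructed.

```shell
#!/bin/sh
# Added illustration, not the Debian package's /etc/xen/scripts/vif-common.sh:
# a cut-down frob_iptable that installs the antispoof ACCEPT rule for the PV vif
# and for the emulated "-emu" vif that qemu-dm gives an HVM guest.
# IPTABLES is a hypothetical override (not in the real script) so the rules can
# be printed with IPTABLES=echo instead of being applied.
IPTABLES="${IPTABLES:-iptables}"

# Name of the emulated interface paired with a vif.
# Assumption taken from the report: Xen 4.1 names it "<vif>-emu" (vif4.0 -> vif4.0-emu).
emu_dev() {
    printf '%s-emu\n' "$1"
}

# frob_iptable -A|-D <vif> [extra match options, e.g. -s <guest ip>]
# -A adds the rules (vif online), -D removes them (vif offline).
frob_iptable() {
    c="$1"; dev="$2"; shift 2
    # Rule the shipped script already creates: traffic bridged in from the PV vif.
    "$IPTABLES" "$c" FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$dev" "$@" -j ACCEPT
    # Rule the report says is missing: the same ACCEPT for the emulated vif.
    # Without it an HVM guest that has no PV network driver is blocked.
    "$IPTABLES" "$c" FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$(emu_dev "$dev")" "$@" -j ACCEPT
}

# Check: succeeds only when both ACCEPT rules exist (iptables -C tests for a
# rule without changing the chain).
antispoof_rules_present() {
    dev="$1"; shift
    "$IPTABLES" -C FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$dev" "$@" -j ACCEPT 2>/dev/null &&
    "$IPTABLES" -C FORWARD -m physdev --physdev-is-bridged \
        --physdev-in "$(emu_dev "$dev")" "$@" -j ACCEPT 2>/dev/null
}

# Dry run: print the rules that would be added for vif4.0, restricted to the
# constructed guest address 192.0.2.10.
if [ "${1:-}" = "--dry-run" ]; then
    IPTABLES=echo
    frob_iptable -A vif4.0 -s 192.0.2.10
fi
```

Running the file with --dry-run prints the two iptables commands without touching the firewall; on a dom0 where the rules have been applied, `antispoof_rules_present vif4.0 -s <guest ip>` returns 0 only if both the vif and vif-emu rules are in FORWARD, which is the quick way to confirm an HVM guest is not being blocked by the missing second rule.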