Xen devel - Nov 2010 - [PATCH] vif-common.sh prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore

Hi all,

Please consider this patch, with newer (pvops) kernels my logs get flooded with
this iptables warning:
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains
for non-bridged traffic is not supported anymore

Using the --physdev-is-bridged option prevents this.
See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10

--
Sander



# HG changeset patch
# User root@localhost
# Date 1289255948 -3600
# Node ID 8270590996e55674532101c3dcfd41312c8598cf
# Parent  0d5f09e3728cd2ebf1126bc7341ae9dded45006a
Use --physdev-is-bridged to make it explicit the rules only apply to bridged
traffic.
This prevents a flood of:
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains
for non-bridged traffic is not supported anymore.
messages when starting or shutting down domU''s

Background information:
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10

Signed-off-by: Sander Eikelenboom <linux@eikelenboom.it>

diff -r 0d5f09e3728c -r 8270590996e5 tools/hotplug/Linux/vif-common.sh
--- a/tools/hotplug/Linux/vif-common.sh Thu Nov 04 16:42:34 2010 +0000
+++ b/tools/hotplug/Linux/vif-common.sh Mon Nov 08 23:39:08 2010 +0100
@@ -105,10 +105,10 @@
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -m physdev --physdev-in "$vif"
"$@" -j ACCEPT \
+  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in
"$vif" "$@" -j ACCEPT \
     2>/dev/null &&
   iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m
physdev \
-    --physdev-out "$vif" -j ACCEPT 2>/dev/null
+    --physdev-is-bridged --physdev-out "$vif" -j ACCEPT
2>/dev/null
 
   if [ "$command" == "online" -a $? -ne 0 ]
   then


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Tue, Nov 9, 2010 at 6:53 AM, Sander Eikelenboom <linux@eikelenboom.it>
wrote:
> Hi all,
>
> Please consider this patch, with newer (pvops) kernels my logs get flooded
with this iptables warning:
> physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
chains for non-bridged traffic is not supported anymore
>
> Using the --physdev-is-bridged option prevents this.
> See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10
>
I guess a patch for tools/hotplug/Linux/network-bridge will also be required?

$ grep iptables ./*/*
./Linux/network-bridge:# antispoof  Whether to use iptables to prevent
spoofing (default no).
./Linux/network-bridge:    iptables -P FORWARD DROP
./Linux/network-bridge:    iptables -F FORWARD
./Linux/network-bridge:    iptables -A FORWARD -m physdev --physdev-in
${pdev} -j ACCEPT << HERE IT IS
./Linux/network-nat:# antispoof  Whether to use iptables to prevent
spoofing (default no).
./Linux/network-nat:	iptables -t nat -A POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-nat:	iptables -t nat -D POSTROUTING -o ${netdev} -j MASQUERADE
./Linux/network-route:# antispoof  Whether to use iptables to prevent
spoofing (default yes).
./Linux/vif-bridge:# Enslaves the vif interface to the bridge and adds
iptables rules
./Linux/vif-bridge:# Removes the vif interface from the bridge and
removes the iptables
./Linux/vif-common.sh:  iptables "$c" FORWARD -m physdev --physdev-in
"$vif" "$@" -j ACCEPT \
./Linux/vif-common.sh:  iptables "$c" FORWARD -m state --state
RELATED,ESTABLISHED -m physdev \
./Linux/vif-common.sh:    log err "iptables setup failed. This may
affect guest networking."
./Linux/vif-common.sh:# Add or remove the appropriate entries in the
iptables.  With antispoofing
./Linux/vif-common.sh:  # Check for a working iptables installation.
Checking for the iptables
./Linux/vif-common.sh:  # modules installed.  If iptables is not
working, then there''s no need to do
./Linux/vif-common.sh:  if ! iptables -L -n >&/dev/null
./Linux/vif-common.sh:  claim_lock "iptables"
./Linux/vif-common.sh:  release_lock "iptables"

Thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Tue, Nov 9, 2010 at 7:49 AM, Teck Choon Giam <giamteckchoon@gmail.com>
wrote:
> On Tue, Nov 9, 2010 at 6:53 AM, Sander Eikelenboom
<linux@eikelenboom.it> wrote:
>> Hi all,
>>
>> Please consider this patch, with newer (pvops) kernels my logs get
flooded with this iptables warning:
>> physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore
>>
>> Using the --physdev-is-bridged option prevents this.
>> See also: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=571634#10
>>
>
> I guess a patch for tools/hotplug/Linux/network-bridge will also be
required?
Answer to my own question above... ... not needed!

Thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Sander Eikelenboom writes ("[Xen-devel] [PATCH] vif-common.sh prevent
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains
for non-bridged traffic is not supported anymore"):
> -  iptables "$c" FORWARD -m physdev --physdev-in "$vif"
"$@" -j ACCEPT \
> +  iptables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-in "$vif" "$@" -j ACCEPT \
This will break on earlier iptables and/or earlier kernels.

Is there a way to detect whether --physdev-is-bridged is going to work ?

We could grep the output from iptables but is that sufficient ?  I
guess we may need to check for kernel behaviour too somehow.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Tuesday, November 9, 2010, 5:53:19 PM, you wrote:
> Sander Eikelenboom writes ("[Xen-devel] [PATCH] vif-common.sh prevent
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains
for non-bridged traffic is not supported anymore"):
>> -  iptables "$c" FORWARD -m physdev --physdev-in
"$vif" "$@" -j ACCEPT \
>> +  iptables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-in "$vif" "$@" -j ACCEPT \
> This will break on earlier iptables and/or earlier kernels.
> Is there a way to detect whether --physdev-is-bridged is going to work ?
> We could grep the output from iptables but is that sufficient ?  I
> guess we may need to check for kernel behaviour too somehow.
Good point, although I don''t have a config with an old enough
iptables/kernel to test what happens in that case ..
The option should be available from before 2008
(http://ipset.netfilter.org/iptables.man.html) though.

> Ian.


-- 
Best regards,
 Sander                            mailto:linux@eikelenboom.it


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Sander Eikelenboom writes ("Re: [Xen-devel] [PATCH] vif-common.sh prevent
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains
for non-bridged traffic is not supported anymore"):
> Good point, although I don''t have a config with an old enough
> iptables/kernel to test what happens in that case ..
On lenny:

$ iptables --physdev-is-bridged 
iptables v1.4.2: Unknown arg `(null)''
Try `iptables -h'' or ''iptables --help'' for more
information.
$

What I want to know, though, is what happens if you have a new
iptables and an old kernel.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Hello Ian,

Tuesday, November 9, 2010, 7:32:00 PM, you wrote:
> Sander Eikelenboom writes ("Re: [Xen-devel] [PATCH] vif-common.sh
prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore"):
>> Good point, although I don''t have a config with an old enough
>> iptables/kernel to test what happens in that case ..
this
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commit;h=30596a5e7ae8c518a8a0bbf3aa891728e9f9ec1b
commit allready seems to have the option
it''s from 2003...

> On lenny:
> $ iptables --physdev-is-bridged 
> iptables v1.4.2: Unknown arg `(null)''
> Try `iptables -h'' or ''iptables --help'' for more
information.
> $
> What I want to know, though, is what happens if you have a new
> iptables and an old kernel.
> Ian.


-- 
Best regards,
 Sander                            mailto:linux@eikelenboom.it


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

On Wed, Nov 10, 2010 at 2:37 AM, Sander Eikelenboom
<linux@eikelenboom.it> wrote:
> Hello Ian,
>
> Tuesday, November 9, 2010, 7:32:00 PM, you wrote:
>
>> Sander Eikelenboom writes ("Re: [Xen-devel] [PATCH] vif-common.sh
prevent physdev match: using --physdev-out in the OUTPUT, FORWARD and
POSTROUTING chains for non-bridged traffic is not supported anymore"):
>>> Good point, although I don''t have a config with an old
enough
>>> iptables/kernel to test what happens in that case ..
>
> this
http://git.netfilter.org/cgi-bin/gitweb.cgi?p=iptables.git;a=commit;h=30596a5e7ae8c518a8a0bbf3aa891728e9f9ec1b
commit allready seems to have the option
> it''s from 2003...
>
>
>> On lenny:
>
>> $ iptables --physdev-is-bridged
>> iptables v1.4.2: Unknown arg `(null)''
>> Try `iptables -h'' or ''iptables --help'' for
more information.
>> $
>
>> What I want to know, though, is what happens if you have a new
>> iptables and an old kernel.
>
>> Ian.
Hi Ian,

Usage as below which show support for CentOS 4 amd CentOS 5:

# /sbin/iptables -m physdev --help|grep ''physdev-is-bridged''
 [!] --physdev-is-bridged		it''s a bridged packet


# /sbin/iptables -m physdev --help
iptables v1.2.11

Usage: iptables -[AD] chain rule-specification [options]
       iptables -[RI] chain rulenum rule-specification [options]
       iptables -D chain rulenum [options]
       iptables -[LFZ] [chain] [options]
       iptables -[NX] chain
       iptables -E old-chain-name new-chain-name
       iptables -P chain target [options]
       iptables -h (print this help information)

Commands:
Either long or short options are allowed.
  --append  -A chain		Append to chain
  --delete  -D chain		Delete matching rule from chain
  --delete  -D chain rulenum
				Delete rule rulenum (1 = first) from chain
  --insert  -I chain [rulenum]
				Insert in chain as rulenum (default 1=first)
  --replace -R chain rulenum
				Replace rule rulenum (1 = first) in chain
  --list    -L [chain]		List the rules in a chain or all chains
  --flush   -F [chain]		Delete all rules in  chain or all chains
  --zero    -Z [chain]		Zero counters in chain or all chains
  --new     -N chain		Create a new user-defined chain
  --delete-chain
            -X [chain]		Delete a user-defined chain
  --policy  -P chain target
				Change policy on chain to target
  --rename-chain
            -E old-chain new-chain
				Change chain name, (moving any references)
Options:
  --proto	-p [!] proto	protocol: by number or name, eg. `tcp''
  --source	-s [!] address[/mask]
				source specification
  --destination -d [!] address[/mask]
				destination specification
  --in-interface -i [!] input name[+]
				network interface name ([+] for wildcard)
  --jump	-j target
				target for rule (may load target extension)
  --match	-m match
				extended match (may load extension)
  --numeric	-n		numeric output of addresses and ports
  --out-interface -o [!] output name[+]
				network interface name ([+] for wildcard)
  --table	-t table	table to manipulate (default: `filter'')
  --verbose	-v		verbose mode
  --line-numbers		print line numbers when listing
  --exact	-x		expand numbers (display exact values)
[!] --fragment	-f		match second or further fragments only
  --modprobe=<command>		try to insert modules using this command
  --set-counters PKTS BYTES	set the counter during insert/append
[!] --version	-V		print package version.

physdev v1.2.11 options:
 --physdev-in [!] input name[+]		bridge port name ([+] for wildcard)
 --physdev-out [!] output name[+]	bridge port name ([+] for wildcard)
 [!] --physdev-is-in			arrived on a bridge device
 [!] --physdev-is-out			will leave on a bridge device
 [!] --physdev-is-bridged		it''s a bridged packet


Thanks.

Kindest regards,
Giam Teck Choon

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Teck Choon Giam writes ("Re: [Xen-devel] [PATCH] vif-common.sh prevent
physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains
for non-bridged traffic is not supported anymore"):
> Usage as below which show support for CentOS 4 amd CentOS 5:
> 
> # /sbin/iptables -m physdev --help|grep
''physdev-is-bridged''
>  [!] --physdev-is-bridged		it''s a bridged packet
I think that means this has indeed been deployed everywhere for ages.
So thanks for that, and I have applied Sander''s patch.

Ian.

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel