Xen devel - May 2013 - [PATH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering

The vif-common.sh hotplug script doesn''t support ipv6 iptables
filtering setup. The attached patch adds basic filtering capability so
that if an IPv6 is specified, it''s added to the
''authorized'' source
list.
Basically the same behavior as for ipv4.

I''ve been using this patch for some time on xen 4.1 and I''ve
just
forward ported it to xen master (it applied cleanly and didn''t see any
changes that would matter).

Cheers,

    Sylvain


_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

On Mon, 2013-05-13 at 14:55 +0100, Sylvain Munaut wrote:
> The vif-common.sh hotplug script doesn''t support ipv6 iptables
> filtering setup. The attached patch adds basic filtering capability so
> that if an IPv6 is specified, it''s added to the
''authorized'' source
> list.
> Basically the same behavior as for ipv4.
> 
> I''ve been using this patch for some time on xen 4.1 and
I''ve just
> forward ported it to xen master (it applied cleanly and didn''t see
any
> changes that would matter).
Thanks, this looks plausible, at least as far as I am able to tell. Is
there anyone around who could review this from the ipv6/iptables PoV?

WRT the release, we are now frozen for 4.3 and I''d be concerned about
introducing a subtle (or not so subtle) networking regression. George
what do you think?

I notice you use --physdev-out -- I got the impression that this wasn''t
supported any more (occasional bug reports about a warning message). TBH
I don''t know enough about what it does to say one way or the other.

One minor niggle, you''ve spelt "explicitly" as
"explicitely".
> 
> Cheers,
> 
>     Sylvain
> From c6561a403a2c8b1afaf5f336d2df95aceb362cbc Mon Sep 17 00:00:00 2001
> From: Sylvain Munaut <s.munaut@whatever-company.com>
> Date: Mon, 13 May 2013 15:52:14 +0200
> Subject: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common
filtering
> 
> By default DomU are not allow to send router-advertisement
> message. Set the ipv6_allow_ra config option to yet to allow it.
> 
> Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
> ---
>  tools/hotplug/Linux/vif-common.sh | 103
++++++++++++++++++++++++++++++++++++--
>  1 file changed, 99 insertions(+), 4 deletions(-)
> 
> diff --git a/tools/hotplug/Linux/vif-common.sh
b/tools/hotplug/Linux/vif-common.sh
> index 73ee241..d5c51e7 100644
> --- a/tools/hotplug/Linux/vif-common.sh
> +++ b/tools/hotplug/Linux/vif-common.sh
> @@ -121,8 +121,11 @@ fi
>  ip=${ip:-}
>  ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
>  
> +ipv6_allow_ra=$(xenstore_read_default
"$XENBUS_PATH/ipv6_allow_ra" "false")
> +
>  frob_iptable()
>  {
> +  # Add or remove
>    if [ "$command" == "online" ]
>    then
>      local c="-I"
> @@ -130,6 +133,7 @@ frob_iptable()
>      local c="-D"
>    fi
>  
> +  # Main rules
>    iptables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-in "$dev" \
>      "$@" -j ACCEPT 2>/dev/null &&
>    iptables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-out "$dev" \
> @@ -139,6 +143,61 @@ frob_iptable()
>    then
>      log err "iptables setup failed. This may affect guest
networking."
>    fi
> +
> +  # Always allow the domain to talk to a DHCP server.
> +  if [ -n "$1" ]
> +  then
> +    iptables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-in "$dev" \
> +      -p udp --sport 68 --dport 67 -j ACCEPT 2>/dev/null
> +  fi
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "iptables setup failed. This may affect guest
networking."
> +  fi
> +}
> +
> +frob_ip6table()
> +{
> +  # Add or remove
> +  if [ "$command" == "online" ]
> +  then
> +    local c="-I"
> +  else
> +    local c="-D"
> +  fi
> +
> +  # Main rules
> +  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-in "$dev" \
> +    "$@" -j ACCEPT 2>/dev/null &&
> +  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-out "$dev" \
> +    -j ACCEPT 2>/dev/null
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "ip6tables setup failed. This may affect guest
networking."
> +  fi
> +
> +  # Filter out RA if not explicitely allowed
> +  if [ "$ipv6_allow_ra" != "true" ]
> +  then
> +    ip6tables "$c" FORWARD -m physdev --physdev-is-bridged
--physdev-in "$dev" \
> +      -p icmpv6 --icmpv6-type router-advertisement -j DROP 2>/dev/null
> +  fi
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "ip6tables setup failed. This may affect guest
networking."
> +  fi
> +}
> +
> +
> +##
> +# Check if the given IP is IPv6 or not
> +#
> +is_ipv6()
> +{
> +        echo "$1" | perl -wane ''/:/ && print
"yes"''
>  }
>  
>  
> @@ -167,14 +226,17 @@ handle_iptable()
>        local addr
>        for addr in $ip
>        do
> -        frob_iptable -s "$addr"
> +        result=$(is_ipv6 "${addr}")
> +        if [ -z "${result}" ] ; then
> +          frob_iptable -s "$addr"
> +        else
> +          frob_ip6table -s "$addr"
> +        fi
>        done
> -
> -      # Always allow the domain to talk to a DHCP server.
> -      frob_iptable -p udp --sport 68 --dport 67
>    else
>        # No IP addresses have been specified, so allow anything.
>        frob_iptable
> +      frob_ip6table
>    fi
>  
>    release_lock "iptables"
> @@ -213,3 +275,36 @@ dom0_ip()
>    fi
>    echo "$result"
>  }
> +
> +
> +##
> +# ip6_of interface
> +#
> +# Print the first IPv6 address currently in use at the given interface, or
nothing if
> +# the interface is not up.
> +#
> +ip6_of()
> +{
> +        ip -6 addr show primary dev "$1" | perl -wane
''/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print
$1;''
> +}
> +
> +
> +##
> +# dom0_ip6
> +#
> +# Print the IPv6 address of the interface in dom0 through which we are
routing.
> +# This is the IP address on the interface specified as "netdev"
as a parameter
> +# to these scripts, or eth0 by default.  This function will call fatal if
no
> +# such interface could be found.
> +#
> +dom0_ip6()
> +{
> +  local nd=${netdev:-eth0}
> +  local result=$(ip6_of "$nd")
> +  if [ -z "$result" ]
> +  then
> +        ""
> +  else
> +        echo "$result"
> +  fi
> +}
> -- 
> 1.8.1.5

Hi,
> WRT the release, we are now frozen for 4.3 and I''d be concerned
about
> introducing a subtle (or not so subtle) networking regression. George
> what do you think?
I''m not really in a hurry, I have to maintain my own package anyways
for other custom patches anyway.
I just thought this one might be useful for others and IPv6 is more
and more popular.

> I notice you use --physdev-out -- I got the impression that this
wasn''t
> supported any more (occasional bug reports about a warning message). TBH
> I don''t know enough about what it does to say one way or the
other.
physdev-out is only supported for bridged devices, hence the
"physdev-is-bridged" option.
If the device isn''t bridged, it simply won''t match and
iptables has to
be configured some
other way.

But those limitations are already present in the IPv4 iptables config.

> One minor niggle, you''ve spelt "explicitly" as
"explicitely".
Damnit :p

I''ll wait and see if there are other comments on the patch and resend
with all corrections if needed.


Cheers,

   Sylvain

On 05/20/2013 05:12 PM, Ian Campbell wrote:
> On Mon, 2013-05-13 at 14:55 +0100, Sylvain Munaut wrote:
>> The vif-common.sh hotplug script doesn''t support ipv6 iptables
>> filtering setup. The attached patch adds basic filtering capability so
>> that if an IPv6 is specified, it''s added to the
''authorized'' source
>> list.
>> Basically the same behavior as for ipv4.
>>
>> I''ve been using this patch for some time on xen 4.1 and
I''ve just
>> forward ported it to xen master (it applied cleanly and didn''t
see any
>> changes that would matter).
>
> Thanks, this looks plausible, at least as far as I am able to tell. Is
> there anyone around who could review this from the ipv6/iptables PoV?
>
> WRT the release, we are now frozen for 4.3 and I''d be concerned
about
> introducing a subtle (or not so subtle) networking regression. George
> what do you think?
Yeah, I think given that no one has been clamoring for it, it would be 
better to wait until 4.4.

  -George