Hi
I am sending this due to the change of behaviour in some parts, and perhaps
it needs some code amendments; unsure if the devel list is the best
place, feel free to point me to the right place for this. Let me know if
I should load a bug instead.
Per the documentation
http://wiki.xenproject.org/wiki/Network_Configuration_Examples_(Xen_4.1%2B)
it is suggested to use:
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
We use that setup currently, but we are experiencing the following side
effects:
1. We manage the firewall in dom0 ourselves, and there seems to be no
parameter for the hotplug scripts to avoid the insertion of random rules
in iptables, or proper checks that would ensure populated iptables rules
are valid in the case they are needed. Why would one want FORWARD rules
to be populated that are not required for the above bridge settings?
2. After the change in the kernel:
http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/54334
The br_netfilter module is no longer loaded by default, so the settings
for net.bridge.bridge-nf-call-* do not exist and cannot be set up in
/etc/sysctl.conf at boot time.
The vif-bridge hotplug script calls (via handle_iptable() and
frob_iptable() in vif-common.sh) for the insertion of iptables rules in
the FORWARD chain with the physdev module, which causes the br_netfilter
module to be loaded; when br_netfilter is loaded it has
net.bridge.bridge-nf-call-*=1 as defaults. So we end up using iptables over a bridge
when we do not want it.
So, to solve this I came up with the following solutions:
A. Blacklist the modules br_netfilter and xt_physdev, but perhaps not great
if there are some other uses for them.
B. Load br_netfilter at boot and set the right parameters
net.bridge.bridge-nf-call-* = 0 as it should be, and continue to ignore the
populated iptables rules.
C. Add some proper code changes to handle the rule insertions; unsure
if something like this is ok or if it is in the right place. I do not
know much about the other setups, like nat and routed.
I see there is not much around ip6tables either.
###############################
diff --git a/tools/hotplug/Linux/vif-bridge b/tools/hotplug/Linux/vif-bridge
index 3d72ca4..7fc6650 100644
--- a/tools/hotplug/Linux/vif-bridge
+++ b/tools/hotplug/Linux/vif-bridge
@@ -93,7 +93,16 @@ case "$command" in
;;
esac
-handle_iptable
+brcalliptables=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)
+brcalliptables=${brcalliptables:-0}
+
+brcallip6tables=$(sysctl -n net.bridge.bridge-nf-call-ip6tables
2>/dev/null)
+brcallip6tables=${brcallip6tables:-0}
+
+if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ];
+then
+ handle_iptable
+fi
call_hooks vif post
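Review bot: the test `if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ]` only calls handle_iptable when both sysctls are 1, yet the mail itself notes that handle_iptable/frob_iptable insert IPv4 iptables rules and that ip6tables is not handled, so the ip6tables value should not gate the IPv4 rules; checking only net.bridge.bridge-nf-call-iptables (or `-o` if rules for both families are really intended) matches the stated intent. `-a` inside `[ ]` is marked obsolescent by POSIX; `[ "$brcalliptables" -eq 1 ] && [ "$brcallip6tables" -eq 1 ]` is the portable spelling. Defaulting a missing sysctl to 0 via `${brcalliptables:-0}` gives the desired "br_netfilter not loaded, do not insert" behaviour, but it also means a dom0 that enables bridge-nf-call-iptables after a vif is created will have no rules for that vif; that ordering dependency deserves a comment. Finally, the `+brcallip6tables=$(sysctl -n net.bridge.bridge-nf-call-ip6tables` line is wrapped onto a second line in the mail, so the patch will not apply as posted.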
###############################
Thanks in advance
Regards.
Juan.-
http://ri.mu - Startups start here. Hosting; DNS; monitoring; backups;
email; web programming
_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel
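The following is an added audit helper, not part of the mail or of the Xen hotplug scripts: it takes the `sysctl -n net.bridge.bridge-nf-call-iptables` value and `iptables -S FORWARD` output as text (a constructed sample is embedded so it runs offline) and reports whether the physdev rules described above are active, inert, or absent, and whether the FORWARD policy now applies to bridged guest traffic. The rule wording in the sample is illustrative, not a verbatim copy of what frob_iptable inserts.

```shell
#!/bin/sh
# Added example: audit the bridge/iptables state described in the mail.
# On a live dom0 feed real output:
#   bridge_nf_verdict "$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)" \
#                     "$(count_physdev_rules "$(iptables -S FORWARD)")"

# Constructed sample of `iptables -S FORWARD` with a DROP policy and two
# hotplug-style physdev rules for a vif (illustrative wording).
SAMPLE_FORWARD='-P FORWARD DROP
-A FORWARD -m physdev --physdev-is-bridged --physdev-in vif3.0 -j ACCEPT
-A FORWARD -m physdev --physdev-is-bridged --physdev-out vif3.0 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT'

# Number of FORWARD rules using the physdev match; each of these forces the
# br_netfilter module to load and only fires when bridge-nf-call-iptables=1.
count_physdev_rules() {
    printf '%s\n' "$1" | grep -c -e '-m physdev' || true
}

# Distinct vif names referenced by physdev rules (useful for cleanup).
physdev_rule_vifs() {
    printf '%s\n' "$1" | sed -E -n 's/.*--physdev-(in|out) ([^ ]+).*/\2/p' | sort -u
}

# Verdict from the sysctl value ("" when br_netfilter is not loaded) and the
# physdev rule count.
bridge_nf_verdict() {
    callipt=$1
    physdev=$2
    case "${callipt:-absent}" in
        absent)
            echo "br_netfilter not loaded: bridged traffic bypasses iptables ($physdev physdev rules present)" ;;
        1)
            if [ "$physdev" -gt 0 ]; then
                echo "bridged traffic is filtered by iptables: $physdev physdev FORWARD rules active"
            else
                # No per-vif ACCEPT rules, so the chain policy decides for guests.
                echo "bridge-nf-call-iptables=1 with no physdev rules: FORWARD policy applies to bridged traffic"
            fi ;;
        0)
            echo "bridge-nf-call-iptables=0: $physdev physdev FORWARD rules are inert" ;;
        *)
            echo "unexpected sysctl value: $callipt" ;;
    esac
}

# Demonstration on the constructed sample with br_netfilter loaded at its default.
bridge_nf_verdict 1 "$(count_physdev_rules "$SAMPLE_FORWARD")"
```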