[Bug 472107] New: XEN network-nat puts rules in DROP if SuSEFirewall is active
https://bugzilla.novell.com/show_bug.cgi?id=472107

Summary: XEN network-nat puts rules in DROP if SuSEFirewall is active
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: All
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Xen
AssignedTo: cgriffin@novell.com
ReportedBy: Emmanuel.Appiahkubi@atea.com
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123009 Gentoo Firefox/3.0.5

On a fresh install with xen and changing /etc/xen/xend-config.sxp to use nat:

(network-script network-nat)
(vif-script vif-nat)

the rules will end up in FORWARD DROP instead of FORWARD ACCEPT.

Example without SuSEFirewall active:

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination
ACCEPT     all  --  10.0.0.2             anywhere            PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Example with SuSEfirewall:

Chain FORWARD (policy DROP)
target     prot opt source               destination
LOG        all  --  anywhere             anywhere            limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
ACCEPT     all  --  10.0.0.2             anywhere            PHYSDEV match --physdev-in vif7.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
ACCEPT     all  --  10.0.0.1             anywhere            PHYSDEV match --physdev-in vif8.0
ACCEPT     udp  --  anywhere             anywhere            PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Reproducible: Always

Steps to Reproduce:
1. Make the change in /etc/xen/xend-config.sxp:
   (network-script network-nat)
   (vif-script vif-nat)
2. Enter an IP in a DomU config: vif=['x.x.x.x']
3. Start the DomU with xm create
4. In the DomU, configure it to use the static IP x.x.x.x
5. Run iptables -L and look at the FORWARD chain

Actual Results:
My DomU's connection could not get outside the Dom0.

Expected Results:
The DomUs should have been able to reach the external network (internet).

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=472107

James Fehlig <jfehlig@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jfehlig@novell.com,
                   |                            |lbendixs@novell.com
         AssignedTo|cgriffin@novell.com         |jfehlig@novell.com
          QAContact|qa@suse.de                  |jdouglas@novell.com
https://bugzilla.novell.com/show_bug.cgi?id=472107

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472107#c1

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |lnussel@novell.com

--- Comment #1 from Ludwig Nussel <lnussel@novell.com> 2009-02-09 08:16:37 MST ---

Why do those scripts mess with firewall settings anyway? That conflicts with SuSEfirewall2.
https://bugzilla.novell.com/show_bug.cgi?id=472107

User Emmanuel.Appiah-Kubi@atea.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472107#c2

--- Comment #2 from Emmanuel Appiah-Kubi <Emmanuel.Appiah-Kubi@atea.com> 2009-02-09 08:20:53 MST ---

The dists I've been installing XEN on don't usually have a firewall (empty tables in iptables), but OpenSuse differs. Should these networking scripts be changed for Suse? Or should Suse provide its own networking scripts for XEN?
https://bugzilla.novell.com/show_bug.cgi?id=472107

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472107#c3

--- Comment #3 from Ludwig Nussel <lnussel@novell.com> 2009-02-09 08:34:06 MST ---

SuSEfirewall2 should provide all necessary features (if it doesn't => feature request) and is configurable via YaST. No script needs to change firewall settings as long as SuSEfirewall2 is active. If SuSEfirewall2 is not turned on, the scripts are free to do whatever they need to do, of course.
https://bugzilla.novell.com/show_bug.cgi?id=472107

User jfehlig@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472107#c4

James Fehlig <jfehlig@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO
      Info Provider|                            |lnussel@novell.com

--- Comment #4 from James Fehlig <jfehlig@novell.com> 2009-02-11 15:21:19 MST ---

With firewall off, I can use the network-nat and vif-nat scripts successfully. It sounds like this works for you (Emmanuel) as well.

Re comment #3: Ludwig, during startup of a vm (xen, kvm, qemu, ...) a vif (tap) device is created and hotplug triggers invocation of vif-nat script. When called with 'online vif vif-ipaddr' this script does

    routing_ip()
    {
      echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."$4 + 127}')
    }

    router_ip=$(routing_ip "$vif_ip")

    ip link set "$vif" up arp on
    ip addr add "$router_ip" dev "$vif"
    ip route add "$vif_ip" dev "$vif" src "$router_ip"
    echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
    iptables -A FORWARD -m physdev --physdev-in "$vif" -s "$addr" -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in "$vif" -p udp --sport 68 --dport 67 -j ACCEPT

How can this be handled when firewall is active?
https://bugzilla.novell.com/show_bug.cgi?id=472107

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472107#c5

Ludwig Nussel <lnussel@novell.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEEDINFO                    |NEW
      Info Provider|lnussel@novell.com          |

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2009-02-12 01:20:45 MST ---

> Re comment #3: Ludwig, during startup of a vm (xen, kvm, qemu, ...) a vif (tap) device is created and hotplug triggers invocation of vif-nat script. When called with 'online vif vif-ipaddr' this script does
>
>     routing_ip()
>     {
>       echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."$4 + 127}')
>     }
>
>     router_ip=$(routing_ip "$vif_ip")

Weird calculation, yet this one avoids an external command with bash:

    router_ip="${vif_ip%.*}.$((${vif_ip##*.}+127))"

>     ip link set "$vif" up arp on
>     ip addr add "$router_ip" dev "$vif"
>     ip route add "$vif_ip" dev "$vif" src "$router_ip"
>     echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
>     iptables -A FORWARD -m physdev --physdev-in "$vif" -s "$addr" -j ACCEPT
>     iptables -A FORWARD -m physdev --physdev-in "$vif" -p udp --sport 68 --dport 67 -j ACCEPT
>
> How can this be handled when firewall is active?

SuSEfirewall2 doesn't support bridging firewall (physdev) rules like that. => feature request, or a custom rules script needed via FW_CUSTOMRULES.
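Added here as an illustration (this is not code from the bug report, from Xen's vif-nat/network-nat scripts, or from SuSEfirewall2): a small shell script that ties together the vif-nat steps quoted in comment #4, the shell-only address calculation from comment #5, and the FW_CUSTOMRULES route Ludwig points to, for the NAT setup described in the original report's steps to reproduce. It assumes the hook name fw_custom_before_denyall and the file /etc/sysconfig/scripts/SuSEfirewall2-custom as SuSEfirewall2's custom-rules entry point (neither appears on the page), adds an ESTABLISHED,RELATED rule that the bug's listing does not contain, and uses constructed vif/address pairs taken from the bug's iptables output.

```shell
#!/bin/sh
# Added example; not code from the bug report, Xen's vif-nat/network-nat
# scripts, or SuSEfirewall2.  It shows the router-address calculation that
# vif-nat performs for a NAT'ed DomU (comment #4) in the awk form and in the
# pure-shell form from comment #5, guards the case the +127 trick cannot
# handle, and emits the same two FORWARD rules from a SuSEfirewall2
# custom-rules hook, as comment #5 suggests, instead of from the hotplug script.
#
# Assumptions (not stated on the page): fw_custom_before_denyall is the hook
# name and /etc/sysconfig/scripts/SuSEfirewall2-custom the file that
# FW_CUSTOMRULES points at; the ESTABLISHED,RELATED rule is added because a
# FORWARD DROP policy also drops the guests' reply traffic; XEN_NAT_VIFS is
# constructed sample data using the vif names and addresses from the bug's
# iptables listing.

# vif-nat's original calculation: last octet + 127 (awk's + binds tighter
# than string concatenation, so "10.0.0.2" -> "10.0.0.129").
routing_ip_awk() {
    echo "$1" | awk -F. '{print $1"."$2"."$3"."$4 + 127}'
}

# Same result without forking awk (comment #5, with vif_up -> vif_ip fixed),
# plus the check vif-nat lacks: a guest last octet above 128 would produce
# an octet above 255 and an invalid address such as 10.0.0.327.
routing_ip_sh() {
    vif_ip=$1
    router_last=$((${vif_ip##*.} + 127))
    if [ "$router_last" -gt 255 ]; then
        echo "routing_ip: $vif_ip + 127 leaves the octet range" >&2
        return 1
    fi
    echo "${vif_ip%.*}.$router_last"
}

# Print the commands by default so this runs unprivileged; set
# IPTABLES=iptables to apply them for real.
IPTABLES=${IPTABLES:-echo iptables}

# Constructed sample: "vif address" pairs as seen in the bug's FORWARD chain.
XEN_NAT_VIFS="vif7.0 10.0.0.2
vif8.0 10.0.0.1"

# The two FORWARD rules vif-nat appends per vif (comment #4), kept verbatim.
forward_rules_for_vif() {
    vif=$1
    addr=$2
    $IPTABLES -A FORWARD -m physdev --physdev-in "$vif" -s "$addr" -j ACCEPT
    $IPTABLES -A FORWARD -m physdev --physdev-in "$vif" -p udp --sport 68 --dport 67 -j ACCEPT
}

# Body for the SuSEfirewall2 custom-rules hook (assumed name), so the rules
# are installed by the firewall itself and re-applied whenever SuSEfirewall2
# rebuilds its tables, rather than appended by vif-nat at domain start.
fw_custom_before_denyall() {
    # Reply packets to the guests' connections traverse FORWARD as well;
    # a DROP policy needs this rule, which the bug's listing does not show.
    $IPTABLES -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    echo "$XEN_NAT_VIFS" | while read -r vif addr; do
        if [ -n "$vif" ]; then
            forward_rules_for_vif "$vif" "$addr"
        fi
    done
}

# Stand-alone run: show what the hook would install.
fw_custom_before_denyall
```

Run unprivileged, the script prints the iptables commands; with IPTABLES=iptables it applies them. One caveat for a real hook: the vif names in the bug (vif7.0, vif8.0) are assigned when the domain starts, so a static custom-rules file needs either a fixed vifname= in each guest's vif configuration or a wildcard such as --physdev-in 'vif+' to cover all guest interfaces.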
https://bugzilla.novell.com/show_bug.cgi?id=472107

User Emmanuel.Appiah-Kubi@atea.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=472107#c6

--- Comment #6 from Emmanuel Appiah-Kubi <Emmanuel.Appiah-Kubi@atea.com> 2009-02-20 01:28:05 MST ---

So, if I understand this right, there should be (or there should be a request for) a XEN-NAT rule in the firewall configuration in YaST? You change the script like in step 1, go into YaST -> Security -> Firewall, add XEN-NAT to allow, and then it should work?