[Bug 472107] New: XEN network-nat puts rules in DROP if SuSEFirewall is active
https://bugzilla.novell.com/show_bug.cgi?id=472107

Summary: XEN network-nat puts rules in DROP if SuSEFirewall is active
Classification: openSUSE
Product: openSUSE 11.1
Version: Final
Platform: All
OS/Version: openSUSE 11.1
Status: NEW
Severity: Major
Priority: P5 - None
Component: Xen
AssignedTo: cgriffin@novell.com
ReportedBy: Emmanuel.Appiahkubi@atea.com
QAContact: qa@suse.de
Found By: ---

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.5) Gecko/2008123009 Gentoo Firefox/3.0.5

On a fresh install with xen and changing /etc/xen/xend-config.sxp to use nat:

    (network-script network-nat)
    (vif-script vif-nat)

the rules will end up in FORWARD DROP instead of FORWARD ACCEPT.

Example without SuSEFirewall active:

    Chain FORWARD (policy ACCEPT)
    target     prot opt source        destination
    ACCEPT     all  --  10.0.0.2      anywhere     PHYSDEV match --physdev-in vif7.0
    ACCEPT     udp  --  anywhere      anywhere     PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
    ACCEPT     all  --  10.0.0.1      anywhere     PHYSDEV match --physdev-in vif8.0
    ACCEPT     udp  --  anywhere      anywhere     PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Example with SuSEfirewall:

    Chain FORWARD (policy DROP)
    target     prot opt source        destination
    LOG        all  --  anywhere      anywhere     limit: avg 3/min burst 5 LOG level warning tcp-options ip-options prefix `SFW2-FWD-ILL-ROUTING '
    ACCEPT     all  --  10.0.0.2      anywhere     PHYSDEV match --physdev-in vif7.0
    ACCEPT     udp  --  anywhere      anywhere     PHYSDEV match --physdev-in vif7.0 udp spt:bootpc dpt:bootps
    ACCEPT     all  --  10.0.0.1      anywhere     PHYSDEV match --physdev-in vif8.0
    ACCEPT     udp  --  anywhere      anywhere     PHYSDEV match --physdev-in vif8.0 udp spt:bootpc dpt:bootps

Reproducible: Always

Steps to Reproduce:
1. Make change in /etc/xen/xend-config.sxp
   (network-script network-nat)
   (vif-script vif-nat)
2. Enter an IP in a DomU config "vif=['x.x.x.x']"
3. Start the DomU with xm create
4. In the DomU configure it to use the static IP x.x.x.x
5. iptables -L and look in the Chain FORWARD

Actual Results: My DomU's connection could not get outside the Dom0.

Expected Results: The DomUs should have been able to reach the external network (internet)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
--- Comment #1 from Ludwig Nussel (lnussel@novell.com)
https://bugzilla.novell.com/show_bug.cgi?id=472107#c1

--- Comment #2 from Emmanuel Appiah-Kubi (Emmanuel.Appiah-Kubi@atea.com)
https://bugzilla.novell.com/show_bug.cgi?id=472107#c2

--- Comment #3 from Ludwig Nussel (lnussel@novell.com)
https://bugzilla.novell.com/show_bug.cgi?id=472107#c3

--- Comment #4 from James Fehlig (jfehlig@novell.com)
https://bugzilla.novell.com/show_bug.cgi?id=472107#c4

Re comment #3: Ludwig, during startup of a VM (xen, kvm, qemu, ...) a vif (tap) device is created and hotplug triggers invocation of the vif-nat script. When called with 'online vif vif-ipaddr' this script does

    # router address for the vif: the DomU address with 127 added to its last octet
    routing_ip() {
        echo $(echo $1 | awk -F. '{print $1"."$2"."$3"."$4 + 127}')
    }
    router_ip=$(routing_ip "$vif_ip")

Weird calculation, yet this one avoids an external command with bash:

    router_ip="${vif_ip%.*}.$((${vif_ip##*.}+127))"

    ip link set "$vif" up arp on
    ip addr add "$router_ip" dev "$vif"
    ip route add "$vif_ip" dev "$vif" src "$router_ip"
    echo 1 >/proc/sys/net/ipv4/conf/${vif}/proxy_arp
    # $addr is the DomU address being handled (the script loops over each address of the vif)
    iptables -A FORWARD -m physdev --physdev-in "$vif" -s "$addr" -j ACCEPT
    iptables -A FORWARD -m physdev --physdev-in "$vif" -p udp --sport 68 --dport 67 -j ACCEPT

How can this be handled when the firewall is active?

--- Comment #5 from Ludwig Nussel (lnussel@novell.com)
https://bugzilla.novell.com/show_bug.cgi?id=472107#c5

SuSEfirewall2 doesn't support bridging firewall (physdev) rules like that. => feature request or custom rules script needed via FW_CUSTOMRULES.
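One way to carry the rules over when SuSEfirewall2 owns the FORWARD chain, as an added example that is neither from this thread nor from the Xen or SuSEfirewall2 sources: a custom-rules script in the FW_CUSTOMRULES style that re-adds the per-vif physdev ACCEPT rules vif-nat installs, using the bash form of the router-address calculation from comment #4. Assumptions: fw_custom_before_denyall is taken to be the SuSEfirewall2 custom-rules hook that runs before the final deny rules; VIF_TABLE is a constructed sample of the two DomUs from the report; IPTABLES defaults to echo so the script dry-runs without root.

```shell
#!/bin/bash
# Added example (not from the bug thread or the Xen/SuSEfirewall2 sources).
# Re-creates the FORWARD rules vif-nat installs so they are present even when
# SuSEfirewall2 sets the chain policy to DROP. IPTABLES defaults to
# "echo iptables" for a dry run; set IPTABLES=iptables to apply as root.
IPTABLES="${IPTABLES:-echo iptables}"

# Constructed sample: the two DomUs from the report, one "<vif> <vif_ip>" per line.
VIF_TABLE="vif7.0 10.0.0.2
vif8.0 10.0.0.1"

# Same arithmetic as vif-nat's routing_ip() (last octet + 127), done in bash as
# suggested in comment #4, plus a range check: any last octet above 128 would
# give an octet above 255, i.e. an address vif-nat cannot actually configure.
routing_ip() {
    local vif_ip=$1 last=${1##*.}
    case $last in ''|*[!0-9]*) echo "routing_ip: bad address $vif_ip" >&2; return 1;; esac
    if [ "$last" -gt 128 ]; then
        echo "routing_ip: $vif_ip: last octet + 127 would exceed 255" >&2
        return 1
    fi
    echo "${vif_ip%.*}.$((last + 127))"
}

# The two rules vif-nat adds per vif: traffic from the DomU's own address,
# and the DHCP client-to-server request (udp 68 -> 67).
vif_forward_rules() {
    local vif=$1 vif_ip=$2
    $IPTABLES -A FORWARD -m physdev --physdev-in "$vif" -s "$vif_ip" -j ACCEPT
    $IPTABLES -A FORWARD -m physdev --physdev-in "$vif" -p udp --sport 68 --dport 67 -j ACCEPT
}

# Assumed SuSEfirewall2 hook name (FW_CUSTOMRULES script, run before the deny-all rules).
fw_custom_before_denyall() {
    local vif vif_ip
    while read -r vif vif_ip; do
        [ -n "$vif" ] || continue
        # skip entries vif-nat could not have brought up in the first place
        routing_ip "$vif_ip" >/dev/null || continue
        vif_forward_rules "$vif" "$vif_ip"
    done <<EOF
$VIF_TABLE
EOF
}
```

Only the two per-vif rules from comment #4 are re-created; after loading, check with iptables -L FORWARD that reply traffic towards the vif is also accepted by the rest of the ruleset.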
--- Comment #6 from Emmanuel Appiah-Kubi (Emmanuel.Appiah-Kubi@atea.com)
https://bugzilla.novell.com/show_bug.cgi?id=472107#c6