View Issue Details

ID: 0002900
Project: CentOS-5
Category: xen
View Status: public
Last Update: 2009-07-13 20:25
Reporter: hoerbe
Priority: normal    Severity: major    Reproducibility: always
Status: new    Resolution: open
Product Version: 5.1
Target Version:    Fixed in Version:
Summary: 0002900: Bridgegroup members - iptables does not match interfaces
Description: I have CentOS 5.1 running on x86_64. I think there is strange behavior in the iptables / Xen interaction.

The vifX.n and tapX interfaces created by the Xen daemon and added to the bridge group xenbr0 are not visible to iptables in the FORWARD chain, as they should (?) be.

Kernel: 2.6.18-53.1.21.el5xen
Xen: xen-libs-3.0.3-41.el5_1.6, kernel-xen-2.6.18-53.1.21.el5, xen-3.0.3-41.el5_1.6

Xen is up and running; there is one paravirtualized guest running and one HVM guest up. The bridge group contains the following interfaces:


bridge name     bridge id               STP enabled     interfaces
xenbr0          8000.66f068f69421       no              vif9.0
                                                        vif3.0
                                                        tap0
                                                        peth0
                                                        vif0.0


If I create iptables rules like:

iptables -I FORWARD 1 -m physdev --physdev-in vif9.0 -j LOG --log-prefix "IN: "
iptables -I FORWARD 1 -m physdev --physdev-out vif9.0 -j LOG --log-prefix "OUT: "

A tcpdump on the vif9.0 interface shows data for the client.

There are no log entries, and it seems the FORWARD chain never matches at all:

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source        destination
    0     0 LOG     all  --  *   *   0.0.0.0/0     0.0.0.0/0    PHYSDEV match --physdev-out vif9.0 LOG flags 0 level 4 prefix `IN: '
    0     0 LOG     all  --  *   *   0.0.0.0/0     0.0.0.0/0    PHYSDEV match --physdev-in vif9.0 LOG flags 0 level 4 prefix `OUT: '
    0     0 ACCEPT  all  --  *   *   212.8.218.74  0.0.0.0/0    PHYSDEV match --physdev-in vif9.0
    0     0 ACCEPT  udp  --  *   *   0.0.0.0/0     0.0.0.0/0    PHYSDEV match --physdev-in vif9.0 udp spt:68 dpt:67

If I boot the non-Xen kernel and create a bridge group from physical interfaces, everything works fine:

brctl addbr xenbr0
brctl addif xenbr0 eth1
brctl addif xenbr0 eth2

ip link set eth1 up
ip link set eth2 up
ip link set xenbr0 up

iptables -I FORWARD 1 -m physdev --physdev-in eth2 --physdev-out eth1 -j LOG --log-prefix "OUT: "
iptables -I FORWARD 1 -m physdev --physdev-in eth1 --physdev-out eth2 -j LOG --log-prefix "IN: "

-> Logs are written and the packet counters are counting :)
Additional Information: On a Gentoo machine with Xen 3.0.2 and on Ubuntu 8.04 (Xen 3.2) everything works as expected.

I'm not sure whether the antispoof flag in the Xen scripts is still usable, because the chain never matches.
Tags: No tags attached.
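The symptom in the report (physdev rules in FORWARD with zero counters while tcpdump shows traffic on the vif) is what a host looks like when bridged frames never enter the iptables hooks. The script below is an added example written for this page; it is not code from the report, from CentOS or from the Xen network scripts. It parses the text that `iptables -L FORWARD -v -n -x` prints, reads the net.bridge.bridge-nf-call-iptables sysctl, and lists every `-m physdev` rule that cannot fire, either because the named device is not a bridge port or because bridge netfilter is switched off. The sample listing and the bridge port set are constructed from the output quoted in the report; the sysctl path is the standard procfs location.

```python
"""Diagnose physdev rules in the iptables FORWARD chain on a Xen bridge host.

Added example for this bug report; not code from the report, from CentOS
or from the Xen network scripts.  Bridged frames only traverse the
iptables FORWARD chain when net.bridge.bridge-nf-call-iptables is 1, and
--physdev-in/--physdev-out can only ever name a bridge port, so a rule
that violates either condition will never count a packet.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

# Constructed from the FORWARD listing in the report (not captured live).
SAMPLE_FORWARD = """\
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target prot opt in  out source        destination
    0     0 LOG    all  --  *   *   0.0.0.0/0     0.0.0.0/0   PHYSDEV match --physdev-out vif9.0 LOG flags 0 level 4 prefix `OUT: '
    0     0 LOG    all  --  *   *   0.0.0.0/0     0.0.0.0/0   PHYSDEV match --physdev-in vif9.0 LOG flags 0 level 4 prefix `IN: '
    0     0 ACCEPT all  --  *   *   212.8.218.74  0.0.0.0/0   PHYSDEV match --physdev-in vif9.0
    0     0 ACCEPT udp  --  *   *   0.0.0.0/0     0.0.0.0/0   PHYSDEV match --physdev-in vif9.0 udp spt:68 dpt:67
    0     0 ACCEPT all  --  *   *   0.0.0.0/0     0.0.0.0/0
"""

# Bridge membership as `brctl show` printed it in the report (constructed).
SAMPLE_BRIDGE_PORTS: Dict[str, Set[str]] = {
    "xenbr0": {"vif9.0", "vif3.0", "tap0", "peth0", "vif0.0"},
}

BRIDGE_NF_SYSCTL = "/proc/sys/net/bridge/bridge-nf-call-iptables"
PHYSDEV_RE = re.compile(r"--physdev-(in|out)\s+(\S+)")


@dataclass
class Rule:
    pkts: int
    target: str
    proto: str
    physdev_in: Optional[str]
    physdev_out: Optional[str]
    raw: str


def parse_count(text: str) -> int:
    """Turn an iptables -v counter into an int; K/M/G suffixes appear without -x."""
    mult = {"K": 10 ** 3, "M": 10 ** 6, "G": 10 ** 9}
    if text and text[-1] in mult:
        return int(float(text[:-1]) * mult[text[-1]])
    return int(text)


def parse_forward(listing: str) -> Tuple[int, List[Rule]]:
    """Return (packets counted by the chain policy, rules) from `iptables -L -v -n` text."""
    lines = listing.strip().splitlines()
    m = re.search(r"policy \w+ (\S+) packets", lines[0])
    policy_pkts = parse_count(m.group(1)) if m else 0
    rules: List[Rule] = []
    for line in lines[2:]:            # skip the chain header and the column header
        cols = line.split(None, 9)    # nine fixed columns, then the match text
        if len(cols) < 9:
            continue
        rest = cols[9] if len(cols) > 9 else ""
        devs = {direction: dev for direction, dev in PHYSDEV_RE.findall(rest)}
        rules.append(Rule(parse_count(cols[0]), cols[2], cols[3],
                          devs.get("in"), devs.get("out"), line.strip()))
    return policy_pkts, rules


def read_sysctl(path: str = BRIDGE_NF_SYSCTL) -> Optional[int]:
    """Read a sysctl from procfs; None when the file is absent (bridge module not loaded)."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def diagnose(listing: str, bridge_nf_call_iptables: Optional[int],
             bridge_ports: Dict[str, Set[str]]) -> List[str]:
    """List the physdev rules in FORWARD that cannot match, and why."""
    all_ports: Set[str] = set().union(*bridge_ports.values()) if bridge_ports else set()
    policy_pkts, rules = parse_forward(listing)
    findings: List[str] = []
    for rule in rules:
        for dev in (rule.physdev_in, rule.physdev_out):
            if dev is None:
                continue
            if dev not in all_ports:
                findings.append(f"{dev}: not a port of any bridge, --physdev can never match it")
            elif bridge_nf_call_iptables is None:
                findings.append(f"{dev}: bridge netfilter sysctl missing, cannot tell whether FORWARD sees bridged frames")
            elif bridge_nf_call_iptables == 0:
                findings.append(f"{dev}: bridge-nf-call-iptables=0, bridged frames bypass FORWARD, rule is dead")
    if bridge_nf_call_iptables == 0 and policy_pkts == 0 and all(r.pkts == 0 for r in rules):
        findings.append("FORWARD counted no packets at all, consistent with bridge netfilter being off")
    return findings


if __name__ == "__main__":
    # Offline run over the constructed sample, as the reporter's host would look.
    for finding in diagnose(SAMPLE_FORWARD, 0, SAMPLE_BRIDGE_PORTS):
        print(finding)
```

On a live dom0, feed it the output of `iptables -L FORWARD -v -n -x` (the `-x` avoids K/M-suffixed counters), the port list from `brctl show`, and `read_sysctl()` for the real sysctl value. An empty result means the rules can at least be reached; if they still show zero hits, the problem lies elsewhere than bridge netfilter.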

Activities

hoerbe (reporter)   2008-06-23 12:44   ~0007430

Found this patch in SOURCES.

--- xen-unstable.hg/tools/examples/xen-network-common.sh.network-iptables-bridge 2006-07-19 09:45:57.000000000 -0400
+++ xen-unstable.hg/tools/examples/xen-network-common.sh 2006-07-19 09:46:18.000000000 -0400
@@ -130,6 +130,9 @@
        brctl addbr ${bridge}
        brctl stp ${bridge} off
        brctl setfd ${bridge} 0
+ sysctl -w "net.bridge.bridge-nf-call-arptables=0"
+ sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
+ sysctl -w "net.bridge.bridge-nf-call-iptables=0"
         ip link set ${bridge} arp off
         ip link set ${bridge} multicast off
     fi
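Review bot: the three `sysctl -w` lines added after `brctl setfd ${bridge} 0` turn bridge netfilter off for the whole host, not just for ${bridge}, because net.bridge.bridge-nf-call-iptables, -ip6tables and -arptables are global knobs; once they are 0, no bridged frame on any bridge traverses the iptables FORWARD chain, so every `-m physdev` rule (including the antispoof rules the reporter asks about) becomes dead, which is exactly the zero-counter behaviour in this issue. If the intent is only to keep dom0 traffic out of the host filter path, the hunk should say so in a comment and restore the previous values where the bridge is torn down; otherwise it should leave the sysctls alone and let the administrator choose.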

What is the intention of applying this patch?
worta (reporter)   2009-07-13 20:25   ~0009604

Behaviour is the same with CentOS 5.3 and current kernel.
(2.6.18-128.1.16.el5xen, x86_64)

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target  prot opt in  out source     destination
    0     0 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0    PHYSDEV match --physdev-in vif2.0
    0     0 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0    PHYSDEV match --physdev-in vif12.0
    0     0 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0    PHYSDEV match --physdev-in vif15.0
    0     0 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0    PHYSDEV match --physdev-in vif19.0
    0     0 ACCEPT  all  --  *   *   0.0.0.0/0  0.0.0.0/0

Issue History

Date Modified      Username   Field        Change
2008-06-23 08:41   hoerbe     New Issue
2008-06-23 12:44   hoerbe     Note Added   0007430
2009-07-13 20:25   worta      Note Added   0009604