[Pkg-xen-devel] Bug#550692: Script network-bridge in lenny may break network/firewall configuration

Daniel Lutz daniel.lutz at logintas.ch
Mon Oct 12 09:33:20 UTC 2009


Package: xen-utils-common
Version: 3.2.0-2

Hello

We used the script "network-bridge" on our Xen servers based on "etch" (xen-utils-common 3.0.3-0-2)
to set up the bridge configuration. This script created a bridge "xenbr0", renamed "eth0" to "peth0",
renamed "veth0" to "eth0" and added "peth0" and "vif0.0" to the bridge.
For firewalling, we had to create rules to filter on "xenbr0" (FORWARD) and
"eth0" (INPUT/OUTPUT).

The resulting configuration is as follows:

peth0 <------> Bridge xenbr0 <----------> vifx.x/eth0  (DomU)
                        ^
                        |
                        v
                  vif0.0/eth0
                       Dom0


Since XEN 3.2, the script network-bridge creates a bridge "eth0" instead of "xenbr0"
and doesn't use "vif0.0"/"veth0" anymore. That is, "eth0" is now a bridge and an interface
for Dom0 in one. This behaviour breaks our firewall rules.

The resulting configuration is as follows:

peth0 <------> Bridge eth0 <----------> vifx.x/eth0  (DomU)
                      Dom0

vif0.0, veth0: not used


As a work-around, we still use the scripts "network-bridge" and "xen-network-common.sh"
from XEN 3.0 to get back the old behaviour.

For firewalling, we use Shorewall. The setup and rules required for Shorewall
are described at http://shorewall.net/4.2/XenMyWay.html. This setup assumes
there's a bridge "xenbr0" and an interface "eth0" for Dom0, that is, it assumes
the behaviour from XEN 3.0.

I think this change of configuration by the new scripts might break the firewalling rules of
other people, too. So there should be a way to re-activate the old behaviour of the scripts,
or a way to get a smooth transition to the new way of configuration.


A similar problem is described in Bug #511579
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511579

And also here:
http://lists.xensource.com/archives/html/xen-users/2008-09/msg00261.html
https://systemausfall.org/wikis/howto/XenUpgrade3.2

Currently, we continue using the old network configuration scheme from XEN 3.0. We might
consider switching to the new configuration scheme in the future. We propose to add
the old network-bridge scripts from XEN 3.0 as an alternative to the new configuration
scheme (e. g. named network-bridge-3.0, xen-network-common-3.0.sh).

Regards,
Daniel Lutz


-- 
-- Daniel Lutz
-- Logintas AG, Sonnhaldenstrasse 87, CH-6331 Hünenberg, +41 41 783 21 21
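The two interface layouts described in the report can be told apart from the Dom0 itself. The script below is an added example and is not part of the bug report, the Shorewall article or the xen-utils-common scripts. It relies on one Linux fact, that a bridge device exposes a directory /sys/class/net/<dev>/bridge, and on the two layouts as the report describes them (Xen 3.0: bridge "xenbr0" with Dom0 on "eth0"; Xen 3.2: "eth0" is itself the bridge). It derives the chain/interface pairs a firewall has to key on for each layout and, going slightly beyond the report, lists which interface names an existing rule set references that no longer exist on the host, which is how the breakage would show up in practice (rules that match nothing). The sysfs root is a parameter so the functions can be run against a constructed fake tree; on a real Dom0 pass /sys/class/net.

```shell
#!/bin/sh
# Added example for Bug#550692; not from xen-utils-common or the reporter.
# Classifies which network-bridge layout a Dom0 runs by looking at sysfs
# and derives the interface names netfilter rules must match on.
# Facts relied on:
#   - a Linux bridge device has a directory /sys/class/net/<dev>/bridge
#   - Xen 3.0 network-bridge: bridge "xenbr0", Dom0 traffic on "eth0"
#   - Xen 3.2 network-bridge: the bridge itself is named "eth0"
# The sysfs root is passed in so the logic can be tested offline against a
# constructed fake tree; on a real Dom0 use /sys/class/net.

# Print "old" (Xen 3.0 layout), "new" (Xen 3.2 layout) or "none".
xen_bridge_layout() {
    net="$1"
    if [ -d "$net/xenbr0/bridge" ]; then
        echo old
    elif [ -d "$net/eth0/bridge" ]; then
        echo new
    else
        echo none
    fi
}

# Print "CHAIN INTERFACE" pairs a firewall should key on for the detected
# layout: bridged DomU traffic is seen in FORWARD on the bridge, Dom0's own
# traffic in INPUT/OUTPUT on the Dom0 interface. In the 3.2 layout both
# names collapse to "eth0". Returns 1 when no Xen bridge is present.
firewall_ifaces() {
    case "$(xen_bridge_layout "$1")" in
        old) printf 'FORWARD xenbr0\nINPUT eth0\nOUTPUT eth0\n' ;;
        new) printf 'FORWARD eth0\nINPUT eth0\nOUTPUT eth0\n' ;;
        *)   return 1 ;;
    esac
}

# Print each interface name in $2.. that does not exist under sysfs root $1.
# A rule such as "-i xenbr0" on a host where this prints "xenbr0" matches
# nothing, which is the silent breakage the report describes.
missing_ifaces() {
    net="$1"; shift
    for dev in "$@"; do
        [ -e "$net/$dev" ] || echo "$dev"
    done
}

# Build a constructed fake sysfs tree in directory $1 mirroring layout $2
# ("old" or "new") from the report, for offline testing only.
make_fake_sysfs() {
    dir="$1"; layout="$2"
    [ -n "$dir" ] || return 1
    rm -rf "$dir"
    case "$layout" in
        old) mkdir -p "$dir/xenbr0/bridge" "$dir/xenbr0/brif/peth0" \
                      "$dir/xenbr0/brif/vif0.0" "$dir/eth0" "$dir/peth0" \
                      "$dir/vif0.0" ;;
        new) mkdir -p "$dir/eth0/bridge" "$dir/eth0/brif/peth0" "$dir/peth0" ;;
        *)   mkdir -p "$dir" ;;
    esac
}

# Live usage: sh this_script.sh /sys/class/net
if [ $# -gt 0 ]; then
    echo "layout: $(xen_bridge_layout "$1")"
    firewall_ifaces "$1" || echo "no Xen bridge found under $1"
    echo "interfaces a Xen 3.0 rule set expects but which are absent:"
    missing_ifaces "$1" xenbr0 eth0 peth0
fi
```

On a Xen 3.2 Dom0 the last call prints "xenbr0", i.e. every FORWARD rule written against the 3.0 layout has stopped matching; on a 3.0 Dom0 it prints nothing. The 3.2 output also shows why the old rule split cannot be kept as-is: with "eth0" being both the bridge and the Dom0 interface, the FORWARD and INPUT/OUTPUT rules end up referring to the same device.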
