[Pkg-xen-devel] Bug#698841: xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on

[Marc Warne (GigaTux)]

Package: xen-utils-common
Version: 4.1.3-8
Severity: important

When antispoof is set to 'on', the vif-common script does not create an ALLOW firewall rule for the emulated vif devices. This means that HVM nodes, unless a Xen PV driver is installed and running, cannot access the external network.

The vif-common script creates an ACCEPT entry for the normal vif device (e.g. vif4.0) but not the emulated device (vif4.0-emu). Xen 4.1 seems to use these as opposed to tap devices, hence this is related to bug 613540 (Xen 4.0/squeeze) but needs a different resolution for Xen 4.1/wheezy.

To resolve, the /etc/xen/scripts/vif-common.sh script can be edited to have a new line added to the frob_iptable() function. After the first iptables command in this function, add:

  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev"-emu "$@" -j ACCEPT 2>/dev/null &&

This isn't a full patch as there might be a nicer way to do this, e.g. a nicer way to determine the naming of the vif interface.

-- System Information:
Debian Release: 7.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash

Versions of packages xen-utils-common depends on:
ii  gawk            1:4.0.1+dfsg-2
ii  lsb-base        4.1+Debian8
ii  python          2.7.3~rc2-1
ii  ucf             3.0025+nmu3
ii  udev            175-7
ii  xenstore-utils  4.1.3-8

xen-utils-common recommends no packages.

xen-utils-common suggests no packages.

-- Configuration Files:
/etc/default/xendomains changed [not included]
/etc/init.d/xendomains changed [not included]
/etc/xen/scripts/vif-common.sh changed [not included]
/etc/xen/xend-config.sxp changed [not included]

-- no debconf information