[Pkg-xen-devel] Bug#698841: xen-utils-common: HVM networking for ioemu devices is blocked when antispoof is on
Marc Warne (GigaTux)
info at gigatux.com
Thu Jan 24 11:25:36 UTC 2013
Package: xen-utils-common
Version: 4.1.3-8
Severity: important
When antispoof is set to 'on', the vif-common script does not create an ALLOW firewall rule for the emulated vif devices. This means that HVM nodes, unless a Xen PV driver is installed and running, cannot access the external network.
The vif-common script creates an ACCEPT entry for the normal vif device (e.g. vif4.0) but not the emulated device (vif4.0-emu). Xen 4.1 seems to use these as opposed to tap devices, hence this is related to bug 613540 (Xen 4.0/squeeze) but needs a different resolution for Xen 4.1/wheezy.
To resolve, the /etc/xen/scripts/vif-common.sh script can be edited to have a new line added to the frob_iptable() function. After the first iptables command in this function, add:
iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev"-emu "$@" -j ACCEPT 2>/dev/null &&
This isn't a full patch as there might be a nicer way to do this, e.g. a nicer way to determine the naming of the vif interface.
-- System Information:
Debian Release: 7.0
APT prefers testing-updates
APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 3.2.0-4-amd64 (SMP w/16 CPU cores)
Locale: LANG=en_GB.UTF-8, LC_CTYPE=en_GB.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages xen-utils-common depends on:
ii gawk 1:4.0.1+dfsg-2
ii lsb-base 4.1+Debian8
ii python 2.7.3~rc2-1
ii ucf 3.0025+nmu3
ii udev 175-7
ii xenstore-utils 4.1.3-8
xen-utils-common recommends no packages.
xen-utils-common suggests no packages.
-- Configuration Files:
/etc/default/xendomains changed [not included]
/etc/init.d/xendomains changed [not included]
/etc/xen/scripts/vif-common.sh changed [not included]
/etc/xen/xend-config.sxp changed [not included]
-- no debconf information
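
A check for the condition reported above, as an added example that is not part of the original report or of the Xen scripts: it scans `iptables -S FORWARD` output for an ACCEPT rule on each HVM vif's `-emu` device. The function names, the sample rules and the vif names are constructed, and which vifs belong to HVM guests is assumed to be known to the operator.

```shell
#!/bin/sh
# Added example: audit FORWARD rules for the missing "<vif>-emu" ACCEPT entry.

# Constructed sample in `iptables -S FORWARD` format: vif4.0 shows the reported
# state (PV rule only); vif5.0 has the extra -emu rule applied.
SAMPLE_RULES='-P FORWARD DROP
-A FORWARD -m physdev --physdev-in vif4.0 --physdev-is-bridged -j ACCEPT
-A FORWARD -s 10.0.0.5/32 -m physdev --physdev-in vif5.0 --physdev-is-bridged -j ACCEPT
-A FORWARD -s 10.0.0.5/32 -m physdev --physdev-in vif5.0-emu --physdev-is-bridged -j ACCEPT'

# has_accept RULES DEV: succeed if some FORWARD rule matches --physdev-in DEV
# exactly and jumps to ACCEPT. Exact comparison matters: a grep for "vif4.0"
# would also hit "vif4.0-emu" (and "." is a regex wildcard).
has_accept() {
    printf '%s\n' "$1" | awk -v dev="$2" '
        $1 == "-A" && $2 == "FORWARD" {
            in_dev = ""; target = ""
            for (i = 3; i < NF; i++) {
                if ($i == "--physdev-in") in_dev = $(i + 1)
                if ($i == "-j") target = $(i + 1)
            }
            if (in_dev == dev && target == "ACCEPT") found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# missing_emu_rules RULES VIF...: print each "<vif>-emu" lacking an ACCEPT rule.
# The VIF arguments are assumed to be the vifs of HVM guests.
missing_emu_rules() {
    rules=$1
    shift
    for dev in "$@"; do
        has_accept "$rules" "$dev-emu" || printf '%s-emu\n' "$dev"
    done
}

# On a live dom0 (as root): missing_emu_rules "$(iptables -S FORWARD)" vif4.0
missing_emu_rules "$SAMPLE_RULES" vif4.0 vif5.0
```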