Bug 669747

Summary: Xen's network-route and vif-route scripts broken
Product: [Fedora] Fedora Reporter: W. Michael Petullo <mike>
Component: xenAssignee: Xen Maintainance List <xen-maint>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: 14CC: berrange, jforbes, kraxel, m.a.young, virt-maint, xen-maint
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: xen-4.0.1-7.fc14 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2011-02-07 15:03:36 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Description W. Michael Petullo 2011-01-14 10:58:54 EST 
Description of problem:
I am using Xen with the included network-route and vif-route. My system
run Fedora 14 with a third party Dom0 kernel.

When xend starts and network-route executes, I see the following error:

/etc/xen/scripts/network-route: line 28:
/proc/sys/net/ipv4/conf/eth/proxy_arp: No such file or directory

I suspect that the problem is that the vifnum shell variable is not set.

Later, when I start an unprivileged domain, I see:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
chains for non-bridged traffic is not supported anymore.

Version-Release number of selected component (if applicable):
xen-4.0.1-6.fc14.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install and boot a Xen Dom0-capable kernel (see http://fedoraproject.org/wiki/Features/XenPvopsDom0, "In order to configure a system to boot...")

2. Configure xend by editing /etc/xen/xen-config.sxp and setting "(network-script network-route)" and "(vif-script vif-route)"

3. Restart xend
  
Actual results:
Please see above.

Expected results:
The network-route script should turn on ARP proxy on eth0, not "eth." The iptables rules should operate in a Fedora environment.

Additional info:
See also note to upstream mailing list, http://lists.xensource.com/archives/html/xen-devel/2011-01/msg00975.html.
Comment 1 W. Michael Petullo 2011-01-17 14:23:54 EST 
The first issue, that of the network-route script not setting up ARP proxying properly may be fixed with the following patch:

--- network-route.orig  2011-01-17 11:47:56.698858533 -0600
+++ network-route       2011-01-17 11:48:15.469082276 -0600
@@ -22,7 +22,7 @@

 evalVariables "$@"

-netdev=${netdev:-eth${vifnum}}
+netdev=${netdev:-eth${vifnum:-0}}

 echo 1 >/proc/sys/net/ipv4/ip_forward
 echo 1 >/proc/sys/net/ipv4/conf/${netdev}/proxy_arp

I am not sure where $vifnum is supposed to be set, but it is not being set on my system. This uses '0' when it is not set.


The second issue is fixed for me with the following patch (but someone else might want to confirm that my iptables rules are equivalent to the intention of the previous ones):

--- vif-common.sh.orig	2011-01-17 12:11:41.625343857 -0600
+++ vif-common.sh	2011-01-17 13:16:04.162440608 -0600
@@ -73,10 +73,10 @@
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
+  iptables "$c" FORWARD --in-interface "$vif" "$@" -j ACCEPT \
     2>/dev/null &&
-  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
-    --physdev-out "$vif" -j ACCEPT 2>/dev/null
+  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED \
+    --out-interface "$vif" -j ACCEPT 2>/dev/null
 
   if [ "$command" == "online" -a $? -ne 0 ]
   then
Comment 2 Fedora Update System 2011-01-29 14:41:26 EST 
xen-4.0.1-7.fc14 has been submitted as an update for Fedora 14.
https://admin.fedoraproject.org/updates/xen-4.0.1-7.fc14
Comment 3 W. Michael Petullo 2011-01-29 17:08:55 EST 
Fixed in the build listed in comment #2. How do we get these changes upstream?
Comment 4 Fedora Update System 2011-01-30 14:50:41 EST 
xen-4.0.1-7.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update xen'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/xen-4.0.1-7.fc14
Comment 5 Michael Young 2011-01-31 16:18:54 EST 
Upstream for the second change has gone in a different direction with the lines

  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
    "$@" -j ACCEPT 2>/dev/null &&
  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
    -j ACCEPT 2>/dev/null
Comment 6 Fedora Update System 2011-02-07 15:03:06 EST 
xen-4.0.1-7.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.