Bug 669747 - Xen's network-route and vif-route scripts broken
Xen's network-route and vif-route scripts broken
Product: Fedora
Classification: Fedora
Component: xen (Show other bugs)
Unspecified Unspecified
low Severity medium
: ---
: ---
Assigned To: Xen Maintainance List
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2011-01-14 10:58 EST by W. Michael Petullo
Modified: 2011-02-07 15:03 EST (History)
6 users (show)

See Also:
Fixed In Version: xen-4.0.1-7.fc14
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2011-02-07 15:03:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description W. Michael Petullo 2011-01-14 10:58:54 EST
Description of problem:
I am using Xen with the included network-route and vif-route. My system
run Fedora 14 with a third party Dom0 kernel.

When xend starts and network-route executes, I see the following error:

/etc/xen/scripts/network-route: line 28:
/proc/sys/net/ipv4/conf/eth/proxy_arp: No such file or directory

I suspect that the problem is that the vifnum shell variable is not set.

Later, when I start an unprivileged domain, I see:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING
chains for non-bridged traffic is not supported anymore.

Version-Release number of selected component (if applicable):

How reproducible:
Every time

Steps to Reproduce:
1. Install and boot a Xen Dom0-capable kernel (see http://fedoraproject.org/wiki/Features/XenPvopsDom0, "In order to configure a system to boot...")

2. Configure xend by editing /etc/xen/xen-config.sxp and setting "(network-script network-route)" and "(vif-script vif-route)"

3. Restart xend
Actual results:
Please see above.

Expected results:
The network-route script should turn on ARP proxy on eth0, not "eth." The iptables rules should operate in a Fedora environment.

Additional info:
See also note to upstream mailing list, http://lists.xensource.com/archives/html/xen-devel/2011-01/msg00975.html.
Comment 1 W. Michael Petullo 2011-01-17 14:23:54 EST
The first issue, that of the network-route script not setting up ARP proxying properly may be fixed with the following patch:

--- network-route.orig  2011-01-17 11:47:56.698858533 -0600
+++ network-route       2011-01-17 11:48:15.469082276 -0600
@@ -22,7 +22,7 @@

 evalVariables "$@"


 echo 1 >/proc/sys/net/ipv4/ip_forward
 echo 1 >/proc/sys/net/ipv4/conf/${netdev}/proxy_arp

I am not sure where $vifnum is supposed to be set, but it is not being set on my system. This uses '0' when it is not set.

The second issue is fixed for me with the following patch (but someone else might want to confirm that my iptables rules are equivalent to the intention of the previous ones):

--- vif-common.sh.orig	2011-01-17 12:11:41.625343857 -0600
+++ vif-common.sh	2011-01-17 13:16:04.162440608 -0600
@@ -73,10 +73,10 @@
     local c="-D"
-  iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \
+  iptables "$c" FORWARD --in-interface "$vif" "$@" -j ACCEPT \
     2>/dev/null &&
-  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \
-    --physdev-out "$vif" -j ACCEPT 2>/dev/null
+  iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED \
+    --out-interface "$vif" -j ACCEPT 2>/dev/null
   if [ "$command" == "online" -a $? -ne 0 ]
Comment 2 Fedora Update System 2011-01-29 14:41:26 EST
xen-4.0.1-7.fc14 has been submitted as an update for Fedora 14.
Comment 3 W. Michael Petullo 2011-01-29 17:08:55 EST
Fixed in the build listed in comment #2. How do we get these changes upstream?
Comment 4 Fedora Update System 2011-01-30 14:50:41 EST
xen-4.0.1-7.fc14 has been pushed to the Fedora 14 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update xen'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/xen-4.0.1-7.fc14
Comment 5 Michael Young 2011-01-31 16:18:54 EST
Upstream for the second change has gone in a different direction with the lines

  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
    "$@" -j ACCEPT 2>/dev/null &&
  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
    -j ACCEPT 2>/dev/null
Comment 6 Fedora Update System 2011-02-07 15:03:06 EST
xen-4.0.1-7.fc14 has been pushed to the Fedora 14 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.