Description of problem:
I am using Xen with the included network-route and vif-route. My system runs Fedora 14 with a third-party Dom0 kernel. When xend starts and network-route executes, I see the following error:

/etc/xen/scripts/network-route: line 28: /proc/sys/net/ipv4/conf/eth/proxy_arp: No such file or directory

I suspect that the problem is that the vifnum shell variable is not set. Later, when I start an unprivileged domain, I see:

physdev match: using --physdev-out in the OUTPUT, FORWARD and POSTROUTING chains for non-bridged traffic is not supported anymore.

Version-Release number of selected component (if applicable):
xen-4.0.1-6.fc14.x86_64

How reproducible:
Every time

Steps to Reproduce:
1. Install and boot a Xen Dom0-capable kernel (see http://fedoraproject.org/wiki/Features/XenPvopsDom0, "In order to configure a system to boot...")
2. Configure xend by editing /etc/xen/xen-config.sxp and setting "(network-script network-route)" and "(vif-script vif-route)"
3. Restart xend

Actual results:
Please see above.

Expected results:
The network-route script should turn on ARP proxy on eth0, not "eth." The iptables rules should operate in a Fedora environment.

Additional info:
See also note to upstream mailing list, http://lists.xensource.com/archives/html/xen-devel/2011-01/msg00975.html.
The first issue, that of the network-route script not setting up ARP proxying properly may be fixed with the following patch: --- network-route.orig 2011-01-17 11:47:56.698858533 -0600 +++ network-route 2011-01-17 11:48:15.469082276 -0600 @@ -22,7 +22,7 @@ evalVariables "$@" -netdev=${netdev:-eth${vifnum}} +netdev=${netdev:-eth${vifnum:-0}} echo 1 >/proc/sys/net/ipv4/ip_forward echo 1 >/proc/sys/net/ipv4/conf/${netdev}/proxy_arp I am not sure where $vifnum is supposed to be set, but it is not being set on my system. This uses '0' when it is not set. The second issue is fixed for me with the following patch (but someone else might want to confirm that my iptables rules are equivalent to the intention of the previous ones): --- vif-common.sh.orig 2011-01-17 12:11:41.625343857 -0600 +++ vif-common.sh 2011-01-17 13:16:04.162440608 -0600 @@ -73,10 +73,10 @@ local c="-D" fi - iptables "$c" FORWARD -m physdev --physdev-in "$vif" "$@" -j ACCEPT \ + iptables "$c" FORWARD --in-interface "$vif" "$@" -j ACCEPT \ 2>/dev/null && - iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED -m physdev \ - --physdev-out "$vif" -j ACCEPT 2>/dev/null + iptables "$c" FORWARD -m state --state RELATED,ESTABLISHED \ + --out-interface "$vif" -j ACCEPT 2>/dev/null if [ "$command" == "online" -a $? -ne 0 ] then
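Review bot: in the network-route hunk, the new default netdev=${netdev:-eth${vifnum:-0}} silently falls back to eth0 whenever vifnum is unset, and the following line then enables proxy_arp on whatever name results. On a host whose outward-facing interface is not eth0, this either fails the same way as before or turns on ARP proxying on an interface the administrator did not choose. Consider checking that /proc/sys/net/ipv4/conf/${netdev} exists before the two echo lines and exiting with a message that names ${netdev}, and add a comment saying that 0 is only a fallback for an unset vifnum.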
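Review bot: in the vif-common.sh hunk, replacing -m physdev --physdev-in "$vif" and --physdev-out "$vif" with --in-interface "$vif" and --out-interface "$vif" changes which packets the two FORWARD ACCEPT rules match, not only their syntax. The interface options match the routed interface, so the rules are equivalent to the old ones only when the vif is routed; since this file is the common script rather than vif-route itself, any bridged caller would stop matching on the vif. Suggest keeping a physdev match for the bridged case and using the interface match only on the routed path, with a comment saying which case each rule covers. Both commands also still send errors to /dev/null, so a rule that fails to load is only visible through the $? test that follows.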
xen-4.0.1-7.fc14 has been submitted as an update for Fedora 14. https://admin.fedoraproject.org/updates/xen-4.0.1-7.fc14
Fixed in the build listed in comment #2. How do we get these changes upstream?
xen-4.0.1-7.fc14 has been pushed to the Fedora 14 testing repository. If problems still persist, please make note of it in this bug report. If you want to test the update, you can install it with su -c 'yum --enablerepo=updates-testing update xen'. You can provide feedback for this update here: https://admin.fedoraproject.org/updates/xen-4.0.1-7.fc14
Upstream for the second change has gone in a different direction with the lines

    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$vif" \
        "$@" -j ACCEPT 2>/dev/null &&
    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$vif" \
        -j ACCEPT 2>/dev/null
xen-4.0.1-7.fc14 has been pushed to the Fedora 14 stable repository. If problems still persist, please make note of it in this bug report.