* [PATCH 0/5] Various improvements for the VIF linux hotplug scripts
@ 2017-01-24 16:49 Sylvain Munaut
  2017-01-24 16:49 ` [PATCH 1/5] hotplug/linux: Use the '-w' wait flag when calling iptables Sylvain Munaut
                   ` (5 more replies)
  0 siblings, 6 replies; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-24 16:49 UTC (permalink / raw)
  To: xen-devel; +Cc: Wei Liu, Ian Jackson, Ian Campbell

This patch series contains several improvements to the linux hotplug network
script, mostly adding IPv6 support to the iptables firewall setup and routing
setup.

The series can also be cloned from https://github.com/smunaut/xen.git

Some of these patches were submitted a while ago and reviewed by
Ian Campbell at the time. They were held up because of some discussion
and I eventually lost track of them. I removed the parts that were not
settled from the patch, made some other improvements and took into
account all the comments that were raised back then.

Cheers,

    Sylvain Munaut



_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
https://lists.xen.org/xen-devel


* [PATCH 1/5] hotplug/linux: Use the '-w' wait flag when calling iptables
  2017-01-24 16:49 [PATCH 0/5] Various improvements for the VIF linux hotplug scripts Sylvain Munaut
@ 2017-01-24 16:49 ` Sylvain Munaut
  2017-01-24 17:32   ` Ian Jackson
  2017-01-24 16:49 ` [PATCH 2/5] hotplug/linux: Properly match input/output interfaces for non-bridge mode Sylvain Munaut
                   ` (4 subsequent siblings)
  5 siblings, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-24 16:49 UTC (permalink / raw)
  To: xen-devel; +Cc: Wei Liu, Sylvain Munaut, Ian Jackson, Ian Campbell

Without this, several hotplug script instances might attempt to run at
the same time and one will fail because it can't get the xtables lock!

The 'frob_iptables' is protected by a lock, but not the availability
check and this is also needed in case other things on the servers are
using the xtable lock.

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 tools/hotplug/Linux/vif-common.sh | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 6e8d584..33e5408 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -129,9 +129,9 @@ frob_iptable()
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
+  iptables "$c" FORWARD -w -m physdev --physdev-is-bridged --physdev-in "$dev" \
     "$@" -j ACCEPT 2>/dev/null &&
-  iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
+  iptables "$c" FORWARD -w -m physdev --physdev-is-bridged --physdev-out "$dev" \
     -j ACCEPT 2>/dev/null
 
   if [ \( "$command" == "online" -o "$command" == "add" \) -a $? -ne 0 ]
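Review bot: both iptables calls in frob_iptable still send stderr to /dev/null, so on a host whose iptables does not recognise -w the insert fails with only the generic "iptables setup failed" log line and nothing that points at the flag. -w without a timeout also waits indefinitely, and the commit message says this function runs under the hotplug lock, so one stuck xtables lock holder would stall every other hotplug instance queued behind it. Suggest keeping the error output for the log and stating the minimum iptables version this now requires.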
@@ -154,7 +154,7 @@ handle_iptable()
   # binary is not sufficient, because the user may not have the appropriate
   # modules installed.  If iptables is not working, then there's no need to do
   # anything with it, so we can just return.
-  if ! iptables -L -n >&/dev/null
+  if ! iptables -L -w -n >&/dev/null
   then
     return
   fi
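Review bot: the availability probe in handle_iptable now also fails on any iptables that rejects -w, and the failure path is a bare return with all output discarded, so the script would install no rules at all for the vif and leave no trace of why. Please probe for -w support separately, or fall back to the call without it, and log when the probe fails so that the anti-spoofing rules are not skipped silently.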
-- 
2.1.4



* [PATCH 2/5] hotplug/linux: Properly match input/output interfaces for non-bridge mode
  2017-01-24 16:49 [PATCH 0/5] Various improvements for the VIF linux hotplug scripts Sylvain Munaut
  2017-01-24 16:49 ` [PATCH 1/5] hotplug/linux: Use the '-w' wait flag when calling iptables Sylvain Munaut
@ 2017-01-24 16:49 ` Sylvain Munaut
  2017-01-24 17:33   ` Ian Jackson
  2017-01-24 16:49 ` [PATCH 3/5] hotplug/linux: Improve iptables logic Sylvain Munaut
                   ` (3 subsequent siblings)
  5 siblings, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-24 16:49 UTC (permalink / raw)
  To: xen-devel; +Cc: Wei Liu, Sylvain Munaut, Ian Jackson, Ian Campbell

The "-m physdev --physdev-is-bridged --physdev-XXX" condition only
works for ports of a bridge and won't match anything in the other cases.

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 tools/hotplug/Linux/vif-bridge      |  2 +-
 tools/hotplug/Linux/vif-common.sh   | 14 ++++++++++++--
 tools/hotplug/Linux/vif-openvswitch |  2 +-
 3 files changed, 14 insertions(+), 4 deletions(-)

diff --git a/tools/hotplug/Linux/vif-bridge b/tools/hotplug/Linux/vif-bridge
index 6956dea..bc0e944 100644
--- a/tools/hotplug/Linux/vif-bridge
+++ b/tools/hotplug/Linux/vif-bridge
@@ -93,7 +93,7 @@ case "$command" in
         ;;
 esac
 
-handle_iptable
+handle_iptable bridge
 
 call_hooks vif post
 
diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 33e5408..77d139d 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -129,9 +129,9 @@ frob_iptable()
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -w -m physdev --physdev-is-bridged --physdev-in "$dev" \
+  iptables "$c" FORWARD -w $dev_in_match "$dev" \
     "$@" -j ACCEPT 2>/dev/null &&
-  iptables "$c" FORWARD -w -m physdev --physdev-is-bridged --physdev-out "$dev" \
+  iptables "$c" FORWARD -w $dev_out_match "$dev" \
     -j ACCEPT 2>/dev/null
 
   if [ \( "$command" == "online" -o "$command" == "add" \) -a $? -ne 0 ]
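Review bot: $dev_in_match and $dev_out_match are expanded unquoted in frob_iptable, which is needed because they carry several words, but they are globals that only handle_iptable assigns. If frob_iptable is ever reached with them empty, iptables receives "$dev" as a stray positional argument and the resulting error is hidden by 2>/dev/null. A comment explaining the deliberate word splitting, plus a default assigned at file scope, would make this more robust.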
@@ -150,6 +150,16 @@ frob_iptable()
 #
 handle_iptable()
 {
+  # Set iptables match mode
+  if [ "$1" == "bridge" ];
+  then
+    dev_in_match="-m physdev --physdev-is-bridged --physdev-in"
+    dev_out_match="-m physdev --physdev-is-bridged --physdev-out"
+  else
+    dev_in_match="-i"
+    dev_out_match="-o"
+  fi
+
   # Check for a working iptables installation.  Checking for the iptables
   # binary is not sufficient, because the user may not have the appropriate
   # modules installed.  If iptables is not working, then there's no need to do
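Review bot: handle_iptable now takes a mode argument, but the header comment above the function is not updated to describe it, and anything other than the exact string "bridge" (a typo or a missing argument included) silently selects plain -i/-o matching. Suggest documenting the parameter and logging or rejecting unknown values. The ';' after ']' on the new 'if' line is redundant, since 'then' is on the next line.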
diff --git a/tools/hotplug/Linux/vif-openvswitch b/tools/hotplug/Linux/vif-openvswitch
index 18bfb6c..1d842a4 100644
--- a/tools/hotplug/Linux/vif-openvswitch
+++ b/tools/hotplug/Linux/vif-openvswitch
@@ -100,7 +100,7 @@ case "$command" in
 esac
 
 if [ "$type_if" = vif ]; then
-    handle_iptable
+    handle_iptable bridge
 fi
 
 log debug "Successful vif-openvswitch $command for $dev."
-- 
2.1.4



* [PATCH 3/5] hotplug/linux: Improve iptables logic
  2017-01-24 16:49 [PATCH 0/5] Various improvements for the VIF linux hotplug scripts Sylvain Munaut
  2017-01-24 16:49 ` [PATCH 1/5] hotplug/linux: Use the '-w' wait flag when calling iptables Sylvain Munaut
  2017-01-24 16:49 ` [PATCH 2/5] hotplug/linux: Properly match input/output interfaces for non-bridge mode Sylvain Munaut
@ 2017-01-24 16:49 ` Sylvain Munaut
  2017-01-24 17:42   ` Ian Jackson
  2017-01-24 16:49 ` [PATCH 4/5] hotplug/linux: Add IPv6 support to the " Sylvain Munaut
                   ` (2 subsequent siblings)
  5 siblings, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-24 16:49 UTC (permalink / raw)
  To: xen-devel; +Cc: Wei Liu, Sylvain Munaut, Ian Jackson, Ian Campbell

The main goal of this is to pave the way for IPv6 support, but it
also improves the rules by preventing duplicate incoming packet
rules from being added.

frob_iptables now takes a list of addresses to handle as parameter
and creates the rules as needed. Any 'common' rule is no longer
repeated.

Here below is a comparison of the rules before / after.

 <*> For the case where 'ip' is empty or not given at all:

 No change, both generate:

  ACCEPT  all  0.0.0.0/0     0.0.0.0/0  PHYSDEV match --physdev-out
 vif87.0 --physdev-is-bridged
  ACCEPT  all  0.0.0.0/0     0.0.0.0/0  PHYSDEV match --physdev-in
 vif87.0 --physdev-is-bridged

 <*> For the case where 'ip' is set to "192.168.0.254 192.168.0.141"
 (as an example) :

 Previous:

  ACCEPT  all  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-out
 vif86.0 --physdev-is-bridged
  ACCEPT  udp  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-in
 vif86.0 --physdev-is-bridged udp spt:68 dpt:67
  ACCEPT  all  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-out
 vif86.0 --physdev-is-bridged
  ACCEPT  all  192.168.0.141  0.0.0.0/0  PHYSDEV match --physdev-in
 vif86.0 --physdev-is-bridged
  ACCEPT  all  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-out
 vif86.0 --physdev-is-bridged
  ACCEPT  all  192.168.0.254  0.0.0.0/0  PHYSDEV match --physdev-in
 vif86.0 --physdev-is-bridged

 New:

  ACCEPT  udp  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-in
 vif86.0 --physdev-is-bridged udp spt:68 dpt:67
  ACCEPT  all  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-out
 vif86.0 --physdev-is-bridged
  ACCEPT  all  192.168.0.254  0.0.0.0/0  PHYSDEV match --physdev-in
 vif86.0 --physdev-is-bridged
  ACCEPT  all  192.168.0.141  0.0.0.0/0  PHYSDEV match --physdev-in
 vif86.0 --physdev-is-bridged

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 tools/hotplug/Linux/vif-common.sh | 67 +++++++++++++++++++++++++++++----------
 1 file changed, 51 insertions(+), 16 deletions(-)

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 77d139d..3755f0a 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -120,8 +120,14 @@ fi
 ip=${ip:-}
 ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
 
+chain_v4=FORWARD
+
 frob_iptable()
 {
+  local has_err="no"
+  local has_any="no"
+
+  # Add or remove
   if [ "$command" == "online" -o "$command" == "add" ]
   then
     local c="-I"
@@ -129,12 +135,35 @@ frob_iptable()
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -w $dev_in_match "$dev" \
-    "$@" -j ACCEPT 2>/dev/null &&
-  iptables "$c" FORWARD -w $dev_out_match "$dev" \
-    -j ACCEPT 2>/dev/null
+  # Add rules for each address
+  local addr
+
+  for addr in $@; do
+    if [ "$addr" = "any" ]; then
+      addr="0.0.0.0/0"
+      has_any="yes"
+    fi
+
+    iptables "$c" "$chain_v4" -w $dev_in_match "$dev" \
+      -s "$addr" -j ACCEPT 2>/dev/null || has_err="yes"
+  done
 
-  if [ \( "$command" == "online" -o "$command" == "add" \) -a $? -ne 0 ]
+  # Always Allow all packets _to_ the domain
+  iptables "$c" "$chain_v4" -w $dev_out_match "$dev" \
+    -j ACCEPT 2>/dev/null || has_err="yes"
+
+  # If 'any' isn't allowed, we needs to allow a few more things
+  if [ "$has_any" != "yes" ]
+  then
+
+    # Always allow the domain to talk to a DHCP server.
+    iptables "$c" "$chain_v4" -w $dev_in_match "$dev" \
+      -p udp --sport 68 --dport 67 -j ACCEPT 2>/dev/null || has_err="yes"
+
+  fi
+
+  # Error handling
+  if [ \( "$command" == "online" -o "$command" == "add" \) -a "$has_err" == "yes" ]
   then
     log err "iptables setup failed. This may affect guest networking."
   fi
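Review bot: the loop 'for addr in $@' in frob_iptable expands the address list unquoted, so every value that came from the xenstore 'ip' key is subject to pathname expansion as well as word splitting; use 'for addr in "$@"'. Replacing the old && chain with '|| has_err="yes"' also means a failed insert no longer stops the remaining inserts, so a vif can end up with a partial rule set and a single generic log line. Since stderr is still discarded, consider logging which rule failed.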
@@ -169,21 +198,27 @@ handle_iptable()
     return
   fi
 
-  claim_lock "iptables"
+  # Scan through the addresses
+  local ipv4_addrs
 
   if [ "$ip" != "" ]
   then
-      local addr
-      for addr in $ip
-      do
-        frob_iptable -s "$addr"
-      done
-
-      # Always allow the domain to talk to a DHCP server.
-      frob_iptable -p udp --sport 68 --dport 67
+    local addr
+    for addr in $ip
+    do
+        ipv4_addrs="$addr $ipv4_addrs"
+    done
   else
-      # No IP addresses have been specified, so allow anything.
-      frob_iptable
+    # No IP addresses have been specified, so allow anything.
+    ipv4_addrs="any"
+  fi
+
+  # Actually add the rules
+  claim_lock "iptables"
+
+  if [ "$ipv4_addrs" != "" ]
+  then
+    frob_iptable $ipv4_addrs
   fi
 
   release_lock "iptables"
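Review bot: the new test '[ "$ipv4_addrs" != "" ]' in handle_iptable can only be false when 'ip' contains nothing but whitespace, because both branches above otherwise assign the variable; in this patch it reads as dead code, so either add a comment that it prepares for the per-family split or introduce it together with that split. Note also that 'ipv4_addrs="$addr $ipv4_addrs"' reverses the order given in 'ip', which matters for readers of the resulting chain because the rules are inserted with -I; a one-line comment would help.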
-- 
2.1.4



* [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic
  2017-01-24 16:49 [PATCH 0/5] Various improvements for the VIF linux hotplug scripts Sylvain Munaut
                   ` (2 preceding siblings ...)
  2017-01-24 16:49 ` [PATCH 3/5] hotplug/linux: Improve iptables logic Sylvain Munaut
@ 2017-01-24 16:49 ` Sylvain Munaut
  2017-01-24 17:43   ` Ian Jackson
  2017-01-24 16:49 ` [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route Sylvain Munaut
  2017-01-24 17:45 ` [PATCH 0/5] Various improvements for the VIF linux hotplug scripts Ian Jackson
  5 siblings, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-24 16:49 UTC (permalink / raw)
  To: xen-devel; +Cc: Wei Liu, Sylvain Munaut, Ian Jackson, Ian Campbell

This adds the same functions for ip6tables as the one for iptables.
The 'ip' variable can now contain ipv6s for the domain and add
appropriate rules

 - If the 'ip' var is empty then both full IPv4 and IPv6 are allowed.
 - If only IPv4 ips are present, then IPv6 will be completely disallowed.
 - If only IPv6 ips are present, then IPv4 will be completely disallowed.
 - You can use ::0/0 or 0.0.0.0/0 to allow v6 or v4 globally but filter
   the other one.

 (see below for examples of rules generated after this patch)

This gracefully handles if the dom0 doesn't have IPv6. If
the call to ip6tables doesn't succeed, it just ignores any
IPv6 stuff.

Examples of rules added :

 * ip=""

 iptables:

  ACCEPT  all  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-in
   vif91.0 --physdev-is-bridged
  ACCEPT  all  0.0.0.0/0  0.0.0.0/0  PHYSDEV match --physdev-out
   vif91.0 --physdev-is-bridged

 ip6tables:

  DROP    udp    ::/0  ::/0  PHYSDEV match --physdev-in  vif91.0
   --physdev-is-bridged udp spt:547 dpt:546
  DROP    icmpv6 ::/0  ::/0  PHYSDEV match --physdev-in  vif91.0
   --physdev-is-bridged ipv6-icmptype 134
  ACCEPT  all    ::/0  ::/0  PHYSDEV match --physdev-out vif91.0
   --physdev-is-bridged
  ACCEPT  all    ::/0  ::/0  PHYSDEV match --physdev-in  vif91.0
   --physdev-is-bridged

 * ip="192.168.0.254"

 iptables:

  ACCEPT  udp  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-in
   vif92.0 --physdev-is-bridged udp spt:68 dpt:67
  ACCEPT  all  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-out
   vif92.0 --physdev-is-bridged
  ACCEPT  all  192.168.0.254  0.0.0.0/0  PHYSDEV match --physdev-in
   vif92.0 --physdev-is-bridged

 ip6tables:

  [no rules added]

 * ip="2001:aaaa:bbbb:cccc::1 eui64"

 iptables:

  [no rules added]

 ip6tables:

  DROP    udp    ::/0                 ::/0
   PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged udp spt:547
 dpt:546
  DROP    icmpv6 ::/0                 ::/0
   PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged ipv6-icmptype
 134
  ACCEPT  udp    ::/0                 ::/0
   PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged udp spt:546
   dpt:547
  ACCEPT  all    fe80::216:3eff:fed0:da2d/128  ::/0
   PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged
  ACCEPT  all    ::/0                 ::/0
   PHYSDEV match --physdev-out vif94.0 --physdev-is-bridged
  ACCEPT  all    2001:aaaa:bbbb:cccc::1/128  ::/0
   PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged
  ACCEPT  all    ::216:3eff:fed0:da2d/::ffff:ffff:ffff:ffff  ::/0
   PHYSDEV match --physdev-in  vif94.0 --physdev-is-bridged

 * ip="192.168.0.254 2001:aaaa:bbbb:cccc::1" (either ipv4 or ipv6 can
 be replaced by the 0.0.0.0/0 or ::0/0 address to allow any, the
 dhcp/nd rules might be redundant then).

 iptables:

  ACCEPT  udp  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-in
   vif95.0 --physdev-is-bridged udp spt:68 dpt:67
  ACCEPT  all  0.0.0.0/0      0.0.0.0/0  PHYSDEV match --physdev-out
   vif95.0 --physdev-is-bridged
  ACCEPT  all  192.168.0.254  0.0.0.0/0  PHYSDEV match --physdev-in
   vif95.0 --physdev-is-bridged

 ip6tables:

  DROP    udp    ::/0                 ::/0           PHYSDEV match
   --physdev-in  vif95.0 --physdev-is-bridged udp spt:547 dpt:546
  DROP    icmpv6 ::/0                 ::/0           PHYSDEV match
   --physdev-in  vif95.0 --physdev-is-bridged ipv6-icmptype 134
  ACCEPT  udp    ::/0                 ::/0           PHYSDEV match
   --physdev-in  vif95.0 --physdev-is-bridged udp spt:546 dpt:547
  ACCEPT  all    fe80::216:3eff:fed0:da2d/128  ::/0  PHYSDEV match
   --physdev-in  vif95.0 --physdev-is-bridged
  ACCEPT  all    ::/0                 ::/0           PHYSDEV match
   --physdev-out vif95.0 --physdev-is-bridged

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 docs/man/xl-network-configuration.markdown.5 | 16 +++++
 tools/hotplug/Linux/vif-common.sh            | 89 ++++++++++++++++++++++++++++
 2 files changed, 105 insertions(+)

diff --git a/docs/man/xl-network-configuration.markdown.5 b/docs/man/xl-network-configuration.markdown.5
index 3c439d4..5b86974 100644
--- a/docs/man/xl-network-configuration.markdown.5
+++ b/docs/man/xl-network-configuration.markdown.5
@@ -128,6 +128,21 @@ configured. A typically behaviour (exhibited by the example hotplug
 scripts) if set might be to configure firewall rules to allow only the
 specified IP address to be used by the guest (blocking all others).
 
+The linux hotplug script supports both IPv4 and IPv6 in this field. When
+the field is omitted or empty, both will be fully allowed. If only IPv4s
+are listed, then IPv6 will be blocked completely. Symmetrically, if only
+IPv6s are listed, then IPv4 will be blocked. If you wish to filter one
+but not the other, you can use the wildcard addresses 0.0.0.0/0 and
+::0/0 for IPv4/6 respectively.
+
+As a special case, you can use 'eui64' token as an IPv6 address and this
+will allow traffic all traffic from the VM where the lower 64 bits are
+matched against the [EUI64] generated from the mac address of the VIF. It
+is up to the network administrator to filter the network part of the
+address globally if necessary. This is of course only usable for the
+vif-bridge script as the vif-route will require a fully defined address
+in the 'ip' field.
+
 ### backend
 
 Specifies the backend domain which this device should attach to. This
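Review bot: the new paragraph says IPv6 "will be blocked completely" when only IPv4 addresses are listed, but for that case the commit message shows no ip6tables rules being added, so the blocking depends on the FORWARD chain policy or on rules that already exist on the host. The text should state that dependency rather than promise a block. In the same hunk, "will allow traffic all traffic" has a doubled word, and "IPv4s"/"IPv6s" would read better as "IPv4 addresses"/"IPv6 addresses".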
@@ -166,3 +181,4 @@ on the underlying netback implementation.
 [oui]: http://en.wikipedia.org/wiki/Organizationally_Unique_Identifier
 [net]: http://wiki.xen.org/wiki/HostConfiguration/Networking
 [vifroute]: http://wiki.xen.org/wiki/Vif-route
+[EUI64]: http://en.wikipedia.org/wiki/IPv6_address#Modified_EUI-64
diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 3755f0a..b92c36c 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -121,6 +121,7 @@ ip=${ip:-}
 ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
 
 chain_v4=FORWARD
+chain_v6=FORWARD
 
 frob_iptable()
 {
@@ -169,6 +170,71 @@ frob_iptable()
   fi
 }
 
+frob_ip6table()
+{
+  local has_err="no"
+  local has_any="no"
+  local mac=$(xenstore_read "$XENBUS_PATH/mac")
+  local eui64=$(echo $mac | awk '{split($1,i,":"); print xor(i[1],2) i[2] ":" i[3] "ff:fe" i[4] ":" i[5] i[6] }')
+      # Refer to http://en.wikipedia.org/wiki/IPv6_address#Modified_EUI-64
+
+  # Add or remove
+  if [ "$command" == "online" -o "$command" == "add" ]
+  then
+    local c="-I"
+  else
+    local c="-D"
+  fi
+
+  # Add rules for each address
+  local addr
+
+  for addr in $@; do
+    if [ "$addr" = "any" ]; then
+      addr="::0/0"
+      has_any="yes"
+    elif [ "$addr" = "eui64" ]; then
+      addr="::$eui64/::ffff:ffff:ffff:ffff"
+    fi
+
+    ip6tables "$c" "$chain_v6" -w $dev_in_match "$dev" \
+      -s "$addr" -j ACCEPT 2>/dev/null || has_err="yes"
+  done
+
+  # Always Allow all packets _to_ the domain
+  ip6tables "$c" "$chain_v6" -w $dev_out_match "$dev" \
+    -j ACCEPT 2>/dev/null || has_err="yes"
+
+  # If 'any' isn't allowed, we needs to allow a few more things
+  if [ "$has_any" != "yes" ]
+  then
+
+    # Always allow ICMP messages from link-local addresses (for ND)
+    ip6tables "$c" "$chain_v6" -w $dev_in_match "$dev" \
+      -s "fe80::$eui64" -j ACCEPT 2>/dev/null || has_err="yes"
+
+    # Always allow the domain to talk to a DHCP server
+    ip6tables "$c" "$chain_v6" -w $dev_in_match "$dev" \
+      -p udp --sport 546 --dport 547 -j ACCEPT 2>/dev/null || has_err="yes"
+
+  fi
+
+  # Error handling
+  if [ \( "$command" == "online" -o "$command" == "add" \) -a "$has_err" == "yes" ]
+  then
+    log err "ip6tables setup failed. This may affect guest networking."
+  fi
+}
+
+
+##
+# Check if the given IP is IPv6 or not
+#
+is_ipv6()
+{
+  echo "$1" | awk '/:|eui64/ { print "yes" }'
+}
+
 
 ##
 # Add or remove the appropriate entries in the iptables.  With antispoofing
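Review bot: the awk expression that builds eui64 in frob_ip6table calls xor(i[1],2), which is a gawk extension and works on the decimal value of the string, not on the hex octet. It gives the right answer for a first octet of "00", as in the example MAC from the commit message, but not in general: "52" yields 54 instead of hex 50, and "fe" is evaluated as 0. Convert the octet from hex before flipping the bit, for instance in the shell with $(( 0x.. ^ 2 )) and printf '%x'. Two smaller points: the comment says "allow ICMP messages from link-local addresses" while the rule accepts every protocol from fe80::$eui64, and the commit message lists DROP rules for router advertisements and DHCPv6 server traffic that do not appear in this function; if they come from elsewhere, the commit message should say so. is_ipv6 also classifies any string containing ':' as IPv6 without validating it.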
@@ -198,19 +264,34 @@ handle_iptable()
     return
   fi
 
+  # User has a working IPv4 iptables, but maybe no IPv6 support ...
+  local do_ipv6="yes"
+
+  if ! ip6tables -L -w -n >&/dev/null
+  then
+    do_ipv6="no"
+  fi
+
   # Scan through the addresses
   local ipv4_addrs
+  local ipv6_addrs
 
   if [ "$ip" != "" ]
   then
     local addr
     for addr in $ip
     do
+      result=$(is_ipv6 "$addr")
+      if [ -z "$result" ] ; then
         ipv4_addrs="$addr $ipv4_addrs"
+      else
+        ipv6_addrs="$addr $ipv6_addrs"
+      fi
     done
   else
     # No IP addresses have been specified, so allow anything.
     ipv4_addrs="any"
+    ipv6_addrs="any"
   fi
 
   # Actually add the rules
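Review bot: 'result' in the address loop of handle_iptable is assigned without 'local', so it leaks into the scope of whichever script sourced vif-common.sh. Either declare it local or have is_ipv6 return a status so the loop can read 'if is_ipv6 "$addr"; then'. The ip6tables probe above has the same shape as the iptables one: when it fails, nothing is logged at the point where do_ipv6 is set to "no".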
@@ -221,6 +302,14 @@ handle_iptable()
     frob_iptable $ipv4_addrs
   fi
 
+  if [ "$ipv6_addrs" != "" -a "$do_ipv6" = "yes" ]
+  then
+    frob_ip6table $ipv6_addrs
+  elif [ "$ipv6_addrs" != "" -a "$ipv6_addrs" != "any" ]
+  then
+    log err "ip6tables setup skipped. This may affect guest networking."
+  fi
+
   release_lock "iptables"
 }
 
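Review bot: when IPv6 addresses were requested but the ip6tables probe failed, the elif branch only logs "ip6tables setup skipped" and the hotplug carries on, so the guest comes up with no IPv6 source filtering even though the configuration asked for it. For an anti-spoofing control that is failing open. Consider treating this case as a hotplug failure, or at least document in the man page that IPv6 filtering is best effort on hosts without working ip6tables.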
-- 
2.1.4



* [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2017-01-24 16:49 [PATCH 0/5] Various improvements for the VIF linux hotplug scripts Sylvain Munaut
                   ` (3 preceding siblings ...)
  2017-01-24 16:49 ` [PATCH 4/5] hotplug/linux: Add IPv6 support to the " Sylvain Munaut
@ 2017-01-24 16:49 ` Sylvain Munaut
  2017-01-24 17:45   ` Ian Jackson
  2017-01-24 17:45 ` [PATCH 0/5] Various improvements for the VIF linux hotplug scripts Ian Jackson
  5 siblings, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-24 16:49 UTC (permalink / raw)
  To: xen-devel; +Cc: Wei Liu, Sylvain Munaut, Ian Jackson, Ian Campbell

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 docs/man/xl-network-configuration.markdown.5 |  9 ++++++++
 tools/hotplug/Linux/vif-common.sh            | 33 ++++++++++++++++++++++++++++
 tools/hotplug/Linux/vif-route                | 20 ++++++++++++++++-
 tools/libxl/libxl_nic.c                      |  5 +++++
 tools/libxl/libxl_types.idl                  |  1 +
 tools/libxl/xl_cmdimpl.c                     |  7 ++++++
 6 files changed, 74 insertions(+), 1 deletion(-)

diff --git a/docs/man/xl-network-configuration.markdown.5 b/docs/man/xl-network-configuration.markdown.5
index 5b86974..ce0da42 100644
--- a/docs/man/xl-network-configuration.markdown.5
+++ b/docs/man/xl-network-configuration.markdown.5
@@ -143,6 +143,15 @@ address globally if necessary. This is of course only usable for the
 vif-bridge script as the vif-route will require a fully defined address
 in the 'ip' field.
 
+### ipv6_proxy_ndp
+
+Enabling this option will cause the Dom0 to answer the IPv6 Neighbor
+Sollicitation messages it sees on 'gatewaydev' for the VM IPs.
+
+Valid values are 'no' & 'yes'. Defaults to 'no'.
+
+This feature is currently only supported in the linux hotplug script.
+
 ### backend
 
 Specifies the backend domain which this device should attach to. This
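Review bot: the new section says valid values are 'no' & 'yes', but the parse_nic_config change in this same patch accepts only on/1/off/0 and prints "Invalid value" for anything else, so the documented values are the ones that get rejected. Please align the two. "Sollicitation" should be "Solicitation", and the text refers to 'gatewaydev' while the vif-route change adds the proxy entries on ${netdev:-eth0}; the man page should name the setting the script actually reads.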
diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index b92c36c..d5d98a7 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -346,3 +346,36 @@ dom0_ip()
   fi
   echo "$result"
 }
+
+
+##
+# ip6_of interface
+#
+# Print the first IPv6 address currently in use at the given interface, or nothing if
+# the interface is not up.
+#
+ip6_of()
+{
+  ip -6 -o addr show primary dev "$1" scope global | awk '$3 == "inet6" {split($4,i,"/"); print i[1]; exit}'
+}
+
+
+##
+# dom0_ip6
+#
+# Print the IPv6 address of the interface in dom0 through which we are routing.
+# This is the IP address on the interface specified as "netdev" as a parameter
+# to these scripts, or eth0 by default.  This function will return nothing if no
+# such interface could be found.
+#
+dom0_ip6()
+{
+  local nd=${netdev:-eth0}
+  local result=$(ip6_of "$nd")
+  if [ -z "$result" ]
+  then
+        ""
+  else
+        echo "$result"
+  fi
+}
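Review bot: in dom0_ip6 the 'then' branch is a bare "" on its own line, which the shell tries to run as a command with an empty name and reports as not found whenever dom0 has no global IPv6 address on the interface. The whole if/else can be replaced by a single 'ip6_of "${netdev:-eth0}"', since printing nothing is already the no-address result. The ip6_of comment says it prints "nothing if the interface is not up", but with 'scope global' it also prints nothing for an interface that is up with only a link-local address; the comment should say that.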
diff --git a/tools/hotplug/Linux/vif-route b/tools/hotplug/Linux/vif-route
index c149ffc..f07cd75 100644
--- a/tools/hotplug/Linux/vif-route
+++ b/tools/hotplug/Linux/vif-route
@@ -20,11 +20,21 @@ dir=$(dirname "$0")
 . "${dir}/vif-common.sh"
 
 main_ip=$(dom0_ip)
+main_ip6=$(dom0_ip6)
+
+ipv6_proxy_ndp=$(xenstore_read_default "$XENBUS_PATH/ipv6_proxy_ndp" "0")
+
 
 case "${command}" in
     online)
         ifconfig ${dev} ${main_ip} netmask 255.255.255.255 up
         echo 1 >/proc/sys/net/ipv4/conf/${dev}/proxy_arp
+        if [ ! -z "${main_ip6}" ]; then
+            ip -6 addr add ${main_ip6} dev ${dev}
+            if [ "${ipv6_proxy_ndp}" != "0" ]; then
+                echo 1 >/proc/sys/net/ipv6/conf/${dev}/proxy_ndp
+            fi
+        fi
         ipcmd='add'
         cmdprefix=''
         ;;
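Review bot: proxy_ndp is enabled on ${dev} (the vif), while the proxy neighbour entries added later in this patch are placed on ${netdev:-eth0}; please confirm which interface needs the sysctl for dom0 to answer solicitations arriving on the uplink, and add a comment saying so. The xenstore default is "0" and the test is '!= "0"', so any other stored string enables the feature; comparing against "1" would be stricter. ${main_ip6} and ${dev} should also be quoted in the new lines.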
@@ -39,7 +49,15 @@ if [ "${ip}" ] ; then
     # If we've been given a list of IP addresses, then add routes from dom0 to
     # the guest using those addresses.
     for addr in ${ip} ; do
-      ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip}
+        result=$(is_ipv6 "${addr}")
+        if [ -z "${result}" ] ; then
+            ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip}
+        else
+            ${cmdprefix} ip -6 route ${ipcmd} ${addr} dev ${dev} src ${main_ip6}
+            if [ "${ipv6_proxy_ndp}" != "0" ]; then
+                ${cmdprefix} ip -6 neighbor ${ipcmd} proxy ${addr} dev ${netdev:-eth0}
+            fi
+        fi
     done
 fi
 
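Review bot: the IPv6 branch runs 'ip -6 route ... src ${main_ip6}' even when main_ip6 is empty. The online case earlier in this file guards on main_ip6, but this loop does not, so on a dom0 without a global IPv6 address 'src' is left without an argument and the ip command fails. Guard the branch on main_ip6, or omit 'src' when it is empty, and log the skipped address. ${addr} comes from the 'ip' setting and should be quoted.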
diff --git a/tools/libxl/libxl_nic.c b/tools/libxl/libxl_nic.c
index 61b55ca..47b0a63 100644
--- a/tools/libxl/libxl_nic.c
+++ b/tools/libxl/libxl_nic.c
@@ -214,6 +214,11 @@ static void libxl__device_nic_add(libxl__egc *egc, uint32_t domid,
                             nic->rate_interval_usecs));
     }
 
+    if (!libxl_defbool_is_default(nic->ipv6_proxy_ndp)) {
+        flexarray_append_pair(back,"ipv6_proxy_ndp",
+            libxl_defbool_val(nic->ipv6_proxy_ndp) ? "1" : "0");
+    }
+
     flexarray_append(back, "bridge");
     flexarray_append(back, libxl__strdup(gc, nic->bridge));
     flexarray_append(back, "handle");
diff --git a/tools/libxl/libxl_types.idl b/tools/libxl/libxl_types.idl
index a612d1f..628b102 100644
--- a/tools/libxl/libxl_types.idl
+++ b/tools/libxl/libxl_types.idl
@@ -626,6 +626,7 @@ libxl_device_nic = Struct("device_nic", [
     ("rate_bytes_per_interval", uint64),
     ("rate_interval_usecs", uint32),
     ("gatewaydev", string),
+    ("ipv6_proxy_ndp", libxl_defbool),
     # Note that the COLO configuration settings should be considered unstable.
     # They may change incompatibly in future versions of Xen.
     ("coloft_forwarddev", string)
diff --git a/tools/libxl/xl_cmdimpl.c b/tools/libxl/xl_cmdimpl.c
index 7e8a8ae..9996c61 100644
--- a/tools/libxl/xl_cmdimpl.c
+++ b/tools/libxl/xl_cmdimpl.c
@@ -1059,6 +1059,13 @@ static int parse_nic_config(libxl_device_nic *nic, XLU_Config **config, char *to
         parse_vif_rate(config, oparg, nic);
     } else if (MATCH_OPTION("forwarddev", token, oparg)) {
         replace_string(&nic->coloft_forwarddev, oparg);
+    } else if (MATCH_OPTION("ipv6_proxy_ndp", token, oparg)) {
+	if (!strcasecmp(oparg, "on") || !strcasecmp(oparg, "1"))
+		libxl_defbool_set(&nic->ipv6_proxy_ndp, true);
+	else if (!strcasecmp(oparg, "off") || !strcasecmp(oparg, "0"))
+		libxl_defbool_set(&nic->ipv6_proxy_ndp, false);
+	else
+		fprintf(stderr, "Invalid value for 'ipv6_proxy_ndp' parameter\n");
     } else if (MATCH_OPTION("accel", token, oparg)) {
         fprintf(stderr, "the accel parameter for vifs is currently not supported\n");
     } else {
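Review bot: the new ipv6_proxy_ndp branch in parse_nic_config is indented with tabs while the surrounding lines use four spaces, and an invalid value only prints a message and continues with the option left unset instead of failing the parse. Please match the file's indentation, and consider exiting on an invalid value so that a typo in a guest configuration does not silently disable the feature.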
-- 
2.1.4



* Re: [PATCH 1/5] hotplug/linux: Use the '-w' wait flag when calling iptables
  2017-01-24 16:49 ` [PATCH 1/5] hotplug/linux: Use the '-w' wait flag when calling iptables Sylvain Munaut
@ 2017-01-24 17:32   ` Ian Jackson
  0 siblings, 0 replies; 27+ messages in thread
From: Ian Jackson @ 2017-01-24 17:32 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: Wei Liu, Ian Campbell, xen-devel

Sylvain Munaut writes ("[PATCH 1/5] hotplug/linux: Use the '-w' wait flag when calling iptables"):
> Without this, several hotplug script instances might attempt to run at
> the same time and one will fail because it can't get the xtables lock!
> 
> The 'frob_iptables' is protected by a lock, but not the availability
> check and this is also needed in case other things on the servers are
> using the xtable lock.

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>


* Re: [PATCH 2/5] hotplug/linux: Properly match input/output interfaces for non-bridge mode
  2017-01-24 16:49 ` [PATCH 2/5] hotplug/linux: Properly match input/output interfaces for non-bridge mode Sylvain Munaut
@ 2017-01-24 17:33   ` Ian Jackson
  0 siblings, 0 replies; 27+ messages in thread
From: Ian Jackson @ 2017-01-24 17:33 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: Wei Liu, Ian Campbell, xen-devel

Sylvain Munaut writes ("[PATCH 2/5] hotplug/linux: Properly match input/output interfaces for non-bridge mode"):
> The "-m physdev --physdev-is-bridged --physdev-XXX" condition only
> works for ports of a bridge and won't match anything in the other cases.

Acked-by: Ian Jackson <ian.jackson@eu.citrix.com>


* Re: [PATCH 3/5] hotplug/linux: Improve iptables logic
  2017-01-24 16:49 ` [PATCH 3/5] hotplug/linux: Improve iptables logic Sylvain Munaut
@ 2017-01-24 17:42   ` Ian Jackson
  2017-01-24 18:43     ` Sylvain Munaut
  0 siblings, 1 reply; 27+ messages in thread
From: Ian Jackson @ 2017-01-24 17:42 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: Wei Liu, Ian Campbell, xen-devel

Sylvain Munaut writes ("[PATCH 3/5] hotplug/linux: Improve iptables logic"):
> The main goal of this is to pave the way for IPv6 support, but it
> also improves the rules by preventing duplicate incoming packet
> rules from being added.
> 
> frob_iptables now takes a list of addresses to handle as parameter
> and creates the rules as needed. Any 'common' rule is no longer
> repeated.
...

AFAICT the duplicate entries are simply because

> -  iptables "$c" FORWARD -w $dev_in_match "$dev" \
> -    "$@" -j ACCEPT 2>/dev/null &&
> -  iptables "$c" FORWARD -w $dev_out_match "$dev" \
> -    -j ACCEPT 2>/dev/null

this second line, which does not contain "$@", is invoked once for
each source pattern.

Surely instead it would be better to lift this out.

I'm not sure I like the change in the handling of any.

Ian.

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic
  2017-01-24 16:49 ` [PATCH 4/5] hotplug/linux: Add IPv6 support to the " Sylvain Munaut
@ 2017-01-24 17:43   ` Ian Jackson
  0 siblings, 0 replies; 27+ messages in thread
From: Ian Jackson @ 2017-01-24 17:43 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: Wei Liu, Ian Campbell, xen-devel

Sylvain Munaut writes ("[PATCH 4/5] hotplug/linux: Add IPv6 support to the iptables logic"):
> This adds the same functions for ip6tables as the one for iptables.
> The 'ip' variable can now contain ipv6s for the domain and add
> appropriate rules
> 
>  - If the 'ip' var is empty then both full IPv4 and IPv6 are allowed.
>  - If only IPv4 ips are present, then IPv6 will be completely disallowed.
>  - If only IPv6 ips are present, then IPv4 will be completely disallowed.
>  - You can use ::0/0 or 0.0.0.0/0 to allow v6 or v4 globally but filter
>    the other one.

Again, I think the explicit tracking of "any" is too complicated.

Ian.

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2017-01-24 16:49 ` [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route Sylvain Munaut
@ 2017-01-24 17:45   ` Ian Jackson
  2017-01-24 17:57     ` Sylvain Munaut
  0 siblings, 1 reply; 27+ messages in thread
From: Ian Jackson @ 2017-01-24 17:45 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: Wei Liu, Ian Campbell, xen-devel

Sylvain Munaut writes ("[PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route"):
> Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
> ---
>  docs/man/xl-network-configuration.markdown.5 |  9 ++++++++
>  tools/hotplug/Linux/vif-common.sh            | 33 ++++++++++++++++++++++++++++
>  tools/hotplug/Linux/vif-route                | 20 ++++++++++++++++-
>  tools/libxl/libxl_nic.c                      |  5 +++++
>  tools/libxl/libxl_types.idl                  |  1 +
>  tools/libxl/xl_cmdimpl.c                     |  7 ++++++
>  6 files changed, 74 insertions(+), 1 deletion(-)

I'm afraid I don't really understand IPv6 neighbour discovery
etc. well enough to review this.

Can you point me to an explanation ?  (I understand IPv4 quite well.)

> diff --git a/docs/man/xl-network-configuration.markdown.5 b/docs/man/xl-network-configuration.markdown.5
> index 5b86974..ce0da42 100644
> --- a/docs/man/xl-network-configuration.markdown.5
> +++ b/docs/man/xl-network-configuration.markdown.5
> @@ -143,6 +143,15 @@ address globally if necessary. This is of course only usable for the
>  vif-bridge script as the vif-route will require a fully defined address
>  in the 'ip' field.
>  
> +### ipv6_proxy_ndp
> +
> +Enabling this option will cause the Dom0 to answer the IPv6 Neighbor
> +Sollicitation messages it sees on 'gatewaydev' for the VM IPs.

 Solicitation

Thanks,
Ian.

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 0/5] Various improvements for the VIF linux hotplug scripts
  2017-01-24 16:49 [PATCH 0/5] Various improvements for the VIF linux hotplug scripts Sylvain Munaut
                   ` (4 preceding siblings ...)
  2017-01-24 16:49 ` [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route Sylvain Munaut
@ 2017-01-24 17:45 ` Ian Jackson
  5 siblings, 0 replies; 27+ messages in thread
From: Ian Jackson @ 2017-01-24 17:45 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: Wei Liu, Ian Campbell, xen-devel

Sylvain Munaut writes ("[PATCH 0/5] Various improvements for the VIF linux hotplug scripts"):
> This patch series contains several improvements to the linux hotplug network
> script, mostly adding IPv6 support to the iptables firewall setup and routing
> setup.
> 
> The series can also be cloned from https://github.com/smunaut/xen.git

Thanks for these patches.  Several of them are clearly good.  Some I'm
being picky about - I hope that's OK.  And for the v6 stuff I think I
need to do some reading.

Regards,
Ian.

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2017-01-24 17:45   ` Ian Jackson
@ 2017-01-24 17:57     ` Sylvain Munaut
  0 siblings, 0 replies; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-24 17:57 UTC (permalink / raw)
  To: Ian Jackson; +Cc: Wei Liu, xen-devel

Hi,

> I'm afraid I don't really understand IPv6 neighbour discovery
> etc. well enough to review this.
>
> Can you point me to an explanation ?  (I understand IPv4 quite well.)

It's pretty much the same as IPv4 except instead of being a different
protocol (ARP), it's done over ICMPv6 with special multicast
addresses.

https://en.wikipedia.org/wiki/Neighbor_Discovery_Protocol
http://www.cisco.com/c/dam/en/us/td/i/000001-100000/50001-55000/52501-53000/52673.ps/_jcr_content/renditions/52673.jpg

The kernel has a 'proxy_ndp' mode that's similar to 'proxy_arp' except
you need to manually specify which address you want it to proxy and on
which interface.


Cheers,

   Sylvain Munaut

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 3/5] hotplug/linux: Improve iptables logic
  2017-01-24 17:42   ` Ian Jackson
@ 2017-01-24 18:43     ` Sylvain Munaut
  2017-01-25 16:50       ` Ian Jackson
  0 siblings, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-24 18:43 UTC (permalink / raw)
  To: Ian Jackson; +Cc: Wei Liu, xen-devel

Hi,

> AFAICT the duplicate entries are simply because
>
>> -  iptables "$c" FORWARD -w $dev_in_match "$dev" \
>> -    "$@" -j ACCEPT 2>/dev/null &&
>> -  iptables "$c" FORWARD -w $dev_out_match "$dev" \
>> -    -j ACCEPT 2>/dev/null
>
> this second line, which does not contain "$@", is invoked once for
> each source pattern.

Well yes, obviously.


> Surely instead it would be better to lift this out.

"better" ?

Not creating these rules several times is exactly what this patch does.
Previously frob_iptables was called independently for each source IP,
in which case in that function you have no idea if you need to add the
output rule or not since you don't know if the rule is already there
or not. So now it's called with the full list of allowed IPs so it can
make smarter choices.
And just moving the 'out' rule outside of frob_iptables altogether
seems hackish to me, especially when you add IPv6 later on because you
have iptables manipulations spread around.

Here you have a clear separation with frob_iptables generating all the
v4 rules and frob_ip6tables generating all the v6 rules.


> I'm not sure I like the change in the handling of any.

What change exactly ?

The only changes in the resulting rules are:
 * No duplicating -> Don't really see how this could be a bad thing.
 * Don't add the DHCP rule if you allow all packets -> Again, this
avoids inserting a useless rule, how can that be bad ?

and same goes for the v6 version, trying to minimize the rules added
and never add useless ones.


Cheers,

   Sylvain

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 3/5] hotplug/linux: Improve iptables logic
  2017-01-24 18:43     ` Sylvain Munaut
@ 2017-01-25 16:50       ` Ian Jackson
  2017-01-25 16:51         ` [PATCH RFC 1/2] hotplug/linux: Break out frob_iptable_command, and improve logging Ian Jackson
  2017-01-26 11:26         ` [PATCH 3/5] hotplug/linux: Improve iptables logic Sylvain Munaut
  0 siblings, 2 replies; 27+ messages in thread
From: Ian Jackson @ 2017-01-25 16:50 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: Wei Liu, xen-devel

Sylvain Munaut writes ("Re: [PATCH 3/5] hotplug/linux: Improve iptables logic"):
> And just moving the 'out' rule outside of frob_iptables altogether
> seems hackish to me, especially when you add IPv6 later on because you
> have iptables manipulations spread around.

Sorry for the terseness of my previous mail.  I should say that I
appreciate your efforts to tidy this up and to support v6.

I think it's probably better to show you what I mean in code.  So I am
going to send two patches (from git-format-patch/git-send-email) to
show what I mean.  They come instead of this patch, and the rest of
the series would need rework.

You can find them here too:
  git://xenbits.xen.org/people/iwj/xen.git#for.sylvain-munaut
  http://xenbits.xen.org/gitweb/?p=people/iwj/xen.git;a=shortlog;h=refs/heads/for.sylvain-munaut

> > I'm not sure I like the change in the handling of any.
> 
> What change exactly ?

I meant that rather than having a subroutine which adds a wildcard
rule, you have an explicit "any" address, and tracking if it's been
added, etc.

Please take a look and see if you prefer my approach.

Regards,
Ian.

^ permalink raw reply	[flat|nested] 27+ messages in thread

* [PATCH RFC 1/2] hotplug/linux: Break out frob_iptable_command, and improve logging
  2017-01-25 16:50       ` Ian Jackson
@ 2017-01-25 16:51         ` Ian Jackson
  2017-01-25 16:51           ` [PATCH RFC 2/2] tools/hotplug: Insert output filter only once Ian Jackson
  2017-01-26 11:26         ` [PATCH 3/5] hotplug/linux: Improve iptables logic Sylvain Munaut
  1 sibling, 1 reply; 27+ messages in thread
From: Ian Jackson @ 2017-01-25 16:51 UTC (permalink / raw)
  To: xen-devel; +Cc: Sylvain Munaut, Ian Jackson

Move the actual execution of `iptables' into a new function which
captures the stderr, and logs it.  The actual `iptables' command is a
parameter to `frob_iptable_command' so that in future we can reuse
this subroutine for `ip6tables'.

No functional change other than to log messages.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
 tools/hotplug/Linux/vif-common.sh | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 77d139d..20cb6a7 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -120,8 +120,10 @@ fi
 ip=${ip:-}
 ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
 
-frob_iptable()
+frob_iptable_command()
 {
+  local iptables=$1; shift
+
   if [ "$command" == "online" -o "$command" == "add" ]
   then
     local c="-I"
@@ -129,17 +131,21 @@ frob_iptable()
     local c="-D"
   fi
 
-  iptables "$c" FORWARD -w $dev_in_match "$dev" \
-    "$@" -j ACCEPT 2>/dev/null &&
-  iptables "$c" FORWARD -w $dev_out_match "$dev" \
-    -j ACCEPT 2>/dev/null
-
+  local errormsg=$("$iptables" "$c" "$@" 2>&1)
   if [ \( "$command" == "online" -o "$command" == "add" \) -a $? -ne 0 ]
   then
-    log err "iptables setup failed. This may affect guest networking."
+    log err "iptables setup failed. This may affect guest networking. ($iptables $c $*: $errormsg)"
   fi
 }
 
+frob_iptable()
+{
+  frob_iptable_command iptables FORWARD -w $dev_in_match "$dev" \
+    "$@" -j ACCEPT 2>/dev/null
+  frob_iptable_command iptables FORWARD -w $dev_out_match "$dev" \
+    -j ACCEPT 2>/dev/null
+}
+
 
 ##
 # Add or remove the appropriate entries in the iptables.  With antispoofing
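
Review bot: in frob_iptable_command the `$?` tested right after `local errormsg=$("$iptables" "$c" "$@" 2>&1)` is the exit status of the `local` builtin, not of the iptables command, so it is 0 here and the improved log line can never fire. Declare the variable on its own line (`local errormsg`), assign it separately, and save the command's status into a variable before the `[ ... ]` test. Two smaller points: the old code chained the two calls with `&&`, while the new frob_iptable runs the second call even when the first failed, so "No functional change other than to log messages" is not quite accurate; and the `2>/dev/null` kept on the two frob_iptable_command calls no longer has iptables' stderr to hide, since that is captured by `2>&1` inside the function, so it can be dropped.
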
-- 
2.1.4


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* [PATCH RFC 2/2] tools/hotplug: Insert output filter only once
  2017-01-25 16:51         ` [PATCH RFC 1/2] hotplug/linux: Break out frob_iptable_command, and improve logging Ian Jackson
@ 2017-01-25 16:51           ` Ian Jackson
  0 siblings, 0 replies; 27+ messages in thread
From: Ian Jackson @ 2017-01-25 16:51 UTC (permalink / raw)
  To: xen-devel; +Cc: Sylvain Munaut, Ian Jackson

Break frob_iptable into two subroutines frob_iptable_in and
frob_iptable_out_all.

frob_iptable_in must be called with the iptables command name and
appropriate parameters (for each source address or condition, as
necessary).

frob_iptable_out_all must be called exactly once.

Signed-off-by: Ian Jackson <Ian.Jackson@eu.citrix.com>
---
 tools/hotplug/Linux/vif-common.sh | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 20cb6a7..b7b3e32 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -138,10 +138,15 @@ frob_iptable_command()
   fi
 }
 
-frob_iptable()
+frob_iptable_in()
 {
-  frob_iptable_command iptables FORWARD -w $dev_in_match "$dev" \
+  local iptables=$1; shift
+  frob_iptable_command $iptables FORWARD -w $dev_in_match "$dev" \
     "$@" -j ACCEPT 2>/dev/null
+}
+
+frob_iptable_out_all()
+{
   frob_iptable_command iptables FORWARD -w $dev_out_match "$dev" \
     -j ACCEPT 2>/dev/null
 }
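
Review bot: frob_iptable_in now takes the command name as its first argument, but frob_iptable_out_all still hardcodes `iptables`, so a caller passing ip6tables would get its input rules in one table set and its output rule in the other. Give frob_iptable_out_all the same `local iptables=$1; shift` parameter. In frob_iptable_in, `$iptables` is passed unquoted to frob_iptable_command, while frob_iptable_command itself uses `"$iptables"`; quote it here too.
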
@@ -186,10 +191,12 @@ handle_iptable()
       done
 
       # Always allow the domain to talk to a DHCP server.
-      frob_iptable -p udp --sport 68 --dport 67
+      frob_iptable_in iptables -p udp --sport 68 --dport 67
+      frob_iptable_out_all
   else
       # No IP addresses have been specified, so allow anything.
-      frob_iptable
+      frob_iptable_in iptables
+      frob_iptable_out_all
   fi
 
   release_lock "iptables"
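
Review bot: frob_iptable_out_all is called separately in both branches of the `if` in handle_iptable, which leaves the "must be called exactly once" requirement from the commit message to be upheld by hand in every branch. Hoist the single call to just after the `fi`, before `release_lock "iptables"`, so a later branch cannot omit or repeat it.
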
-- 
2.1.4


^ permalink raw reply related	[flat|nested] 27+ messages in thread

* Re: [PATCH 3/5] hotplug/linux: Improve iptables logic
  2017-01-25 16:50       ` Ian Jackson
  2017-01-25 16:51         ` [PATCH RFC 1/2] hotplug/linux: Break out frob_iptable_command, and improve logging Ian Jackson
@ 2017-01-26 11:26         ` Sylvain Munaut
  2017-01-26 11:56           ` Ian Jackson
  1 sibling, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2017-01-26 11:26 UTC (permalink / raw)
  To: Ian Jackson; +Cc: Wei Liu, xen-devel

Hi,


> I meant that rather than having a subroutine which adds a wildcard
> rule, you have an explicit "any" address, and tracking if it's been
> added, etc.

I used the "any" keywords because when you add v6 you need to
differentiate the case "none" allowed and "any" allowed to support the
case where only v6 or only v4 is allowed. So you can't just rely on
having an empty variable any more since it's more a "tri-state".

Also, in my patch set, instead of hardcoding 'FORWARD', I also used
variables to make customization easier when integrating with software
like ufw where the user rules should go in a separate chain (whose
name is different in v4 and v6), so the frob_iptables_command call
needs one more argument. At that point calling iptables directly is
not far off.


> Please take a look and see if you prefer my approach.

Sorry, but no, I don't see it as better, at best equivalent.

I can admit that some aspects of the v4 patch might not make sense on
their own and they're only there to more properly support the v6 and
have a better symmetry in how v4/v6 are processed and ease
customization.
I'd have to see how it works with v6 and user customization but I'm
not going to implement the v6 and redo all the testing purely to see
if it's at best equivalent in my eyes.


Cheers,

    Sylvain Munaut

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 3/5] hotplug/linux: Improve iptables logic
  2017-01-26 11:26         ` [PATCH 3/5] hotplug/linux: Improve iptables logic Sylvain Munaut
@ 2017-01-26 11:56           ` Ian Jackson
  0 siblings, 0 replies; 27+ messages in thread
From: Ian Jackson @ 2017-01-26 11:56 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: Wei Liu, xen-devel

Sylvain Munaut writes ("Re: [PATCH 3/5] hotplug/linux: Improve iptables logic"):
> I used the "any" keywords because when you add v6 you need to
> differentiate the case "none" allowed and "any" allowed to support the
> case where only v6 or only v4 is allowed. So you can't just rely on
> having an empty variable any more since it's more a "tri-state".

I think this comes out in the wash in my approach.  It is still
necessary to test an address for v4 or v6 format in the addition loop.

> I'd have to see how it works with v6 and user customization but I'm
> not going to implement the v6 and redo all the testing purely to see
> if it's at best equivalent in my eyes.

If you have a test setup, and I redid the v6 things to meet your goals
as you explain above, would you retest it ?

Thanks,
Ian.

^ permalink raw reply	[flat|nested] 27+ messages in thread
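
Added example, not code from the patch series or from the Xen hotplug scripts: the four 'ip' rules quoted from the 4/5 description and the "tri-state" point made in the two messages above, written as a per-family policy function. The function names, the output format and the extra wildcard spelling ::/0 are assumptions made here; the sample addresses are constructed.

```shell
# addr_family ADDR: print 6 if ADDR looks like IPv6 (contains ':'), else 4.
addr_family() {
    case "$1" in
        *:*) echo 6 ;;
        *)   echo 4 ;;
    esac
}

# family_policy FAMILY [ADDR...]: print the policy for one address family:
#   any           no restriction for this family
#   none          nothing of this family is allowed
#   only A B ...  allow just the listed sources
# An empty per-family list is NOT the same as "any": treating it that way
# would open all of IPv6 for a guest that was only given IPv4 addresses.
family_policy() (
    fam=$1; shift
    # No addresses at all: both families are unrestricted.
    if [ $# -eq 0 ]; then echo any; exit 0; fi
    list=
    for a in "$@"; do
        [ "$(addr_family "$a")" = "$fam" ] || continue
        case "$a" in
            # Explicit wildcard: allow the whole family (::/0 is an assumed alias).
            0.0.0.0/0 | ::0/0 | ::/0) echo any; exit 0 ;;
        esac
        list="$list $a"
    done
    if [ -n "$list" ]; then echo "only$list"; else echo none; fi
)

# vif_policy "IP LIST": policy for both families from the space-separated
# value of the 'ip' variable.
vif_policy() {
    set -- $1    # word splitting of the list is intended
    echo "v4=$(family_policy 4 "$@") v6=$(family_policy 6 "$@")"
}

# Constructed inputs covering the four documented cases.
for ips in "" "192.0.2.5" "2001:db8::5" "0.0.0.0/0 2001:db8::5"; do
    printf '%-24s -> %s\n' "ip='$ips'" "$(vif_policy "$ips")"
done
```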

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2014-05-20 11:17         ` Sylvain Munaut
@ 2014-05-20 11:27           ` Ian Campbell
  0 siblings, 0 replies; 27+ messages in thread
From: Ian Campbell @ 2014-05-20 11:27 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: xen-devel

On Tue, 2014-05-20 at 13:17 +0200, Sylvain Munaut wrote:
> Hi,
> 
> > In theory I think this could be combined into a single helper which took
> > $2 == '4' or '6' and "ip -$2 | ... inet${2%4}.." (then ip_of and ip6_of
> > become invocations of that)
> 
> It could. However this would also add a filter on 'scope global' for
> ipv4 which isn't present at the moment. Not sure if this would affect
> anything in practice ...

True, I missed that aspect.

> However since dom0_ip and dom0_ip6 need to stay separate (ipv4 is
> mandatory and 'fatal' out if not found, but ipv6 is optional), I'm not
> sure how useful it is to really combine there.

Indeed, I'm happy not to do so if it doesn't seem worthwhile to you.

> > But perhaps the ${2%4} bit is overly cryptic?
> 
> Yeah, I had to re-read the doc :)

I just tried the various options I know (%, %%, #, ##) till I found the
one which did what I expect :-)

Ian.

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2014-05-20  9:20       ` Ian Campbell
@ 2014-05-20 11:17         ` Sylvain Munaut
  2014-05-20 11:27           ` Ian Campbell
  0 siblings, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2014-05-20 11:17 UTC (permalink / raw)
  To: Ian Campbell; +Cc: xen-devel

Hi,

> In theory I think this could be combined into a single helper which took
> $2 == '4' or '6' and "ip -$2 | ... inet${2%4}.." (then ip_of and ip6_of
> become invocations of that)

It could. However this would also add a filter on 'scope global' for
ipv4 which isn't present at the moment. Not sure if this would affect
anything in practice ...

However since dom0_ip and dom0_ip6 need to stay separate (ipv4 is
mandatory and 'fatal' out if not found, but ipv6 is optional), I'm not
sure how useful it is to really combine there.


> But perhaps the ${2%4} bit is overly cryptic?

Yeah, I had to re-read the doc :)


Cheers,

    Sylvain

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2014-05-20  8:06     ` Sylvain Munaut
@ 2014-05-20  9:20       ` Ian Campbell
  2014-05-20 11:17         ` Sylvain Munaut
  0 siblings, 1 reply; 27+ messages in thread
From: Ian Campbell @ 2014-05-20  9:20 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: xen-devel

On Tue, 2014-05-20 at 10:06 +0200, Sylvain Munaut wrote:
> >> +##
> >> +# ip6_of interface
> >> +#
> >> +# Print the first IPv6 address currently in use at the given interface, or nothing if
> >> +# the interface is not up.
> >> +#
> >> +ip6_of()
> >> +{
> >> +        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
> >
> > Hrm, Perl again. Can this be done with awk? Looks tricky though.
> >
> 
> Changed to :
> 
> ip -6 -o addr show primary dev "$1" scope global | awk '$3 == "inet6" {split($4,i,"/"); print i[1]; exit}'
> 
> which is now very similar to the ip_of() function.

thanks.

In theory I think this could be combined into a single helper which took
$2 == '4' or '6' and "ip -$2 | ... inet${2%4}.." (then ip_of and ip6_of
become invocations of that)

But perhaps the ${2%4} bit is overly cryptic?

Ian.

^ permalink raw reply	[flat|nested] 27+ messages in thread
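
Added example, not code from the thread or from the Xen scripts: the single helper suggested above, using the `inet${2%4}` trick to pick the family keyword, with the scope filter made optional so that IPv4 lookups stay unfiltered. The names first_addr, addr_of and sample_ip_output are hypothetical, and the `ip -o` output is a constructed sample.

```shell
# Constructed sample of `ip -o addr show primary dev eth0` output
# (one address per line; fields: index, ifname, family, addr/prefix, ...).
sample_ip_output() {
    cat <<'EOF'
2: eth0    inet 192.0.2.10/24 brd 192.0.2.255 scope global eth0\       valid_lft forever preferred_lft forever
2: eth0    inet6 fe80::216:3eff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
2: eth0    inet6 2001:db8::10/64 scope global \       valid_lft forever preferred_lft forever
EOF
}

# first_addr FAMILY [SCOPE]: read `ip -o addr` lines on stdin and print the
# first address of FAMILY (4 or 6) without its prefix length. With SCOPE set,
# only addresses of that scope count; without it no scope filter is applied.
first_addr() {
    case "$1" in
        4 | 6) ;;
        *) echo "first_addr: family must be 4 or 6" >&2; return 2 ;;
    esac
    # ${1%4} strips a trailing "4": "4" -> "" (inet), "6" -> "6" (inet6).
    awk -v fam="inet${1%4}" -v scope="${2:-}" '
        $3 == fam {
            ok = (scope == "")
            for (i = 5; i < NF; i++)
                if ($i == "scope" && $(i + 1) == scope) ok = 1
            if (ok) { split($4, a, "/"); print a[1]; exit }
        }'
}

# addr_of DEV FAMILY [SCOPE]: the same parser fed from the real `ip` tool
# (needs iproute2; not exercised by the constructed sample).
addr_of() {
    ip "-$2" -o addr show primary dev "$1" | first_addr "$2" "${3:-}"
}

# Without a scope filter the link-local address would be picked for IPv6.
echo "v4:            $(sample_ip_output | first_addr 4)"
echo "v6 (any scope): $(sample_ip_output | first_addr 6)"
echo "v6 (global):    $(sample_ip_output | first_addr 6 global)"
```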

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2014-05-15 16:20   ` Ian Campbell
  2014-05-16 19:17     ` Jason Andryuk
@ 2014-05-20  8:06     ` Sylvain Munaut
  2014-05-20  9:20       ` Ian Campbell
  1 sibling, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2014-05-20  8:06 UTC (permalink / raw)
  To: Ian Campbell; +Cc: xen-devel

>> +##
>> +# ip6_of interface
>> +#
>> +# Print the first IPv6 address currently in use at the given interface, or nothing if
>> +# the interface is not up.
>> +#
>> +ip6_of()
>> +{
>> +        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
>
> Hrm, Perl again. Can this be done with awk? Looks tricky though.
>

Changed to :

ip -6 -o addr show primary dev "$1" scope global | awk '$3 == "inet6" {split($4,i,"/"); print i[1]; exit}'

which is now very similar to the ip_of() function.


Cheers,

    Sylvain Munaut

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2014-05-16 19:17     ` Jason Andryuk
@ 2014-05-16 19:19       ` Sylvain Munaut
  0 siblings, 0 replies; 27+ messages in thread
From: Sylvain Munaut @ 2014-05-16 19:19 UTC (permalink / raw)
  To: Jason Andryuk; +Cc: xen-devel, Ian Campbell

>>> +ip6_of()
>>> +{
>>> +        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
>>
>> Hrm, Perl again. Can this be done with awk? Looks tricky though.
>
> Something like:
> awk '/inet6 .* scope global/ { split($2, v6, "/"); print v6[1] }'
>

Yes, I already found a substitute for all the perl in my patch using
awk. Will be resubmitted on Monday.

Cheers,

 Sylvain

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2014-05-15 16:20   ` Ian Campbell
@ 2014-05-16 19:17     ` Jason Andryuk
  2014-05-16 19:19       ` Sylvain Munaut
  2014-05-20  8:06     ` Sylvain Munaut
  1 sibling, 1 reply; 27+ messages in thread
From: Jason Andryuk @ 2014-05-16 19:17 UTC (permalink / raw)
  To: Ian Campbell, Sylvain Munaut; +Cc: xen-devel

On 5/15/2014 12:20 PM, Ian Campbell wrote:
> On Wed, 2014-05-14 at 17:23 +0200, Sylvain Munaut wrote:
>> Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
>> ---
>>   tools/hotplug/Linux/vif-common.sh |   33 +++++++++++++++++++++++++++++++++
>>   tools/hotplug/Linux/vif-route     |   20 +++++++++++++++++++-
>>   2 files changed, 52 insertions(+), 1 deletion(-)
>>
>> diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
>> index 2f24274..cd341a33 100644
>> --- a/tools/hotplug/Linux/vif-common.sh
>> +++ b/tools/hotplug/Linux/vif-common.sh
>> @@ -324,3 +324,36 @@ dom0_ip()
>>     fi
>>     echo "$result"
>>   }
>> +
>> +
>> +##
>> +# ip6_of interface
>> +#
>> +# Print the first IPv6 address currently in use at the given interface, or nothing if
>> +# the interface is not up.
>> +#
>> +ip6_of()
>> +{
>> +        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
> 
> Hrm, Perl again. Can this be done with awk? Looks tricky though.

Something like:
awk '/inet6 .* scope global/ { split($2, v6, "/"); print v6[1] }'

(Removing perl from locking.sh would be nice, since it's a large requirement for the one use.)

Regards,

Jason

^ permalink raw reply	[flat|nested] 27+ messages in thread

* Re: [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2014-05-14 15:23 ` [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route Sylvain Munaut
@ 2014-05-15 16:20   ` Ian Campbell
  2014-05-16 19:17     ` Jason Andryuk
  2014-05-20  8:06     ` Sylvain Munaut
  0 siblings, 2 replies; 27+ messages in thread
From: Ian Campbell @ 2014-05-15 16:20 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: xen-devel

On Wed, 2014-05-14 at 17:23 +0200, Sylvain Munaut wrote:
> Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
> ---
>  tools/hotplug/Linux/vif-common.sh |   33 +++++++++++++++++++++++++++++++++
>  tools/hotplug/Linux/vif-route     |   20 +++++++++++++++++++-
>  2 files changed, 52 insertions(+), 1 deletion(-)
> 
> diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
> index 2f24274..cd341a33 100644
> --- a/tools/hotplug/Linux/vif-common.sh
> +++ b/tools/hotplug/Linux/vif-common.sh
> @@ -324,3 +324,36 @@ dom0_ip()
>    fi
>    echo "$result"
>  }
> +
> +
> +##
> +# ip6_of interface
> +#
> +# Print the first IPv6 address currently in use at the given interface, or nothing if
> +# the interface is not up.
> +#
> +ip6_of()
> +{
> +        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'

Hrm, Perl again. Can this be done with awk? Looks tricky though.

Ian

^ permalink raw reply	[flat|nested] 27+ messages in thread

* [PATCH 5/5] hotplug/linux: Add IPv6 support to vif-route
  2014-05-14 15:23 Improvement to linux/hotplug scripts Sylvain Munaut
@ 2014-05-14 15:23 ` Sylvain Munaut
  2014-05-15 16:20   ` Ian Campbell
  0 siblings, 1 reply; 27+ messages in thread
From: Sylvain Munaut @ 2014-05-14 15:23 UTC (permalink / raw)
  To: xen-devel; +Cc: Sylvain Munaut

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 tools/hotplug/Linux/vif-common.sh |   33 +++++++++++++++++++++++++++++++++
 tools/hotplug/Linux/vif-route     |   20 +++++++++++++++++++-
 2 files changed, 52 insertions(+), 1 deletion(-)

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 2f24274..cd341a33 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -324,3 +324,36 @@ dom0_ip()
   fi
   echo "$result"
 }
+
+
+##
+# ip6_of interface
+#
+# Print the first IPv6 address currently in use at the given interface, or nothing if
+# the interface is not up.
+#
+ip6_of()
+{
+        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
+}
+
+
+##
+# dom0_ip6
+#
+# Print the IPv6 address of the interface in dom0 through which we are routing.
+# This is the IP address on the interface specified as "netdev" as a parameter
+# to these scripts, or eth0 by default.  This function will call fatal if no
+# such interface could be found.
+#
+dom0_ip6()
+{
+  local nd=${netdev:-eth0}
+  local result=$(ip6_of "$nd")
+  if [ -z "$result" ]
+  then
+        ""
+  else
+        echo "$result"
+  fi
+}
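
Review bot: in dom0_ip6 the empty-result branch runs `""` as a command, which fails with a "command not found" error instead of quietly printing nothing; drop the `if` and just `echo "$result"`, or use `:` in that branch. The header comment also says the function will call fatal when no such interface is found, which the body never does, so the comment and the code need to be brought into agreement.
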
diff --git a/tools/hotplug/Linux/vif-route b/tools/hotplug/Linux/vif-route
index 02f1403..8cf80d5 100644
--- a/tools/hotplug/Linux/vif-route
+++ b/tools/hotplug/Linux/vif-route
@@ -24,11 +24,21 @@ dir=$(dirname "$0")
 . "${dir}/vif-common.sh"
 
 main_ip=$(dom0_ip)
+main_ip6=$(dom0_ip6)
+
+proxy_ndp=$(xenstore_read_default "$XENBUS_PATH/proxy_ndp" "off")
+
 
 case "${command}" in
     online)
         ifconfig ${dev} ${main_ip} netmask 255.255.255.255 up
         echo 1 >/proc/sys/net/ipv4/conf/${dev}/proxy_arp
+        if [ ! -z "${main_ip6}" ]; then
+            ip -6 addr add ${main_ip6} dev ${vif}
+            if [ "${proxy_ndp}" != "off" ]; then
+                echo 1 >/proc/sys/net/ipv6/conf/${vif}/proxy_ndp
+            fi
+        fi
         ipcmd='add'
         cmdprefix=''
         ;;
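
Review bot: the new IPv6 lines in the online case address the interface as `${vif}` while the IPv4 lines directly above them use `${dev}`; unless the two are guaranteed to be identical at this point, the `ip -6 addr add` and the proxy_ndp write can land on a different or nonexistent interface, so use `${dev}` throughout. Also, `[ "${proxy_ndp}" != "off" ]` enables NDP proxying for any xenstore value other than the literal off, including a typo; testing for an explicit enabling value would fail closed.
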
@@ -43,7 +53,15 @@ if [ "${ip}" ] ; then
     # If we've been given a list of IP addresses, then add routes from dom0 to
     # the guest using those addresses.
     for addr in ${ip} ; do
-      ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip}
+        result=$(is_ipv6 "${addr}")
+        if [ -z "${result}" ] ; then
+            ${cmdprefix} ip route ${ipcmd} ${addr} dev ${dev} src ${main_ip}
+        else
+            ${cmdprefix} ip -6 route ${ipcmd} ${addr} dev ${vif} src ${main_ip6}
+            if [ "${proxy_ndp}" != "off" ]; then
+                ${cmdprefix} ip -6 neighbor ${ipcmd} proxy ${addr} dev ${netdev:-eth0}
+            fi
+        fi
     done
 fi
 
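
Review bot: the IPv6 branch of the route loop passes `src ${main_ip6}` without checking that main_ip6 is non-empty, although the online case in the previous hunk guards on exactly that; when dom0 has no IPv6 address the command ends in a bare `src` and fails. Skip or log IPv6 entries when main_ip6 is empty. is_ipv6 is not defined in this patch, so the dependency on the patch that adds it should be stated, and the `${vif}` versus `${dev}` mismatch applies to the `ip -6 route` line as well.
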
-- 
1.7.10.4

^ permalink raw reply related	[flat|nested] 27+ messages in thread
