* [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering
@ 2013-05-13 13:55 Sylvain Munaut
From: Sylvain Munaut @ 2013-05-13 13:55 UTC (permalink / raw)
  To: xen-devel


The vif-common.sh hotplug script doesn't support IPv6 iptables
filtering setup. The attached patch adds basic filtering capability so
that if an IPv6 address is specified, it's added to the 'authorized' source
list.
Basically the same behavior as for IPv4.

I've been using this patch for some time on Xen 4.1 and I've just
forward ported it to Xen master (it applied cleanly and I didn't see any
changes that would matter).

Cheers,

    Sylvain

[-- Attachment #2: 0001-tools-hotplug-Linux-Add-IPv6-support-to-vif-common-f.patch --]

From c6561a403a2c8b1afaf5f336d2df95aceb362cbc Mon Sep 17 00:00:00 2001
From: Sylvain Munaut <s.munaut@whatever-company.com>
Date: Mon, 13 May 2013 15:52:14 +0200
Subject: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering

By default DomUs are not allowed to send router-advertisement
messages. Set the ipv6_allow_ra config option to yes to allow it.

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 tools/hotplug/Linux/vif-common.sh | 103 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 99 insertions(+), 4 deletions(-)

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 73ee241..d5c51e7 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -121,8 +121,11 @@ fi
 ip=${ip:-}
 ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
 
+ipv6_allow_ra=$(xenstore_read_default "$XENBUS_PATH/ipv6_allow_ra" "false")
+
 frob_iptable()
 {
+  # Add or remove
   if [ "$command" == "online" ]
   then
     local c="-I"
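Review bot: the new `ipv6_allow_ra` key is only honoured when it is exactly the string "true" (see the `!= "true"` test in `frob_ip6table` below), but the commit message tells users to set it to "yes"; make the two agree and state the accepted values in a comment beside this read, because with the default "false" a user who follows the commit message silently gets router advertisements dropped. The key is also not documented anywhere in this patch; the vif configuration documentation should gain an entry for it next to `ip`.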
@@ -130,6 +133,7 @@ frob_iptable()
     local c="-D"
   fi
 
+  # Main rules
   iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
     "$@" -j ACCEPT 2>/dev/null &&
   iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
@@ -139,6 +143,61 @@ frob_iptable()
   then
     log err "iptables setup failed. This may affect guest networking."
   fi
+
+  # Always allow the domain to talk to a DHCP server.
+  if [ -n "$1" ]
+  then
+    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
+      -p udp --sport 68 --dport 67 -j ACCEPT 2>/dev/null
+  fi
+
+  if [ "$command" == "online" -a $? -ne 0 ]
+  then
+    log err "iptables setup failed. This may affect guest networking."
+  fi
+}
+
+frob_ip6table()
+{
+  # Add or remove
+  if [ "$command" == "online" ]
+  then
+    local c="-I"
+  else
+    local c="-D"
+  fi
+
+  # Main rules
+  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
+    "$@" -j ACCEPT 2>/dev/null &&
+  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
+    -j ACCEPT 2>/dev/null
+
+  if [ "$command" == "online" -a $? -ne 0 ]
+  then
+    log err "ip6tables setup failed. This may affect guest networking."
+  fi
+
+  # Filter out RA if not explicitely allowed
+  if [ "$ipv6_allow_ra" != "true" ]
+  then
+    ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
+      -p icmpv6 --icmpv6-type router-advertisement -j DROP 2>/dev/null
+  fi
+
+  if [ "$command" == "online" -a $? -ne 0 ]
+  then
+    log err "ip6tables setup failed. This may affect guest networking."
+  fi
+}
+
+
+##
+# Check if the given IP is IPv6 or not
+#
+is_ipv6()
+{
+        echo "$1" | perl -wane '/:/ && print "yes"'
 }
 
 
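Review bot: with `-s "$addr"` as the only ACCEPT for a guest's global IPv6 address, the guest's own neighbour discovery does not match: router and neighbour solicitations are normally sent from the fe80::/10 link-local address and duplicate address detection from the unspecified address `::`, so once bridge-nf-call-ip6tables is on those packets fall through to whatever the FORWARD policy is, exactly the bootstrap problem the IPv4 side solves with the `--sport 68 --dport 67` DHCP exception. Either carve out the essential ICMPv6 types in `frob_ip6table` or document that the link-local address must be listed in `ip` as well. Two smaller points: every rule is inserted with `-I` at the head of FORWARD, so the router-advertisement DROP only takes precedence because it is issued after the ACCEPTs; that ordering dependency deserves a comment so a later reshuffle does not silently disable the filter. And `is_ipv6` forks perl to look for a colon; `case "$1" in *:*) echo yes;; esac` does the same without the dependency. Note also that the DHCP exception now runs once per address passed to `frob_iptable`, so a guest with several IPv4 addresses gets duplicate identical rules (removed again on offline, so cosmetic).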
@@ -167,14 +226,17 @@ handle_iptable()
       local addr
       for addr in $ip
       do
-        frob_iptable -s "$addr"
+        result=$(is_ipv6 "${addr}")
+        if [ -z "${result}" ] ; then
+          frob_iptable -s "$addr"
+        else
+          frob_ip6table -s "$addr"
+        fi
       done
-
-      # Always allow the domain to talk to a DHCP server.
-      frob_iptable -p udp --sport 68 --dport 67
   else
       # No IP addresses have been specified, so allow anything.
       frob_iptable
+      frob_ip6table
   fi
 
   release_lock "iptables"
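Review bot: `result` is assigned here without `local`, so the loop writes a global of the same name that `dom0_ip` (and the new `dom0_ip6`) use as a local; declare it with `local result` next to `local addr`, or drop the temporary and branch with `case "$addr" in *:*)` directly. Removing the DHCP call from after the loop also changes behaviour: the IPv4 DHCP exception now only appears when at least one IPv4 address is listed, so a guest whose `ip` list is IPv6-only loses the allowance it had before this patch; if that is intended, say so in the commit message.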
@@ -213,3 +275,36 @@ dom0_ip()
   fi
   echo "$result"
 }
+
+
+##
+# ip6_of interface
+#
+# Print the first IPv6 address currently in use at the given interface, or nothing if
+# the interface is not up.
+#
+ip6_of()
+{
+        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
+}
+
+
+##
+# dom0_ip6
+#
+# Print the IPv6 address of the interface in dom0 through which we are routing.
+# This is the IP address on the interface specified as "netdev" as a parameter
+# to these scripts, or eth0 by default.  This function will call fatal if no
+# such interface could be found.
+#
+dom0_ip6()
+{
+  local nd=${netdev:-eth0}
+  local result=$(ip6_of "$nd")
+  if [ -z "$result" ]
+  then
+        ""
+  else
+        echo "$result"
+  fi
+}
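Review bot: in `dom0_ip6` the bare `""` on the empty-result branch is executed as a command, which fails with "command not found" and exit status 127 instead of printing nothing; use `echo ""`, `return 1`, or mirror `dom0_ip` and call `fatal`, which is what the function's own header comment promises ("This function will call fatal if no such interface could be found"). In `ip6_of`, the perl one-liner prints every `scope global` match with no separator, so an interface with two global addresses yields them concatenated, contrary to the "first IPv6 address" in the comment; add `&& exit` after the print (or pipe through `head -n1`) to stop at the first match. Neither function is called by anything in this patch; if they are groundwork for a later change, a sentence in the commit message would help.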
-- 
1.8.1.5



* Re: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering
@ 2013-05-20 16:12 ` Ian Campbell
From: Ian Campbell @ 2013-05-20 16:12 UTC (permalink / raw)
  To: Sylvain Munaut; +Cc: George Dunlap, xen-devel

On Mon, 2013-05-13 at 14:55 +0100, Sylvain Munaut wrote:
> The vif-common.sh hotplug script doesn't support IPv6 iptables
> filtering setup. The attached patch adds basic filtering capability so
> that if an IPv6 address is specified, it's added to the 'authorized' source
> list.
> Basically the same behavior as for IPv4.
> 
> I've been using this patch for some time on Xen 4.1 and I've just
> forward ported it to Xen master (it applied cleanly and I didn't see any
> changes that would matter).

Thanks, this looks plausible, at least as far as I am able to tell. Is
there anyone around who could review this from the ipv6/iptables PoV?

WRT the release, we are now frozen for 4.3 and I'd be concerned about
introducing a subtle (or not so subtle) networking regression. George
what do you think?

I notice you use --physdev-out -- I got the impression that this wasn't
supported any more (occasional bug reports about a warning message). TBH
I don't know enough about what it does to say one way or the other.

One minor niggle, you've spelt "explicitly" as "explicitely".

> 
> Cheers,
> 
>     Sylvain

> From c6561a403a2c8b1afaf5f336d2df95aceb362cbc Mon Sep 17 00:00:00 2001
> From: Sylvain Munaut <s.munaut@whatever-company.com>
> Date: Mon, 13 May 2013 15:52:14 +0200
> Subject: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering
> 
> By default DomUs are not allowed to send router-advertisement
> messages. Set the ipv6_allow_ra config option to yes to allow it.
> 
> Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
> ---
>  tools/hotplug/Linux/vif-common.sh | 103 ++++++++++++++++++++++++++++++++++++--
>  1 file changed, 99 insertions(+), 4 deletions(-)
> 
> diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
> index 73ee241..d5c51e7 100644
> --- a/tools/hotplug/Linux/vif-common.sh
> +++ b/tools/hotplug/Linux/vif-common.sh
> @@ -121,8 +121,11 @@ fi
>  ip=${ip:-}
>  ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
>  
> +ipv6_allow_ra=$(xenstore_read_default "$XENBUS_PATH/ipv6_allow_ra" "false")
> +
>  frob_iptable()
>  {
> +  # Add or remove
>    if [ "$command" == "online" ]
>    then
>      local c="-I"
> @@ -130,6 +133,7 @@ frob_iptable()
>      local c="-D"
>    fi
>  
> +  # Main rules
>    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
>      "$@" -j ACCEPT 2>/dev/null &&
>    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
> @@ -139,6 +143,61 @@ frob_iptable()
>    then
>      log err "iptables setup failed. This may affect guest networking."
>    fi
> +
> +  # Always allow the domain to talk to a DHCP server.
> +  if [ -n "$1" ]
> +  then
> +    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
> +      -p udp --sport 68 --dport 67 -j ACCEPT 2>/dev/null
> +  fi
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "iptables setup failed. This may affect guest networking."
> +  fi
> +}
> +
> +frob_ip6table()
> +{
> +  # Add or remove
> +  if [ "$command" == "online" ]
> +  then
> +    local c="-I"
> +  else
> +    local c="-D"
> +  fi
> +
> +  # Main rules
> +  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
> +    "$@" -j ACCEPT 2>/dev/null &&
> +  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
> +    -j ACCEPT 2>/dev/null
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "ip6tables setup failed. This may affect guest networking."
> +  fi
> +
> +  # Filter out RA if not explicitely allowed
> +  if [ "$ipv6_allow_ra" != "true" ]
> +  then
> +    ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
> +      -p icmpv6 --icmpv6-type router-advertisement -j DROP 2>/dev/null
> +  fi
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "ip6tables setup failed. This may affect guest networking."
> +  fi
> +}
> +
> +
> +##
> +# Check if the given IP is IPv6 or not
> +#
> +is_ipv6()
> +{
> +        echo "$1" | perl -wane '/:/ && print "yes"'
>  }
>  
>  
> @@ -167,14 +226,17 @@ handle_iptable()
>        local addr
>        for addr in $ip
>        do
> -        frob_iptable -s "$addr"
> +        result=$(is_ipv6 "${addr}")
> +        if [ -z "${result}" ] ; then
> +          frob_iptable -s "$addr"
> +        else
> +          frob_ip6table -s "$addr"
> +        fi
>        done
> -
> -      # Always allow the domain to talk to a DHCP server.
> -      frob_iptable -p udp --sport 68 --dport 67
>    else
>        # No IP addresses have been specified, so allow anything.
>        frob_iptable
> +      frob_ip6table
>    fi
>  
>    release_lock "iptables"
> @@ -213,3 +275,36 @@ dom0_ip()
>    fi
>    echo "$result"
>  }
> +
> +
> +##
> +# ip6_of interface
> +#
> +# Print the first IPv6 address currently in use at the given interface, or nothing if
> +# the interface is not up.
> +#
> +ip6_of()
> +{
> +        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
> +}
> +
> +
> +##
> +# dom0_ip6
> +#
> +# Print the IPv6 address of the interface in dom0 through which we are routing.
> +# This is the IP address on the interface specified as "netdev" as a parameter
> +# to these scripts, or eth0 by default.  This function will call fatal if no
> +# such interface could be found.
> +#
> +dom0_ip6()
> +{
> +  local nd=${netdev:-eth0}
> +  local result=$(ip6_of "$nd")
> +  if [ -z "$result" ]
> +  then
> +        ""
> +  else
> +        echo "$result"
> +  fi
> +}
> -- 
> 1.8.1.5


* Re: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering
@ 2013-05-21  8:57   ` Sylvain Munaut
From: Sylvain Munaut @ 2013-05-21  8:57 UTC (permalink / raw)
  To: Ian Campbell; +Cc: George Dunlap, xen-devel

Hi,

> WRT the release, we are now frozen for 4.3 and I'd be concerned about
> introducing a subtle (or not so subtle) networking regression. George
> what do you think?

I'm not really in a hurry, I have to maintain my own package anyway
for other custom patches.
I just thought this one might be useful for others and IPv6 is more
and more popular.


> I notice you use --physdev-out -- I got the impression that this wasn't
> supported any more (occasional bug reports about a warning message). TBH
> I don't know enough about what it does to say one way or the other.

physdev-out is only supported for bridged devices, hence the
"physdev-is-bridged" option.
If the device isn't bridged, it simply won't match and iptables has to
be configured some other way.

But those limitations are already present in the IPv4 iptables config.


> One minor niggle, you've spelt "explicitly" as "explicitely".

Damnit :p

I'll wait and see if there are other comments on the patch and resend
with all corrections if needed.


Cheers,

   Sylvain


* Re: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering
@ 2013-05-21 12:26   ` George Dunlap
From: George Dunlap @ 2013-05-21 12:26 UTC (permalink / raw)
  To: Ian Campbell; +Cc: Sylvain Munaut, xen-devel

On 05/20/2013 05:12 PM, Ian Campbell wrote:
> On Mon, 2013-05-13 at 14:55 +0100, Sylvain Munaut wrote:
>> The vif-common.sh hotplug script doesn't support IPv6 iptables
>> filtering setup. The attached patch adds basic filtering capability so
>> that if an IPv6 address is specified, it's added to the 'authorized' source
>> list.
>> Basically the same behavior as for IPv4.
>>
>> I've been using this patch for some time on Xen 4.1 and I've just
>> forward ported it to Xen master (it applied cleanly and I didn't see any
>> changes that would matter).
>
> Thanks, this looks plausible, at least as far as I am able to tell. Is
> there anyone around who could review this from the ipv6/iptables PoV?
>
> WRT the release, we are now frozen for 4.3 and I'd be concerned about
> introducing a subtle (or not so subtle) networking regression. George
> what do you think?

Yeah, I think given that no one has been clamoring for it, it would be 
better to wait until 4.4.

  -George
