[patch] xen bridged network setup fixes

[patch] xen bridged network setup fixes

[Gerd Hoffmann]

[-- Attachment #1: Type: text/plain, Size: 650 bytes --]

  Hi,

The attached patch fixes the setup of the bridge ports and the bridge
itself.  Changes:

  * move some functions to xen-network-common.sh, so both vif-bridge
    and network-bridge can use them.
  * add a new function to configure bridge ports and use it.
  * make sure arp requests, ipv6 autoconfiguration and ipv6 router
    solicitations are disabled for the bridge ports and also for the
    bridge itself.

cheers,

  Gerd

-- 
Gerd Hoffmann <kraxel@suse.de>
Erst mal heiraten, ein, zwei Kinder, und wenn alles läuft
geh' ich nach drei Jahren mit der Familie an die Börse.
http://www.suse.de/~kraxel/julika-dora.jpeg

[-- Attachment #2: xen-netconf.diff --]
[-- Type: text/x-patch, Size: 3977 bytes --]

--- /etc/xen/scripts/vif-bridge.ipv6	2006-05-11 17:23:16.000000000 +0200
+++ /etc/xen/scripts/vif-bridge	2006-05-12 09:12:12.000000000 +0200
@@ -48,16 +48,8 @@
 
 case "$command" in
     online)
-        if brctl show | grep -q "$vif"
-        then
-          log debug "$vif already attached to a bridge"
-          exit 0
-        fi
-
-        brctl addif "$bridge" "$vif" ||
-          fatal "brctl addif $bridge $vif failed"
-
-        ifconfig "$vif" up || fatal "ifconfig $vif up failed"
+	setup_bridge_port "$vif"
+	add_to_bridge "$bridge" "$vif"
         ;;
 
     offline)
--- /etc/xen/scripts/network-bridge.ipv6	2006-05-11 17:23:30.000000000 +0200
+++ /etc/xen/scripts/network-bridge	2006-05-12 10:27:04.000000000 +0200
@@ -137,29 +137,6 @@
 }
 
 
-# Usage: create_bridge bridge
-create_bridge () {
-    local bridge=$1
-
-    # Don't create the bridge if it already exists.
-    if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then
-	brctl addbr ${bridge}
-	brctl stp ${bridge} off
-	brctl setfd ${bridge} 0
-    fi
-    ip link set ${bridge} up
-}
-
-# Usage: add_to_bridge bridge dev
-add_to_bridge () {
-    local bridge=$1
-    local dev=$2
-    # Don't add $dev to $bridge if it's already on a bridge.
-    if [ ! -e "/sys/class/net/${bridge}/brif/${dev}" ]; then
-	brctl addif ${bridge} ${dev}
-    fi
-}
-
 # Set the default forwarding policy for $dev to drop.
 # Allow forwarding to the bridge.
 antispoofing () {
@@ -220,15 +197,14 @@
 	ifdown ${netdev}
 	ip link set ${netdev} name ${pdev}
 	ip link set ${vdev} name ${netdev}
-	ip link set ${pdev} down arp off
-	ip link set ${pdev} addr fe:ff:ff:ff:ff:ff
-	ip addr flush ${pdev}
+
+	setup_bridge_port ${pdev}
+	setup_bridge_port ${vif0}
 	ip link set ${netdev} addr ${mac} arp on
-	add_to_bridge ${bridge} ${vif0}
 	ip link set ${bridge} up
-	ip link set ${vif0} up
-	ip link set ${pdev} up
+	add_to_bridge ${bridge} ${vif0}
 	add_to_bridge2 ${bridge} ${pdev}
+
         ip link set ${netdev} up
 	ifup ${hwddev}
     else
@@ -286,6 +262,7 @@
     local maxtries=10
 
     echo -n "Waiting for ${dev} to negotiate link."
+    ip link set ${dev} up
     for i in `seq ${maxtries}` ; do
 	if ifconfig ${dev} | grep -q RUNNING ; then
 	    break
--- /etc/xen/scripts/xen-network-common.sh.ipv6	2006-05-12 08:58:19.000000000 +0200
+++ /etc/xen/scripts/xen-network-common.sh	2006-05-12 10:41:47.000000000 +0200
@@ -67,3 +67,57 @@
 {
   first_file -x /etc/init.d/{dhcp3-server,dhcp,dhcpd}
 }
+
+# configure interfaces which act as pure bridge ports:
+#  - make quiet: no arp, no ipv6 autoconf
+#  - set mac address to fe:ff:ff:ff:ff:ff
+setup_bridge_port() {
+    local dev="$1"
+
+    # take interface down ...
+    ip link set ${dev} up	# creates ipv6 conf dir
+    ip link set ${dev} down
+
+    # ... and configure
+    if test -f /proc/sys/net/ipv6/conf/${dev}/autoconf; then
+	echo 0 > /proc/sys/net/ipv6/conf/${dev}/autoconf
+	echo 0 > /proc/sys/net/ipv6/conf/${dev}/router_solicitations
+    fi
+    ip link set ${dev} arp off
+    ip link set ${dev} addr fe:ff:ff:ff:ff:ff
+    ip addr flush ${dev}
+}
+
+# Usage: create_bridge bridge
+create_bridge () {
+    local bridge=$1
+
+    # Don't create the bridge if it already exists.
+    if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then
+	brctl addbr ${bridge}
+	brctl stp ${bridge} off
+	brctl setfd ${bridge} 0
+        ip link set ${bridge} arp off
+	ip link set ${bridge} up	# creates ipv6 conf dir
+	if test -f /proc/sys/net/ipv6/conf/${bridge}/autoconf; then
+	    echo 0 > /proc/sys/net/ipv6/conf/${bridge}/autoconf
+	    echo 0 > /proc/sys/net/ipv6/conf/${bridge}/router_solicitations
+	fi
+    else
+	ip link set ${bridge} up
+    fi
+}
+
+# Usage: add_to_bridge bridge dev
+add_to_bridge () {
+    local bridge=$1
+    local dev=$2
+
+    # Don't add $dev to $bridge if it's already on a bridge.
+    if [ -e "/sys/class/net/${bridge}/brif/${dev}" ]; then
+	return
+    fi
+    brctl addif ${bridge} ${dev}
+    ip link set ${dev} up
+}
+

[-- Attachment #3: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel

Re: [patch] xen bridged network setup fixes

[Ewan Mellor]

On Fri, May 12, 2006 at 12:24:18PM +0200, Gerd Hoffmann wrote:

>   Hi,
> 
> The attached patch fixes the setup of the bridge ports and the bridge
> itself.  Changes:
> 
>   * move some functions to xen-network-common.sh, so both vif-bridge
>     and network-bridge can use them.
>   * add a new function to configure bridge ports and use it.
>   * make sure arp requests, ipv6 autoconfiguration and ipv6 router
>     solicitations are disabled for the bridge ports and also for the
>     bridge itself.
> 
> cheers,
> 
>   Gerd


Could you please make this patch against xen-unstable, not against your
installed machine?  Also, we need a Signed-off-by: line before we can accept
it.

Thanks,

Ewan.

> 
> -- 
> Gerd Hoffmann <kraxel@suse.de>
> Erst mal heiraten, ein, zwei Kinder, und wenn alles läuft
> geh' ich nach drei Jahren mit der Familie an die Börse.
> http://www.suse.de/~kraxel/julika-dora.jpeg

> --- /etc/xen/scripts/vif-bridge.ipv6	2006-05-11 17:23:16.000000000 +0200
> +++ /etc/xen/scripts/vif-bridge	2006-05-12 09:12:12.000000000 +0200
> @@ -48,16 +48,8 @@
>  
>  case "$command" in
>      online)
> -        if brctl show | grep -q "$vif"
> -        then
> -          log debug "$vif already attached to a bridge"
> -          exit 0
> -        fi
> -
> -        brctl addif "$bridge" "$vif" ||
> -          fatal "brctl addif $bridge $vif failed"
> -
> -        ifconfig "$vif" up || fatal "ifconfig $vif up failed"
> +	setup_bridge_port "$vif"
> +	add_to_bridge "$bridge" "$vif"
>          ;;
>  
>      offline)
> --- /etc/xen/scripts/network-bridge.ipv6	2006-05-11 17:23:30.000000000 +0200
> +++ /etc/xen/scripts/network-bridge	2006-05-12 10:27:04.000000000 +0200
> @@ -137,29 +137,6 @@
>  }
>  
>  
> -# Usage: create_bridge bridge
> -create_bridge () {
> -    local bridge=$1
> -
> -    # Don't create the bridge if it already exists.
> -    if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then
> -	brctl addbr ${bridge}
> -	brctl stp ${bridge} off
> -	brctl setfd ${bridge} 0
> -    fi
> -    ip link set ${bridge} up
> -}
> -
> -# Usage: add_to_bridge bridge dev
> -add_to_bridge () {
> -    local bridge=$1
> -    local dev=$2
> -    # Don't add $dev to $bridge if it's already on a bridge.
> -    if [ ! -e "/sys/class/net/${bridge}/brif/${dev}" ]; then
> -	brctl addif ${bridge} ${dev}
> -    fi
> -}
> -
>  # Set the default forwarding policy for $dev to drop.
>  # Allow forwarding to the bridge.
>  antispoofing () {
> @@ -220,15 +197,14 @@
>  	ifdown ${netdev}
>  	ip link set ${netdev} name ${pdev}
>  	ip link set ${vdev} name ${netdev}
> -	ip link set ${pdev} down arp off
> -	ip link set ${pdev} addr fe:ff:ff:ff:ff:ff
> -	ip addr flush ${pdev}
> +
> +	setup_bridge_port ${pdev}
> +	setup_bridge_port ${vif0}
>  	ip link set ${netdev} addr ${mac} arp on
> -	add_to_bridge ${bridge} ${vif0}
>  	ip link set ${bridge} up
> -	ip link set ${vif0} up
> -	ip link set ${pdev} up
> +	add_to_bridge ${bridge} ${vif0}
>  	add_to_bridge2 ${bridge} ${pdev}
> +
>          ip link set ${netdev} up
>  	ifup ${hwddev}
>      else
> @@ -286,6 +262,7 @@
>      local maxtries=10
>  
>      echo -n "Waiting for ${dev} to negotiate link."
> +    ip link set ${dev} up
>      for i in `seq ${maxtries}` ; do
>  	if ifconfig ${dev} | grep -q RUNNING ; then
>  	    break
> --- /etc/xen/scripts/xen-network-common.sh.ipv6	2006-05-12 08:58:19.000000000 +0200
> +++ /etc/xen/scripts/xen-network-common.sh	2006-05-12 10:41:47.000000000 +0200
> @@ -67,3 +67,57 @@
>  {
>    first_file -x /etc/init.d/{dhcp3-server,dhcp,dhcpd}
>  }
> +
> +# configure interfaces which act as pure bridge ports:
> +#  - make quiet: no arp, no ipv6 autoconf
> +#  - set mac address to fe:ff:ff:ff:ff:ff
> +setup_bridge_port() {
> +    local dev="$1"
> +
> +    # take interface down ...
> +    ip link set ${dev} up	# creates ipv6 conf dir
> +    ip link set ${dev} down
> +
> +    # ... and configure
> +    if test -f /proc/sys/net/ipv6/conf/${dev}/autoconf; then
> +	echo 0 > /proc/sys/net/ipv6/conf/${dev}/autoconf
> +	echo 0 > /proc/sys/net/ipv6/conf/${dev}/router_solicitations
> +    fi
> +    ip link set ${dev} arp off
> +    ip link set ${dev} addr fe:ff:ff:ff:ff:ff
> +    ip addr flush ${dev}
> +}
> +
> +# Usage: create_bridge bridge
> +create_bridge () {
> +    local bridge=$1
> +
> +    # Don't create the bridge if it already exists.
> +    if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then
> +	brctl addbr ${bridge}
> +	brctl stp ${bridge} off
> +	brctl setfd ${bridge} 0
> +        ip link set ${bridge} arp off
> +	ip link set ${bridge} up	# creates ipv6 conf dir
> +	if test -f /proc/sys/net/ipv6/conf/${bridge}/autoconf; then
> +	    echo 0 > /proc/sys/net/ipv6/conf/${bridge}/autoconf
> +	    echo 0 > /proc/sys/net/ipv6/conf/${bridge}/router_solicitations
> +	fi
> +    else
> +	ip link set ${bridge} up
> +    fi
> +}
> +
> +# Usage: add_to_bridge bridge dev
> +add_to_bridge () {
> +    local bridge=$1
> +    local dev=$2
> +
> +    # Don't add $dev to $bridge if it's already on a bridge.
> +    if [ -e "/sys/class/net/${bridge}/brif/${dev}" ]; then
> +	return
> +    fi
> +    brctl addif ${bridge} ${dev}
> +    ip link set ${dev} up
> +}
> +

> _______________________________________________
> Xen-devel mailing list
> Xen-devel@lists.xensource.com
> http://lists.xensource.com/xen-devel

Re: [patch] xen bridged network setup fixes

[Gerd Hoffmann]

[-- Attachment #1: Type: text/plain, Size: 799 bytes --]

  Hi,

> Could you please make this patch against xen-unstable, not against your
> installed machine?  Also, we need a Signed-off-by: line before we can accept
> it.

Here we go.  We have a slightly different attack on the problem now, our
ipv6 guy suggested to simply patch the kernel to not send out the ipv6
autoconfiguration multicast packets in case multicast is turned off for
the network interface in question.  That is certainly cleaner than
poking around in /proc/sys/net/ipv6 and also has no race conditions ;)

The cleanups are the same though: create some helper functions to do the
interface setup and use them everythere.  Additionally there is a second
patch which adds the kernel bits.

cheers,

  Gerd

-- 
Gerd Hoffmann <kraxel@suse.de>
http://www.suse.de/~kraxel/julika-dora.jpeg

[-- Attachment #2: tools.diff --]
[-- Type: text/x-patch, Size: 3648 bytes --]

Signed-off-by: Gerd Hoffmann <kraxel@suse.de>
diff -r 360f9dc71f51 tools/examples/network-bridge
--- a/tools/examples/network-bridge	Tue Jun 13 10:41:15 2006
+++ b/tools/examples/network-bridge	Thu Jun 15 15:11:56 2006
@@ -151,30 +151,6 @@
     fi
 }
 
-
-# Usage: create_bridge bridge
-create_bridge () {
-    local bridge=$1
-
-    # Don't create the bridge if it already exists.
-    if ! brctl show | grep -q ${bridge} ; then
-	brctl addbr ${bridge}
-	brctl stp ${bridge} off
-	brctl setfd ${bridge} 0
-    fi
-    ip link set ${bridge} up
-}
-
-# Usage: add_to_bridge bridge dev
-add_to_bridge () {
-    local bridge=$1
-    local dev=$2
-    # Don't add $dev to $bridge if it's already on a bridge.
-    if ! brctl show | grep -q ${dev} ; then
-	brctl addif ${bridge} ${dev}
-    fi
-}
-
 # Set the default forwarding policy for $dev to drop.
 # Allow forwarding to the bridge.
 antispoofing () {
@@ -238,14 +214,13 @@
 	fi
 	ip link set ${netdev} name ${pdev}
 	ip link set ${vdev} name ${netdev}
-	ip link set ${pdev} down arp off
-	ip link set ${pdev} addr fe:ff:ff:ff:ff:ff
-	ip addr flush ${pdev}
+
+	setup_bridge_port ${pdev}
+	setup_bridge_port ${vif0}
 	ip link set ${netdev} addr ${mac} arp on
-	add_to_bridge ${bridge} ${vif0}
+
 	ip link set ${bridge} up
-	ip link set ${vif0} up
-	ip link set ${pdev} up
+	add_to_bridge  ${bridge} ${vif0}
 	add_to_bridge2 ${bridge} ${pdev}
 	do_ifup ${netdev}
     else
@@ -301,6 +276,7 @@
     local maxtries=10
 
     echo -n "Waiting for ${dev} to negotiate link."
+    ip link set ${dev} up
     for i in `seq ${maxtries}` ; do
 	if ifconfig ${dev} | grep -q RUNNING ; then
 	    break
diff -r 360f9dc71f51 tools/examples/vif-bridge
--- a/tools/examples/vif-bridge	Tue Jun 13 10:41:15 2006
+++ b/tools/examples/vif-bridge	Thu Jun 15 15:11:56 2006
@@ -48,16 +48,8 @@
 
 case "$command" in
     online)
-        if brctl show | grep -q "$vif"
-        then
-          log debug "$vif already attached to a bridge"
-          exit 0
-        fi
-
-        brctl addif "$bridge" "$vif" ||
-          fatal "brctl addif $bridge $vif failed"
-
-        ifconfig "$vif" up || fatal "ifconfig $vif up failed"
+	setup_bridge_port "$vif"
+	add_to_bridge "$bridge" "$vif"
         ;;
 
     offline)
diff -r 360f9dc71f51 tools/examples/xen-network-common.sh
--- a/tools/examples/xen-network-common.sh	Tue Jun 13 10:41:15 2006
+++ b/tools/examples/xen-network-common.sh	Thu Jun 15 15:11:56 2006
@@ -104,3 +104,48 @@
 {
   first_file -x /etc/init.d/{dhcp3-server,dhcp,dhcpd}
 }
+
+# configure interfaces which act as pure bridge ports:
+#  - make quiet: no arp, no multicast (ipv6 autoconf)
+#  - set mac address to fe:ff:ff:ff:ff:ff
+setup_bridge_port() {
+    local dev="$1"
+
+    # take interface down ...
+    ip link set ${dev} down
+
+    # ... and configure it
+    ip link set ${dev} arp off
+    ip link set ${dev} multicast off
+    ip link set ${dev} addr fe:ff:ff:ff:ff:ff
+    ip addr flush ${dev}
+}
+
+# Usage: create_bridge bridge
+create_bridge () {
+    local bridge=$1
+
+    # Don't create the bridge if it already exists.
+    if [ ! -e "/sys/class/net/${bridge}/bridge" ]; then
+	brctl addbr ${bridge}
+	brctl stp ${bridge} off
+	brctl setfd ${bridge} 0
+        ip link set ${bridge} arp off
+        ip link set ${bridge} multicast off
+    fi
+    ip link set ${bridge} up
+}
+
+# Usage: add_to_bridge bridge dev
+add_to_bridge () {
+    local bridge=$1
+    local dev=$2
+
+    # Don't add $dev to $bridge if it's already on a bridge.
+    if [ -e "/sys/class/net/${bridge}/brif/${dev}" ]; then
+	return
+    fi
+    brctl addif ${bridge} ${dev}
+    ip link set ${dev} up
+}
+

[-- Attachment #3: kernel.diff --]
[-- Type: text/x-patch, Size: 1053 bytes --]

diff -r 360f9dc71f51 patches/linux-2.6.16.13/ipv6-no-autoconf.patch
--- /dev/null	Tue Jun 13 10:41:15 2006
+++ b/patches/linux-2.6.16.13/ipv6-no-autoconf.patch	Thu Jun 15 15:11:29 2006
@@ -0,0 +1,23 @@
+ net/ipv6/addrconf.c |    2 ++
+ 1 files changed, 2 insertions(+)
+
+Index: build/net/ipv6/addrconf.c
+===================================================================
+--- build.orig/net/ipv6/addrconf.c
++++ build/net/ipv6/addrconf.c
+@@ -2462,6 +2462,7 @@ static void addrconf_dad_start(struct in
+ 	spin_lock_bh(&ifp->lock);
+ 
+ 	if (dev->flags&(IFF_NOARP|IFF_LOOPBACK) ||
++	    !(dev->flags&IFF_MULTICAST) ||
+ 	    !(ifp->flags&IFA_F_TENTATIVE)) {
+ 		ifp->flags &= ~IFA_F_TENTATIVE;
+ 		spin_unlock_bh(&ifp->lock);
+@@ -2546,6 +2547,7 @@ static void addrconf_dad_completed(struc
+ 	if (ifp->idev->cnf.forwarding == 0 &&
+ 	    ifp->idev->cnf.rtr_solicits > 0 &&
+ 	    (dev->flags&IFF_LOOPBACK) == 0 &&
++	    (dev->flags & IFF_MULTICAST) &&
+ 	    (ipv6_addr_type(&ifp->addr) & IPV6_ADDR_LINKLOCAL)) {
+ 		struct in6_addr all_routers;
+ 

[-- Attachment #4: Type: text/plain, Size: 138 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xensource.com
http://lists.xensource.com/xen-devel