[PATH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering

[PATH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering

[Sylvain Munaut]

[-- Attachment #1: Type: text/plain, Size: 437 bytes --]

The vif-common.sh hotplug script doesn't support ipv6 iptables
filtering setup. The attached patch adds basic filtering capability so
that if an IPv6 is specified, it's added to the 'authorized' source
list.
Basically the same behavior as for ipv4.

I've been using this patch for some time on xen 4.1 and I've just
forward ported it to xen master (it applied cleanly and didn't see any
changes that would matter).

Cheers,

    Sylvain

[-- Attachment #2: 0001-tools-hotplug-Linux-Add-IPv6-support-to-vif-common-f.patch --]
[-- Type: application/octet-stream, Size: 4176 bytes --]

From c6561a403a2c8b1afaf5f336d2df95aceb362cbc Mon Sep 17 00:00:00 2001
From: Sylvain Munaut <s.munaut@whatever-company.com>
Date: Mon, 13 May 2013 15:52:14 +0200
Subject: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering

By default DomU are not allow to send router-advertisement
message. Set the ipv6_allow_ra config option to yet to allow it.

Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
---
 tools/hotplug/Linux/vif-common.sh | 103 ++++++++++++++++++++++++++++++++++++--
 1 file changed, 99 insertions(+), 4 deletions(-)

diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
index 73ee241..d5c51e7 100644
--- a/tools/hotplug/Linux/vif-common.sh
+++ b/tools/hotplug/Linux/vif-common.sh
@@ -121,8 +121,11 @@ fi
 ip=${ip:-}
 ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
 
+ipv6_allow_ra=$(xenstore_read_default "$XENBUS_PATH/ipv6_allow_ra" "false")
+
 frob_iptable()
 {
+  # Add or remove
   if [ "$command" == "online" ]
   then
     local c="-I"
@@ -130,6 +133,7 @@ frob_iptable()
     local c="-D"
   fi
 
+  # Main rules
   iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
     "$@" -j ACCEPT 2>/dev/null &&
   iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
@@ -139,6 +143,61 @@ frob_iptable()
   then
     log err "iptables setup failed. This may affect guest networking."
   fi
+
+  # Always allow the domain to talk to a DHCP server.
+  if [ -n "$1" ]
+  then
+    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
+      -p udp --sport 68 --dport 67 -j ACCEPT 2>/dev/null
+  fi
+
+  if [ "$command" == "online" -a $? -ne 0 ]
+  then
+    log err "iptables setup failed. This may affect guest networking."
+  fi
+}
+
+frob_ip6table()
+{
+  # Add or remove
+  if [ "$command" == "online" ]
+  then
+    local c="-I"
+  else
+    local c="-D"
+  fi
+
+  # Main rules
+  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
+    "$@" -j ACCEPT 2>/dev/null &&
+  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
+    -j ACCEPT 2>/dev/null
+
+  if [ "$command" == "online" -a $? -ne 0 ]
+  then
+    log err "ip6tables setup failed. This may affect guest networking."
+  fi
+
+  # Filter out RA if not explicitely allowed
+  if [ "$ipv6_allow_ra" != "true" ]
+  then
+    ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
+      -p icmpv6 --icmpv6-type router-advertisement -j DROP 2>/dev/null
+  fi
+
+  if [ "$command" == "online" -a $? -ne 0 ]
+  then
+    log err "ip6tables setup failed. This may affect guest networking."
+  fi
+}
+
+
+##
+# Check if the given IP is IPv6 or not
+#
+is_ipv6()
+{
+        echo "$1" | perl -wane '/:/ && print "yes"'
 }
 
 
@@ -167,14 +226,17 @@ handle_iptable()
       local addr
       for addr in $ip
       do
-        frob_iptable -s "$addr"
+        result=$(is_ipv6 "${addr}")
+        if [ -z "${result}" ] ; then
+          frob_iptable -s "$addr"
+        else
+          frob_ip6table -s "$addr"
+        fi
       done
-
-      # Always allow the domain to talk to a DHCP server.
-      frob_iptable -p udp --sport 68 --dport 67
   else
       # No IP addresses have been specified, so allow anything.
       frob_iptable
+      frob_ip6table
   fi
 
   release_lock "iptables"
@@ -213,3 +275,36 @@ dom0_ip()
   fi
   echo "$result"
 }
+
+
+##
+# ip6_of interface
+#
+# Print the first IPv6 address currently in use at the given interface, or nothing if
+# the interface is not up.
+#
+ip6_of()
+{
+        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
+}
+
+
+##
+# dom0_ip6
+#
+# Print the IPv6 address of the interface in dom0 through which we are routing.
+# This is the IP address on the interface specified as "netdev" as a parameter
+# to these scripts, or eth0 by default.  This function will call fatal if no
+# such interface could be found.
+#
+dom0_ip6()
+{
+  local nd=${netdev:-eth0}
+  local result=$(ip6_of "$nd")
+  if [ -z "$result" ]
+  then
+        ""
+  else
+        echo "$result"
+  fi
+}
-- 
1.8.1.5


[-- Attachment #3: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel

Re: [PATH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering

[Ian Campbell]

On Mon, 2013-05-13 at 14:55 +0100, Sylvain Munaut wrote:
> The vif-common.sh hotplug script doesn't support ipv6 iptables
> filtering setup. The attached patch adds basic filtering capability so
> that if an IPv6 is specified, it's added to the 'authorized' source
> list.
> Basically the same behavior as for ipv4.
> 
> I've been using this patch for some time on xen 4.1 and I've just
> forward ported it to xen master (it applied cleanly and didn't see any
> changes that would matter).

Thanks, this looks plausible, at least as far as I am able to tell. Is
there anyone around who could review this from the ipv6/iptables PoV?

WRT the release, we are now frozen for 4.3 and I'd be concerned about
introducing a subtle (or not so subtle) networking regression. George
what do you think?

I notice you use --physdev-out -- I got the impression that this wasn't
supported any more (occasional bug reports about a warning message). TBH
I don't know enough about what it does to say one way or the other.

One minor niggle, you've spelt "explicitly" as "explicitely".

> 
> Cheers,
> 
>     Sylvain

> From c6561a403a2c8b1afaf5f336d2df95aceb362cbc Mon Sep 17 00:00:00 2001
> From: Sylvain Munaut <s.munaut@whatever-company.com>
> Date: Mon, 13 May 2013 15:52:14 +0200
> Subject: [PATCH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering
> 
> By default DomU are not allow to send router-advertisement
> message. Set the ipv6_allow_ra config option to yet to allow it.
> 
> Signed-off-by: Sylvain Munaut <s.munaut@whatever-company.com>
> ---
>  tools/hotplug/Linux/vif-common.sh | 103 ++++++++++++++++++++++++++++++++++++--
>  1 file changed, 99 insertions(+), 4 deletions(-)
> 
> diff --git a/tools/hotplug/Linux/vif-common.sh b/tools/hotplug/Linux/vif-common.sh
> index 73ee241..d5c51e7 100644
> --- a/tools/hotplug/Linux/vif-common.sh
> +++ b/tools/hotplug/Linux/vif-common.sh
> @@ -121,8 +121,11 @@ fi
>  ip=${ip:-}
>  ip=$(xenstore_read_default "$XENBUS_PATH/ip" "$ip")
>  
> +ipv6_allow_ra=$(xenstore_read_default "$XENBUS_PATH/ipv6_allow_ra" "false")
> +
>  frob_iptable()
>  {
> +  # Add or remove
>    if [ "$command" == "online" ]
>    then
>      local c="-I"
> @@ -130,6 +133,7 @@ frob_iptable()
>      local c="-D"
>    fi
>  
> +  # Main rules
>    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
>      "$@" -j ACCEPT 2>/dev/null &&
>    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
> @@ -139,6 +143,61 @@ frob_iptable()
>    then
>      log err "iptables setup failed. This may affect guest networking."
>    fi
> +
> +  # Always allow the domain to talk to a DHCP server.
> +  if [ -n "$1" ]
> +  then
> +    iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
> +      -p udp --sport 68 --dport 67 -j ACCEPT 2>/dev/null
> +  fi
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "iptables setup failed. This may affect guest networking."
> +  fi
> +}
> +
> +frob_ip6table()
> +{
> +  # Add or remove
> +  if [ "$command" == "online" ]
> +  then
> +    local c="-I"
> +  else
> +    local c="-D"
> +  fi
> +
> +  # Main rules
> +  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
> +    "$@" -j ACCEPT 2>/dev/null &&
> +  ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
> +    -j ACCEPT 2>/dev/null
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "ip6tables setup failed. This may affect guest networking."
> +  fi
> +
> +  # Filter out RA if not explicitely allowed
> +  if [ "$ipv6_allow_ra" != "true" ]
> +  then
> +    ip6tables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
> +      -p icmpv6 --icmpv6-type router-advertisement -j DROP 2>/dev/null
> +  fi
> +
> +  if [ "$command" == "online" -a $? -ne 0 ]
> +  then
> +    log err "ip6tables setup failed. This may affect guest networking."
> +  fi
> +}
> +
> +
> +##
> +# Check if the given IP is IPv6 or not
> +#
> +is_ipv6()
> +{
> +        echo "$1" | perl -wane '/:/ && print "yes"'
>  }
>  
>  
> @@ -167,14 +226,17 @@ handle_iptable()
>        local addr
>        for addr in $ip
>        do
> -        frob_iptable -s "$addr"
> +        result=$(is_ipv6 "${addr}")
> +        if [ -z "${result}" ] ; then
> +          frob_iptable -s "$addr"
> +        else
> +          frob_ip6table -s "$addr"
> +        fi
>        done
> -
> -      # Always allow the domain to talk to a DHCP server.
> -      frob_iptable -p udp --sport 68 --dport 67
>    else
>        # No IP addresses have been specified, so allow anything.
>        frob_iptable
> +      frob_ip6table
>    fi
>  
>    release_lock "iptables"
> @@ -213,3 +275,36 @@ dom0_ip()
>    fi
>    echo "$result"
>  }
> +
> +
> +##
> +# ip6_of interface
> +#
> +# Print the first IPv6 address currently in use at the given interface, or nothing if
> +# the interface is not up.
> +#
> +ip6_of()
> +{
> +        ip -6 addr show primary dev "$1" | perl -wane '/scope global/ && /inet6 (([0-9a-f]+:*)+)/ && print $1;'
> +}
> +
> +
> +##
> +# dom0_ip6
> +#
> +# Print the IPv6 address of the interface in dom0 through which we are routing.
> +# This is the IP address on the interface specified as "netdev" as a parameter
> +# to these scripts, or eth0 by default.  This function will call fatal if no
> +# such interface could be found.
> +#
> +dom0_ip6()
> +{
> +  local nd=${netdev:-eth0}
> +  local result=$(ip6_of "$nd")
> +  if [ -z "$result" ]
> +  then
> +        ""
> +  else
> +        echo "$result"
> +  fi
> +}
> -- 
> 1.8.1.5

Re: [PATH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering

[Sylvain Munaut]

Hi,

> WRT the release, we are now frozen for 4.3 and I'd be concerned about
> introducing a subtle (or not so subtle) networking regression. George
> what do you think?

I'm not really in a hurry, I have to maintain my own package anyways
for other custom patches anyway.
I just thought this one might be useful for others and IPv6 is more
and more popular.


> I notice you use --physdev-out -- I got the impression that this wasn't
> supported any more (occasional bug reports about a warning message). TBH
> I don't know enough about what it does to say one way or the other.

physdev-out is only supported for bridged devices, hence the
"physdev-is-bridged" option.
If the device isn't bridged, it simply won't match and iptables has to
be configured some
other way.

But those limitations are already present in the IPv4 iptables config.


> One minor niggle, you've spelt "explicitly" as "explicitely".

Damnit :p

I'll wait and see if there are other comments on the patch and resend
with all corrections if needed.


Cheers,

   Sylvain

Re: [PATH] tools/hotplug/Linux: Add IPv6 support to vif-common filtering

[George Dunlap]

On 05/20/2013 05:12 PM, Ian Campbell wrote:
> On Mon, 2013-05-13 at 14:55 +0100, Sylvain Munaut wrote:
>> The vif-common.sh hotplug script doesn't support ipv6 iptables
>> filtering setup. The attached patch adds basic filtering capability so
>> that if an IPv6 is specified, it's added to the 'authorized' source
>> list.
>> Basically the same behavior as for ipv4.
>>
>> I've been using this patch for some time on xen 4.1 and I've just
>> forward ported it to xen master (it applied cleanly and didn't see any
>> changes that would matter).
>
> Thanks, this looks plausible, at least as far as I am able to tell. Is
> there anyone around who could review this from the ipv6/iptables PoV?
>
> WRT the release, we are now frozen for 4.3 and I'd be concerned about
> introducing a subtle (or not so subtle) networking regression. George
> what do you think?

Yeah, I think given that no one has been clamoring for it, it would be 
better to wait until 4.4.

  -George