Bug#550692: Script network-bridge in lenny may break network/firewall configuration

2009-10-12 Thread Daniel Lutz
Package: xen-utils-common
Version: 3.2.0-2

Hello

We used the script network-bridge on our Xen servers based on etch
(xen-utils-common 3.0.3-0-2) to set up bridge configuration. This script
created a bridge xenbr0, renamed eth0 to peth0, renamed veth0 to eth0 and
added peth0 and vif0.0 to the bridge. For firewalling, we had to create
rules to filter on xenbr0 (FORWARD) and eth0 (INPUT/OUTPUT).

The resulting configuration is as follows:

peth0 -- Bridge xenbr0 -- vifx.x/eth0  (DomU)
               ^
               |
               v
          vif0.0/eth0
             Dom0


Since XEN 3.2, the script network-bridge creates a bridge eth0 instead of
xenbr0 and doesn't use vif0.0/veth0 anymore. That is, eth0 is now a bridge
and an interface for Dom0 in one. This behaviour breaks our firewall rules.

The resulting configuration is as follows:

peth0 -- Bridge eth0 -- vifx.x/eth0  (DomU)
             Dom0

vif0.0, veth0: not used


As a work-around, we still use the scripts network-bridge and
xen-network-common.sh from XEN 3.0 to get back the old behaviour.

For firewalling, we use Shorewall. The setup and rules required for Shorewall
are described at http://shorewall.net/4.2/XenMyWay.html. This setup assumes
there's a bridge xenbr0 and an interface eth0 for Dom0, that is, it assumes
the behaviour from XEN 3.0.

I think this change of configuration by the new scripts might break the
firewalling rules of other people, too. So there should be a way to
re-activate the old behaviour of the scripts, or get a smooth transition to
the new way of configuration.


A similar problem is described in Bug #511579
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511579

And also here:
http://lists.xensource.com/archives/html/xen-users/2008-09/msg00261.html
https://systemausfall.org/wikis/howto/XenUpgrade3.2

Currently, we continue using the old network configuration scheme from XEN 3.0.
We might consider switching to the new configuration scheme in the future. We
propose to add the old network-bridge scripts from XEN 3.0 as an alternative to
the new configuration scheme (e. g. named network-bridge-3.0,
xen-network-common-3.0.sh).

Regards,
Daniel Lutz


-- 
-- Daniel Lutz
-- Logintas AG, Sonnhaldenstrasse 87, CH-6331 Hünenberg, +41 41 783 21 21
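An added check, not part of the bug report or of the Xen scripts, that makes the breakage described above visible: it takes iptables-save output and the host's interface list (both constructed here from the names in the report) and lists every rule interface the host no longer has. LINKS_3_0, LINKS_3_2 and RULES_3_0 are constructed samples.

```shell
#!/bin/sh
# Added example, not from the bug report or the Xen scripts.
# Finds firewall rules that reference an interface the host no longer has,
# which is what happens to rules written for the Xen 3.0 layout (bridge
# xenbr0, Dom0 on eth0) once Xen 3.2 names the bridge eth0 instead.

# Constructed interface lists (what "ip -o link" would show, names only).
LINKS_3_0='lo
peth0
eth0
xenbr0
vif0.0
vif1.0'

LINKS_3_2='lo
peth0
eth0
vif1.0'

# Constructed iptables-save output written for the Xen 3.0 layout:
# Dom0 filtered on eth0 (INPUT), DomU traffic filtered on xenbr0 (FORWARD).
RULES_3_0='*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT
-A FORWARD -i xenbr0 -o xenbr0 -p tcp --dport 80 -j ACCEPT
-A FORWARD -i xenbr0 -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT'

# Print each interface named by a short -i/-o option in iptables-save output.
rule_ifaces() {
    printf '%s\n' "$1" | grep -oE -- '-[io] [^ ]+' | cut -d' ' -f2 | sort -u
}

# Print the referenced interfaces that are absent from the link list.
# With the 3.2 layout the xenbr0 FORWARD rules match nothing: under a DROP
# policy every DomU loses connectivity, under ACCEPT it is left unfiltered.
missing_ifaces() {
    for ifc in $(rule_ifaces "$1"); do
        printf '%s\n' "$2" | grep -qx -- "$ifc" || echo "$ifc"
    done
}

missing_ifaces "$RULES_3_0" "$LINKS_3_2"   # prints: xenbr0
```

Run it against the real host with `iptables-save` and `ip -o link | cut -d' ' -f2 | tr -d :` in place of the constructed strings.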






Bug#550692: [Pkg-xen-devel] Bug#550692: Script network-bridge in lenny may break network/firewall configuration

2009-10-12 Thread Bastian Blank
On Mon, Oct 12, 2009 at 11:33:20AM +0200, Daniel Lutz wrote:
> We used the script network-bridge on our Xen servers based on etch
> (xen-utils-common 3.0.3-0-2)
> to setup bridge configuration.

Don't use this script if you have special needs. See
/usr/share/doc/bridge-utils/ how to do that the Debian way.

> I think this change of configuration by the new scripts might break
> firewalling rules of
> other people, too. So there should be a way to re-activate the old behaviour
> of the scripts,
> or get a smooth transition to the new way of configuration.

It is documented in the changelog and follows upstream.

Bastian

-- 
One does not thank logic.
-- Sarek, Journey to Babel, stardate 3842.4


