Package: xen-utils-common
Version: 3.2.0-2
Hello
We used the script network-bridge on our Xen servers based on etch
(xen-utils-common 3.0.3-0-2)
to setup bridge configuration. This script created a bridge xenbr0, renamed
eth0 to peth0,
renamed veth0 to eth0 and added peth0 and vif0.0 to the bridge.
For firewalling, we had to create rules to filter on xenbr0 (FORWARD) and
eth0 (INPUT/OUTPUT).
The resulting configuration is as follows:
peth0 -- Bridge xenbr0 -- vifx.x/eth0 (DomU)
^
|
v
vif0.0/eth0
Dom0
Since XEN 3.2, the script network-bridge creates a bridge eth0 instead of
xenbr0
and doesn't use vif0.0/veth0 anymore. That is, eth0 is now a bridge and
an interface
for Dom0 in one. This behaviour breaks our firewall rules.
The resulting configuration is as follows:
peth0 -- Bridge eth0 -- vifx.x/eth0 (DomU)
Dom0
vif0.0, veth0: not used
As work-around, we still use the scripts network-bridge and
xen-network-common.sh
from XEN 3.0 to get back the old behaviour.
For firewalling, we use Shorewall. The setup and rules required for Shorewall
are described at http://shorewall.net/4.2/XenMyWay.html. This setup assumes
there's a bridge xenbr0 and an interface eth0 for Dom0, that is, it assumes
the behaviour from XEN 3.0.
I think this change of configuration by the new scripts might break firewalling
rules of
other people, too. So there should be a way to re-activiate the old behaviour
of the scripts,
or get a smooth transition to the new way of configuration.
A similar problem is described in Bug #511579
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=511579
And also here:
http://lists.xensource.com/archives/html/xen-users/2008-09/msg00261.html
https://systemausfall.org/wikis/howto/XenUpgrade3.2
Currently, we continue using the old network configuration scheme from XEN 3.0.
We might
consider to switch to the new configuration scheme in the future. We propose to
add
the old network-bridge scripts from XEN 3.0 as an alternative to the new
configuration
scheme (e. g. named network-bridge-3.0, xen-network-common-3.0.sh).
Regards,
Daniel Lutz
--
-- Daniel Lutz
-- Logintas AG, Sonnhaldenstrasse 87, CH-6331 Hünenberg, +41 41 783 21 21
--
To UNSUBSCRIBE, email to debian-bugs-dist-requ...@lists.debian.org
with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org