diff -rup xen-3.0.5-testing.hg-rc2-14889/tools/examples/network-bridge xen-3.0.5-testing.hg-rc2-14889.new/tools/examples/network-bridge
--- xen-3.0.5-testing.hg-rc2-14889/tools/examples/network-bridge 2007-04-23 19:21:23.000000000 -0400
+++ xen-3.0.5-testing.hg-rc2-14889.new/tools/examples/network-bridge 2007-04-26 11:14:10.000000000 -0400
@@ -5,9 +5,10 @@
 # The script name to use is defined in /etc/xen/xend-config.sxp
 # in the network-script field.
 #
-# This script creates a bridge (default xenbr${vifnum}), adds a device
-# (default eth${vifnum}) to it, copies the IP addresses from the device
-# to the bridge and adjusts the routes accordingly.
+# This script creates a bridge (default ${netdev}), adds a device
+# (defaults to the device on the default gateway route) to it, copies
+# the IP addresses from the device to the bridge and adjusts the routes
+# accordingly.
 #
 # If all goes well, this should ensure that networking stays up.
 # However, some configurations are upset by this, especially
@@ -20,31 +21,27 @@
 #
 # Vars:
 #
-# vifnum Virtual device number to use (default 0). Numbers >=8
-# require the netback driver to have nloopbacks set to a
-# higher value than its default of 8.
-# bridge The bridge to use (default xenbr${vifnum}).
-# netdev The interface to add to the bridge (default eth${vifnum}).
+# bridge The bridge to use (default ${netdev}).
+# netdev The interface to add to the bridge (default gateway device).
 # antispoof Whether to use iptables to prevent spoofing (default no).
 #
 # Internal Vars:
 # pdev="p${netdev}"
-# vdev="veth${vifnum}"
-# vif0="vif0.${vifnum}"
+# tdev=tmpbridge
 #
 # start:
-# Creates the bridge
-# Copies the IP and MAC addresses from netdev to vdev
+# Creates the bridge as tdev
+# Copies the IP and MAC addresses from pdev to bridge
 # Renames netdev to be pdev
-# Renames vdev to be netdev
-# Enslaves pdev, vdev to bridge
+# Renames tdev to bridge
+# Enslaves pdev to bridge
 #
 # stop:
-# Removes netdev from the bridge
-# Transfers addresses, routes from netdev to pdev
-# Renames netdev to vdev
+# Removes pdev from the bridge
+# Transfers addresses, routes from bridge to pdev
+# Renames bridge to tdev
 # Renames pdev to netdev
-# Deletes bridge
+# Deletes tdev
 #
 # status:
 # Print addresses, interfaces, routes
@@ -59,15 +56,13 @@ dir=$(dirname "$0")
 findCommand "$@"
 evalVariables "$@"
-vifnum=${vifnum:-$(ip route list | awk '/^default / { print $NF }' | sed 's/^[^0-9]*//')}
-vifnum=${vifnum:-0}
-bridge=${bridge:-xenbr${vifnum}}
-netdev=${netdev:-eth${vifnum}}
+netdev=${netdev:-$(ip route list | awk '/^default / { print $NF }' |
+ sed 's/.* dev //')}
+bridge=${bridge:-${netdev}}
 antispoof=${antispoof:-no}
 pdev="p${netdev}"
-vdev="veth${vifnum}"
-vif0="vif0.${vifnum}"
+tdev=tmpbridge
 get_ip_info() {
 addr_pfx=`ip addr show dev $1 | egrep '^ *inet' | sed -e 's/ *inet //' -e 's/ .*//'`
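Review bot: The new `netdev` default prints `$NF` of the default-route line and then pipes it through `sed 's/.* dev //'`, but `$NF` is a single token with no spaces, so the sed never matches and the result is only right when the device happens to be the last field of that line; a route whose last field is some other attribute (`metric`, `src`, `scope`), a host with more than one default route, or a host with none, yields a wrong, multi-line or empty `netdev`, and the old `vifnum=${vifnum:-0}` fallback that caught the empty case is gone. Because `bridge` and `pdev` are derived from it, an empty value reaches the `ip link set ... name` calls later in the script with empty names. Suggest taking the token after `dev` and refusing to continue on an empty result: `netdev=${netdev:-$(ip route list | awk '/^default / { for (i = 1; i < NF; i++) if ($i == "dev") { print $(i+1); exit } }')}` followed by `[ -n "$netdev" ] || { echo "network-bridge: cannot determine netdev (no default route); pass netdev=" >&2; exit 1; }`.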
@@ -157,7 +152,6 @@ antispoofing () {
 iptables -P FORWARD DROP
 iptables -F FORWARD
 iptables -A FORWARD -m physdev --physdev-in ${pdev} -j ACCEPT
- iptables -A FORWARD -m physdev --physdev-in ${vif0} -j ACCEPT
 }
 # Usage: show_status dev bridge
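Review bot: After this deletion `antispoofing` leaves FORWARD with policy DROP and a single ACCEPT for `--physdev-in ${pdev}`, so with `antispoof=yes` nothing in this script admits frames arriving from guest vifs; elsewhere in the same patch the `handle_iptable` call is dropped from vif-bridge and create_bridge starts writing `net.bridge.bridge-nf-call-iptables=0`, so the per-vif rules that could have filled the gap are no longer installed and bridged traffic stops reaching FORWARD at all. As it stands the option either silently does nothing (bridge-nf off) or, where bridge-nf is still on, drops all guest traffic. I would expect the function to re-enable the hook its rules depend on, e.g. `sysctl -q -w net.bridge.bridge-nf-call-iptables=1` before `iptables -P FORWARD DROP`, plus a comment stating that per-vif ACCEPT/anti-spoof rules must now come from the vif script. The start of `antispoofing ()` is outside the hunk.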
@@ -184,53 +178,27 @@ op_start () {
 fi
 if link_exists "$pdev"; then
- # The device is already up.
- return
- fi
- if link_exists veth0 && ! link_exists "$vdev"; then
- echo "
-Link $vdev is missing.
-This may be because you have reached the limit of the number of interfaces
-that the loopback driver supports. If the loopback driver is a module, you
-may raise this limit by passing it as a parameter (nloopbacks=); if the
-driver is compiled statically into the kernel, then you may set the parameter
-using netloop.nloopbacks= on the domain 0 kernel command line.
-" >&2
- exit 1
+ # The device is already up.
+ return
 fi
- create_bridge ${bridge}
+ create_bridge ${tdev}
- if link_exists "$vdev"; then
- mac=`ip link show ${netdev} | grep 'link\/ether' | sed -e 's/.*ether \(..:..:..:..:..:..\).*/\1/'`
- preiftransfer ${netdev}
- transfer_addrs ${netdev} ${vdev}
- if ! ifdown ${netdev}; then
- # If ifdown fails, remember the IP details.
- get_ip_info ${netdev}
- ip link set ${netdev} down
- ip addr flush ${netdev}
- fi
- ip link set ${netdev} name ${pdev}
- ip link set ${vdev} name ${netdev}
-
- setup_bridge_port ${pdev}
- setup_bridge_port ${vif0}
- ip link set ${netdev} addr ${mac} arp on
-
- ip link set ${bridge} up
- add_to_bridge ${bridge} ${vif0}
- add_to_bridge2 ${bridge} ${pdev}
- do_ifup ${netdev}
- else
- ip link set ${bridge} arp on
- ip link set ${bridge} multicast on
- # old style without ${vdev}
- transfer_addrs ${netdev} ${bridge}
- transfer_routes ${netdev} ${bridge}
- # Attach the real interface to the bridge.
- add_to_bridge ${bridge} ${netdev}
+ preiftransfer ${netdev}
+ transfer_addrs ${netdev} ${tdev}
+ if ! ifdown ${netdev}; then
+ # If ifdown fails, remember the IP details.
+ get_ip_info ${netdev}
+ ip link set ${netdev} down
+ ip addr flush ${netdev}
 fi
+ ip link set ${netdev} name ${pdev}
+ ip link set ${tdev} name ${bridge}
+
+ setup_bridge_port ${pdev}
+
+ add_to_bridge2 ${bridge} ${pdev}
+ do_ifup ${bridge}
 if [ ${antispoof} = 'yes' ] ; then
 antispoofing
@@ -245,31 +213,21 @@ op_stop () {
 return
 fi
- if link_exists "$pdev"; then
- ip link set dev ${vif0} down
- mac=`ip link show ${netdev} | grep 'link\/ether' | sed -e 's/.*ether \(..:..:..:..:..:..\).*/\1/'`
- transfer_addrs ${netdev} ${pdev}
- if ! ifdown ${netdev}; then
- get_ip_info ${netdev}
- fi
- ip link set ${netdev} down arp off
- ip link set ${netdev} addr fe:ff:ff:ff:ff:ff
- ip link set ${pdev} down
- ip addr flush ${netdev}
- ip link set ${pdev} addr ${mac} arp on
-
- brctl delif ${bridge} ${pdev}
- brctl delif ${bridge} ${vif0}
- ip link set ${bridge} down
-
- ip link set ${netdev} name ${vdev}
- ip link set ${pdev} name ${netdev}
- do_ifup ${netdev}
- else
- transfer_routes ${bridge} ${netdev}
- ip link set ${bridge} down
+ transfer_addrs ${bridge} ${pdev}
+ if ! ifdown ${bridge}; then
+ get_ip_info ${bridge}
 fi
- brctl delbr ${bridge}
+ ip link set ${pdev} down
+ ip addr flush ${bridge}
+
+ brctl delif ${bridge} ${pdev}
+ ip link set ${bridge} down
+
+ ip link set ${bridge} name ${tdev}
+ ip link set ${pdev} name ${netdev}
+ do_ifup ${netdev}
+
+ brctl delbr ${tdev}
 }
 # adds $dev to $bridge but waits for $dev to be in running state first
Only in xen-3.0.5-testing.hg-rc2-14889.new/tools/examples: network-bridge~
diff -rup xen-3.0.5-testing.hg-rc2-14889/tools/examples/vif-bridge xen-3.0.5-testing.hg-rc2-14889.new/tools/examples/vif-bridge
--- xen-3.0.5-testing.hg-rc2-14889/tools/examples/vif-bridge 2007-04-23 19:21:23.000000000 -0400
+++ xen-3.0.5-testing.hg-rc2-14889.new/tools/examples/vif-bridge 2007-04-26 11:06:37.000000000 -0400
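Review bot: `create_bridge ${tdev}` uses the fixed name `tmpbridge` and the only early exit above it is `link_exists "$pdev"`, so if an earlier run died between creating `tmpbridge` and renaming it to `${bridge}`, the next start finds no `${pdev}` and proceeds against whatever the leftover device holds (create_bridge's behaviour for an already-existing name is outside this hunk); the later `ip link set ${netdev} name ${pdev}` and `ip link set ${tdev} name ${bridge}` are also unchecked, and a failure of the second one leaves the host with its NIC renamed away and its addresses already flushed. Suggest guarding the temporary name before use: `if link_exists "$tdev"; then echo "network-bridge: $tdev already exists, refusing to start" >&2; exit 1; fi`, and appending `|| exit 1` to the two renames. `op_start ()` begins before the hunk.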
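Review bot: The teardown runs `ip link set ${bridge} name ${tdev}` and then `ip link set ${pdev} name ${netdev}` without checking either; if the first fails (for instance because the preceding `ip link set ${bridge} down` did not take effect) the second fails on a name clash, `do_ifup ${netdev}` then configures the still-named bridge (with the default `bridge=${netdev}`), and `brctl delbr ${tdev}` fails on a missing device, leaving a half-torn-down state that the guards at the top of op_stop (outside this hunk) are unlikely to recognise on the next run. Suggest chaining the two renames and failing loudly: `ip link set ${bridge} name ${tdev} && ip link set ${pdev} name ${netdev} || { echo "network-bridge: failed to restore ${netdev}" >&2; exit 1; }`. The beginning of `op_stop ()` is outside the hunk.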
@@ -44,6 +44,32 @@ then
 then
 fatal "Could not find bridge, and none was specified"
 fi
+else
+ #
+ # Old style bridge setup with netloop, used to have a bridge name
+ # of xenbrX, enslaving pethX and vif0.X, and then configuring
+ # eth0.
+ #
+ # New style bridge setup does not use netloop, so the bridge name
+ # is ethX and the physical device is enslaved pethX
+ #
+ # So if...
+ #
+ # - User asks for xenbrX
+ # - AND xenbrX doesn't exist
+ # - AND there is a ethX device which is a bridge
+ #
+ # ..then we translate xenbrX to ethX
+ #
+ # This lets old config files work without modification
+ #
+ if [ ! -e "/sys/class/net/$bridge" ] && [ "${bridge:0:5}" == "xenbr" ]
+ then
+ if [ -e "/sys/class/net/eth${bridge:5}/bridge" ]
+ then
+ bridge="eth${bridge:5}"
+ fi
+ fi
 fi
 RET=0
@@ -65,10 +91,8 @@ case "$command" in
 ;;
 esac
-handle_iptable
-
 log debug "Successful vif-bridge $command for $vif, bridge $bridge."
-if [ "$command" = "online" ]
+if [ "$command" == "online" ]
 then
 success
 fi
diff -rup xen-3.0.5-testing.hg-rc2-14889/tools/examples/xend-config.sxp xen-3.0.5-testing.hg-rc2-14889.new/tools/examples/xend-config.sxp
--- xen-3.0.5-testing.hg-rc2-14889/tools/examples/xend-config.sxp 2007-04-26 11:06:17.000000000 -0400
+++ xen-3.0.5-testing.hg-rc2-14889.new/tools/examples/xend-config.sxp 2007-04-26 11:06:37.000000000 -0400
@@ -118,9 +118,7 @@
 ##
 # To bridge network traffic, like this:
 #
-# dom0: fake eth0 -> vif0.0 -+
-# |
-# bridge -> real eth0 -> the network
+# dom0: ----------------- bridge -> real eth0 -> the network
 # |
 # domU: fake eth0 -> vifN.0 -+
 #
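Review bot: The compatibility block maps `xenbrX` only to `ethX`, but the new network-bridge defaults `bridge` to whatever device carries the default route, so a host bridging `bond0` or `wlan0` still ends up with `xenbr0` here and nothing in this hunk reports that the name does not exist; it also relies on `${bridge:0:5}` and `==` inside `[ ]`, which require bash and will misbehave under a POSIX `/bin/sh` (the shebang is not visible here). Suggest falling through to an explicit failure when the translated name is absent too, `[ -e "/sys/class/net/$bridge" ] || fatal "Bridge $bridge does not exist"`, and using `case "$bridge" in xenbr*) ... esac` with `${bridge#xenbr}` for the prefix test so the script stays shell-portable. The enclosing `if` starts before the hunk.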
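Review bot: Dropping the `handle_iptable` call removes the per-vif iptables handling on `online`/`offline` without any replacement in this file (its body is not in the diff), so the `antispoof` option in network-bridge, whose FORWARD policy is DROP with an ACCEPT only for the physical port, loses whatever rules used to admit and filter guest vifs; if the intent is that bridged guest traffic no longer traverses the host tables, that belongs in a comment here and in the `antispoof` documentation rather than being left implicit. The `=` to `==` change in `if [ "$command" == "online" ]` is a gratuitous bashism inside `[ ]`; `=` is the POSIX form and was already correct. I would keep `if [ "$command" = "online" ]` and add above the log line: `# per-vif iptables rules are no longer managed here; bridged traffic bypasses the host tables (see create_bridge)`.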
@@ -143,6 +141,13 @@
 # yourself a wrapper script, and call network-bridge from it, as appropriate.
 #
 (network-script network-bridge)
+#### LAPTOP USERS ! #####
+# For laptops, or machines where network interfaces come/go on-the-fly,
+# or are otherwise managed by NetworkManager, comment out the above line.
+# Then, uncomment the line below, and use libvirt's virtual networking
+# capability which sets up a isolated bridge + NAT forwarding
+#(network-script /bin/true)
+#### LAPTOP USERS ! #####
 # The script used to control virtual interfaces. This can be overridden on a
 # per-vif basis when creating a domain or a configuring a new vif. The
@@ -162,12 +167,14 @@
 ## Use the following if network traffic is routed, as an alternative to the
 # settings for bridged networking given above.
+# NB: Obsolete. See note above for LAPTOP USERS
 #(network-script network-route)
 #(vif-script vif-route)
 ## Use the following if network traffic is routed with NAT, as an alternative
 # to the settings for bridged networking given above.
+# NB: Obsolete. See note above for LAPTOP USERS
 #(network-script network-nat)
 #(vif-script vif-nat)
diff -rup xen-3.0.5-testing.hg-rc2-14889/tools/examples/xen-network-common.sh xen-3.0.5-testing.hg-rc2-14889.new/tools/examples/xen-network-common.sh
--- xen-3.0.5-testing.hg-rc2-14889/tools/examples/xen-network-common.sh 2007-04-23 19:21:23.000000000 -0400
+++ xen-3.0.5-testing.hg-rc2-14889.new/tools/examples/xen-network-common.sh 2007-04-26 11:06:37.000000000 -0400
@@ -90,8 +90,6 @@ find_dhcpd_init_file()
 }
 # configure interfaces which act as pure bridge ports:
-# - make quiet: no arp, no multicast (ipv6 autoconf)
-# - set mac address to fe:ff:ff:ff:ff:ff
 setup_bridge_port() {
 local dev="$1"
@@ -99,9 +97,6 @@ setup_bridge_port() {
 ip link set ${dev} down
 # ... and configure it
- ip link set ${dev} arp off
- ip link set ${dev} multicast off
- ip link set ${dev} addr fe:ff:ff:ff:ff:ff
 ip addr flush ${dev}
 }
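Review bot: `setup_bridge_port` no longer turns multicast off on the port, and the deleted header comment said that was what suppressed IPv6 autoconf, so `${pdev}` can now acquire a link-local IPv6 address and take part in neighbour discovery on the wire as a bare bridge port, alongside the bridge that inherits its MAC; dropping the fixed `fe:ff:ff:ff:ff:ff` address follows from the new design, but dropping `multicast off` looks incidental. If it is deliberate the header comment should say why; otherwise keep `ip link set ${dev} multicast off` after the `down`, with a comment `# keep the enslaved port quiet: no IPv6 autoconf on the bare NIC`. The `ip addr flush ${dev}` that remains only removes what is configured at that moment. The function starts outside the hunk.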
@@ -114,15 +109,14 @@ create_bridge () {
 brctl addbr ${bridge}
 brctl stp ${bridge} off
 brctl setfd ${bridge} 0
- ip link set ${bridge} arp off
- ip link set ${bridge} multicast off
+ # Setting these to zero stops guest<->LAN traffic
+ # traversing the bridge from hitting the *tables
+ # rulesets. guest<->host traffic still gets processed
+ # by the host's iptables rules so this isn't a hole
+ sysctl -q -w "net.bridge.bridge-nf-call-arptables=0"
+ sysctl -q -w "net.bridge.bridge-nf-call-ip6tables=0"
+ sysctl -q -w "net.bridge.bridge-nf-call-iptables=0"
 fi
-
- # A small MTU disables IPv6 (and therefore IPv6 addrconf).
- mtu=$(ip link show ${bridge} | sed -n 's/.* mtu \([0-9]\+\).*/\1/p')
- ip link set ${bridge} mtu 68
- ip link set ${bridge} up
- ip link set ${bridge} mtu ${mtu:-1500}
 }
 # Usage: add_to_bridge bridge dev
diff -rup xen-3.0.5-testing.hg-rc2-14889/tools/ioemu/target-i386-dm/qemu-ifup xen-3.0.5-testing.hg-rc2-14889.new/tools/ioemu/target-i386-dm/qemu-ifup
--- xen-3.0.5-testing.hg-rc2-14889/tools/ioemu/target-i386-dm/qemu-ifup 2007-04-23 19:21:23.000000000 -0400
+++ xen-3.0.5-testing.hg-rc2-14889.new/tools/ioemu/target-i386-dm/qemu-ifup 2007-04-26 11:06:37.000000000 -0400
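Review bot: The three `sysctl -w net.bridge.bridge-nf-call-*=0` writes are host-global, not per-bridge: they switch netfilter off for every bridge on dom0, including ones an administrator built with iptables/ebtables rules that depend on it, nothing in the op_stop hunk restores them, and they make the `antispoofing` rules in network-bridge (FORWARD DROP plus a physdev ACCEPT) invisible to guest<->LAN traffic, which is exactly the traffic `antispoof=yes` exists to police. The in-code claim that this "isn't a hole" holds only for host-terminated traffic and should say so. Suggest skipping the writes when anti-spoofing is requested and documenting the scope: `# host-wide setting; also affects bridges not managed by these scripts` above them, and `if [ "${antispoof:-no}" != 'yes' ]; then ... fi` around the three `sysctl` lines (`antispoof` is set by the calling network-bridge; a caller that does not set it keeps the behaviour introduced here). `create_bridge ()` starts before the hunk.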
@@ -5,5 +5,33 @@
 echo 'config qemu network with xen bridge for ' $*
+bridge=$2
+
+#
+# Old style bridge setup with netloop, used to have a bridge name
+# of xenbrX, enslaving pethX and vif0.X, and then configuring
+# eth0.
+#
+# New style bridge setup does not use netloop, so the bridge name
+# is ethX and the physical device is enslaved pethX
+#
+# So if...
+#
+# - User asks for xenbrX
+# - AND xenbrX doesn't exist
+# - AND there is a ethX device which is a bridge
+#
+# ..then we translate xenbrX to ethX
+#
+# This lets old config files work without modification
+#
+if [ ! -e "/sys/class/net/$bridge" ] && [ "${bridge:0:5}" == "xenbr" ]
+then
+ if [ -e "/sys/class/net/eth${bridge:5}/bridge" ]
+then
+ bridge="eth${bridge:5}"
+ fi
+fi
+
 ifconfig $1 0.0.0.0 up
-brctl addif $2 $1
+brctl addif $bridge $1
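Review bot: `brctl addif $bridge $1` is still unchecked, so when the xenbr-to-eth translation does not apply (no `ethX` bridge exists) the tap is brought up by `ifconfig $1 0.0.0.0 up` but attached to nothing and the script exits 0, leaving the guest with a dead NIC instead of a failed start; the variables are unquoted throughout, and this block duplicates the vif-bridge logic verbatim, so the two copies will drift. Suggest `brctl addif "$bridge" "$1" || { echo "qemu-ifup: cannot add $1 to bridge $bridge" >&2; exit 1; }` and a comment `# keep in sync with tools/examples/vif-bridge` (or source the shared helper if qemu-ifup can). Whether the device model treats a non-zero exit from this script as fatal is not visible here.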