From 167607f4718e1b4da154f33bdd115a47b7b83109 Mon Sep 17 00:00:00 2001
From: "David M. Johnson" <johnsond@flux.utah.edu>
Date: Tue, 18 Mar 2025 13:11:59 -0600
Subject: [PATCH] Fix Xen expt bridge forwarding with bridge-nf-call-iptables on newer dom0 kernels.

Something changed at Xen 4.16/Linux 5.15, where if the net.bridge.bridge-nf-call-iptables sysctl is enabled (which we do so that we can firewall/nat the control net bridge ifaces), iptables rules apply to the expt net bridges as well. This seems to be new behavior, because although we set the default global FORWARD chain policy to DROP, and do not create iptables rules for expt net bridges, in Xen 4.11/Linux 5.4, the bridge forwarded ip packets just fine. In Xen 4.16/Linux 5.15, this behavior has changed, and ip traffic is not forwarded unless we add this basic allow-all forwarding rule for each expt bridge.
---
 clientside/tmcc/linux/xen/libvnode_xen.pm | 34 +++++++++++++++++++++++
 1 file changed, 34 insertions(+)

diff --git a/clientside/tmcc/linux/xen/libvnode_xen.pm b/clientside/tmcc/linux/xen/libvnode_xen.pm
index b58c13e7bf..7d282a1f92 100644
--- a/clientside/tmcc/linux/xen/libvnode_xen.pm
+++ b/clientside/tmcc/linux/xen/libvnode_xen.pm
@@ -5098,6 +5098,27 @@ sub createExpBridges($$$)
 print STDERR "createExpBridges: could not ifconfig $brname\n";
 goto bad;
 }
+
+ #
+ # NB: something changed at Xen 4.16/Linux 5.15, where if the
+ # net.bridge.bridge-nf-call-iptables sysctl is enabled (which we
+ # do so that we can firewall/nat the control net bridge ifaces),
+ # iptables rules apply to the expt net bridges as well. This
+ # seems to be new behavior, because although we set the default
+ # global FORWARD chain policy to DROP, and do not create
+ # iptables rules for expt net bridges, in Xen 4.11/Linux 5.4,
+ # the bridge forwarded ip packets just fine. In Xen 4.16/Linux
+ # 5.15, this behavior has changed, and ip traffic is not
+ # forwarded unless we add the basic allow-all forwarding rule
+ # below.
+ #
+ my @rules = ("-I FORWARD -i $brname -o $brname -j ACCEPT");
+ TBDebugTimeStamp("createExpBridges: installing iptables expt forward-all rule");
+ if (DoIPtables(@rules)) {
+ TBDebugTimeStamp(" failed to install iptables rules");
+ goto bad;
+ }
+ TBDebugTimeStamp(" installed iptables expt forward-all rule");
 }
 # record bridge in use.
 $private->{'physbridges'}->{$brname} = $brname;
@@ -5176,6 +5197,19 @@ sub destroyExpBridges($$)
 delete($private->{'physbridges'}->{$brname}) if (! $?);
 }
+
+
+ #
+ # NB: remove expt bridge forward-all rule; see createExpBridges
+ # above.
+ #
+ my @rules = ("-D FORWARD -i $brname -o $brname -j ACCEPT");
+ TBDebugTimeStamp("createExpBridges: removing iptables expt forward-all rule");
+ if (DoIPtablesNoFail(@rules)) {
+ TBDebugTimeStamp(" failed to remove iptables expt forward-all rule");
+ } else {
+ TBDebugTimeStamp(" removed iptables expt forward-all rule");
+ }
 }
 }
 TBDebugTimeStamp(" releasing global lock")
-- GitLab
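Review bot: The `-I FORWARD -i $brname -o $brname -j ACCEPT` insert in createExpBridges is unconditional, so any path that reaches this point a second time for the same bridge name stacks duplicate ACCEPT entries at the head of FORWARD, while the single `-D` in destroyExpBridges later removes only one of them and leaves a stale accept for that bridge name behind. Probing first with `-C FORWARD -i $brname -o $brname -j ACCEPT` through DoIPtablesNoFail (iptables exits non-zero when the rule is absent, assuming DoIPtables passes its arguments straight through), or deleting before inserting, keeps the chain at exactly one entry per bridge. The `goto bad` on DoIPtables failure is right, but the hunk does not show whether the `bad:` cleanup removes rules already inserted for bridges set up on earlier iterations; if it does not, a failed createExpBridges leaves accept rules in place. The comment's "allow-all forwarding rule" overstates what the rule does: with `-i` and `-o` both set to the experiment bridge it only accepts frames that enter and leave that same bridge, which is exactly why it does not loosen the control-net filtering, and the comment should say so, e.g. `# Only intra-bridge traffic (-i and -o both $brname) is accepted; control-net rules are unaffected.`. createExpBridges begins before this hunk and its `bad:` label lies outside it.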
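Review bot: The log line in the removal block names the wrong function: `TBDebugTimeStamp("createExpBridges: removing iptables expt forward-all rule");` runs inside destroyExpBridges and should read `TBDebugTimeStamp("destroyExpBridges: removing iptables expt forward-all rule");`, otherwise the timestamped log attributes rule removal to bridge creation. The `-D FORWARD ...` call removes one matching entry only, so if creation ever inserted the rule more than once for this bridge name the remaining copies survive and keep accepting traffic for any later bridge that reuses the name; repeating the delete until DoIPtablesNoFail reports failure would drain them. The removal also sits after the block that deletes the bridge (`delete(...) if (! $?)`) and runs whether or not that deletion succeeded, a condition the hunk does not show; if the bridge can remain up on that path, its forwarding silently stops while the bridge itself persists. The two leading blank `+` lines are one more than the matching block in createExpBridges uses. destroyExpBridges continues outside the hunk.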