remove allow_bridge_route setting

Not needed for the new network model with the additional bridge.
Dietmar Maurer 2014-05-06 11:12:21 +02:00
parent 9e553e576b
commit fb8f4a70bb
6 changed files with 11 additions and 153 deletions

52
debian/README vendored

@ -84,51 +84,13 @@ There are a number of restrictions when using iptables to filter
bridged traffic. The physdev match feature does not work correctly bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge: when traffic is routed from host to bridge:
* when a packet being sent through a bridge entered the firewall on another interface * when a packet being sent through a bridge entered the firewall on
and was being forwarded to the bridge. another interface and was being forwarded to the bridge.
* when a packet originating on the firewall itself is being sent through a bridge. * when a packet originating on the firewall itself is being sent through
a bridge.
So we disable the firewall if we detect such case (bridge with assigned IP address). We use a second bridge for each interface to avoid above problem.
You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".
The correct workaround is to remove the IP address from the bridge device, and
use a veth device which is plugged into the bridge:
---/etc/network/interfaces----
...
auto vmbr0
iface vmbr0 inet manual
bridge_ports bond0
bridge_stp off
bridge_fd 0
# this create the veth device and plug it into vmbr0
auto pm0
iface pm0 inet static
address 192.168.10.10
netmask 255.255.255.0
gateway 192.168.10.1
VETH_BRIDGETO vmbr0
auto vmbr1
iface vmbr1 inet manual
bridge_ports none
bridge_stp off
bridge_fd 0
# setup masqueraded bridge port vmbr1/pm1 using pm0
# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
auto pm1
iface pm1 inet static
address 10.10.10.1
netmask 255.255.255.0
VETH_BRIDGETO vmbr1
VETH_MASQUERADE pm0
...
--------------------------------
eth0-->vmbr0<--tapXiY (non firewalled tap)
<--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)


@ -14,11 +14,6 @@ nf_conntrack_max: 196608
# reduce conntrack established timeout (default is 432000 - 5days) # reduce conntrack established timeout (default is 432000 - 5days)
nf_conntrack_tcp_timeout_established: 7875 nf_conntrack_tcp_timeout_established: 7875
# Enable firewall when bridges contains IP address.
# The firewall is not fully functional in that case, so
# you need to enable that explicitly
allow_bridge_route: 1
# disable SMURFS filter # disable SMURFS filter
nosmurfs: 0 nosmurfs: 0

61
debian/ifupdown.sh vendored

@ -1,61 +0,0 @@
#!/bin/sh
# create a VETH device and plug it into bridge ${IF_VETH_BRIDGETO}
if [ -z "${IF_VETH_BRIDGETO}" ]; then
exit 0
fi
if [ ! -x /sbin/brctl ]
then
exit 0
fi
if [ "${MODE}" = "start" ]; then
case "$PHASE" in
pre-up)
test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
ip link set "${IFACE}peer" up || exit 1
brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
;;
post-up)
test -n "${IF_VETH_MASQUERADE}" || exit 0
if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
iptables -t raw -A PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
iptables -t nat -A POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
else
echo "unable to setup VETH_MASQUERADE - no address/network"
exit 0
fi
;;
esac
elif [ "${MODE}" = "stop" ]; then
case "$PHASE" in
post-down)
brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
ip link set "${IFACE}peer" down || exit 1
ip link del "${IFACE}" || exit 1
;;
pre-down)
test -n "${IF_VETH_MASQUERADE}" || exit 0
if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
iptables -t raw -D PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
iptables -t raw -D PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
iptables -t nat -D POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
fi
;;
esac
fi
exit 0

1
debian/install vendored

@ -1 +0,0 @@
debian/ifupdown.sh usr/share/pve-firewall/scripts

4
debian/links vendored

@ -1,4 +0,0 @@
usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-up.d/pve-firewall
usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-down.d/pve-firewall
usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-pre-up.d/pve-firewall
usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-post-down.d/pve-firewall


@ -1402,13 +1402,10 @@ sub ruleset_addlog {
} }
sub generate_bridge_chains { sub generate_bridge_chains {
my ($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config) = @_; my ($ruleset, $hostfw_conf, $bridge, $bridges_config) = @_;
my $options = $hostfw_conf->{options} || {}; my $options = $hostfw_conf->{options} || {};
die "error: detected direct route to bridge '$bridge'\n"
if !$options->{allow_bridge_route} && $routing_table->{$bridge};
if (!ruleset_chain_exist($ruleset, "$bridge-FW")) { if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
ruleset_create_chain($ruleset, "$bridge-FW"); ruleset_create_chain($ruleset, "$bridge-FW");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW"); ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW");
@ -1913,7 +1910,7 @@ sub parse_hostfw_option {
my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog"; my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
if ($line =~ m/^(enable|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) { if ($line =~ m/^(enable|nosmurfs|tcpflags|optimize):\s*(0|1)\s*$/i) {
$opt = lc($1); $opt = lc($1);
$value = int($2); $value = int($2);
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) { } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
@ -2519,34 +2516,6 @@ sub read_pvefw_status {
return $status; return $status;
} }
# fixme: move to pve-common PVE::ProcFSTools
sub read_proc_net_route {
my $filename = "/proc/net/route";
my $res = {};
my $fh = IO::File->new ($filename, "r");
return $res if !$fh;
my $int_to_quad = sub {
return join '.' => map { ($_[0] >> 8*(3-$_)) % 256 } (3, 2, 1, 0);
};
while (defined(my $line = <$fh>)) {
next if $line =~/^Iface\s+Destination/; # skip head
my ($iface, $dest, $gateway, $metric, $mask, $mtu) = (split(/\s+/, $line))[0,1,2,6,7,8];
push @{$res->{$iface}}, {
dest => &$int_to_quad(hex($dest)),
gateway => &$int_to_quad(hex($gateway)),
mask => &$int_to_quad(hex($mask)),
metric => $metric,
mtu => $mtu,
};
}
return $res;
}
sub load_clusterfw_conf { sub load_clusterfw_conf {
my $cluster_conf = {}; my $cluster_conf = {};
@ -2639,8 +2608,6 @@ sub compile {
my $vmdata = read_local_vm_config(); my $vmdata = read_local_vm_config();
my $vmfw_configs = read_vm_firewall_configs($vmdata); my $vmfw_configs = read_vm_firewall_configs($vmdata);
my $routing_table = read_proc_net_route();
my $bridges_config = read_bridges_config(); my $bridges_config = read_bridges_config();
my $ipset_ruleset = {}; my $ipset_ruleset = {};
@ -2694,7 +2661,7 @@ sub compile {
$bridge .= "v$net->{tag}" if $net->{tag}; $bridge .= "v$net->{tag}" if $net->{tag};
generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config); generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $bridges_config);
my $macaddr = $net->{macaddr}; my $macaddr = $net->{macaddr};
generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr, generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
@ -2728,7 +2695,7 @@ sub compile {
next; # fixme? next; # fixme?
} }
generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config); generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $bridges_config);
my $macaddr = $d->{mac}; my $macaddr = $d->{mac};
my $iface = $d->{host_ifname}; my $iface = $d->{host_ifname};
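Review bot: The tightened option regex `if ($line =~ m/^(enable|nosmurfs|tcpflags|optimize):\s*(0|1)\s*$/i)` in parse_hostfw_option drops `allow_bridge_route`, so a host.fw that still carries the line the old README told users to add no longer matches here; what happens to that line depends on the fallthrough of parse_hostfw_option, which ends outside the hunk, and if that fallthrough dies the upgrade turns a now-meaningless setting into a firewall config load failure. A transitional branch that recognises the key and ignores it with a warning, e.g. `} elsif ($line =~ m/^allow_bridge_route:\s*(0|1)\s*$/i) {` followed by a `warn "ignoring obsolete option 'allow_bridge_route'\n";`, would keep existing configs loading until they are cleaned up. In generate_bridge_chains, `my $options = $hostfw_conf->{options} || {};` was read only by the removed die within the hunk; if nothing later in the sub, which continues past the hunk, uses it, the declaration is now dead. The physdev rule `ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW");` still carries the restriction the removed check guarded against, so a host that has not yet moved to the additional-bridge layout would get rules that silently fail to match instead of an error; a one-line comment above that call stating that the per-interface firewall bridge is a precondition would record the assumption.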