remove allow_bridge_route setting

Not needed for new network model with additional bridge.
2025-10-04 07:00:55 +00:00 · 2014-05-06 11:12:21 +02:00 · 2014-05-06 11:12:21 +02:00 · fb8f4a70bb
commit fb8f4a70bb
parent 9e553e576b
6 changed files with 11 additions and 153 deletions
--- a/debian/README
+++ b/debian/README
@ -84,51 +84,13 @@ There are a number of restrictions when using iptables to filter
 bridged traffic. The physdev match feature does not work correctly
 when traffic is routed from host to bridge:

-  * when a packet being sent through a bridge entered the firewall on another interface 
-    and was being forwarded to the bridge.
+  * when a packet being sent through a bridge entered the firewall on 
+    another interface and was being forwarded to the bridge.

-  * when a packet originating on the firewall itself is being sent through a bridge.
+  * when a packet originating on the firewall itself is being sent through 
+    a bridge.

-So we disable the firewall if we detect such case (bridge with assigned IP address).
-You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".
-
-The correct workaround is to remove the IP address from the bridge device, and
-use a veth device which is plugged into the bridge:
-
---/etc/network/interfaces----
-
-...
-
-auto vmbr0
-iface vmbr0 inet manual
-	bridge_ports bond0
-	bridge_stp off
-	bridge_fd 0
-
-# this create the veth device and plug it into vmbr0
-auto pm0
-iface pm0 inet static
-	address  192.168.10.10
-	netmask  255.255.255.0
-	gateway  192.168.10.1
-	VETH_BRIDGETO vmbr0
-
-auto vmbr1
-iface vmbr1 inet manual
-      bridge_ports none
-      bridge_stp off
-      bridge_fd 0
-
-# setup masqueraded bridge port vmbr1/pm1 using pm0
-# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone) 
-auto pm1
-iface pm1 inet static
-       address 10.10.10.1
-       netmask 255.255.255.0
-       VETH_BRIDGETO vmbr1
-       VETH_MASQUERADE pm0
-
-...
-
--------------------------------
+We use a second bridge for each interface to avoid above problem.

+eth0-->vmbr0<--tapXiY (non firewalled tap)
+            <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)
--- a/debian/example/host.fw
+++ b/debian/example/host.fw
@ -14,11 +14,6 @@ nf_conntrack_max: 196608
 # reduce conntrack established timeout (default is 432000 - 5days)
 nf_conntrack_tcp_timeout_established: 7875

-# Enable firewall when bridges contains IP address.
-# The firewall is not fully functional in that case, so
-# you need to enable that explicitly
-allow_bridge_route: 1
-
 # disable SMURFS filter
 nosmurfs: 0

--- a/debian/ifupdown.sh
+++ b/debian/ifupdown.sh
@ -1,61 +0,0 @@
-#!/bin/sh
-
-# create a VETH device and plug it into bridge ${IF_VETH_BRIDGETO}
-
-if [ -z "${IF_VETH_BRIDGETO}" ]; then
-    exit 0
-fi
-
-if [ ! -x /sbin/brctl ]
-then
-    exit 0
-fi
-
-if [ "${MODE}" = "start" ]; then
-    
-    case "$PHASE" in
-        pre-up)
- 
-	    test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
-	    ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
-	    ip link set "${IFACE}peer" up || exit 1
-	    brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
-	    ;;
-
-        post-up)
-	    test -n "${IF_VETH_MASQUERADE}" || exit 0
-	    if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then 
-		iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
-		iptables -t raw -A PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i  "${IF_VETH_BRIDGETO}" -j CT --zone 1
-		iptables -t nat -A POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o  "${IF_VETH_MASQUERADE}"  -j MASQUERADE
-	    else
-		echo "unable to setup VETH_MASQUERADE - no address/network"
-		exit 0
-	    fi
-	    ;;
-    esac
-  
-elif [ "${MODE}" = "stop" ]; then
-
-    case "$PHASE" in
-        post-down)
-  
-	    brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
-	    ip link set "${IFACE}peer" down || exit 1
-	    ip link del "${IFACE}" || exit 1
-	    ;;
-
-        pre-down)
-	    test -n "${IF_VETH_MASQUERADE}" || exit 0
-	    if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then 
-		iptables -t raw -D PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
-		iptables -t raw -D PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i  "${IF_VETH_BRIDGETO}" -j CT --zone 1
-		iptables -t nat -D POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o  "${IF_VETH_MASQUERADE}"  -j MASQUERADE
-	    fi
-	    ;;
-
-    esac
-
-fi
-
-exit 0
--- a/debian/install
+++ b/debian/install
@ -1 +0,0 @@
-debian/ifupdown.sh usr/share/pve-firewall/scripts
--- a/debian/links
+++ b/debian/links
@ -1,4 +0,0 @@
-usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-up.d/pve-firewall
-usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-down.d/pve-firewall
-usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-pre-up.d/pve-firewall
-usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-post-down.d/pve-firewall
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@ -1402,13 +1402,10 @@ sub ruleset_addlog {
 }

 sub generate_bridge_chains {
-    my ($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config) = @_;
+    my ($ruleset, $hostfw_conf, $bridge, $bridges_config) = @_;

    my $options = $hostfw_conf->{options} || {};

-    die "error: detected direct route to bridge '$bridge'\n"
-	if !$options->{allow_bridge_route} && $routing_table->{$bridge};
-
    if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
 	ruleset_create_chain($ruleset, "$bridge-FW");
 	ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW");
@ -1913,7 +1910,7 @@ sub parse_hostfw_option {

    my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";

-    if ($line =~ m/^(enable|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
+    if ($line =~ m/^(enable|nosmurfs|tcpflags|optimize):\s*(0|1)\s*$/i) {
 	$opt = lc($1);
 	$value = int($2);
    } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
@ -2519,34 +2516,6 @@ sub read_pvefw_status {
    return $status;
 }

-# fixme: move to pve-common PVE::ProcFSTools
-sub read_proc_net_route {
-    my $filename = "/proc/net/route";
-
-    my $res = {};
-
-    my $fh = IO::File->new ($filename, "r");
-    return $res if !$fh;
-
-    my $int_to_quad = sub {
-	return join '.' => map { ($_[0] >> 8*(3-$_)) % 256 } (3, 2, 1, 0);
-    };
-
-    while (defined(my $line = <$fh>)) {
-	next if $line =~/^Iface\s+Destination/; # skip head
-	my ($iface, $dest, $gateway, $metric, $mask, $mtu) = (split(/\s+/, $line))[0,1,2,6,7,8];
-	push @{$res->{$iface}}, {
-	    dest => &$int_to_quad(hex($dest)),
-	    gateway => &$int_to_quad(hex($gateway)),
-	    mask => &$int_to_quad(hex($mask)),
-	    metric => $metric,
-	    mtu => $mtu,
-	};
-    }
-
-    return $res;
-}
-
 sub load_clusterfw_conf {

    my $cluster_conf = {};
@ -2639,8 +2608,6 @@ sub compile {
    my $vmdata = read_local_vm_config();
    my $vmfw_configs = read_vm_firewall_configs($vmdata);

-    my $routing_table = read_proc_net_route();
-    
    my $bridges_config = read_bridges_config();

    my $ipset_ruleset = {};
@ -2694,7 +2661,7 @@ sub compile {

 	    $bridge .= "v$net->{tag}" if $net->{tag};

-	    generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config);
+	    generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $bridges_config);

 	    my $macaddr = $net->{macaddr};
 	    generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
@ -2728,7 +2695,7 @@ sub compile {
 		    next; # fixme?
 		}

-		generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config);
+		generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $bridges_config);

 		my $macaddr = $d->{mac};
 		my $iface = $d->{host_ifname};
				`@ -1 +0,0 @@`
				`debian/ifupdown.sh usr/share/pve-firewall/scripts`