+
+my $create_firewall_bridge_linux = sub {
+ my ($iface, $bridge) = @_;
+
+ my ($vmid, $devid) = &$parse_tap_devive_name($iface);
+ my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names_linux($vmid, $devid);
+
+ my $bridgemtu = &$read_bridge_mtu($bridge);
+
+ &$cond_create_bridge($fwbr);
+ &$activate_interface($fwbr);
+
+ copy_bridge_config($bridge, $fwbr);
+ # create veth pair
+ if (! -d "/sys/class/net/$vethfw") {
+ system("/sbin/ip link add name $vethfw type veth peer name $vethfwpeer mtu $bridgemtu") == 0 ||
+ die "can't create interface $vethfw\n";
+ }
+
+ # up vethpair
+ &$activate_interface($vethfw);
+ &$activate_interface($vethfwpeer);
+
+ &$bridge_add_interface($bridge, $vethfw);
+ &$bridge_add_interface($fwbr, $vethfwpeer);
+
+ return $fwbr;
+};
+
+my $cleanup_firewall_bridge_linux = sub {
+ my ($iface) = @_;
+
+ my ($vmid, $devid) = &$parse_tap_devive_name($iface);
+ my ($fwbr, $vethfw, $vethfwpeer) = &$compute_fwbr_names_linux($vmid, $devid);
+
+ # delete old vethfw interface
+ if (-d "/sys/class/net/$vethfw") {
+ run_command("/sbin/ip link delete dev $vethfw", outfunc => sub {}, errfunc => sub {});
+ }
+
+ # cleanup fwbr bridge
+ if (-d "/sys/class/net/$fwbr") {
+ run_command("/sbin/ip link set dev $fwbr down", outfunc => sub {}, errfunc => sub {});
+ run_command("/sbin/brctl delbr $fwbr", outfunc => sub {}, errfunc => sub {});
+ }
+};
+
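Review bot: The `system()` call that creates the veth pair and the three `run_command()` calls in `$cleanup_firewall_bridge_linux` each pass a single interpolated string, so the command can be parsed by a shell. Perl's one-argument `system` goes through `/bin/sh -c` as soon as the string contains a shell metacharacter. `$vethfw`, `$vethfwpeer` and `$fwbr` are derived from the caller-supplied `$iface`, and `$bridgemtu` comes from `$read_bridge_mtu`; those helpers are defined outside this hunk, so it cannot be confirmed here that they restrict the values to digits and interface-name characters. The list form removes the dependency on that validation: `system('/sbin/ip', 'link', 'add', 'name', $vethfw, 'type', 'veth', 'peer', 'name', $vethfwpeer, 'mtu', $bridgemtu) == 0 or die "can't create interface $vethfw\n";`. If `run_command` is the PVE::Tools helper, which accepts an array reference, the cleanup calls can use `run_command(['/sbin/ip', 'link', 'delete', 'dev', $vethfw], outfunc => sub {}, errfunc => sub {});`, and likewise for the `link set ... down` and `brctl delbr` calls.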