bridge_stp off
bridge_fd 0
-# setup masqueraded bridge port vmbr1/pm1
+# setup masqueraded bridge port vmbr1/pm1 using pm0
+# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
auto pm1
iface pm1 inet static
address 10.10.10.1
netmask 255.255.255.0
VETH_BRIDGETO vmbr1
- post-up iptables -t raw -A PREROUTING -s '10.10.10.0/24' -i vmbr1 -j CT --zone 1
- post-up iptables -t raw -A PREROUTING -d '10.10.10.0/24' -i vmbr1 -j CT --zone 1
- post-up iptables -t nat -A POSTROUTING -s '10.10.10.0/24' -o pm0 -j MASQUERADE
- post-down iptables -t nat -F POSTROUTING
- post-down iptables -t raw -F PREROUTING
+ VETH_MASQUERADE pm0
...
fi
if [ "${MODE}" = "start" ]; then
- test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
- ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
- ip link set "${IFACE}peer" up || exit 1
- brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
+
+ case "$PHASE" in
+ pre-up)
+
+ test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
+ ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
+ ip link set "${IFACE}peer" up || exit 1
+ brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
+ ;;
+
+ post-up)
+ test -n "${IF_VETH_MASQUERADE}" || exit 0
+ if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
+ iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t raw -A PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t nat -A POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
+ else
+ echo "unable to setup VETH_MASQUERADE - no address/network"
+ exit 0
+ fi
+ ;;
+ esac
+
elif [ "${MODE}" = "stop" ]; then
- brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
- ip link set "${IFACE}peer" down || exit 1
- ip link del "${IFACE}" || exit 1
+
+ case "$PHASE" in
+ post-down)
+
+ brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
+ ip link set "${IFACE}peer" down || exit 1
+ ip link del "${IFACE}" || exit 1
+ ;;
+
+ pre-down)
+ test -n "${IF_VETH_MASQUERADE}" || exit 0
+ if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
+ iptables -t raw -D PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t raw -D PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
+ iptables -t nat -D POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
+ fi
+ ;;
+
+ esac
+
fi
exit 0
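Review bot: The three iptables calls in the post-up branch carry no error handling, unlike the ip/brctl lines in pre-up that each end in `|| exit 1`, so if the CT --zone target is unavailable (the kernel requirement the example's comment now warns about) or the MASQUERADE rule fails, the veth comes up without its conntrack-zone isolation or NAT while ifup still reports success. Each rule should fail loudly: `iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1 || exit 1`, and the same `|| exit 1` on the second raw rule and on the nat POSTROUTING rule. Because `-A` is unconditional, a second ifup on the same interface appends duplicate rules and the single `-D` per rule in pre-down then leaves one copy behind; guarding each with `iptables -C <same rule> || iptables -A <same rule>` makes post-up idempotent. As a point of style, the `[ -n ... -a -n ... ]` test is clearer as two `[ ]` tests joined with `&&`, and the "unable to setup VETH_MASQUERADE" diagnostic belongs on stderr (`>&2`). The enclosing if/elif begins inside the hunk but the surrounding script continues above it.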
+usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-up.d/pve-firewall
+usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-down.d/pve-firewall
usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-pre-up.d/pve-firewall
usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-post-down.d/pve-firewall