bridged traffic. The physdev match feature does not work correctly
when traffic is routed from host to bridge:
- * when a packet being sent through a bridge entered the firewall on another interface
- and was being forwarded to the bridge.
+ * when a packet being sent through a bridge entered the firewall on
+ another interface and was being forwarded to the bridge.
- * when a packet originating on the firewall itself is being sent through a bridge.
+ * when a packet originating on the firewall itself is being sent through
+ a bridge.
-So we disable the firewall if we detect such case (bridge with assigned IP address).
-You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw".
-
-The correct workaround is to remove the IP address from the bridge device, and
-use a veth device which is plugged into the bridge:
-
----/etc/network/interfaces----
-
-...
-
-auto vmbr0
-iface vmbr0 inet manual
- bridge_ports bond0
- bridge_stp off
- bridge_fd 0
-
-# this create the veth device and plug it into vmbr0
-auto pm0
-iface pm0 inet static
- address 192.168.10.10
- netmask 255.255.255.0
- gateway 192.168.10.1
- VETH_BRIDGETO vmbr0
-
-auto vmbr1
-iface vmbr1 inet manual
- bridge_ports none
- bridge_stp off
- bridge_fd 0
-
-# setup masqueraded bridge port vmbr1/pm1 using pm0
-# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone)
-auto pm1
-iface pm1 inet static
- address 10.10.10.1
- netmask 255.255.255.0
- VETH_BRIDGETO vmbr1
- VETH_MASQUERADE pm0
-
-...
-
---------------------------------
+We use a second bridge for each interface to avoid above problem.
+eth0-->vmbr0<--tapXiY (non firewalled tap)
+ <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap)
+++ /dev/null
-#!/bin/sh
-
-# create a VETH device and plug it into bridge ${IF_VETH_BRIDGETO}
-
-if [ -z "${IF_VETH_BRIDGETO}" ]; then
- exit 0
-fi
-
-if [ ! -x /sbin/brctl ]
-then
- exit 0
-fi
-
-if [ "${MODE}" = "start" ]; then
-
- case "$PHASE" in
- pre-up)
-
- test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
- ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
- ip link set "${IFACE}peer" up || exit 1
- brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
- ;;
-
- post-up)
- test -n "${IF_VETH_MASQUERADE}" || exit 0
- if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
- iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
- iptables -t raw -A PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
- iptables -t nat -A POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
- else
- echo "unable to setup VETH_MASQUERADE - no address/network"
- exit 0
- fi
- ;;
- esac
-
-elif [ "${MODE}" = "stop" ]; then
-
- case "$PHASE" in
- post-down)
-
- brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
- ip link set "${IFACE}peer" down || exit 1
- ip link del "${IFACE}" || exit 1
- ;;
-
- pre-down)
- test -n "${IF_VETH_MASQUERADE}" || exit 0
- if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
- iptables -t raw -D PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
- iptables -t raw -D PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
- iptables -t nat -D POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
- fi
- ;;
-
- esac
-
-fi
-
-exit 0
}
sub generate_bridge_chains {
- my ($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config) = @_;
+ my ($ruleset, $hostfw_conf, $bridge, $bridges_config) = @_;
my $options = $hostfw_conf->{options} || {};
- die "error: detected direct route to bridge '$bridge'\n"
- if !$options->{allow_bridge_route} && $routing_table->{$bridge};
-
if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
ruleset_create_chain($ruleset, "$bridge-FW");
ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW");
my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
- if ($line =~ m/^(enable|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable|nosmurfs|tcpflags|optimize):\s*(0|1)\s*$/i) {
$opt = lc($1);
$value = int($2);
} elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
return $status;
}
-# fixme: move to pve-common PVE::ProcFSTools
-sub read_proc_net_route {
- my $filename = "/proc/net/route";
-
- my $res = {};
-
- my $fh = IO::File->new ($filename, "r");
- return $res if !$fh;
-
- my $int_to_quad = sub {
- return join '.' => map { ($_[0] >> 8*(3-$_)) % 256 } (3, 2, 1, 0);
- };
-
- while (defined(my $line = <$fh>)) {
- next if $line =~/^Iface\s+Destination/; # skip head
- my ($iface, $dest, $gateway, $metric, $mask, $mtu) = (split(/\s+/, $line))[0,1,2,6,7,8];
- push @{$res->{$iface}}, {
- dest => &$int_to_quad(hex($dest)),
- gateway => &$int_to_quad(hex($gateway)),
- mask => &$int_to_quad(hex($mask)),
- metric => $metric,
- mtu => $mtu,
- };
- }
-
- return $res;
-}
-
sub load_clusterfw_conf {
my $cluster_conf = {};
my $vmdata = read_local_vm_config();
my $vmfw_configs = read_vm_firewall_configs($vmdata);
- my $routing_table = read_proc_net_route();
-
my $bridges_config = read_bridges_config();
my $ipset_ruleset = {};
$bridge .= "v$net->{tag}" if $net->{tag};
- generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config);
+ generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $bridges_config);
my $macaddr = $net->{macaddr};
generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
next; # fixme?
}
- generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config);
+ generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $bridges_config);
my $macaddr = $d->{mac};
my $iface = $d->{host_ifname};
projects / pve-firewall.git / commitdiff