From fb8f4a70bb759ffdf9dce4a1210b2b17b54ab3f5 Mon Sep 17 00:00:00 2001
From: Dietmar Maurer
Date: Tue, 6 May 2014 11:12:21 +0200
Subject: [PATCH] remove allow_bridge_route setting
Not needed for new network model with additional bridge.
---
debian/README | 52 +++++------------------------------
debian/example/host.fw | 5 ----
debian/ifupdown.sh | 61 ------------------------------------------
debian/install | 1 -
debian/links | 4 ---
src/PVE/Firewall.pm | 41 +++------------------------------
6 files changed, 11 insertions(+), 153 deletions(-)
delete mode 100755 debian/ifupdown.sh
delete mode 100644 debian/install
delete mode 100644 debian/links
diff --git a/debian/README b/debian/README
index 653423b..2d0e6d1 100644
--- a/debian/README
+++ b/debian/README
@@ -84,51 +84,13 @@ There are a number of restrictions when using iptables to filter bridged traffic. The physdev match feature does not work correctly when traffic is routed from host to bridge: - * when a packet being sent through a bridge entered the firewall on another interface - and was being forwarded to the bridge. + * when a packet being sent through a bridge entered the firewall on + another interface and was being forwarded to the bridge. - * when a packet originating on the firewall itself is being sent through a bridge. + * when a packet originating on the firewall itself is being sent through + a bridge. -So we disable the firewall if we detect such case (bridge with assigned IP address). -You can enable it again (if you do not care) by setting "allow_bridge_route: 1" in "host.fw". - -The correct workaround is to remove the IP address from the bridge device, and -use a veth device which is plugged into the bridge: - ----/etc/network/interfaces---- - -... - -auto vmbr0 -iface vmbr0 inet manual - bridge_ports bond0 - bridge_stp off - bridge_fd 0 - -# this create the veth device and plug it into vmbr0 -auto pm0 -iface pm0 inet static - address 192.168.10.10 - netmask 255.255.255.0 - gateway 192.168.10.1 - VETH_BRIDGETO vmbr0 - -auto vmbr1 -iface vmbr1 inet manual - bridge_ports none - bridge_stp off - bridge_fd 0 - -# setup masqueraded bridge port vmbr1/pm1 using pm0 -# NOTE: this needs kernel 3.10.0 or newer (for conntrack --zone) -auto pm1 -iface pm1 inet static - address 10.10.10.1 - netmask 255.255.255.0 - VETH_BRIDGETO vmbr1 - VETH_MASQUERADE pm0 - -... - --------------------------------- +We use a second bridge for each interface to avoid above problem. +eth0-->vmbr0<--tapXiY (non firewalled tap) + <--linkXiY-->linkXiYp-->fwbrXiY-->tapXiY (firewalled tap) diff --git a/debian/example/host.fw b/debian/example/host.fw index a8ae568..77f7f4b 100644 --- a/debian/example/host.fw +++ b/debian/example/host.fw 
@@ -14,11 +14,6 @@ nf_conntrack_max: 196608
 # reduce conntrack established timeout (default is 432000 - 5days)
 nf_conntrack_tcp_timeout_established: 7875
-# Enable firewall when bridges contains IP address.
-# The firewall is not fully functional in that case, so
-# you need to enable that explicitly
-allow_bridge_route: 1
-
 # disable SMURFS filter
 nosmurfs: 0
diff --git a/debian/ifupdown.sh b/debian/ifupdown.sh
deleted file mode 100755
index e36c2b9..0000000
--- a/debian/ifupdown.sh
+++ /dev/null
@@ -1,61 +0,0 @@
-#!/bin/sh
-
-# create a VETH device and plug it into bridge ${IF_VETH_BRIDGETO}
-
-if [ -z "${IF_VETH_BRIDGETO}" ]; then
- exit 0
-fi
-
-if [ ! -x /sbin/brctl ]
-then
- exit 0
-fi
-
-if [ "${MODE}" = "start" ]; then
-
- case "$PHASE" in
- pre-up)
-
- test -d "/sys/class/net/${IF_VETH_BRIDGETO}" || ifup "${IF_VETH_BRIDGETO}" || exit 1
- ip link add name "${IFACE}" type veth peer name "${IFACE}peer" || exit 1
- ip link set "${IFACE}peer" up || exit 1
- brctl addif "${IF_VETH_BRIDGETO}" "${IFACE}peer" || exit 1
- ;;
-
- post-up)
- test -n "${IF_VETH_MASQUERADE}" || exit 0
- if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
- iptables -t raw -A PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
- iptables -t raw -A PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
- iptables -t nat -A POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
- else
- echo "unable to setup VETH_MASQUERADE - no address/network"
- exit 0
- fi
- ;;
- esac
-
-elif [ "${MODE}" = "stop" ]; then
-
- case "$PHASE" in
- post-down)
-
- brctl delif "${IF_VETH_BRIDGETO}" "${IFACE}peer"
- ip link set "${IFACE}peer" down || exit 1
- ip link del "${IFACE}" || exit 1
- ;;
-
- pre-down)
- test -n "${IF_VETH_MASQUERADE}" || exit 0
- if [ -n "${IF_ADDRESS}" -a -n "${IF_NETMASK}" ]; then
- iptables -t raw -D PREROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
- iptables -t raw -D PREROUTING -d "${IF_ADDRESS}/${IF_NETMASK}" -i "${IF_VETH_BRIDGETO}" -j CT --zone 1
- iptables -t nat -D POSTROUTING -s "${IF_ADDRESS}/${IF_NETMASK}" -o "${IF_VETH_MASQUERADE}" -j MASQUERADE
- fi
- ;;
-
- esac
-
-fi
-
-exit 0
diff --git a/debian/install b/debian/install
deleted file mode 100644
index 29fa088..0000000
--- a/debian/install
+++ /dev/null
@@ -1 +0,0 @@
-debian/ifupdown.sh usr/share/pve-firewall/scripts
diff --git a/debian/links b/debian/links
deleted file mode 100644
index 8c3a9a3..0000000
--- a/debian/links
+++ /dev/null
@@ -1,4 +0,0 @@
-usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-up.d/pve-firewall
-usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-down.d/pve-firewall
-usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-pre-up.d/pve-firewall
-usr/share/pve-firewall/scripts/ifupdown.sh etc/network/if-post-down.d/pve-firewall
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index c4bc308..398a015 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -1402,13 +1402,10 @@ sub ruleset_addlog {
 }
 sub generate_bridge_chains {
- my ($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config) = @_;
+ my ($ruleset, $hostfw_conf, $bridge, $bridges_config) = @_;
 my $options = $hostfw_conf->{options} || {};
- die "error: detected direct route to bridge '$bridge'\n"
- if !$options->{allow_bridge_route} && $routing_table->{$bridge};
 if (!ruleset_chain_exist($ruleset, "$bridge-FW")) {
 ruleset_create_chain($ruleset, "$bridge-FW");
 ruleset_addrule($ruleset, "PVEFW-FORWARD", "-o $bridge -m physdev --physdev-is-out -j $bridge-FW");
@@ -1913,7 +1910,7 @@ sub parse_hostfw_option {
 my $loglevels = "emerg|alert|crit|err|warning|notice|info|debug|nolog";
- if ($line =~ m/^(enable|nosmurfs|tcpflags|allow_bridge_route|optimize):\s*(0|1)\s*$/i) {
+ if ($line =~ m/^(enable|nosmurfs|tcpflags|optimize):\s*(0|1)\s*$/i) {
 $opt = lc($1);
 $value = int($2);
 } elsif ($line =~ m/^(log_level_in|log_level_out|tcp_flags_log_level|smurf_log_level):\s*(($loglevels)\s*)?$/i) {
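Review bot: Dropping the `die` on `$routing_table->{$bridge}` removes the only fail-closed check in generate_bridge_chains, and the hunk adds nothing in its place that verifies the new two-bridge layout is actually present — the `$bridge-FW` chain is still hooked with `-o $bridge -m physdev --physdev-is-out`, which the README in this same patch describes as unreliable for traffic routed from the host into an addressed bridge. A host where a tap is still plugged straight into an addressed vmbrX (the README's "non firewalled tap" case) will now compile a ruleset that looks complete but does not cover that path, where it previously refused to compile at all. I would at least record the assumption above the signature: `# Assumes firewalled taps sit behind fwbrXiY (see README); the physdev match below does not cover traffic routed into an addressed $bridge.` If compile() can tell which taps are behind an fwbr, a `warn` for the direct-attach case would keep some of the old safety without the hard failure. The body of generate_bridge_chains continues outside the hunk, and `$bridges_config` is kept in the signature but its use is not visible here.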
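Review bot: Removing `allow_bridge_route` from the option regex leaves existing host.fw files with no deprecation path — the example this package shipped until now set `allow_bridge_route: 1`, and the hunk does not show what the rest of the `elsif` chain does with a line that matches nothing (the end of parse_hostfw_option is outside the hunk). If the fall-through dies, upgrading breaks firewall compilation on every host that kept the documented example; if it silently ignores the line, operators get no hint that the knob is gone. I would keep matching the key and discard it explicitly, e.g. `} elsif ($line =~ m/^allow_bridge_route:\s*(0|1)\s*$/i) {` followed by `warn "option 'allow_bridge_route' is obsolete and ignored\n";` and whatever the function uses to skip an option, with a one-line comment naming why it was removed.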
@@ -2519,34 +2516,6 @@ sub read_pvefw_status {
 return $status;
 }
-# fixme: move to pve-common PVE::ProcFSTools
-sub read_proc_net_route {
- my $filename = "/proc/net/route";
-
- my $res = {};
-
- my $fh = IO::File->new ($filename, "r");
- return $res if !$fh;
-
- my $int_to_quad = sub {
- return join '.' => map { ($_[0] >> 8*(3-$_)) % 256 } (3, 2, 1, 0);
- };
-
- while (defined(my $line = <$fh>)) {
- next if $line =~/^Iface\s+Destination/; # skip head
- my ($iface, $dest, $gateway, $metric, $mask, $mtu) = (split(/\s+/, $line))[0,1,2,6,7,8];
- push @{$res->{$iface}}, {
- dest => &$int_to_quad(hex($dest)),
- gateway => &$int_to_quad(hex($gateway)),
- mask => &$int_to_quad(hex($mask)),
- metric => $metric,
- mtu => $mtu,
- };
- }
-
- return $res;
-}
-
 sub load_clusterfw_conf {
 my $cluster_conf = {};
@@ -2639,8 +2608,6 @@ sub compile {
 my $vmdata = read_local_vm_config();
 my $vmfw_configs = read_vm_firewall_configs($vmdata);
- my $routing_table = read_proc_net_route();
-
 my $bridges_config = read_bridges_config();
 my $ipset_ruleset = {};
@@ -2694,7 +2661,7 @@ sub compile {
 $bridge .= "v$net->{tag}" if $net->{tag};
- generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config);
+ generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $bridges_config);
 my $macaddr = $net->{macaddr};
 generate_tap_rules_direction($ruleset, $cluster_conf, $hostfw_conf, $iface, $netid, $macaddr,
@@ -2728,7 +2695,7 @@ sub compile {
 next; # fixme?
 }
- generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $routing_table, $bridges_config);
+ generate_bridge_chains($ruleset, $hostfw_conf, $bridge, $bridges_config);
 my $macaddr = $d->{mac};
 my $iface = $d->{host_ifname};
--
2.39.2