[pve-devel] [PATCH 3/3] add firewall bridge support for linux bridge

Alexandre Derumier aderumier at odiso.com
Tue May 6 10:17:30 CEST 2014


    eth0------->vmbr0
    eth0.94---->vmbr0v94<-----tapXiY (non firewalled tap)
                        <--linkXiY----->linkXiYp--->fwbrXiY---->tapXiY (firewalled tap)

Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
 data/PVE/Network.pm |   67 ++++++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 66 insertions(+), 1 deletion(-)

diff --git a/data/PVE/Network.pm b/data/PVE/Network.pm
index 64be5d2..a765466 100644
--- a/data/PVE/Network.pm
+++ b/data/PVE/Network.pm
@@ -97,7 +97,8 @@ sub tap_plug {
     if (-d "/sys/class/net/$bridge/bridge") {
 	my $newbridge = activate_bridge_vlan($bridge, $tag);
 	copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
-
+	$newbridge = fwbridge_create($iface, $newbridge) if $fwenable;
+	
 	system("/sbin/brctl addif $newbridge $iface") == 0 ||
 	    die "can't add interface to bridge\n";
     } else {
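Review bot: `$fwenable` on the new line `$newbridge = fwbridge_create($iface, $newbridge) if $fwenable;` is not declared anywhere in this hunk and the diff does not change tap_plug's parameter list, so unless an earlier patch in the series adds it to `my (...) = @_;` the call will fail under `use strict`; the enclosing tap_plug starts and ends outside the hunk. The added blank line carries a trailing tab that should be dropped. Since fwbridge_create returns the firewall bridge name, `$newbridge` is now also the target of the `brctl addif` below, which is presumably intended but worth a one-line comment such as `# when firewalled, plug the tap into the per-VM fwbr bridge instead`.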
@@ -329,4 +330,68 @@ sub ovs_firewall_tap_plug {
 
 }
 
+sub fwbridge_create {
+    my ($iface, $bridge) = @_;
+
+	my $iface_suffix = undef;
+	my $vmid = undef;
+
+	if ($iface =~ m/^tap((\d+)i(\d+))$/){
+	    $iface_suffix = $1;
+	    $vmid = $2;
+	}elsif ($iface =~ m/^veth((\d+)\.(\d+))$/){
+	    $iface_suffix = $1;
+	    $vmid = $2;
+	}else{
+	    die "wrong interface name $iface";
+	}
+
+	my $bridgetap = "fwbr$iface_suffix";
+
+	my $vethfw = "link$iface_suffix";
+ 	my $vethfwpeer = $vethfw."p";
+
+
+	my $bridgemtu = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/mtu");
+	die "bridge '$bridge' does not exist\n" if !$bridgemtu;
+        #avoid insecure dependency;
+	($bridgemtu) = $bridgemtu =~ /(\d+)/;
+
+        # add bridgetap if it doesn't already exist
+        if (! -d "/sys/class/net/$bridgetap") {
+        system("/sbin/brctl addbr $bridgetap") == 0 ||
+            die "can't add bridge $bridgetap\n";
+        }
+
+        # be sure to have the bridgetap up
+        system("/sbin/ip link set $bridgetap up") == 0 ||
+            die "can't up bridge $bridgetap\n";
+
+	copy_bridge_config($bridge, $bridgetap);
+	# create veth pair
+        if (! -d "/sys/class/net/$vethfw") {
+           system("/sbin/ip link add name $vethfw type veth peer name $vethfwpeer mtu $bridgemtu") == 0 ||
+               die "can't create interface $vethfw\n";
+	}
+
+	#up vethpair
+        system("/sbin/ip link set up dev $vethfw") == 0 ||
+            die "can't up veth $vethfw\n";
+
+        system("/sbin/ip link set up dev $vethfwpeer") == 0 ||
+            die "can't up veth $vethfw\n";
+
+
+        # add veth to main bridge
+        system("/sbin/brctl addif $bridge $vethfw") == 0 ||
+            die "can't add interface $vethfw to bridge $bridge\n";
+
+        # add vethpeer to bridgetap
+        system("/sbin/brctl addif $bridgetap $vethfwpeer") == 0 ||
+            die "can't add interface $vethfwpeer to bridge $bridgetap\n";
+
+	return $bridgetap;
+
+}
+
 1;
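Review bot: The second `ip link set up dev $vethfwpeer` call reports the wrong interface on failure: its die message reads `die "can't up veth $vethfw\n";` and should be `die "can't up veth $vethfwpeer\n";`. The `die "wrong interface name $iface";` for an unparseable name lacks the trailing `\n` the other messages use, so it will additionally print the file and line. Every `system` call uses the interpolating string form; `$iface` is constrained by the anchored regexes and `$bridgemtu` is re-captured, but `$bridge` is passed through to the shell unvalidated, and the list form `system('/sbin/brctl', 'addif', $bridge, $vethfw) == 0` would avoid the shell entirely (the existing tap_plug uses the same string form, so this is a consistency choice). The body also mixes tabs and spaces for indentation (and line `my $vethfwpeer` has a stray leading space), which perltidy would normalise.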
-- 
1.7.10.4



