[pve-devel] [PATCH 3/3] add firewall bridge support for linux bridge
Alexandre Derumier
aderumier at odiso.com
Tue May 6 10:50:47 CEST 2014
eth0------->vmbr0
eth0.94---->vmbr0v94<-----tapXiY (non firewalled tap)
<--linkXiY----->linkXiYp--->fwbrXiY---->tapXiY (firewalled tap)
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
data/PVE/Network.pm | 67 ++++++++++++++++++++++++++++++++++++++++++++++++++-
1 file changed, 66 insertions(+), 1 deletion(-)
diff --git a/data/PVE/Network.pm b/data/PVE/Network.pm
index f0b24b5..ee48231 100644
--- a/data/PVE/Network.pm
+++ b/data/PVE/Network.pm
@@ -91,7 +91,8 @@ sub tap_plug {
if (-d "/sys/class/net/$bridge/bridge") {
my $newbridge = activate_bridge_vlan($bridge, $tag);
copy_bridge_config($bridge, $newbridge) if $bridge ne $newbridge;
-
+ $newbridge = fwbridge_create($iface, $newbridge) if $fwenable;
+
system("/sbin/brctl addif $newbridge $iface") == 0 ||
die "can't add interface to bridge\n";
} else {
@@ -323,4 +324,68 @@ sub ovs_firewall_tap_plug {
}
+sub fwbridge_create {
+ my ($iface, $bridge) = @_;
+
+ my $iface_suffix = undef;
+ my $vmid = undef;
+
+ if ($iface =~ m/^tap((\d+)i(\d+))$/){
+ $iface_suffix = $1;
+ $vmid = $2;
+ }elsif ($iface =~ m/^veth((\d+)\.(\d+))$/){
+ $iface_suffix = $1;
+ $vmid = $2;
+ }else{
+ die "wrong interface name $iface";
+ }
+
+ my $bridgetap = "fwbr$iface_suffix";
+
+ my $vethfw = "link$iface_suffix";
+ my $vethfwpeer = $vethfw."p";
+
+
+ my $bridgemtu = PVE::Tools::file_read_firstline("/sys/class/net/$bridge/mtu");
+ die "bridge '$bridge' does not exist\n" if !$bridgemtu;
+ #avoid insecure dependency;
+ ($bridgemtu) = $bridgemtu =~ /(\d+)/;
+
+ # add bridgetap if it doesn't already exist
+ if (! -d "/sys/class/net/$bridgetap") {
+ system("/sbin/brctl addbr $bridgetap") == 0 ||
+ die "can't add bridge $bridgetap\n";
+ }
+
+ # be sure to have the bridgetap up
+ system("/sbin/ip link set $bridgetap up") == 0 ||
+ die "can't up bridge $bridgetap\n";
+
+ copy_bridge_config($bridge, $bridgetap);
+ # create veth pair
+ if (! -d "/sys/class/net/$vethfw") {
+ system("/sbin/ip link add name $vethfw type veth peer name $vethfwpeer mtu $bridgemtu") == 0 ||
+ die "can't create interface $vethfw\n";
+ }
+
+ #up vethpair
+ system("/sbin/ip link set up dev $vethfw") == 0 ||
+ die "can't up veth $vethfw\n";
+
+ system("/sbin/ip link set up dev $vethfwpeer") == 0 ||
+ die "can't up veth $vethfw\n";
+
+
+ # add veth to main bridge
+ system("/sbin/brctl addif $bridge $vethfw") == 0 ||
+ die "can't add interface $vethfw to bridge $bridge\n";
+
+ # add vethpeer to bridgetap
+ system("/sbin/brctl addif $bridgetap $vethfwpeer") == 0 ||
+ die "can't add interface $vethfwpeer to bridge $bridgetap\n";
+
+ return $bridgetap;
+
+}
+
1;
--
1.7.10.4
More information about the pve-devel
mailing list