From: Juan Rossi <juan@rimuhosting.com>
To: Xen-devel@lists.xen.org
Cc: RimuHosting <support@rimuhosting.com>
Subject: bridge call iptables being forced
Date: Thu, 19 Nov 2015 14:46:57 +1300
Message-ID: <564D2A11.7080606@rimuhosting.com>

Hi

I am sending this due to the change of behaviour in some parts, and perhaps 
it needs some code amendments; unsure if the devel list is the best 
place, feel free to point me to the right place for this. Let me know if 
I should file a bug instead.

Per the documentation 
http://wiki.xenproject.org/wiki/Network_Configuration_Examples_(Xen_4.1%2B) 
it is suggested to use:

net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0

We use that setup currently, but we are experiencing the following side 
effects:

1. We manage the firewall in dom0 ourselves, and there seems to be no 
parameter for the hotplug scripts to avoid the insertion of random rules 
in iptables, or proper checks to ensure the populated iptables rules 
are valid in case they are needed. Why would one want FORWARD rules 
to be populated that are not required with the above bridge settings?

2. After the change in the kernel:
http://permalink.gmane.org/gmane.comp.security.firewalls.netfilter.devel/54334

the br_netfilter module is no longer loaded by default, so the settings 
for net.bridge.bridge-nf-call-* do not exist and cannot be set up in 
/etc/sysctl.conf at boot time.

The vif-bridge hotplug script calls (via handle_iptable() and 
frob_iptable() in vif-common.sh) for the insertion of iptables rules in 
the FORWARD chain with the physdev module, which causes the br_netfilter 
module to be loaded; when br_netfilter is loaded it defaults to 
net.bridge.bridge-nf-call-*=1. So we end up using iptables over a bridge 
when we do not want to.

So, to solve this I came up with the following solutions:

A. Blacklist the modules br_netfilter and xt_physdev, but perhaps not great 
if there are other uses for them.

B. Load br_netfilter at boot and set the right parameters, 
net.bridge.bridge-nf-call-* = 0, as it should be, and continue to ignore the 
populated iptables rules.

C. Add some proper code changes to handle the rule insertions; unsure 
if something like this is OK or if it is in the right place. I do not 
know much about the other setups, like nat and routed.

I see there is not much around ip6tables either.

###############################

diff --git a/tools/hotplug/Linux/vif-bridge b/tools/hotplug/Linux/vif-bridge
index 3d72ca4..7fc6650 100644
--- a/tools/hotplug/Linux/vif-bridge
+++ b/tools/hotplug/Linux/vif-bridge
@@ -93,7 +93,16 @@ case "$command" in
          ;;
  esac

-handle_iptable
+brcalliptables=$(sysctl -n net.bridge.bridge-nf-call-iptables 2>/dev/null)
+brcalliptables=${brcalliptables:-0}
+
+brcallip6tables=$(sysctl -n net.bridge.bridge-nf-call-ip6tables 
2>/dev/null)
+brcallip6tables=${brcallip6tables:-0}
+
+if [ "$brcalliptables" -eq "1" -a "$brcallip6tables" -eq "1" ];
+then
+       handle_iptable
+fi

  call_hooks vif post

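Review bot: the `-a` in the new test means handle_iptable only runs when both bridge-nf-call-iptables and bridge-nf-call-ip6tables are 1, so a dom0 with only `net.bridge.bridge-nf-call-iptables = 1` sends bridged IPv4 traffic through the FORWARD chain with none of the per-vif rules at all; either handle the two families independently or use `[ "$brcalliptables" = 1 ] || [ "$brcallip6tables" = 1 ]` (two tests rather than the obsolescent `-a`). The string compare is also safer than `-eq`, which aborts the script if sysctl ever prints something non-numeric. Worth a comment in the script: skipping the rules because br_netfilter is absent at vif creation time leaves nothing in place if xt_physdev or br_netfilter is loaded later and the keys come up at their default of 1, which is exactly the sequence the cover letter describes. Finally, the `2>/dev/null` of the ip6tables line has been wrapped onto a line of its own by the mailer, so the patch as posted will not apply cleanly.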

###############################

Thanks in advance


Regards.

Juan.-
http://ri.mu - Startups start here. Hosting; DNS; monitoring; backups; 
email; web programming
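The post describes a silent drift: /etc/sysctl.conf sets net.bridge.bridge-nf-call-* = 0 while br_netfilter is not yet loaded, so the keys do not exist, and the module later comes up with them at 1. As an added example (not code from the post or the Xen tree), a POSIX shell check that compares the configured values against the running ones; the `root` argument is a hypothetical parameter so the same functions can be exercised against a constructed directory tree instead of a live host.

```shell
#!/bin/sh
# Added example, not from the post. Pass root=/ (the default) on a live host.

# Print 1 if br_netfilter is loaded under $root, else 0.
br_netfilter_loaded() {
    root=${1:-/}
    [ -d "$root/sys/module/br_netfilter" ] && echo 1 || echo 0
}

# Running value of net.bridge.bridge-nf-call-<table>, or "absent" when the
# key does not exist (module not loaded, so sysctl.conf could not set it).
bridge_nf_call() {
    root=${1:-/}; table=$2
    f="$root/proc/sys/net/bridge/bridge-nf-call-$table"
    [ -r "$f" ] && cat "$f" || echo absent
}

# Desired value from a sysctl.conf-style file (last matching line wins),
# or "unset" when the file does not mention the key.
configured_nf_call() {
    conf=$1; table=$2
    v=$(sed -n "s/^[[:space:]]*net\.bridge\.bridge-nf-call-$table[[:space:]]*=[[:space:]]*\([01]\).*/\1/p" \
        "$conf" 2>/dev/null | tail -n 1)
    echo "${v:-unset}"
}

# One line per family: configured vs running. Returns 1 when bridged traffic
# traverses a table the configuration said to bypass (the post's scenario).
check_bridge_nf() {
    root=${1:-/}; conf=${2:-/etc/sysctl.conf}; rc=0
    for t in iptables ip6tables arptables; do
        want=$(configured_nf_call "$conf" "$t")
        have=$(bridge_nf_call "$root" "$t")
        status=ok
        if [ "$want" = 0 ] && [ "$have" = 1 ]; then
            status=DRIFT; rc=1
        fi
        echo "bridge-nf-call-$t configured=$want running=$have $status"
    done
    return $rc
}
```

Run `check_bridge_nf` from cron or a monitoring agent on dom0; a non-zero exit after a vif hotplug is the signal that br_netfilter was pulled in and the sysctl.conf values never took effect.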
