From effe87b9a3581a16fbda9c72bf86b33fc6f9a4b4 Mon Sep 17 00:00:00 2001
From: Felix Kaechele
Date: Sat, 9 Apr 2022 20:25:16 -0400
Subject: [PATCH 1/2] update sample scripts to use iproute

Old `ioctl` based tools like `brctl` are deprecated and have been removed from the default package set of some distributions. Also drop usage of ebtables in favour of native bridge port isolation available in kernels 4.18 and newer.

Signed-off-by: Felix Kaechele
---
 broker/scripts/bridge_functions.sh | 4 +---
 broker/scripts/session.down.sh | 2 +-
 broker/scripts/session.mtu-changed.sh | 10 +++-------
 broker/scripts/session.up.sh | 7 +++----
 4 files changed, 8 insertions(+), 15 deletions(-)

diff --git a/broker/scripts/bridge_functions.sh b/broker/scripts/bridge_functions.sh
index da88c62d..5348794c 100644
--- a/broker/scripts/bridge_functions.sh
+++ b/broker/scripts/bridge_functions.sh
@@ -7,7 +7,7 @@ ensure_policy()
 ensure_bridge()
 {
 local brname="$1"
- brctl addbr $brname 2>/dev/null
+ ip link add $brname type bridge 2>/dev/null
 if [[ "$?" == "0" ]]; then
 # Bridge did not exist before, we have to initialize it
@@ -16,8 +16,6 @@ ensure_bridge()
 ip addr add 10.254.0.2/16 dev $brname
 # TODO Policy routing should probably not be hardcoded here?
 ensure_policy from all iif $brname lookup mesh prio 1000
- # Disable forwarding between bridge ports
- ebtables -A FORWARD --logical-in $brname -j DROP
 fi
 }
diff --git a/broker/scripts/session.down.sh b/broker/scripts/session.down.sh
index 79e0854b..94aba486 100755
--- a/broker/scripts/session.down.sh
+++ b/broker/scripts/session.down.sh
@@ -9,5 +9,5 @@ UUID="$8"
 LOCAL_BROKER_PORT="$9"
 # Remove the interface from our bridge
-brctl delif digger${MTU} $INTERFACE
+ip link set dev $INTERFACE nomaster
diff --git a/broker/scripts/session.mtu-changed.sh b/broker/scripts/session.mtu-changed.sh
index 8a8094ce..619c8c68 100755
--- a/broker/scripts/session.mtu-changed.sh
+++ b/broker/scripts/session.mtu-changed.sh
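Review bot: `ip link add $brname type bridge 2>/dev/null` followed by the existing `if [[ "$?" == "0" ]]` treats every non-zero exit as "bridge already exists", so a genuine failure (no CAP_NET_ADMIN, an invalid name, iproute2 missing) is silenced and ensure_bridge returns with no bridge, address or policy route at all. `brctl addbr` had the same weakness, but the rewrite is the moment to fix it: test existence explicitly and let creation errors surface, `if ! ip link show dev "$brname" >/dev/null 2>&1; then` / `ip link add "$brname" type bridge || return 1`, with the initialisation kept inside that branch. `$brname` should be quoted throughout; the same unquoted `$INTERFACE` pattern recurs in the session.down.sh, session.mtu-changed.sh and session.up.sh hunks of both patches.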
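Review bot: Dropping the bridge-wide `ebtables -A FORWARD --logical-in $brname -j DROP` moves the inter-session isolation guarantee from one rule on the bridge to a per-port flag that every caller must set itself (session.up.sh does in this patch, session.mtu-changed.sh only from the second patch), so any port attached by another path, or whose `bridge link set … isolated on` fails, forwards freely to the other ports. Nothing in ensure_bridge records that contract, and the function is where the next caller will look. A header comment would keep an unisolated port from being re-introduced, e.g. `# The bridge no longer blocks forwarding between its ports (ebtables rule removed); every port must be attached with 'bridge link set dev <port> isolated on' before it is brought up.`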
@@ -7,12 +7,8 @@ NEW_MTU="$5"
 . scripts/bridge_functions.sh
 # Remove interface from old bridge
-brctl delif digger${OLD_MTU} $INTERFACE
+ip link set dev $INTERFACE nomaster
-# Change interface MTU
-ip link set dev $INTERFACE mtu $NEW_MTU
-
-# Add interface to new bridge
+# Change interface MTU and add to new bridge
 ensure_bridge digger${NEW_MTU}
-brctl addif digger${NEW_MTU} $INTERFACE
-
+ip link set dev $INTERFACE master digger${NEW_MTU} mtu $NEW_MTU up
diff --git a/broker/scripts/session.up.sh b/broker/scripts/session.up.sh
index 9684742f..2f75dd1c 100755
--- a/broker/scripts/session.up.sh
+++ b/broker/scripts/session.up.sh
@@ -11,10 +11,9 @@ LOCAL_BROKER_PORT="$9"
 . scripts/bridge_functions.sh
-# Set the interface to UP state
-ip link set dev $INTERFACE up mtu $MTU
-
 # Add the interface to our bridge
 ensure_bridge digger${MTU}
-brctl addif digger${MTU} $INTERFACE
+ip link set dev $INTERFACE master digger${MTU} mtu $MTU up
+# Turn on bridge port isolation
+bridge link set dev $INTERFACE isolated on

From ccff44d7f67042310bd32ec5a0e4bffaa188dbc9 Mon Sep 17 00:00:00 2001
From: Felix Kaechele
Date: Mon, 7 Aug 2023 23:38:23 -0400
Subject: [PATCH 2/2] ensure bridge port isolation is on before setting link up

Signed-off-by: Felix Kaechele
---
 broker/scripts/session.mtu-changed.sh | 8 +++++++-
 broker/scripts/session.up.sh | 5 ++++-
 2 files changed, 11 insertions(+), 2 deletions(-)

diff --git a/broker/scripts/session.mtu-changed.sh b/broker/scripts/session.mtu-changed.sh
index 619c8c68..8f1577e1 100755
--- a/broker/scripts/session.mtu-changed.sh
+++ b/broker/scripts/session.mtu-changed.sh
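Review bot: In the session.up.sh hunk, `bridge link set dev $INTERFACE isolated on` is now the only thing separating this session from every other port on digger${MTU}, yet its exit status is ignored: on a kernel or iproute2 without port isolation (the commit message itself requires 4.18 or newer) the command fails, the port stays attached — and, in this revision, already up — and traffic forwards between tunnels; unless the script runs under `set -e`, which is not visible in the hunk, nothing notices. Make the failure fatal and detach the port, `bridge link set dev "$INTERFACE" isolated on || { ip link set dev "$INTERFACE" nomaster; exit 1; }`, or whatever failure signal the broker expects from this hook. The same unchecked call is added in the second patch's session.mtu-changed.sh hunk and kept as context in its session.up.sh hunk.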
@@ -11,4 +11,10 @@ ip link set dev $INTERFACE nomaster
 # Change interface MTU and add to new bridge
 ensure_bridge digger${NEW_MTU}
-ip link set dev $INTERFACE master digger${NEW_MTU} mtu $NEW_MTU up
+ip link set dev $INTERFACE master digger${NEW_MTU} mtu $NEW_MTU
+
+# Turn on bridge port isolation
+bridge link set dev $INTERFACE isolated on
+
+# Bring the tunnel interface up only after port isolation is enabled
+ip link set dev $INTERFACE up
diff --git a/broker/scripts/session.up.sh b/broker/scripts/session.up.sh
index 2f75dd1c..d07032eb 100755
--- a/broker/scripts/session.up.sh
+++ b/broker/scripts/session.up.sh
@@ -13,7 +13,10 @@ LOCAL_BROKER_PORT="$9"
 # Add the interface to our bridge
 ensure_bridge digger${MTU}
-ip link set dev $INTERFACE master digger${MTU} mtu $MTU up
+ip link set dev $INTERFACE master digger${MTU} mtu $MTU
 # Turn on bridge port isolation
 bridge link set dev $INTERFACE isolated on
+
+# Bring the tunnel interface up only after port isolation is enabled
+ip link set dev $INTERFACE up
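Review bot: The new comment `# Bring the tunnel interface up only after port isolation is enabled` does not hold in session.mtu-changed.sh: the interface was brought up by session.up.sh and the `ip link set dev $INTERFACE nomaster` in the hunk header does not take it down, so it is attached to digger${NEW_MTU} while still up and un-isolated for the window between the `master` line and the `bridge link set` line, and the final `ip link set dev $INTERFACE up` is a no-op. To get the ordering the comment promises, take the port down before moving it, e.g. insert `ip link set dev "$INTERFACE" down` immediately before the `master` line, assuming a brief link-down on the tunnel is acceptable for the session. The second patch's session.up.sh hunk has the same window if the interface can already be up when that hook runs; how the tunnel device is created is not visible in these scripts.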