On 2016-06-09 02:50, Simon Walter wrote:
> Hi everyone,
>
> After some testing, I have a question about an option in
> /etc/default/shorewall:
> wait_interface
> If I add the bridge interface to that line, shorewall will not start
> unless a container is brought up. I suppose that is why I was thinking
> of bridging the bridge interface with a tap interface so that it's always
> available.
>
> It seems that bridges do not start with ifup (-a) unless one of their
> bridged interfaces is up.
That doesn't sound right.
Here's a bridge I have defined for LXC containers:
auto lxcbr0
iface lxcbr0 inet static
    pre-up brctl addbr $IFACE
    address 10.0.0.1
    netmask 255.255.0.0
    network 10.0.0.0
    broadcast 10.0.255.255
    # disable Spanning Tree Protocol
    bridge_stp off
    # no delay before a port becomes available
    bridge_waitport 0
    # no forwarding delay
    bridge_fd 0
    up ip link set $IFACE up
    down ip link set $IFACE down
    post-down brctl delbr $IFACE
The IP address is assigned as part of the bridge definition. Like Rainer
said, no tap device needed.
Due to the "auto lxcbr0" the bridge is brought up automatically during
system startup.
It comes up just fine with *no* containers running.
Here's the ifstate resulting from ifup:
# grep lxcbr0 /run/network/ifstate
lxcbr0=lxcbr0
I've never had the need to specify a *bridge* interface on the Shorewall
wait_interface list.
/etc/default/shorewall "wait_interface" is used when you need to detect
a dynamically assigned IP, i.e. so 'find_first_interface_address' can
return an IP, which it can't do if one hasn't been assigned yet.
However, as can be seen in the example above, it already has an IP and
therefore there is no need for Shorewall to *wait* for one to be assigned. I
suggest leaving the bridge off the wait list.
In my setup Dnsmasq is configured to listen on the bridge IP. When
dnsmasq starts up, the bridge is already there. The LXC containers are
then DHCP assigned the bridge IP as their default GW. And the kernel
handles the routing from there, provided IP forwarding is turned on.
To have Shorewall turn on forwarding for you, just specify
"IP_FORWARDING=On" in /etc/shorewall/shorewall.conf.
Or you can specify "net.ipv4.ip_forward=1" in /etc/sysctl.conf. However,
I think it's better to let Shorewall control it.
Hope that helps.
>
> Or I could do as Mr. Hobson does and run shorewall in a container. Would
> that actually be a more insulated "secure" approach?
>
> Thanks and kind regards,
>
> Simon
>
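As an added example (not code from this thread or from Shorewall), a POSIX shell script that reads an /etc/network/interfaces-style file and tells which interfaces get their address at ifup time (static, so nothing for wait_interface to wait for) and which only get one later (dhcp), and checks an ifstate file for what ifup has already brought up. The function names and the sample interfaces/ifstate contents are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the post.  Classifies interfaces in an
# /etc/network/interfaces-style file as static (address present at ifup
# time, nothing for Shorewall to wait for) or dynamic (dhcp: the case
# /etc/default/shorewall wait_interface exists for), and checks ifstate.

# Print the "iface NAME ..." stanza of NAME.  Only whole-line '#' comments
# are skipped, as in interfaces(5); the stanza ends at the next keyword.
iface_stanza() {  # usage: iface_stanza FILE IFACE
    awk -v want="$2" '
        /^[ \t]*#/ { next }
        $1 == "iface" { inside = ($2 == want) }
        $1 ~ /^(auto|allow-|mapping|source)/ { inside = 0; next }
        inside { print }
    ' "$1"
}

# Address method (static, dhcp, ...) of IFACE, empty if it is not defined.
iface_method() {  # usage: iface_method FILE IFACE
    iface_stanza "$1" "$2" | awk '$1 == "iface" { print $4; exit }'
}
# Exit 0 when the address only arrives after ifup (wait_interface candidate),
# 1 for a static stanza that carries an "address", 2 if IFACE is undefined.
needs_wait_interface() {  # usage: needs_wait_interface FILE IFACE
    case "$(iface_method "$1" "$2")" in
        static) ! iface_stanza "$1" "$2" | grep -q '^[[:space:]]*address[[:space:]]' ;;
        "")     return 2 ;;
        *)      return 0 ;;
    esac
}
# Exit 0 when ifup recorded IFACE as configured (lines look like "lxcbr0=lxcbr0").
ifup_brought_up() {  # usage: ifup_brought_up IFSTATE_FILE IFACE
    grep -q "^$2=" "$1"
}

# Constructed sample files standing in for /etc/network/interfaces and
# /run/network/ifstate: a dhcp uplink plus the post's static bridge.
demo_dir=$(mktemp -d)
cat > "$demo_dir/interfaces" <<'EOF'
auto eth0
iface eth0 inet dhcp
auto lxcbr0
iface lxcbr0 inet static
    address 10.0.0.1
    # disable Spanning Tree Protocol
    bridge_stp off
EOF
printf 'lo=lo\nlxcbr0=lxcbr0\n' > "$demo_dir/ifstate"
for i in eth0 lxcbr0; do   # expected: eth0 is a candidate, lxcbr0 is not
    needs_wait_interface "$demo_dir/interfaces" "$i" && echo "$i: wait_interface candidate" || echo "$i: static, leave it off the list"
done
```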