:: Re: [DNG] ifconfig vs ip
トップ ページ
このメッセージを削除
このメッセージに返信
著者: Greg Olsen
日付:  
To: dng
題目: Re: [DNG] ifconfig vs ip
On 2016-06-09 02:50, Simon Walter wrote:
> Hi everyone,
>
> After some testing, I have a question about an option in
> /etc/default/shorewall:
> wait_interface
> If I add the bridge interface to that line, shorewall will not start
> unless a container is brought up. I suppose that is why I was thinking
> of bridging the bridge inerface with a tap interface so that it's always
> available.
>
> It seems that bridges do not start with ifup (-a) unless one of their
> bridged interfaces are up.


That doesn't sound right.
Here's a bridge I have defined for LXC containers:

auto lxcbr0
iface lxcbr0 inet static
         pre-up    brctl addbr $IFACE
         address   10.0.0.1
         netmask   255.255.0.0
         network   10.0.0.0
         broadcast 10.0.255.255
         bridge_stp off           # disable Spanning Tree Protocol
         bridge_waitport 0        # no delay before a port becomes available
         bridge_fd 0              # no forwarding delay
         up        ip link set $IFACE up
         down      ip link set $IFACE down
         post-down brctl delbr $IFACE


The IP address is assigned as part of the bridge definition. Like Rainer
said, no tap device needed.

Due to the "auto lxcbr0" the bridge is brought up automatically during
system startup.
It comes up just fine with *no* containers running.

Here's the ifstate resulting from ifup:
# grep lxcbr0 /run/network/ifstate
lxcbr0=lxcbr0

I've never had the need to specify a *bridge* interface on the Shorewall
wait_interface list.

/etc/default/shorewall "wait_interface" is used when you need to detect
a dynamically assigned IP. I.e. so 'find_first_interface_address' can
return an IP, which it can't do if one hasn't been assigned yet.

However as can be seen in the example above, it already has an IP and
therefore no need for Shorewall to *wait* for one to be assigned. I
suggest leaving the bridge off the wait list.

In my setup Dnsmasq is configured to listen on the bridge IP. When
dnsmasq starts up, the bridge is already there. The LXC containers are
then DHCP assigned the bridge IP as their default GW. And the kernel
handles the routing from there, provided IP forwarding is turned on.

To have Shorewall turn on forwarding for you, just specify
"IP_FORWARDING=On" in /etc/shorewall/shorewall.conf.
Or you can specify "net.ipv4.ip_forward=1" in /etc/sysctl.conf. However,
I think it's better to let Shorewall control it.

Hope that helps.

>
> Or I could do as Mr. Hobson does and run shorewall in a container. Would
> that actually be a more insulated "secure" approach?
>
> Thanks and kind regards,
>
> Simon
>