Hi, I am in the process of containerization of server infrastructure, and my idea is to run the telephony server appliance Trixbox under KVM (which in turn uses the QEMU codebase) on SuSE Linux. KVM networking is rather primitive, and the only way to make the KVM'ed OS appear as a "normal" computer is to use a virtual bridge, as I found on the net.

The questions are (based on http://www.shorewall.net/bridge.html):

1) What should be included in /etc/shorewall/interfaces and /etc/shorewall/hosts - "br0" or "qtap0", "qtap1", etc?

2) Why did the author of this script use "$USERID" in "tunctl -b -u $USERID -t qtap$i"? If the user is non-root, may it somehow affect the Shorewall bridging setup?

------------------------------

# id of the user running qemu (kvm)
USERID=1000
# number of TUN/TAP devices to setup
NUM_OF_DEVICES=5

case $1 in
  start)
    modprobe tun
    echo -n "Setting up bridge device br0"
    brctl addbr br0
    ifconfig br0 192.168.100.254 netmask 255.255.255.0 up
    for ((i=0; i < NUM_OF_DEVICES ; i++)); do
      echo -n "Setting up "
      tunctl -b -u $USERID -t qtap$i
      brctl addif br0 qtap$i
      ifconfig qtap$i up 0.0.0.0 promisc
    done
    ;;
  stop)

-------------------------------------------------------------------------
This SF.net email is sponsored by: Splunk Inc. Still grepping through log files to find problems? Stop. Now Search log events and configuration files using AJAX and a browser. Download your FREE copy of Splunk now >> http://get.splunk.com/
Andrei Verovski (aka MacGuru) wrote:

> The questions are (based on the http://www.shorewall.net/bridge.html):

That URL no longer exists. The information previously contained there is available at http://www.shorewall.net/3.0/bridge.html. In that article is the following large warning:

Warning

SUPPORT FOR BRIDGING AS DESCRIBED IN THIS ARTICLE IS DISCONTINUED IN LINUX KERNEL 2.6.20. The underlying Netfilter features that Shorewall Bridge/Firewall support relies on were removed from Netfilter and it is no longer possible to define Shorewall zones in terms of physical bridge ports.

So surely you don't want to base your new infrastructure on a facility that isn't supported by current and future kernels. I'll try to answer your questions with respect to http://www.shorewall.net/bridge-Shorewall-perl.html which describes the preferred method of supporting bridge/firewalls.

> 1) What should be included in /etc/shorewall/interfaces
> and /etc/shorewall/hosts - "br0" or "qtap0", "qtap1", etc?

br0, br0:qtap0, br0:qtap1 -- that's assuming that you want to define Shorewall policies and rules that control connections through the bridge. If you don't have that requirement then use a simple bridge (http://www1.shorewall.net/SimpleBridge.html) and just define br0 in /etc/shorewall/interfaces.

> 2) Why the author of this script used "$USERID" in "tunctl -b -u $USERID -t
> qtap$i"?

You'll have to ask the author of that script.

> If the user is non-root, may it somehow affect Shorewall bridging setup?

Not unless your Shorewall configuration limits access to particular users using the USER/GROUP column in the rules file. Note that such limits only apply to traffic originating on the firewall.

-Tom
--
Tom Eastep \ Nothing is foolproof to a sufficiently talented fool
Shoreline, \ http://shorewall.net
Washington USA \ teastep@shorewall.net
PGP Public Key \ https://lists.shorewall.net/teastep.pgp.key
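As an added example (not part of Tom's reply or of the Shorewall documentation), here is what the br0 / br0:qtapN form he describes looks like spread across the Shorewall-perl configuration files, assuming zone names pbx and vm, the Trixbox guest on qtap0, a second guest on qtap1, and eth0 as the host's uplink; zone names, the guest-to-port mapping and the RTP port range are assumptions to adjust for your setup:

```text
# /etc/shorewall/zones        (ZONE   TYPE)
fw      firewall
net     ipv4
pbx     ipv4              # Trixbox guest behind br0:qtap0 (assumed name)
vm      ipv4              # other KVM guest behind br0:qtap1 (assumed name)

# /etc/shorewall/interfaces   (ZONE   INTERFACE   BROADCAST   OPTIONS)
net     eth0        detect      tcpflags
-       br0         -           bridge    # zone left "-": ports are zoned in hosts

# /etc/shorewall/hosts        (ZONE   HOST(S)     OPTIONS)
pbx     br0:qtap0
vm      br0:qtap1

# /etc/shorewall/policy       (SOURCE DEST    POLICY  LOG LEVEL)
pbx     net     ACCEPT
vm      net     ACCEPT
vm      pbx     ACCEPT
net     all     DROP    info
all     all     REJECT  info

# /etc/shorewall/rules        (ACTION SOURCE  DEST    PROTO   DEST PORT(S))
ACCEPT  net     pbx     udp     5060          # SIP signalling to the PBX only
ACCEPT  net     pbx     udp     10000:20000   # RTP media range (assumed; match the PBX)
```

With the qtap ports zoned this way, traffic between the two guests and from the Internet to the PBX is filtered by Shorewall even though it never leaves the bridge; the USER/GROUP column is not involved because none of this traffic originates on the firewall host itself.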