Fix error handling bridge devices on host systems.

2026-01-15 17:02:40 +01:00
parent 16eb4d7e0f
commit 7dd1a17e10
3 changed files with 189 additions and 189 deletions
--- a/181
+++ b/181
@@ -84,33 +84,6 @@ if command -v ip6tables >/dev/null 2>&1; then
 fi


-# - Check if running inside a container
-# -
-host_is_vm=false
-
-# - If running in a LXC container 'cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc'
-# - returns "container=lxc"
-# -
-r_val="$(cat /proc/1/environ | tr '\0' '\n' | grep ^container | grep lxc)"
-if [[ -n "$r_val" ]] ; then
-   host_is_vm=true
-else
-
-   # ---
-   # -  For other container types we need a few more tricks
-   # ---
-
-   # Detect old-style libvirt
-   [ -n "$LIBVIRT_LXC_UUID" ] && host_is_vm=true
-
-   # Detect vserver
-   if ! $host_is_vm ; then
-      VXID="$(cat /proc/self/status | grep ^VxID | cut -f2)" || true
-      [ "${VXID:-0}" -gt 1 ] && host_is_vm=true
-   fi
-fi
-
-
 # -------------
 # --- Ensure required modules for this script (best effort; host-side in containers)
 # -------------
@@ -121,23 +94,24 @@ echononl "\tEnsure required modules are loaded.."
 if is_container ; then
   echo_skipped
 else
+
+   ensure_mod nf_conntrack
+   ensure_mod nf_nat
+   ensure_mod nf_conntrack_ftp
+   ensure_mod nf_nat_ftp
+   ensure_mod xt_recent
+   ensure_mod xt_hashlimit
+   ensure_mod xt_connlimit
+   ensure_mod xt_owner
+   ensure_mod xt_helper
+   ensure_mod br_netfilter
+
   echo_done
 fi

-ensure_mod nf_conntrack
-ensure_mod nf_nat
-ensure_mod nf_conntrack_ftp
-ensure_mod nf_nat_ftp
-ensure_mod xt_recent
-ensure_mod xt_hashlimit
-ensure_mod xt_connlimit
-ensure_mod xt_owner
-ensure_mod xt_helper
-ensure_mod br_netfilter
-

 # Disable automatic conntrack helper assignment (keep explicit CT --helper rules)
-if ! $host_is_vm ; then
+if ! is_container; then
   sysctl -w net.netfilter.nf_conntrack_helper=0 >/dev/null 2>&1 || true
 fi

@@ -176,7 +150,7 @@ echo
 # --- Activate IP Forwarding
 # -------------

-if ! $host_is_vm ; then
+if ! is_container ; then

   # ---
   # - Disable ip forwarding between interfaces
@@ -199,7 +173,7 @@ fi

 echononl "\tAdjust Kernel Parameters (Security/Tuning).."

-if ! $host_is_vm ; then
+if ! is_container ; then

   # ---
   # - Deactivate Source Routed Packets
@@ -222,7 +196,82 @@ if ! $host_is_vm ; then
 else
   echo_skipped

-fi # if ! $host_is_vm
+fi # if ! is_container
+
+
+
+# -------------
+# --- Prevent bridged traffic getting pushed through the host's iptables rules
+# -------------
+
+echo
+echononl "\tDo not firewall bridged / LX Gust System traffic"
+
+if ${do_not_firewall_bridged_traffic} || ${do_not_firewall_lx_guest_systems} ; then
+
+   if ! is_container; then
+
+      _done=false
+
+      for _dev in ${ext_if_arr[@]} ; do
+
+         # Try to detect  virtual interfaces (veth*)) and the master interface 
+         # of the given bridge  dynamically
+         #
+         #     ports="$(get_bridge_ports "$br")"
+         #
+         # or directly here:
+         #
+         # ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"
+         #
+         #     ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"
+         #
+         ports="$(ip -o link show master "${_dev}" 2>/dev/null | awk -F': ' '{print $2}')"
+
+         for _port in $ports ; do
+            $ip6t -A FORWARD -i "${_port}" -j ACCEPT
+            $ip6t -A FORWARD -o "${_port}" -j ACCEPT
+            _done=true
+         done
+
+      done
+
+      if ! ${_done} ; then
+         $ip6t -A FORWARD -i veth+ -j ACCEPT
+         $ip6t -A FORWARD -o veth+ -j ACCEPT
+      fi
+
+      echo_done
+   else
+      echo_skipped
+   fi
+else
+   echo_skipped
+fi
+
+
+echononl "\tTake care 'net.bridge.bridge-nf-call-ip6tables' is set to '1'.."
+if ${do_not_firewall_bridged_traffic} || ${do_not_firewall_lx_guest_systems} ; then
+
+   if ! is_container; then
+
+      _bridge_sysctl_ok=true
+
+      # IPv6: keep bridge netfilter on, but bypass host filtering for container ports
+      # (do NOT set bridge-nf-call-ip6tables=0)
+      sysctl -w net.bridge.bridge-nf-call-ip6tables=1 >/dev/null 2>&1 || _bridge_sysctl_ok=false
+
+      if ${_bridge_sysctl_ok} ; then
+         echo_done
+      else
+         echo_failed
+      fi
+
+   else
+      echo_skipped
+   fi
+fi
+


 # ------------- Fail2ban handling (do not stop/start; keep bans stable) -------------
@@ -292,54 +341,6 @@ else
 fi
 echo

-
-
-# -------------
-# --- Prevent bridged traffic getting pushed through the host's iptables rules
-# -------------
-
-echononl "\tDo not firewall bridged traffic"
-if $do_not_firewall_bridged_traffic ; then
-
-   # - Matches if the packet is being bridged and therefore is not being routed.
-   # - This is only useful in the FORWARD and POSTROUTING chains.
-   # -
-   $ip6t -I FORWARD -m physdev --physdev-is-bridged -j ACCEPT
-
-   # - Matches if the packet has entered through a bridge interface.
-   # -
-   $ip6t -I FORWARD -m physdev --physdev-is-in -j ACCEPT
-   # - Matches if the packet will leave through a bridge interface.
-   # -
-   $ip6t -I FORWARD -m physdev --physdev-is-out -j ACCEPT
-
-   echo_done
-else
-   echo_skipped
-fi
-echo
-
-
-# -------------
-# --- Do not firewall traffic from and to LX Gust Systems
-# -------------
-
-echononl "\tDo not firewall traffic from and to LX Gust Systems"
-if $do_not_firewall_lx_guest_systems && [[ ${#lxc_guest_ip_arr[@]} -gt 0 ]]; then
-
-   for _ip in ${lxc_guest_ip_arr[@]} ; do
-
-      $ip6t -I FORWARD -p all -d $_ip -j ACCEPT
-      $ip6t -I FORWARD -p all -s $_ip -j ACCEPT
-
-   done
-   echo_done
-else
-   echo_skipped
-fi
-echo
-
-
 # -------------
 # ---- Log given IP Addresses
 # -------------