
I have a Linux bridge (br0) set up with netplan as follows:

network:  # required top-level key
  version: 2
  renderer: networkd
  ethernets:
    eno1:
      dhcp4: no
      dhcp6: no
  bridges:
    probr:
      interfaces:
        - eno1
      macaddress: ab:cd:ef:01:02:03
      addresses:
        - 51.x.y.z/24
      nameservers:
        addresses:
          - 8.8.8.8
          - 1.1.1.1
      parameters:
        stp: false
        forward-delay: 0
      dhcp4: no
      dhcp6: no
      routes:
        - to: 0.0.0.0/0
          via: 55.x.y.254
        - to: 55.x.y.z/28
          scope: link

I use libvirt virt-install with the network argument:

  virt-install ... --network type=bridge,source=br0,model=virtio,filterref=clean-traffic,mac=00:11:22:33:44:55

The network works as expected, but what I've noticed is that if I have multiple VMs, the traffic destined to a VM that is shut off will be broadcast to all running VMs. This will leak information about connections. Is there any way to configure the bridge not to do this? Perhaps with ebtables? I've noticed that the following ebtables rule will work, but I'm looking for something more generic as I don't know the interface name (vnet1) beforehand:

  ebtables -A FORWARD -p IPv4 --ip-destination 55.x.y.z -o ! vnet1 -j DROP

Filtering on "not this MAC" will not work, as the IP and MAC are for the shut-off VM, but the bridge still, for some reason, decides to broadcast it.

Andrew
  • `the traffic destined to a VM that is shut off will be broadcasted` - You need to elaborate. Is it just an ARP for the destination IP? The ARP would be from the local router, to try to locate who has the IP; that wouldn't get reported back. Are you getting TCP packets with the SYN flag? That would mean you have something replying to the ARP somewhere, or you have a long ARP cache. Is it UDP traffic? – Zoredache Feb 16 '22 at 01:19
  • It's not only ARP traffic; it's TCP SYN packets and UDP. Any IP that routes to the bridge but is either not yet allocated to a VM, or whose VM is shut down, will be seen inside the other VMs when running tshark. – Andrew Feb 16 '22 at 02:16
  • About the ARP: I do have static ARP routes set up for the running and shut-down VMs, none for the not-yet-allocated ones. It does not seem to matter. There are no ARP entries that shouldn't be there. – Andrew Feb 16 '22 at 02:30
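One generic way to handle this without knowing the vnetN name beforehand, as an added example that is neither the question's configuration nor an answer on this page: a libvirt qemu hook script (assumed to be installed as /etc/libvirt/hooks/qemu, which libvirt runs with the domain name, operation and sub-operation as arguments and the domain XML on stdin) that, once a guest reaches "started", turns off unknown-unicast flooding on that guest's tap port with the iproute2 `bridge` tool and pins the guest MAC as a static FDB entry. It uses the bridge port flag instead of ebtables; the function names and the sample XML in the comments are this example's own.

```shell
#!/bin/sh
# Added example (not from the question): libvirt qemu hook, assumed to be
# installed as /etc/libvirt/hooks/qemu. libvirt invokes it as
#   qemu <domain> <operation> <sub-operation> <extra>   with the domain XML on stdin.
# Requires the iproute2 'bridge' tool; function names are this example's own.
set -eu

# Print "<tap device> <guest MAC>" for every bridge-attached interface in the
# domain XML read from stdin. By the time the guest is "started", libvirt has
# filled in the real <target dev='vnetN'/> name, so nothing has to be known up front.
vm_ports() {
  awk '
    /<interface type=.bridge.>/ { in_if = 1; dev = ""; mac = "" }
    in_if && match($0, /<mac address=.[0-9a-fA-F:]+/) { mac = substr($0, RSTART + 14, RLENGTH - 14) }
    in_if && match($0, /<target dev=.[A-Za-z0-9_.-]+/) { dev = substr($0, RSTART + 13, RLENGTH - 13) }
    in_if && /<\/interface>/ { if (dev != "" && mac != "") print dev, mac; in_if = 0 }
  '
}

# Commands for one port: stop the bridge from flooding unknown-unicast frames to
# it (frames whose destination MAC is not in the FDB, e.g. a powered-off guest),
# and pin the guest MAC as a static FDB entry so the guest's own inbound traffic
# never depends on learning or on the default 300 s ageing timer.
# Broadcast (ARP) and multicast delivery are not changed by these flags.
port_commands() {  # $1 = tap device, $2 = guest MAC
  printf 'bridge link set dev %s flood off\n' "$1"
  printf 'bridge fdb replace %s dev %s master static\n' "$2" "$1"
}

# The port flag lives on the tap device, which libvirt recreates on every start,
# so it is re-applied each time the guest reaches "started".
main() {
  if [ "${2:-}" = started ] && [ "${3:-}" = begin ]; then
    vm_ports | while read -r dev mac; do
      port_commands "$dev" "$mac" | sh -e
    done
  fi
}

if [ "$#" -ge 3 ]; then main "$@"; fi
```

With every vnet port set to `flood off`, a unicast frame arriving from eno1 for a MAC that has no FDB entry (a shut-off guest) has no port left to be flooded to and is dropped by the bridge.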

0 Answers