Commit c8da063e authored by David Johnson

Change Linux firewall bridge STP to off, and stop it from fwding BPDUs.

Given that in an Emulab per-experiment firewall, there is only one
switch port in the experiment that is in the default control net vlan
(the firewalled nodes' ports are only in the per-experiment private
control net vlan), there is no risk of a control net loop, so it is safe
to turn off STP for the firewall's control net bridge.

However, when STP is off, Linux then seems to forward BPDUs across the
bridge (i.e. https://lists.linuxfoundation.org/pipermail/bridge/2007-April/005406.html),
which we don't want.  They intended it to support transparent bridges,
but this is not a transparent bridge, and there is no risk of it causing
a loop scenario.
parent fe371963
......@@ -1470,7 +1470,10 @@ sub os_fwconfig_line($@) {
$upline .= "vconfig add $pdev $vlanno > /dev/null\n";
$upline .= "ifconfig $vlandev up\n";
$upline .= "brctl addbr br0\n";
$upline .= "brctl stp br0 on\n";
$upline .= "brctl stp br0 off\n";
$upline .= "ebtables -A FORWARD -d BGA --stp-type 0x0 -j DROP\n";
$upline .= "ebtables -A FORWARD -d BGA --stp-type 0x80 -j DROP\n";
$upline .= "ebtables -A FORWARD -d BGA --stp-type 0x02 -j DROP\n";
$upline .= "ifconfig br0 up\n";
#
# This is very, very messy. We have to save the
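Review bot: the three ebtables rules drop only BPDU types 0x0 (config), 0x80 (TCN) and 0x02 (RST); since the stated goal is that the firewall bridge never forwards BPDUs at all, a single `ebtables -A FORWARD -d BGA -j DROP` without `--stp-type` would cover every frame to the bridge group address, including any type not listed, and would be easier to reason about than three enumerated cases. If the per-type rules are kept, the named aliases `config` and `tcn` that ebtables accepts for `--stp-type` would read more clearly than the raw hex values, and a short comment in `$upline` next to `brctl stp br0 off` recording why STP is now off and why the DROP rules are needed would save the next reader a trip to the commit log.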