Linux bridge leaking traffic of shutdown vms

Andrew

6/15/23, 9:24 PM

I've a linux bridge (br0) setup with netplan as the following:

  version: 2
  renderer: networkd
  ethernets:
    eno1:
      dhcp4: no
      dhcp6: no
  bridges:
    probr:
      interfaces:
        - eno1
      macaddress: ab:cd:ef:01:02:03
      addresses:
        - 51.x.y.z/24
      nameservers:
        addresses:
          - 8.8.8.8
          - 1.1.1.1
      parameters:
        stp: false
        forward-delay: 0
      dhcp4: no
      dhcp6: no
      routes:
        - to: 0.0.0.0/0
          via: 55.x.y.254
        - to: 55.x.y.z/28
          scope: link

I use libvirt virt-install with the network argument: virt-install ... --network type=bridge,source=br0,model=virtio,filterref=clean-traffic,mac=00:11:22:33:44:55

The network work as expected but what I've noticed is that if I have multiple VMs the traffic destined to a VM that is shut off will be broadcasted to all running VMs. This will leak information of connections. Is there any way to configure the bridge not to do this? Perhaps with ebtables? I've noticed that the following ebtables rule will work but I'm looking for something more generic as I don't know the interface name on beforehand (vnet1): ebtables -A FORWARD -p IPv4 --ip-destination 55.x.y.z -o ! vnet1 -j DROP Doing a filter on not to mac will not work as the IP and MAC is for the shutoff vm but the bridge still for some reasons decides to broadcast it.

0 + 0

bridge

libvirt

qemu

ebtables

Zoredache

6/16/23, 1:19 AM

`the traffic destined to a VM that is shut off will be broadcasted` - You need to elaborate. Is it just an ARP for the destination IP? The ARP would be from the local router, to try to locate a who has the IP, that wouldn't get reported back. Are you getting TCP packets with the SYN flag? That would mean you have something replying to the ARP somewhere, or you have a long ARP cache?. Is it UDP traffic?

Andrew

6/16/23, 2:16 AM

It's not only ARP traffic, it's TCP SYN packets and UDP. Any ip that routes to bridge but is either not yet allocated to a vm yet or the vm is shutdown will be seen inside the other vms when running tshark.

Andrew

6/16/23, 2:30 AM

About the ARP; I do have static arp routes set up for the running and shutdown vms, none for the not yet allocated. It does not seem to matter. No ARP entries that shouldn't be there.

Elon Musk

I sit in a Tesla and translated this thread with Ai:

EN: Linux bridge leaking traffic of shutdown vms

TH: Linux บริดจ์รั่วทราฟฟิกของการปิดระบบ vms

RO: Linux bridge scurge trafic de închidere vms

RU: Linux-мост пропускает трафик выключения vms

VI: Cầu Linux bị rò rỉ lưu lượng tắt máy vms

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.