bridge master not set automatically (affects firejail, qemu)

fau · 2021-08-18 03:51:28

Hello,

On my fresh Arch install (image 2021-07-01) the bridge master is not set automatically. This affects for example firejail and qemu such that the network is not functional (tun/tap/veth not connected to bridge). The network only becomes functional after I set the bridge master manually. I can neither observe this behavior on my older Arch install nor on my Fedora system. Of course all my systems are up-to-date.

I'll demonstrate this with firejail:

# terminal 1: create the bridge
ip link add br0 type bridge
ip addr add 172.16.1.1/24 dev br0
ip link set br0 up

# terminal 2: start firejail
firejail --net=br0 --ip=172.16.1.2 --noprofile

# terminal 2 (sandbox): ping fails
ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
From 172.16.1.2 icmp_seq=1 Destination Host Unreachable

# terminal 1: diagnose; master not set; why???
ip link show master br0 
# shows nothing

# terminal 1: fix; add master manually
ip link show type veth
5: veth7898eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP mode DEFAULT group default qlen 1000
    link/ether 5e:99:a1:8c:3a:c4 brd ff:ff:ff:ff:ff:ff link-netnsid 0
ip link set master br0 veth7898eth0

# terminal 1: verify
ip link show master br0
5: veth7898eth0@if2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP mode DEFAULT group default qlen 1000
    link/ether 5e:99:a1:8c:3a:c4 brd ff:ff:ff:ff:ff:ff link-netnsid 0

# terminal 2 (sandbox): ping succeeds
ping 172.16.1.1
PING 172.16.1.1 (172.16.1.1) 56(84) bytes of data.
64 bytes from 172.16.1.1: icmp_seq=1 ttl=64 time=0.058 ms

For some weird reason the bridge master is not set. I can observe the same with qemu. I made an install with the image in a VM and it shows the same behavior. On my other (older but up-to-date) Arch and Fedora systems the bridge master is properly set automatically.

What is causing this?

Lone_Wolf · 2021-08-18 10:46:26

https://wiki.archlinux.org/title/Networ … h_iproute2 does mention you have to add an interface to the bridge manually .

The output of ip link and bridge link after executing those first 3 commands from all systems (new arch, older arch, fedora ) might help to clarify the difference.

Welcome to Archlinux forums

fau · 2021-08-19 00:16:11

firejail adds itself to the bridge of course. I checked the source of firejail which delegates this task to the fnet utility (part of firejail).

If I'm not mistaken the code for this is to be found in src/fnet/interface.c:

#ifdef SIOCBRADDIF
        ifr.ifr_ifindex = ifindex;
        err = ioctl(sock, SIOCBRADDIF, &ifr);
        if (err < 0)
#endif
        {
                unsigned long args[4] = { BRCTL_ADD_IF, ifindex, 0, 0 };

                ifr.ifr_data = (char *) args;
                err = ioctl(sock, SIOCDEVPRIVATE, &ifr);
        }

We can confirm that this code is indeed called with strace:

strace -ff -o firejail -- firejail --net=br0 --ip=172.16.1.2 --noprofile

grep  'SIOCBRADDIF|SIOCDEVPRIVATE|create' *
firejail.2081:execveat(3, "", ["/usr/local/lib/firejail/fnet", "create", "veth", "veth2080eth0", "eth0", "br0", "2079"], 0x7fff72446790 /* 2 vars */, AT_EMPTY_PATH) = 0
firejail.2081:ioctl(3, SIOCBRADDIF, {ifr_ifindex=if_nametoindex("veth2080eth0")}) = 0

So firejail adds itself to the bridge without an error. However, for some reason this does not take effect on my new install. On my other systems it does take effect and works as intended (no need to set master manually). Like I mentioned before qemu shows the same defect on my new install so I don't believe this has anything to do with firejail in particular.

Arch Linux

#1 2021-08-18 03:51:28

bridge master not set automatically (affects firejail, qemu)

#2 2021-08-18 10:46:26

Re: bridge master not set automatically (affects firejail, qemu)

#3 2021-08-19 00:16:11

Re: bridge master not set automatically (affects firejail, qemu)

Board footer