[pve-devel] pve-firewall : ebtables

Alexandre DERUMIER aderumier at odiso.com
Tue Jul 15 12:42:54 CEST 2014


>>macfilter works even if the vm has firewall=0 

Currently, it's not true,

the tap chain (including mac filtering), is not generated if firewall=0


               next if !$net->{firewall};
                my $iface = "tap${vmid}i$1";

                my $macaddr = $net->{macaddr};
                generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
                                             $vmfw_conf, $vmid, 'IN', $ipversion);
                generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr,
                                             $vmfw_conf, $vmid, 'OUT', $ipversion);



>>So why do we want to filter macs if the admin disabled the whole firewall on the interface? 

But,yes, maybe it's more a permission problem.
(Maybe Stefan want to disallow user from remove mac filtering, but be able to manage the firewall ?)

----- Mail original ----- 

De: "Dietmar Maurer" <dietmar at proxmox.com> 
À: "Alexandre DERUMIER" <aderumier at odiso.com>, "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
Cc: pve-devel at pve.proxmox.com 
Envoyé: Mardi 15 Juillet 2014 12:32:35 
Objet: RE: [pve-devel] pve-firewall : ebtables 

> >>2.) Generally i would like to see the macfilter enabled for iptables 
> >>and ebtables even if the network card has firewall=0 but the vm has 
> >>firewall=1. Does this makes sense? 
> 
> Just send a patch. 

I am quit unsure if this makes sense. It works the opposite way: 

macfilter works even if the vm has firewall=0 

So why do we want to filter macs if the admin disabled the whole firewall on the interface? 


More information about the pve-devel mailing list