[pve-devel] pve-firewall : ebtables

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Jul 15 14:57:28 CEST 2014


Am 15.07.2014 11:35, schrieb Stefan Priebe - Profihost AG:
> 
> Am 15.07.2014 10:48, schrieb Stefan Priebe - Profihost AG:
>>
>> Am 15.07.2014 06:39, schrieb Alexandre Derumier:
>>> Hi,
>>> here the ebtables patches, details are in commits.
>>>
>>> Please comment, feel free to change and adapt them.

I found a very crazy bug in ebtables-restore and save. If a MAC starts
with a 0 it simply removes it when running ebtables-save. So the
computation of the digest always fails.

Example:
# echo <<"END" | ebtables-restore
> *filter
> :INPUT ACCEPT
> :FORWARD ACCEPT
> :OUTPUT ACCEPT
> :PVEFW-FORWARD ACCEPT
> :PVEFW-FWBR-OUT ACCEPT
> :tap102i0-OUT ACCEPT
> :tap103i0-OUT ACCEPT
> -A FORWARD -j PVEFW-FORWARD
> -A PVEFW-FORWARD -p IPv4 -j ACCEPT
> -A PVEFW-FORWARD -p IPv6 -j ACCEPT
> -A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
> -A PVEFW-FWBR-OUT -i tap103i0 -j tap103i0-OUT
> -A PVEFW-FWBR-OUT -i tap102i0 -j tap102i0-OUT
> -A tap102i0-OUT -s d2:d6:ce:ec:ae:b8 -j CONTINUE
> -A tap102i0-OUT -p ARP -j ACCEPT
> -A tap102i0-OUT -j DROP
> -A tap103i0-OUT -s 0e:df:d:91:a8:60 -j ACCEPT
> -A tap103i0-OUT -j DROP
> END

# ebtables-save
# Generated by ebtables-save v1.0 on Tue Jul 15 14:55:51 CEST 2014
*filter
:INPUT ACCEPT
:FORWARD ACCEPT
:OUTPUT ACCEPT
:PVEFW-FORWARD ACCEPT
:PVEFW-FWBR-OUT ACCEPT
:tap102i0-OUT ACCEPT
:tap103i0-OUT ACCEPT
-A FORWARD -j PVEFW-FORWARD
-A PVEFW-FORWARD -p IPv4 -j ACCEPT
-A PVEFW-FORWARD -p IPv6 -j ACCEPT
-A PVEFW-FORWARD -o fwln+ -j PVEFW-FWBR-OUT
-A PVEFW-FWBR-OUT -i tap103i0 -j tap103i0-OUT
-A PVEFW-FWBR-OUT -i tap102i0 -j tap102i0-OUT
-A tap102i0-OUT -s d2:d6:ce:ec:ae:b8 -j CONTINUE
-A tap102i0-OUT -p ARP -j ACCEPT
-A tap102i0-OUT -j DROP
-A tap103i0-OUT -s e:df:d:91:a8:60 -j ACCEPT
-A tap103i0-OUT -j DROP

As you can see, -A tap103i0-OUT -s e:df:d:91:a8:60 -j ACCEPT no
longer starts with a leading 0.

Also ebtables -L does not list this 0. Any idea how to fix this?

Stefan
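One defensive way around the mismatch described in this mail is to canonicalize MAC addresses before hashing, so the digest no longer depends on how ebtables-save prints them. This is an added example, not code from pve-firewall or from the mail; it assumes the digest is a SHA-256 over the rule lines (the exact digest scheme is not given here), and the rule text below is a constructed sample.

```python
import hashlib
import re

# One MAC as ebtables prints it: each octet may be missing its leading zero.
_MAC = r"[0-9a-fA-F]{1,2}(?::[0-9a-fA-F]{1,2}){5}"
# A MAC (with optional /mask) given to -s/-d/--source/--destination,
# optionally negated with "!". Restricting the rewrite to these options
# keeps it from touching IPv6 addresses elsewhere on the line.
_MAC_ARG_RE = re.compile(
    rf"(?P<opt>-(?:s|d|-source|-destination)\s+(?:!\s+)?)"
    rf"(?P<mac>{_MAC})(?:/(?P<mask>{_MAC}))?\b"
)


def canonical_mac(mac: str) -> str:
    """Zero-pad every octet to two lowercase hex digits."""
    return ":".join(f"{int(octet, 16):02x}" for octet in mac.split(":"))


def normalize_rule(line: str) -> str:
    """Rewrite the MAC (and mask) of every -s/-d argument in canonical form."""
    def fix(m: re.Match) -> str:
        out = m.group("opt") + canonical_mac(m.group("mac"))
        if m.group("mask"):
            out += "/" + canonical_mac(m.group("mask"))
        return out
    return _MAC_ARG_RE.sub(fix, line)


def ruleset_digest(text: str) -> str:
    """Digest of an ebtables ruleset that is stable across save/restore."""
    h = hashlib.sha256()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # drop the 'Generated by' header
            continue
        h.update(normalize_rule(line).encode() + b"\n")
    return h.hexdigest()


# Constructed sample: the rules as fed to ebtables-restore, and the same
# rules as ebtables-save prints them back, with leading zeros dropped.
RESTORED = ("*filter\n:tap103i0-OUT ACCEPT\n"
            "-A tap103i0-OUT -s 0e:df:0d:91:a8:60 -j ACCEPT\n-A tap103i0-OUT -j DROP\n")
SAVED = ("# Generated by ebtables-save v1.0 on Tue Jul 15 14:55:51 CEST 2014\n"
         "*filter\n:tap103i0-OUT ACCEPT\n"
         "-A tap103i0-OUT -s e:df:d:91:a8:60 -j ACCEPT\n-A tap103i0-OUT -j DROP\n")

if __name__ == "__main__":
    print(ruleset_digest(RESTORED) == ruleset_digest(SAVED))  # True
```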


