[pve-devel] pve-firewall : ebtables

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Tue Jul 15 15:38:09 CEST 2014


On 15.07.2014 14:57, Stefan Priebe - Profihost AG wrote:
> On 15.07.2014 11:35, Stefan Priebe - Profihost AG wrote:
>>
>> On 15.07.2014 10:48, Stefan Priebe - Profihost AG wrote:
>>>
>>> On 15.07.2014 06:39, Alexandre Derumier wrote:
>>>> Hi,
>>>> here the ebtables patches, details are in commits.
>>>>
>>>> Please comment, feel free to change and adapt them.

I've started with two VMs, one of them (102) having layer2filter_protocols
set to ARP.

The following filters get generated:

Bridge chain: tap102i0-OUT, entries: 3, policy: ACCEPT
-s d2:d6:ce:ec:ae:b8 -j CONTINUE
-p ARP -j ACCEPT
-j DROP

Bridge chain: tap103i0-OUT, entries: 2, policy: ACCEPT
-s e:df:d:91:a8:60 -j ACCEPT
-j DROP

I can adapt the code, I just want to know if I'm wrong or not.

Problems spotted:

1.) VM 102: I think it must be:
-s ! d2:d6:ce:ec:ae:b8 -j DROP

otherwise a wrong mac sending ARP is allowed.

2.) For VM 103: we now have the situation that IPv4 and IPv6 are
generally allowed but ARP is not.

How should this VM work without ARP? Or is the idea that if I enable the MAC
filter I always have to add my protocols to layer2filter?

Stefan
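As an added illustration, not code from the patch series or from the mail above, here is a small Python model of ebtables chain evaluation run over the two VM 102 rule sets (the generated one and the `-s ! mac -j DROP` variant proposed in point 1); the spoofed source MAC and the frame dicts are constructed values, and the match semantics are simplified to source MAC and protocol.

```python
# Model of an ebtables filter chain: each rule is (match, target). A rule whose
# match fits the frame fires its target; CONTINUE falls through to the next
# rule; an empty match fits every frame; the chain policy decides if no rule
# terminates. This is an illustration only, not pve-firewall's generator.

def rule_matches(match: dict, frame: dict) -> bool:
    if "src_mac" in match:
        mac, negated = match["src_mac"]          # (mac, True) models "-s ! mac"
        same = frame["src_mac"].lower() == mac.lower()
        if same == negated:
            return False
    if "proto" in match and frame["proto"] != match["proto"]:
        return False
    return True

def evaluate(chain: list, frame: dict, policy: str = "ACCEPT") -> str:
    for match, target in chain:
        if rule_matches(match, frame):
            if target == "CONTINUE":             # -j CONTINUE: keep walking
                continue
            return target
    return policy

VM102_MAC = "d2:d6:ce:ec:ae:b8"                  # from the tap102i0-OUT listing

# tap102i0-OUT as generated: the MAC rule only CONTINUEs, so it never blocks.
GENERATED_102 = [
    ({"src_mac": (VM102_MAC, False)}, "CONTINUE"),   # -s d2:d6:ce:ec:ae:b8 -j CONTINUE
    ({"proto": "ARP"}, "ACCEPT"),                    # -p ARP -j ACCEPT
    ({}, "DROP"),                                    # -j DROP
]

# Variant from point 1: drop anything that is not from the VM's own MAC first.
PROPOSED_102 = [
    ({"src_mac": (VM102_MAC, True)}, "DROP"),        # -s ! d2:d6:ce:ec:ae:b8 -j DROP
    ({"proto": "ARP"}, "ACCEPT"),
    ({}, "DROP"),
]

# Constructed frames: ARP from the VM's real MAC and ARP from a forged MAC.
LEGIT_ARP = {"src_mac": VM102_MAC, "proto": "ARP"}
SPOOFED_ARP = {"src_mac": "00:11:22:33:44:55", "proto": "ARP"}

if __name__ == "__main__":
    for name, chain in (("generated", GENERATED_102), ("proposed", PROPOSED_102)):
        print(name, "legit ARP ->", evaluate(chain, LEGIT_ARP),
              "| spoofed ARP ->", evaluate(chain, SPOOFED_ARP))
```

With the generated chain the spoofed ARP frame reaches `-p ARP -j ACCEPT` and is accepted; with the negated MAC rule in front it is dropped while the VM's own ARP is still accepted.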
