[pve-devel] [PATCH] ebtables: DROP packets from wrong MAC addresses instead of ACCEPT / CONTINUE; only DROP by default if layer2filter_protocols is set

Stefan Priebe s.priebe at profihost.ag
Tue Jul 15 15:42:59 CEST 2014


Signed-off-by: Stefan Priebe <s.priebe at profihost.ag>
---
 src/PVE/Firewall.pm |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 9511c13..81487a5 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3278,9 +3278,7 @@ sub generate_tap_layer2filter {
 
     ruleset_create_chain($ruleset, $tapchain);
     if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
-	    $filter_enabled = 1;
-	    my $target = (defined($options->{layer2filter_protocols})) ? "CONTINUE" : "ACCEPT";
-	    ruleset_addrule($ruleset, $tapchain, "-s $macaddr -j $target");
+	    ruleset_addrule($ruleset, $tapchain, "-s ! $macaddr -j DROP");
     }
 
     if (defined($options->{layer2filter_protocols})){
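Review bot: The removed lines also set `$filter_enabled = 1;`, and the new `-s ! $macaddr -j DROP` rule does not restore it; if `$filter_enabled` is what the rest of generate_tap_layer2filter uses to decide whether the tap chain gets attached, MAC filtering is now generated but never hooked in when layer2filter_protocols is not set, which silently reopens MAC spoofing from the guest. I would keep `$filter_enabled = 1;` on the line before `ruleset_addrule($ruleset, $tapchain, "-s ! $macaddr -j DROP");`, or otherwise show where the chain is attached unconditionally. The inverted match `-s ! $macaddr` also deserves a short comment, e.g. `# anything not sourced from the VM's own MAC is spoofed -> DROP; matching frames fall through to the protocol filter below`. The enclosing sub begins and ends outside this hunk, so the later use of `$filter_enabled` cannot be confirmed from here.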
-- 
1.7.10.4


