[pve-devel] [PATCH] ebtables: drop packets from wrong mac addresses - instead of ACCEPT / CONTINUE. Only DROP by default if layer2filter_protocols is set
Stefan Priebe
s.priebe at profihost.ag
Tue Jul 15 15:42:59 CEST 2014
Signed-off-by: Stefan Priebe <s.priebe at profihost.ag>
---
src/PVE/Firewall.pm | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 9511c13..81487a5 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3278,9 +3278,7 @@ sub generate_tap_layer2filter {
ruleset_create_chain($ruleset, $tapchain);
if (defined($macaddr) && !(defined($options->{macfilter}) && $options->{macfilter} == 0)) {
- $filter_enabled = 1;
- my $target = (defined($options->{layer2filter_protocols})) ? "CONTINUE" : "ACCEPT";
- ruleset_addrule($ruleset, $tapchain, "-s $macaddr -j $target");
+ ruleset_addrule($ruleset, $tapchain, "-s ! $macaddr -j DROP");
}
if (defined($options->{layer2filter_protocols})){
--
1.7.10.4
More information about the pve-devel
mailing list