[pve-devel] pve-firewall : ebtables
Alexandre DERUMIER
aderumier at odiso.com
Tue Jul 15 17:26:30 CEST 2014
>>Problems spotted:
>>
>>1.) VM 102: I think it must be:
>>-s ! d2:d6:ce:ec:ae:b8 -j DROP
>>
>>otherwise a wrong mac sending ARP is allowed.
I had in mind to allow macfilter or|and layer2_protocol filter.
But it's a bug indeed, I'll rework my patch.
>>2.) for VM 103: we have now the situation that IPV4 and IPV6 are
>>generally allowed but ARP is not.
>>
>>How should this VM work without ARP? Or is the idea that if I enable the mac
>>filter I always have to add my protocols to layer2filter?
Should be related to the previous bug;
we should be able to define macfilter and layer2filter independently.
----- Original Mail -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Tuesday 15 July 2014 15:38:09
Subject: Re: [pve-devel] pve-firewall : ebtables
On 15.07.2014 14:57, Stefan Priebe - Profihost AG wrote:
> On 15.07.2014 11:35, Stefan Priebe - Profihost AG wrote:
>>
>> On 15.07.2014 10:48, Stefan Priebe - Profihost AG wrote:
>>>
>>> On 15.07.2014 06:39, Alexandre Derumier wrote:
>>>> Hi,
>>>> here the ebtables patches, details are in commits.
>>>>
>>>> Please comment, feel free to change and adapt them.
I've started with two VMs, one (102) having layer2filter_protocols set
to ARP.
The following filters get generated:
Bridge chain: tap102i0-OUT, entries: 3, policy: ACCEPT
-s d2:d6:ce:ec:ae:b8 -j CONTINUE
-p ARP -j ACCEPT
-j DROP
Bridge chain: tap103i0-OUT, entries: 2, policy: ACCEPT
-s e:df:d:91:a8:60 -j ACCEPT
-j DROP
I can adapt the code, I just want to know if I'm wrong or not.
Problems spotted:
1.) VM 102: I think it must be:
-s ! d2:d6:ce:ec:ae:b8 -j DROP
otherwise a wrong mac sending ARP is allowed.
2.) for VM 103: we have now the situation that IPV4 and IPV6 are
generally allowed but ARP is not.
How should this VM work without ARP? Or is the idea that if I enable the mac
filter I always have to add my protocols to layer2filter?
Stefan
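As an added illustration (not code from the patch series or from pve-firewall), the following Python model of an ebtables OUT chain reproduces the tap102i0-OUT chain quoted above and shows why it lets a foreign MAC send ARP, next to a chain that drops a wrong source MAC first (-s ! <mac> -j DROP) and builds the MAC filter and the layer-2 protocol filter independently. The chain_fixed generator and the spoofed MAC are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Model of an ebtables chain as used in the thread: a rule may match the
# source MAC (-s, optionally negated with "!") and/or the layer-2 protocol
# (-p). ACCEPT and DROP end evaluation, CONTINUE falls through, and the
# chain policy (ACCEPT for the tap*-OUT chains above) applies at the end.
@dataclass
class Rule:
    target: str                    # "ACCEPT", "DROP" or "CONTINUE"
    src_mac: Optional[str] = None  # -s <mac>
    negate_src: bool = False       # -s ! <mac>
    proto: Optional[str] = None    # -p ARP / IPv4 / IPv6

    def matches(self, mac: str, proto: str) -> bool:
        if self.src_mac is not None:
            if (mac.lower() == self.src_mac.lower()) == self.negate_src:
                return False
        return self.proto is None or self.proto.lower() == proto.lower()

    def render(self) -> str:
        parts = []
        if self.src_mac is not None:
            parts.append("-s " + ("! " if self.negate_src else "") + self.src_mac)
        if self.proto is not None:
            parts.append("-p " + self.proto)
        return " ".join(parts + ["-j", self.target])

def evaluate(chain: List[Rule], mac: str, proto: str, policy: str = "ACCEPT") -> str:
    for rule in chain:
        if rule.matches(mac, proto) and rule.target != "CONTINUE":
            return rule.target
    return policy  # nothing terminal matched: chain policy decides

def chain_as_generated(mac: str, protos: List[str]) -> List[Rule]:
    """The tap102i0-OUT chain quoted in the thread: the MAC rule only CONTINUEs."""
    return [Rule("CONTINUE", src_mac=mac)] + [Rule("ACCEPT", proto=p) for p in protos] + [Rule("DROP")]

def chain_fixed(mac: Optional[str], protos: List[str]) -> List[Rule]:
    """Hypothetical corrected chain (assumption, not the patch's code): a foreign
    source MAC is dropped first; an empty protocol list means no layer-2 filter."""
    chain = [Rule("DROP", src_mac=mac, negate_src=True)] if mac else []
    if protos:
        chain += [Rule("ACCEPT", proto=p) for p in protos] + [Rule("DROP")]
    return chain

VM102_MAC = "d2:d6:ce:ec:ae:b8"    # MAC of VM 102 from the thread
SPOOFED_MAC = "02:00:00:00:00:01"  # constructed sample value for a wrong MAC
```

Evaluating ARP from SPOOFED_MAC against chain_as_generated(VM102_MAC, ["ARP"]) returns ACCEPT, the behaviour Stefan reports, while chain_fixed drops it and still accepts any protocol from VM102_MAC when no protocol list is given.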