[pve-devel] pve-firewall : ip6tables + ebtables v4
Alexandre DERUMIER
aderumier at odiso.com
Wed Jul 16 10:38:46 CEST 2014
>>i get the following ebtables:
>>
>>active layer2filters (ARP):
>>
>>Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT
>>-s ! d2:d6:ce:ec:ae:b8 -j DROP
>>-p ARP -j ACCEPT
>>-j DROP
>>-j ACCEPT
>>
>>This looks wrong (DROP / ACCEPT)
I don't think it's a problem: you'll go to DROP if you don't match layer2filter,
and never go to the final accept.
Have you tested it?
----- Original Message -----
From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
Sent: Wednesday, 16 July 2014 10:31:15
Subject: Re: [pve-devel] pve-firewall : ip6tables + ebtables v4
Hi,
On 16.07.2014 01:14, Alexandre Derumier wrote:
> changelog:
>
> - clean all trailing whitespaces
> - add remove_pvefw_chains for ip6tables (for firewall stop)
> - add last stefan patch for ebtables mac parsing
I get the following ebtables:

active layer2filters (ARP):

Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT
-s ! d2:d6:ce:ec:ae:b8 -j DROP
-p ARP -j ACCEPT
-j DROP
-j ACCEPT

This looks wrong (DROP / ACCEPT)

no layer2filters:

Bridge chain: tap103i0-OUT, entries: 2, policy: ACCEPT
-s ! e:df:d:91:a8:60 -j DROP
-j ACCEPT

Stefan
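
An added example, not part of either message and not pve-firewall code: a small first-match evaluator for the rule syntax in the two listings above, reporting which rule decides a frame and which rules can never be reached. It assumes ACCEPT and DROP are the only targets, models a frame as a (source MAC, protocol name) pair, and all function names are hypothetical.

```python
TERMINAL = {"ACCEPT", "DROP"}  # assumption: only the two targets seen in the thread

def parse_mac(text):
    """Return a 6-tuple of ints; ebtables may print octets without leading zeros."""
    octets = text.split(":")
    if len(octets) != 6:
        raise ValueError(f"bad MAC: {text!r}")
    return tuple(int(o, 16) for o in octets)

def parse_rule(line):
    """Parse the subset used in the thread: -s [!] MAC, -p PROTO, -j TARGET."""
    rule = {"src": None, "negate": False, "proto": None, "target": None}
    tokens = iter(line.split())
    for tok in tokens:
        if tok == "-s":
            val = next(tokens)
            if val == "!":
                rule["negate"], val = True, next(tokens)
            rule["src"] = parse_mac(val)
        elif tok == "-p":
            rule["proto"] = next(tokens).upper()
        elif tok == "-j":
            rule["target"] = next(tokens)
        else:
            raise ValueError(f"unsupported token: {tok!r}")
    if rule["target"] not in TERMINAL:
        raise ValueError(f"unsupported target in: {line!r}")
    return rule

def rule_matches(rule, src, proto):
    """A rule with no -s and no -p matches every frame."""
    if rule["src"] is not None and (parse_mac(src) == rule["src"]) == rule["negate"]:
        return False
    return rule["proto"] is None or rule["proto"] == proto.upper()

def verdict(lines, policy, src, proto):
    """Return (target, 1-based index of the deciding rule); index is None if policy decided."""
    for n, rule in enumerate(map(parse_rule, lines), 1):
        if rule_matches(rule, src, proto):
            return rule["target"], n
    return policy, None

def unreachable(lines):
    """1-based indexes of rules that follow an unconditional terminal rule."""
    rules = [parse_rule(line) for line in lines]
    for n, rule in enumerate(rules, 1):
        if rule["src"] is None and rule["proto"] is None:
            return list(range(n + 1, len(rules) + 1))
    return []

# Rule listings copied from the thread.
TAP102_OUT = ["-s ! d2:d6:ce:ec:ae:b8 -j DROP", "-p ARP -j ACCEPT", "-j DROP", "-j ACCEPT"]
TAP103_OUT = ["-s ! e:df:d:91:a8:60 -j DROP", "-j ACCEPT"]
```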