[pve-devel] pve-firewall : ip6tables + ebtables v4

Alexandre DERUMIER aderumier at odiso.com
Wed Jul 16 10:38:46 CEST 2014


>>i get the following ebtables:
>>
>>active layer2filters (ARP):
>>
>>Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT
>>-s ! d2:d6:ce:ec:ae:b8 -j DROP
>>-p ARP -j ACCEPT
>>-j DROP
>>-j ACCEPT
>>
>>This looks wrong (DROP / ACCEPT)

I don't think it's a problem, you'll go to DROP, if you don't match layer2filter,
and never go to the final accept.


do you have tested it ?




----- Mail original ----- 

De: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag> 
À: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com 
Envoyé: Mercredi 16 Juillet 2014 10:31:15 
Objet: Re: [pve-devel] pve-firewall : ip6tables + ebtables v4 

Hi, 

Am 16.07.2014 01:14, schrieb Alexandre Derumier: 
> changelog: 
> 
> - clean all trailing whitespaces 
> - add remove_pvefw_chains for ip6tables (for firewall stop) 
> - add last stefan patch for ebtables mac parsing 

i get the following ebtables: 

active layer2filters (ARP): 

Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT 
-s ! d2:d6:ce:ec:ae:b8 -j DROP 
-p ARP -j ACCEPT 
-j DROP 
-j ACCEPT 

This looks wrong (DROP / ACCEPT) 

no layer2filters: 

Bridge chain: tap103i0-OUT, entries: 2, policy: ACCEPT 
-s ! e:df:d:91:a8:60 -j DROP 
-j ACCEPT 

Stefan 


More information about the pve-devel mailing list