[pve-devel] pve-firewall : ip6tables + ebtables v4

Stefan Priebe - Profihost AG s.priebe at profihost.ag
Wed Jul 16 10:42:01 CEST 2014


On 16.07.2014 10:38, Alexandre DERUMIER wrote:
>>> I get the following ebtables:
>>>
>>> active layer2filters (ARP):
>>>
>>> Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT
>>> -s ! d2:d6:ce:ec:ae:b8 -j DROP
>>> -p ARP -j ACCEPT
>>> -j DROP
>>> -j ACCEPT
>>>
>>> This looks wrong (DROP / ACCEPT)
> 
> I don't think it's a problem, you'll go to DROP, if you don't match layer2filter,
> and never go to the final accept.
> 
> 
> Have you tested it?

Yes, it isn't, it just looks strange ;-)

Stefan


> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
> Sent: Wednesday 16 July 2014 10:31:15
> Subject: Re: [pve-devel] pve-firewall : ip6tables + ebtables v4
> 
> Hi, 
> 
> On 16.07.2014 01:14, Alexandre Derumier wrote:
>> changelog: 
>>
>> - clean all trailing whitespaces 
>> - add remove_pvefw_chains for ip6tables (for firewall stop) 
>> - add last Stefan patch for ebtables mac parsing
>
> I get the following ebtables:
> 
> active layer2filters (ARP): 
> 
> Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT 
> -s ! d2:d6:ce:ec:ae:b8 -j DROP 
> -p ARP -j ACCEPT 
> -j DROP 
> -j ACCEPT 
> 
> This looks wrong (DROP / ACCEPT) 
> 
> no layer2filters: 
> 
> Bridge chain: tap103i0-OUT, entries: 2, policy: ACCEPT 
> -s ! e:df:d:91:a8:60 -j DROP 
> -j ACCEPT 
> 
> Stefan 
> 
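
Added example, not part of the thread or of pve-firewall: a small Python model of first-match chain evaluation over the tap102i0-OUT listing quoted above, showing which frames are accepted and that the trailing ACCEPT is never reached. The function names and the frame dictionary are assumptions, and only the two match forms that appear in the listing are handled.

```python
import re

# Constructed sample: the tap102i0-OUT listing quoted in the thread.
LISTING = """\
Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT
-s ! d2:d6:ce:ec:ae:b8 -j DROP
-p ARP -j ACCEPT
-j DROP
-j ACCEPT
"""
TERMINAL = {"ACCEPT", "DROP"}

def parse_chain(text):
    """Return (name, policy, [(match, target), ...]) for one listed chain."""
    lines = [l.strip() for l in text.strip().splitlines()]
    head = re.match(r"Bridge chain: (\S+), entries: \d+, policy: (\S+)", lines[0])
    rules = []
    for line in lines[1:]:
        match, _, target = line.rpartition("-j ")
        rules.append((match.strip(), target.strip()))
    return head.group(1), head.group(2), rules

def unreachable_rules(rules):
    """Rules after the first unconditional ACCEPT/DROP are never evaluated."""
    for i, (match, target) in enumerate(rules):
        if not match and target in TERMINAL:
            return rules[i + 1:]
    return []

def matches(match, frame):
    """Handle only the match forms seen in the thread: -s [!] MAC and -p PROTO."""
    tokens = match.split()
    if not tokens:
        return True
    if tokens[0] == "-s":
        same = frame["src"].lower() == tokens[-1].lower()
        return same != (tokens[1] == "!")
    if tokens[0] == "-p":
        return frame["proto"].upper() == tokens[1].upper()
    raise ValueError(f"unsupported match: {match}")

def verdict(policy, rules, frame):
    """First matching ACCEPT/DROP rule decides; policy applies only if none match."""
    for match, target in rules:
        if target in TERMINAL and matches(match, frame):
            return target
    return policy
```
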

