[pve-devel] pve-firewall : ip6tables + ebtables v4
Stefan Priebe - Profihost AG
s.priebe at profihost.ag
Wed Jul 16 10:42:01 CEST 2014
On 16.07.2014 10:38, Alexandre DERUMIER wrote:
>>> i get the following ebtables:
>>>
>>> active layer2filters (ARP):
>>>
>>> Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT
>>> -s ! d2:d6:ce:ec:ae:b8 -j DROP
>>> -p ARP -j ACCEPT
>>> -j DROP
>>> -j ACCEPT
>>>
>>> This looks wrong (DROP / ACCEPT)
>
> I don't think it's a problem, you'll go to DROP, if you don't match layer2filter,
> and never go to the final accept.
>
>
> have you tested it?
Yes, it isn't, it just looks strange ;-)
Stefan
> ----- Original Message -----
>
> From: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>
> To: "Alexandre Derumier" <aderumier at odiso.com>, pve-devel at pve.proxmox.com
> Sent: Wednesday, 16 July 2014 10:31:15
> Subject: Re: [pve-devel] pve-firewall : ip6tables + ebtables v4
>
> Hi,
>
> On 16.07.2014 01:14, Alexandre Derumier wrote:
>> changelog:
>>
>> - clean all trailing whitespaces
>> - add remove_pvefw_chains for ip6tables (for firewall stop)
>> - add last stefan patch for ebtables mac parsing
>
> i get the following ebtables:
>
> active layer2filters (ARP):
>
> Bridge chain: tap102i0-OUT, entries: 4, policy: ACCEPT
> -s ! d2:d6:ce:ec:ae:b8 -j DROP
> -p ARP -j ACCEPT
> -j DROP
> -j ACCEPT
>
> This looks wrong (DROP / ACCEPT)
>
> no layer2filters:
>
> Bridge chain: tap103i0-OUT, entries: 2, policy: ACCEPT
> -s ! e:df:d:91:a8:60 -j DROP
> -j ACCEPT
>
> Stefan
>
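
The first-match evaluation discussed in this thread, as an added example that is not part of the original mails or of the pve-firewall code: a small Python model of the tap102i0-OUT listing that returns the verdict for a frame and reports which rules can never be reached. It handles only the `-s`, `-p` and `-j ACCEPT|DROP` forms shown in the listing, and all function names are made up for this illustration.

```python
import re

# Rule lines copied from the tap102i0-OUT listing quoted in this thread.
CHAIN = """\
-s ! d2:d6:ce:ec:ae:b8 -j DROP
-p ARP -j ACCEPT
-j DROP
-j ACCEPT
"""
# Only the rule shapes and targets seen in that listing are modelled.
RULE_RE = re.compile(
    r"^(?:-s (?P<neg>! )?(?P<mac>[0-9a-fA-F:]+) )?"
    r"(?:-p (?P<proto>\S+) )?-j (?P<target>ACCEPT|DROP)$")

def norm_mac(mac):
    # ebtables prints octets without leading zeros, so compare numerically.
    return tuple(int(o, 16) for o in mac.split(":"))

def parse_chain(text):
    rules = []
    for line in text.strip().splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            raise ValueError(f"unsupported rule: {line!r}")
        rules.append(m.groupdict())
    return rules

def matches(rule, src, proto):
    if rule["mac"] is not None:
        same = norm_mac(rule["mac"]) == norm_mac(src)
        if same == bool(rule["neg"]):  # "-s ! MAC" matches every other source
            return False
    if rule["proto"] is not None and rule["proto"].upper() != proto.upper():
        return False
    return True

def verdict(rules, src, proto, policy="ACCEPT"):
    """First matching rule decides; the chain policy applies only if none does."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, src, proto):
            return rule["target"], number
    return policy, None

def unreachable(rules):
    """Rule numbers that sit after an unconditional ACCEPT/DROP."""
    for number, rule in enumerate(rules, 1):
        if rule["mac"] is None and rule["proto"] is None:
            return list(range(number + 1, len(rules) + 1))
    return []
```

For this chain `unreachable(parse_chain(CHAIN))` reports rule 4, the trailing `-j ACCEPT`, and no frame ever falls through to the chain policy.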