[pve-devel] [PATCH v2 pve-firewall 0/2] ebtables: arp filtering

Alexandre Derumier aderumier at odiso.com
Sun Mar 10 08:25:05 CET 2019

This adds support for ARP filtering in ebtables.
We can't use ipset, so IPs need to be tested one by one in a separate chain.

The layer2_protocols test also needs to be done in a separate chain,
to be able to have the final accept in the tap chain.

net0: virtio=12:ED:5E:CE:7D:91,bridge=vmbr0,firewall=1,tag=100

enable: 1
layer2_protocols: ARP,IPX

[IPSET ipfilter-net0]
FE80::0202:B3FF:FE1E:8329    #will be excluded, as we don't have arp in ipv6

ebtables generated rules:

-A tap997i0-OUT -s ! 12:ed:5e:ce:7d:91 -j DROP
-A tap997i0-OUT -p ARP -j tap997i0-OUT-ARP
-A tap997i0-OUT -j tap997i0-OUT-PROTO
-A tap997i0-OUT -j ACCEPT

-A tap997i0-OUT-ARP -p ARP --arp-ip-src -j RETURN
-A tap997i0-OUT-ARP -p ARP --arp-ip-src -j RETURN
-A tap997i0-OUT-ARP -p ARP --arp-ip-src -j RETURN
-A tap997i0-OUT-ARP -j DROP

-A tap997i0-OUT-PROTO -p ARP -j RETURN
-A tap997i0-OUT-PROTO -p IPX -j RETURN
-A tap997i0-OUT-PROTO -j DROP

Changelog v2:

- code cleanup
- add support for filter-net ipset for lxc
- lxc: only filter main ip address if ipfilter option is enabled
- split the layer2_protocols change into a separate commit

Alexandre Derumier (2):
  ebtables: add arp filtering
  ebtables: test layer2_protocols in an external chain

 src/PVE/Firewall.pm | 50 +++++++++++++++++++++++++++++++++++++++++---------
 1 file changed, 41 insertions(+), 9 deletions(-)
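The chain layout described in the cover letter (a MAC check and dispatch in the tap chain, one RETURN per allowed IPv4 source in the ARP chain, one RETURN per allowed protocol in the PROTO chain, each followed by a DROP) can be reproduced with a small generator. The following Python is an added illustration, not code from the pve-firewall patches or from Firewall.pm; the interface name, MAC, ipset entries and the rule that an IPv6-only ipset makes every ARP frame hit the DROP are constructed assumptions for this example.

```python
import ipaddress

# Constructed example inputs (not taken from the patch series).
IFACE = "tap997i0"
MAC = "12:ED:5E:CE:7D:91"
IPSET = ["10.0.100.5", "10.0.100.6/32", "10.0.100.0/24",
         "FE80::0202:B3FF:FE1E:8329"]   # the IPv6 entry must be skipped
LAYER2_PROTOCOLS = ["ARP", "IPX"]


def arp_filterable(entry):
    """Return the IPv4 network for an ipset entry, or None for IPv6 entries.

    ARP only carries IPv4 addresses (IPv6 uses NDP instead), so IPv6 entries
    of the ipfilter set cannot be matched with --arp-ip-src and are dropped
    from the generated ARP chain.
    """
    net = ipaddress.ip_network(entry, strict=False)
    return net if net.version == 4 else None


def out_chain_rules(iface, mac, ipset, protocols):
    """Generate ebtables '-A' lines in the layout shown in the cover letter.

    <tap>-OUT        MAC check, dispatch ARP to <tap>-OUT-ARP, dispatch
                     everything to <tap>-OUT-PROTO, then the final ACCEPT
    <tap>-OUT-ARP    one RETURN per allowed IPv4 source, then DROP
    <tap>-OUT-PROTO  one RETURN per allowed layer-2 protocol, then DROP

    Assumption of this example: the ARP chain is emitted whenever an ipset
    is configured, so an ipset without any IPv4 entry drops all ARP frames.
    """
    out = f"{iface}-OUT"
    arp = f"{out}-ARP"
    proto = f"{out}-PROTO"
    rules = [f"-A {out} -s ! {mac.lower()} -j DROP"]

    ipv4 = [n for n in map(arp_filterable, ipset) if n is not None]
    if ipset:
        rules.append(f"-A {out} -p ARP -j {arp}")
    if protocols:
        rules.append(f"-A {out} -j {proto}")
    rules.append(f"-A {out} -j ACCEPT")

    # Without ebtables sets every allowed source becomes its own RETURN rule.
    for net in ipv4:
        if net.prefixlen == 32:
            target = str(net.network_address)
        else:
            target = net.with_prefixlen          # --arp-ip-src accepts addr/mask
        rules.append(f"-A {arp} -p ARP --arp-ip-src {target} -j RETURN")
    if ipset:
        rules.append(f"-A {arp} -j DROP")

    for p in protocols:
        rules.append(f"-A {proto} -p {p} -j RETURN")
    if protocols:
        rules.append(f"-A {proto} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in out_chain_rules(IFACE, MAC, IPSET, LAYER2_PROTOCOLS):
        print(rule)
```

Running it prints the same three-chain structure as the cover letter; the IPv6 entry never appears in the output, and the final ACCEPT stays in the tap chain because both sub-chains only RETURN or DROP.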