[pve-devel] [PATCH v2 pve-firewall 2/2] ebtables: test layer2_protocols in an external chain
Alexandre Derumier
aderumier at odiso.com
Sun Mar 10 08:25:07 CET 2019
We need the not matching DROP outside the main tapchain,
in a specific proto chain, and an ACCEPT in the main tap chain.
Signed-off-by: Alexandre Derumier <aderumier at odiso.com>
---
src/PVE/Firewall.pm | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 33f558c..6ac3038 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3770,14 +3770,18 @@ sub generate_tap_layer2filter {
}
if (defined($options->{layer2_protocols})){
+ my $protochain = $tapchain."-PROTO";
+ ruleset_addrule($ruleset, $tapchain, '', "-j $protochain");
+ ruleset_create_chain($ruleset, $protochain);
+
foreach my $proto (split(/,/, $options->{layer2_protocols})) {
- ruleset_addrule($ruleset, $tapchain, "-p $proto", '-j ACCEPT');
+ ruleset_addrule($ruleset, $protochain, "-p $proto", '-j RETURN');
}
- ruleset_addrule($ruleset, $tapchain, '', "-j DROP");
- } else {
- ruleset_addrule($ruleset, $tapchain, '', '-j ACCEPT');
+ ruleset_addrule($ruleset, $protochain, '', '-j DROP');
}
+ ruleset_addrule($ruleset, $tapchain, '', '-j ACCEPT');
+
ruleset_addrule($ruleset, 'PVEFW-FWBR-OUT', "-i $iface", "-j $tapchain");
}
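Review bot: the jump into $protochain is inserted before the chain is created: `+ ruleset_addrule($ruleset, $tapchain, '', "-j $protochain");` comes ahead of `+ ruleset_create_chain($ruleset, $protochain);`. Swap those two lines so the chain is defined before it is referenced; as long as ruleset_addrule only validates the chain it appends to ($tapchain) this works, but it reads as a reference before definition and would start failing if the jump target were ever checked. A one-line comment above the new block would also help, since neither the hunk nor the commit message says why the per-protocol RETURN rules and the trailing DROP have to live in their own chain instead of in $tapchain as before; a later reader seeing the unconditional `-j ACCEPT` at the end of $tapchain will otherwise wonder whether the DROP was lost.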
--
2.11.0