[pve-devel] applied: [PATCH v2 pve-firewall 0/2] ebtables: arp filtering
Thomas Lamprecht
t.lamprecht at proxmox.com
Tue Mar 12 11:51:24 CET 2019
On 3/10/19 8:25 AM, Alexandre Derumier wrote:
> This adds support for ARP filtering in ebtables.
> We can't use ipset, so IPs need to be tested one by one in a separate chain.
>
> The layer2_protocols test also needs to be done in a separate chain,
> to be able to have the final accept in the tap chain.
>
>
applied series, thanks!
>
>
> 997.conf
> --------
> net0: virtio=12:ED:5E:CE:7D:91,bridge=vmbr0,firewall=1,tag=100
>
> 997.fw
> ------
> [OPTIONS]
> enable: 1
> layer2_protocols: ARP,IPX
>
> [IPSET ipfilter-net0]
>
> 192.168.2.10
> 192.168.2.11
> 192.168.1.0/24
> FE80::0202:B3FF:FE1E:8329 # will be excluded, as we don't have ARP in IPv6
>
>
> ebtables generated rules:
> -------------------------
>
> -A tap997i0-OUT -s ! 12:ed:5e:ce:7d:91 -j DROP
> -A tap997i0-OUT -p ARP -j tap997i0-OUT-ARP
> -A tap997i0-OUT -j tap997i0-OUT-PROTO
> -A tap997i0-OUT -j ACCEPT
>
> -A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.2.10 -j RETURN
> -A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.2.11 -j RETURN
> -A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.1.0/24 -j RETURN
> -A tap997i0-OUT-ARP -j DROP
>
> -A tap997i0-OUT-PROTO -p ARP -j RETURN
> -A tap997i0-OUT-PROTO -p IPX -j RETURN
> -A tap997i0-OUT-PROTO -j DROP
>
>
> Changelog v2:
>
> - code cleanup
> - add support for filter-net ipset for lxc
> - lxc: only filter main ip address if ipfilter option is enable
> - split the layer2_protocols change in separate commit
>
>
>
> Alexandre Derumier (2):
> ebtables: add arp filtering
> ebtables: test layer2_protocols in an external chain
>
> src/PVE/Firewall.pm | 50 +++++++++++++++++++++++++++++++++++++++++---------
> 1 file changed, 41 insertions(+), 9 deletions(-)
>
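The cover letter above shows the chain layout that the series generates: a MAC lock on the tap OUT chain, a per-IP ARP source chain that RETURNs on an allowed address and DROPs otherwise, and a separate layer2_protocols chain so the tap chain can end in a single ACCEPT. The following is an added example (not the Firewall.pm code from the series) that rebuilds that layout from the 997.conf/997.fw values quoted above and then walks a few constructed frames through the chains with ebtables jump/RETURN semantics, so the anti-spoofing effect can be checked offline. The interface name `tap997i0`, the sample ipset body and the frame dicts are taken from or modelled on the listing; the rule-string format mirrors the quoted `ebtables` output. Only the ARP and IPX entries shown on the page are modelled; how the real firewall treats IPv4/IPv6 frames at layer 2 is outside this example.

```python
"""Rebuild the tap OUT / OUT-ARP / OUT-PROTO ebtables chains from the quoted
pve-firewall example and evaluate frames against them.  Added example, not
the project's own code; chain names and rule strings follow the cover letter."""
import ipaddress

# Constructed input, copied from the 997.fw [IPSET ipfilter-net0] body above.
SAMPLE_IPSET = [
    "",
    "192.168.2.10",
    "192.168.2.11",
    "192.168.1.0/24",
    "FE80::0202:B3FF:FE1E:8329 # will be excluded, as we don't have ARP in IPv6",
]


def parse_ipset(lines):
    """Return the IPv4 networks of an ipset body.  Comments are stripped and
    IPv6 entries are dropped: ARP carries no IPv6 address, so --arp-ip-src
    cannot match them (this is the exclusion the cover letter mentions)."""
    nets = []
    for line in lines:
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        net = ipaddress.ip_network(entry, strict=False)
        if net.version == 4:
            nets.append(net)
    return nets


def build_chains(iface, mac, ipset_lines, layer2_protocols):
    """Return {chain: [(match, target)]} in the order the page lists them.
    match is a dict of ebtables conditions; an empty dict matches everything."""
    base, arp, proto = f"{iface}-OUT", f"{iface}-OUT-ARP", f"{iface}-OUT-PROTO"
    nets = parse_ipset(ipset_lines)
    protos = [p.strip() for p in layer2_protocols.split(",") if p.strip()]
    chains = {base: [({"src_mac_not": mac.lower()}, "DROP")]}  # MAC lock
    if nets:
        chains[base].append(({"proto": "ARP"}, arp))
        chains[arp] = [({"proto": "ARP", "arp_ip_src": n}, "RETURN") for n in nets]
        chains[arp].append(({}, "DROP"))  # unknown ARP source IP: drop
    if protos:
        chains[base].append(({}, proto))
        chains[proto] = [({"proto": p}, "RETURN") for p in protos]
        chains[proto].append(({}, "DROP"))  # protocol not whitelisted: drop
    chains[base].append(({}, "ACCEPT"))  # the single final accept in the tap chain
    return chains


def render(chains):
    """Render the chains as `ebtables -A` lines in the page's format."""
    out = []
    for chain, rules in chains.items():
        for match, target in rules:
            parts = [f"-A {chain}"]
            if "src_mac_not" in match:
                parts.append(f"-s ! {match['src_mac_not']}")
            if "proto" in match:
                parts.append(f"-p {match['proto']}")
            if "arp_ip_src" in match:
                n = match["arp_ip_src"]
                parts.append(f"--arp-ip-src {n.network_address if n.prefixlen == 32 else n}")
            parts.append(f"-j {target}")
            out.append(" ".join(parts))
    return out


def matches(match, frame):
    """Does a constructed frame dict satisfy every condition of a rule?"""
    if "src_mac_not" in match and frame["src_mac"].lower() == match["src_mac_not"]:
        return False
    if "proto" in match and frame.get("proto") != match["proto"]:
        return False
    if "arp_ip_src" in match:
        ip = frame.get("arp_ip_src")
        if ip is None or ipaddress.ip_address(ip) not in match["arp_ip_src"]:
            return False
    return True


def _walk(chains, chain, frame):
    """Walk one chain like ebtables: terminal targets end evaluation,
    RETURN pops back to the caller, any other target is a user chain jump."""
    for match, target in chains[chain]:
        if not matches(match, frame):
            continue
        if target in ("ACCEPT", "DROP"):
            return target
        if target == "RETURN":
            return None
        sub = _walk(chains, target, frame)
        if sub is not None:
            return sub
    return None


def outbound_verdict(chains, iface, frame):
    """Verdict for a frame leaving the guest on its tap interface."""
    return _walk(chains, f"{iface}-OUT", frame) or "ACCEPT"


if __name__ == "__main__":
    chains = build_chains("tap997i0", "12:ED:5E:CE:7D:91", SAMPLE_IPSET, "ARP,IPX")
    print("\n".join(render(chains)))
```

The evaluator is the useful part for review: a guest ARP reply claiming an address outside its ipset ends in `OUT-ARP`'s final DROP, a frame with a foreign source MAC never gets past the first rule, and a legitimate ARP or IPX frame RETURNs out of both sub-chains and reaches the tap chain's ACCEPT.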