[pve-devel] pve-firewall: dhcp snooping

Alexandre DERUMIER aderumier at odiso.com
Thu Jun 5 07:44:12 CEST 2014


>>something like: 
>>
>>-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
>>-A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 

I can make a patch if you want.

----- Original Message ----- 

From: "Dietmar Maurer" <dietmar at proxmox.com> 
To: "Stefan Priebe - Profihost AG" <s.priebe at profihost.ag>, "Alexandre DERUMIER" <aderumier at odiso.com> 
Cc: pve-devel at pve.proxmox.com 
Sent: Wednesday, June 4, 2014 14:50:53 
Subject: RE: [pve-devel] pve-firewall: dhcp snooping 

> > The 'allowed_ips' ipset idea is very easy to implement ... 
> > 
> 
> OK so adding option IP to each netX. 

No, I am talking about an IPSet defined inside the <VMID>.fw file. 

> Just don't know how to implement the 
> firewall rule to only allow packets from this MAC and IP combination. 

something like: 

-A tap100i0-OUT -m mac ! --mac-source 0E:0B:38:B8:B3:21 -j DROP # we already have this 
-A tap100i0-OUT -m set ! --match-set PVEFW-100-allowed-ips src -j DROP 
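
The rule pair sketched above, as an added example that is not part of the thread or of pve-firewall's code: it renders the ipset and iptables lines for one guest interface and models which outgoing packets the two DROP rules let through. The function names, the `hash:net` set type and the 192.0.2.x addresses are assumptions made for illustration.

```python
import ipaddress

IPSET_MAXNAMELEN = 31  # ipset rejects set names longer than 31 characters


def build_rules(vmid, iface, mac, allowed_ips):
    """Return (ipset_lines, iptables_lines) for one guest interface.

    ipset_lines are in `ipset restore` format and must be loaded first:
    iptables refuses a --match-set rule that names a missing set.
    """
    set_name = f"PVEFW-{vmid}-allowed-ips"
    if len(set_name) > IPSET_MAXNAMELEN:
        raise ValueError(f"ipset name too long: {set_name}")
    # strict=True rejects entries with host bits set (e.g. 192.0.2.10/24),
    # which would otherwise silently allow a whole subnet.
    nets = [ipaddress.ip_network(ip, strict=True) for ip in allowed_ips]
    if any(n.version != 4 for n in nets):
        raise ValueError("this sketch handles IPv4 only")
    ipset_lines = [f"create {set_name} hash:net family inet"]
    ipset_lines += [f"add {set_name} {n}" for n in nets]
    chain = f"{iface}-OUT"
    iptables_lines = [
        f"-A {chain} -m mac ! --mac-source {mac.upper()} -j DROP",
        f"-A {chain} -m set ! --match-set {set_name} src -j DROP",
    ]
    return ipset_lines, iptables_lines


def verdict(packet, mac, allowed_ips):
    """Model the two DROP rules for a packet leaving the guest."""
    if packet["mac"].upper() != mac.upper():
        return "DROP"      # rule 1: source MAC is not the guest's MAC
    src = ipaddress.ip_address(packet["src"])
    if not any(src in ipaddress.ip_network(n) for n in allowed_ips):
        return "DROP"      # rule 2: source IP is not in the allowed set
    return "CONTINUE"      # falls through to the rest of the chain


if __name__ == "__main__":
    MAC = "0E:0B:38:B8:B3:21"                  # MAC from the thread
    ALLOWED = ["192.0.2.10", "192.0.2.32/28"]  # constructed sample entries
    ipset_lines, iptables_lines = build_rules(100, "tap100i0", MAC, ALLOWED)
    print("\n".join(ipset_lines + iptables_lines))
    for pkt in ({"mac": MAC, "src": "192.0.2.10"},    # legitimate
                {"mac": MAC, "src": "192.0.2.99"}):   # spoofed source IP
        print(pkt["src"], verdict(pkt, MAC, ALLOWED))
```
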


