[pve-devel] [RFC firewall 0/8] rebased ebtables patches
Wolfgang Bumiller
w.bumiller at proxmox.com
Wed Mar 28 10:53:23 CEST 2018
While on the one hand I'd like to move to nftables, and on the other
hand I like the idea of attaching xdp programs to interfaces for the
purpose of e.g. MAC filtering, we do still have this patch series around
which wasn't much work to rebase to the current code base and does its
job...
Back when the series was originally posted the issue was mostly the lack
of a (proper) ebtables package (missing ebtables-save/restore). We don't
have this problem anymore, so why not give this a go?
The changes I made to the patches I took off the list should be rather
obvious: openvz -> lxc, and replacing the hardcoded ethertype list with
reading /etc/ethertypes (which gets shipped with the ebtables package).
Some whitespace cleanup and I renamed 'layer2filter_protocols' to just
'layer2_protocols' (and avoided the generation of `-j DROP` followed by
`-j ACCEPT`).
(Oh and, patch 4 is actually unrelated, I just came across that while
adding the ethertypes file parsing...)
@Alexandre, @Stefan Priebe:
if you're still using the patches it might be good to
compare/check/update, not sure if you kept rebasing them?
Alexandre Derumier (2):
compile ebtables rules
apply ebtables_ruleset
Wolfgang Bumiller (6):
split parser out of get_etc_protocols
parse_protocol_file: support lines without end comments
add get_etc_ethertypes
/etc/services can also define 'sctp' services
avoid double spaces in ruleset_addrule
add ebtables dependency
debian/control | 3 +-
debian/example/100.fw | 3 +
src/PVE/Firewall.pm | 240 +++++++++++++++++++++++++++++++++++++---
src/PVE/Service/pve_firewall.pm | 14 ++-
4 files changed, 241 insertions(+), 19 deletions(-)
--
2.11.0
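For readers unfamiliar with the file the cover letter refers to, here is an added example (not code from the patch series or from PVE::Firewall) of what reading /etc/ethertypes instead of a hardcoded list involves. /etc/protocols and /etc/ethertypes share the line format "<name> <number> [alias ...] [# comment]"; the trailing comment is optional, which is exactly the case a strict parser misses (e.g. "X25 0805" has none). The function names and the sample lines below are constructed for this illustration; the real parse_protocol_file/get_etc_ethertypes in pve-firewall may differ.

```perl
#!/usr/bin/perl
# Added example, not code from the patch series or from PVE::Firewall.
# Parses the line format shared by /etc/protocols and /etc/ethertypes:
#
#     <name>  <number>  [alias ...]  [# comment]
#
# The trailing "# comment" is optional; a parser that requires it would
# silently drop entries such as "X25  0805" from /etc/ethertypes.
use strict;
use warnings;

# Parse a protocols/ethertypes-style file from filehandle $fh.
# $base is 10 for /etc/protocols (decimal numbers) and 16 for
# /etc/ethertypes (hex numbers). Returns { byname => {...}, bynum => {...} };
# byname keys are lowercased so that lookups are case-insensitive
# (a choice made here, not necessarily what pve-firewall does).
sub parse_protocol_file {
    my ($fh, $base) = @_;
    my $res = { byname => {}, bynum => {} };
    my $numre = $base == 16 ? qr/^[0-9a-fA-F]{1,4}$/ : qr/^\d+$/;

    while (defined(my $line = <$fh>)) {
        chomp $line;
        next if $line =~ /^\s*(?:#|$)/;    # blank or comment-only line

        # name, number, zero or more aliases, then an OPTIONAL '# comment'
        if ($line =~ /^\s*([^#\s]+)\s+([^#\s]+)((?:\s+[^#\s]+)*)\s*(?:#.*)?$/) {
            my ($name, $numtxt, $aliastxt) = ($1, $2, $3);
            if ($numtxt !~ $numre) {
                warn "bad number '$numtxt' in line: $line\n";
                next;
            }
            my $num = $base == 16 ? hex($numtxt) : $numtxt + 0;
            my @aliases = split(' ', $aliastxt);   # split(' ') ignores leading blanks

            $res->{byname}->{lc $name} = $num;
            $res->{byname}->{lc $_} = $num for @aliases;
            $res->{bynum}->{$num} //= $name;       # first name for a number wins
        } else {
            warn "unrecognized line: '$line'\n";
        }
    }
    return $res;
}

# Resolve a layer-2 protocol name to the hex form ebtables accepts after
# '-p' (ebtables also accepts names from /etc/ethertypes directly, but
# resolving here lets the caller reject unknown names before generating
# a rule). Returns undef for unknown names.
sub ebtables_proto_arg {
    my ($table, $name) = @_;
    my $num = $table->{byname}->{lc $name};
    return defined($num) ? sprintf('0x%04x', $num) : undef;
}

# Constructed sample in /etc/ethertypes syntax: a line with a comment,
# one without, and one whose comment is empty.
my $sample = <<'EOF';
# <name>    <hexnumber> <alias1>...<alias35> #Comment
IPv4        0800    ip ip4      # Internet IP (IPv4)
X25         0805
ARP         0806    ether-arp   #
IPv6        86DD    ip6         # IP version 6
EOF

open(my $fh, '<', \$sample) or die "open: $!";
my $ethertypes = parse_protocol_file($fh, 16);
close($fh);

for my $name (qw(ip6 X25 ether-arp bogus)) {
    my $arg = ebtables_proto_arg($ethertypes, $name);
    printf "%-10s -> %s\n", $name, defined($arg) ? $arg : '(unknown)';
}
```

The same function parses /etc/protocols when called with base 10, which is the point of splitting the parser out of a protocols-only reader: one loop, one regex, two files.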