[pve-devel] [PATCH v2 pve-firewall 0/2] ebtables: arp filtering
Alexandre Derumier
aderumier at odiso.com
Sun Mar 10 08:25:05 CET 2019
This adds support for ARP filtering in ebtables.
We can't use ipset, so IPs need to be tested one by one in a separate chain.
The layer2_protocols test also needs to be done in a separate chain,
to be able to have the final accept in the tap chain.
997.conf
--------
net0: virtio=12:ED:5E:CE:7D:91,bridge=vmbr0,firewall=1,tag=100
997.fw
------
[OPTIONS]
enable: 1
layer2_protocols: ARP,IPX
[IPSET ipfilter-net0]
192.168.2.10
192.168.2.11
192.168.1.0/24
FE80::0202:B3FF:FE1E:8329 #will be excluded, as we don't have ARP in IPv6
ebtables generated rules:
------------------------
-A tap997i0-OUT -s ! 12:ed:5e:ce:7d:91 -j DROP
-A tap997i0-OUT -p ARP -j tap997i0-OUT-ARP
-A tap997i0-OUT -j tap997i0-OUT-PROTO
-A tap997i0-OUT -j ACCEPT
-A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.2.10 -j RETURN
-A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.2.11 -j RETURN
-A tap997i0-OUT-ARP -p ARP --arp-ip-src 192.168.1.0/24 -j RETURN
-A tap997i0-OUT-ARP -j DROP
-A tap997i0-OUT-PROTO -p ARP -j RETURN
-A tap997i0-OUT-PROTO -p IPX -j RETURN
-A tap997i0-OUT-PROTO -j DROP
Changelog v2:
- code cleanup
- add support for filter-net ipset for lxc
- lxc: only filter main ip address if ipfilter option is enabled
- split the layer2_protocols change in separate commit
Alexandre Derumier (2):
ebtables: add arp filtering
ebtables: test layer2_protocols in an external chain
src/PVE/Firewall.pm | 50 +++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 41 insertions(+), 9 deletions(-)
--
2.11.0
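As an added illustration (not part of this patch series or of Firewall.pm), a small Python generator that reproduces the rule set shown in the mail from the 997.conf/997.fw values: IPv6 ipset members are left out of the ARP chain, and the -ARP and -PROTO helper chains RETURN on a match so the final ACCEPT stays in the tap chain. The inputs are the constructed values from this mail; skipping a helper chain when its ipset or protocol list is empty is my assumption, not something the series states.

```python
import ipaddress

# Constructed inputs mirroring the 997.conf / 997.fw example in the mail.
VM_MAC = "12:ED:5E:CE:7D:91"
LAYER2_PROTOCOLS = ["ARP", "IPX"]
IPFILTER_NET0 = ["192.168.2.10", "192.168.2.11", "192.168.1.0/24",
                 "FE80::0202:B3FF:FE1E:8329"]


def arp_filter_entries(entries):
    """Keep only IPv4 entries: ARP carries IPv4 addresses, so IPv6 members
    of the ipset are excluded from the ARP chain."""
    keep = []
    for entry in entries:
        net = ipaddress.ip_network(entry, strict=False)
        if net.version != 4:
            continue
        # A single host is emitted without a /32 suffix, a prefix as-is.
        keep.append(str(net.network_address) if net.prefixlen == 32 else str(net))
    return keep


def ebtables_out_rules(tap, mac, ipset, protocols):
    """Build the <tap>-OUT chain plus its -ARP and -PROTO helper chains.
    Helper chains are only wired in when they have something to test
    (assumption, see lead-in); otherwise an empty chain would DROP everything."""
    out, arp, proto = f"{tap}-OUT", f"{tap}-OUT-ARP", f"{tap}-OUT-PROTO"
    arp_ips = arp_filter_entries(ipset)
    rules = [f"-A {out} -s ! {mac.lower()} -j DROP"]   # MAC spoofing guard
    if arp_ips:
        rules.append(f"-A {out} -p ARP -j {arp}")       # ARP source-IP check
    if protocols:
        rules.append(f"-A {out} -j {proto}")            # allowed L2 protocols
    rules.append(f"-A {out} -j ACCEPT")                 # final accept in tap chain
    for ip in arp_ips:
        rules.append(f"-A {arp} -p ARP --arp-ip-src {ip} -j RETURN")
    if arp_ips:
        rules.append(f"-A {arp} -j DROP")               # ARP from any other IP
    for p in protocols:
        rules.append(f"-A {proto} -p {p} -j RETURN")
    if protocols:
        rules.append(f"-A {proto} -j DROP")             # any other ethertype
    return rules
```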