On 27/06/10 00:17, Pascal Hambourg wrote:
Hello,
Jonathan Tripathy a écrit :
I'm trying to set up ebtables on my Xen host. What I'm trying to do, is
make sure that each guest can only access the bridge on the xen host
using the "legal" mac address assigned to it.
The 2 rules I'm using are this:
ebtables -I FORWARD -d $legal_mac_of_guest -o $vif_of_guest -j ACCPET
ebtables -I FORWARD -s $legal_mac_of_guest -i $vif_of_guest -j ACCPET
Note : s/ACCPET/ACCEPT/
While the above 2 rules do allow normal IP traffic, they seem to block
ARP requests/replies working properly.
By allowing only the unicast host address as a destination, you block
any broadcast and multicast traffic. ARP requests use broadcast, IPv6
neighbour discovery uses multicast. Note that IP broadcast and multicast
traffic is also blocked.
You must also allow broadcast/multicast addresses as a destination :
ebtables -I FORWARD -d multicast -o $vif_of_guest -j ACCEPT
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Thanks for the reply. What I ended up doing was this:
ebtables -I FORWARD -p ARP -o $vif_of_guest -j ACCPET
The ARP-Reply (is-at) frame seems to have the source field set properly,
so no new rule was required to allow arp replies from the respective guest.
Think that's safe enough?
Thanks
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
