Jonathan Tripathy a écrit : >> >>> I'm trying to set up ebtables on my Xen host. What I'm trying to do, is >>> make sure that each guest can only access the bridge on the xen host >>> using the "legal" mac address assigned to it. >>> >>> The 2 rules I'm using are this: >>> >>> ebtables -I FORWARD -d $legal_mac_of_guest -o $vif_of_guest -j ACCPET >>> ebtables -I FORWARD -s $legal_mac_of_guest -i $vif_of_guest -j ACCPET >>> >>> While the above 2 rules do allow normal IP traffic, they seem to block >>> ARP requests/replies working properly. >>> >> By allowing only the unicast host address as a destination, you block >> any broadcast and multicast traffic. ARP requests use broadcast, IPv6 >> neighbour discovery uses multicast. Note that IP broadcast and multicast >> traffic is also blocked. >> >> You must also allow broadcast/multicast addresses as a destination : >> >> ebtables -I FORWARD -d multicast -o $vif_of_guest -j ACCEPT > > Thanks for the reply. What I ended up doing was this: > > ebtables -I FORWARD -p ARP -o $vif_of_guest -j ACCPET > > The ARP-Reply (is-at) frame seems to have the source field set properly, > so no new rule was required to allow arp replies from the respective guest. > > Think that's safe enough? Be aware that it solves the problem only for ARP, but not for the other protocols that may use broadcast or multicast. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
