Hi Everyone,
I'm just trailing out ipv6 on my network. Currently, all my bridge ports
are protected from MAC address spoofing by using ebtables:
/usr/local/sbin/ebtables -I FORWARD -p ARP -o "$vif" -j ACCEPT
/usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j ACCEPT
/usr/local/sbin/ebtables -I FORWARD -o "$vif" -d "$mac" -j ACCEPT
As you can see above, I allow all ARP packets to flow to the host
(who-has). This allows ARP resolution to work. Is-at works at the source
MAC address is set in the frame.
However, adding IPv6 to the mix is a little trickier. As it turns out,
IPv6 doesn't use ARP, but uses NDP.
Is there any way to make NDP work with ebtables, but still preventing
MAC address spoofing?
Many Thanks
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
