Hello, Jonathan Tripathy a écrit : > > I'm just trailing out ipv6 on my network. Currently, all my bridge ports > are protected from MAC address spoofing by using ebtables: > > /usr/local/sbin/ebtables -I FORWARD -p ARP -o "$vif" -j ACCEPT > /usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j ACCEPT > /usr/local/sbin/ebtables -I FORWARD -o "$vif" -d "$mac" -j ACCEPT > > As you can see above, I allow all ARP packets to flow to the host > (who-has). This allows ARP resolution to work. Is-at works at the source > MAC address is set in the frame. > > However, adding IPv6 to the mix is a little trickier. As it turns out, > IPv6 doesn't use ARP, but uses NDP. > > Is there any way to make NDP work with ebtables, but still preventing > MAC address spoofing? Sure : don't filter on the destination address, or at least accept related multicast addresses (see "ip -f link maddr" on the host). Spoofing is about the source, not the destination. If the bridge code decides to forward a packet to some port even when the destination address is not the address of a host connected to that port, it has some reason to do so : - the destination is multicast of broadcast, - the destination is unicast but unknown, thus treated as broadcast. You can safely drop in the latter case, not in the former. Note that your 3rd rule accepts packets from any source address, thus not preventing spoofing. -- To unsubscribe from this list: send the line "unsubscribe netfilter" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
