Re: NDP and ebtables

Jonathan Tripathy wrote:
>>
>> So, do you think I should just have my second rule then? The thing is
>> though, is that bridges are known to "broadcast" all traffic everywhere
>> for a few seconds when their configuration changes. I don't really
>> want this to happen. Can you please help me with some rules to prevent
>> that, and also stop spoofing?
>>
> How about something like this:
> 
> /usr/local/sbin/ebtables -N OUT
> /usr/local/sbin/ebtables -P OUT DROP
> /usr/local/sbin/ebtables -I OUT -o "$vif" -d "$mac" -j ACCEPT
> /usr/local/sbin/ebtables -I OUT -p ARP -o "$vif" -j ACCEPT
> 
> /usr/local/sbin/ebtables -I FORWARD -i "$vif" -s "$mac" -j OUT
> 
> Wouldn't that work nicely?

I guess so, except for IPv6 NDP (see below).
Note that you don't need a separate ARP rule for each port.

> That is, stop source address spoofing, as well
> as make sure that outgoing traffic is set for the correct MAC address.

> I appreciate that my above rules would block all multicast/broadcast 
> traffic (except ARP), however since this is in a hosting environment, 
> that's probably ok isn't it?

NDP uses multicast and will break if you drop all multicast. You can
however accept only the multicast addresses the host listens to (see my
first reply for how to get the list).
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
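As an added example (not code from either poster in this thread), the script below turns the approach discussed above into per-port ebtables rules: frames from the VM are accepted only with its own MAC (and, for IPv6, one of its own addresses), and frames towards the VM are accepted only if they are unicast to its MAC, ARP, or one of the IPv6 multicast groups the VM actually listens to, i.e. all-nodes and the solicited-node group of each of its addresses, which is what NDP needs. The ebtables path, the chain names IN_<vif>/OUT_<vif>, the option syntax (-p, -s, -d, --arp-mac-src, --ip6-src as documented in the ebtables man page) and the sample interface, MAC and addresses are assumptions for illustration; the script only prints the commands so they can be reviewed before being run as root.

```shell
#!/bin/bash
# Added example: print per-port ebtables rules for one bridged VM.
# Assumed: EBTABLES path, chain names IN_<vif> / OUT_<vif>, and that the
# caller passes every IPv6 address the VM uses, including its link-local one.
# Nothing is applied here; pipe the output to sh as root once reviewed.

EBTABLES=${EBTABLES:-/usr/local/sbin/ebtables}

# Solicited-node multicast MAC of an IPv6 address: 33:33:ff:XX:XX:XX, where
# XX:XX:XX are the low 24 bits of the address (RFC 4291 group, RFC 2464 MAC).
solicited_node_mac() {
    local addr=${1%%/*} rest g7 g8       # drop an optional /prefixlen
    g8=${addr##*:}                        # last 16-bit group
    rest=${addr%:*}
    g7=${rest##*:}                        # next-to-last group
    [ -z "$g7" ] && g7=0                  # empty group = "::" compression
    [ -z "$g8" ] && g8=0
    printf '33:33:ff:%02x:%02x:%02x\n' \
        $(( 0x$g7 & 0xff )) $(( (0x$g8 >> 8) & 0xff )) $(( 0x$g8 & 0xff ))
}

# Usage: vm_rules VIF MAC IPV6ADDR...
vm_rules() {
    local vif=$1 mac=$2 in_chain="IN_$1" out_chain="OUT_$1" a
    shift 2

    # Frames from the VM: source MAC must match; IPv6 source must be one of
    # the VM's addresses or :: (duplicate address detection). IPv4 is only
    # checked on the MAC, as in the rules quoted in the thread.
    echo "$EBTABLES -N $in_chain"
    echo "$EBTABLES -P $in_chain DROP"
    echo "$EBTABLES -A $in_chain -s $mac -p ARP --arp-mac-src $mac -j ACCEPT"
    echo "$EBTABLES -A $in_chain -s $mac -p IPv4 -j ACCEPT"
    echo "$EBTABLES -A $in_chain -s $mac -p IPv6 --ip6-src :: -j ACCEPT"
    for a in "$@"; do
        echo "$EBTABLES -A $in_chain -s $mac -p IPv6 --ip6-src ${a%%/*} -j ACCEPT"
    done

    # Frames to the VM: unicast to its MAC, ARP, and only the IPv6 multicast
    # groups it listens to. Everything else the bridge floods is dropped.
    echo "$EBTABLES -N $out_chain"
    echo "$EBTABLES -P $out_chain DROP"
    echo "$EBTABLES -A $out_chain -d $mac -j ACCEPT"
    echo "$EBTABLES -A $out_chain -p ARP -j ACCEPT"
    # ff02::1 (all-nodes): router advertisements and MLD queries
    echo "$EBTABLES -A $out_chain -p IPv6 -d 33:33:00:00:00:01 -j ACCEPT"
    for a in "$@"; do
        echo "$EBTABLES -A $out_chain -p IPv6 -d $(solicited_node_mac "$a") -j ACCEPT"
    done

    echo "$EBTABLES -A FORWARD -i $vif -j $in_chain"
    echo "$EBTABLES -A FORWARD -o $vif -j $out_chain"
}

# Stand-alone use (sample values are made up):
#   ./vm-ebtables.sh vif1.0 00:16:3e:12:34:56 fe80::216:3eff:fe12:3456 2001:db8::10
if [ $# -ge 2 ]; then
    vm_rules "$@"
fi
```

If a VM joins further groups (for example, it runs mDNS or acts as a router and must receive ff02::2), add the corresponding 33:33:xx:xx:xx:xx destinations to its OUT chain; the list of groups a host listens to is exactly what the earlier reply suggests deriving the rules from.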

