function clear_ebtables {
runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
+ runlocked $RUNLOCKED_OPTS ebtables -D INPUT -i $INTERFACE -j $FROM
runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o $INTERFACE -j $TO
- #runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
+ runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
runlocked $RUNLOCKED_OPTS ebtables -X $FROM
runlocked $RUNLOCKED_OPTS ebtables -X $TO
runlocked $RUNLOCKED_OPTS ebtables -N $FROM
runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
+ # This is needed for multicast packets
+ runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
+
runlocked $RUNLOCKED_OPTS ebtables -N $TO
runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
+ # This is needed for multicast packets
+ runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
}
function setup_ebtables {
# do not allow changes in ip-mac pair
- if [ -n "$IP"]; then
- runlocked $RUNLOCKED_OPTS ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
+ if [ -n "$IP" ]; then
+ :; # runlocked $RUNLOCKED_OPTS ebtables -A $FROM --ip-source \! $IP -p ipv4 -j DROP
fi
runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
- #accept dhcp responses from host (nfdhcpd)
- runlocked $RUNLOCKED_OPTS ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
+ # accept dhcp responses from host (nfdhcpd)
+ # this is actually not needed because nfdhcpd opens a socket and binds is with
+ # tap interface so dhcp response does not go through bridge
+ # runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $INDEV_MAC -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
# allow only packets from the same mac prefix
runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
}
projects / snf-network / blobdiff