Setup ebtables only for mac filtered setups

We used to drop DHCP requests for all bridged setups in case of
nfdhcpd. This requires ebtables setup for private vlans as well.

Dropping DHCP requests in case of nfdhcpd is not really needed
because they are dropped in user space
(payload.set_verdict(nfqueue.NF_DROP)) if a binding file exists.

Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>

diff --git a/kvm-vif-bridge b/kvm-vif-bridge
index 8adba37..24266ae 100755 (executable)
--- a/kvm-vif-bridge
+++ b/kvm-vif-bridge
@@ -19,15 +19,14 @@ if [ "$MODE" = "routed" ]; then
   TABLE=$LINK
   ip link set $INTERFACE addr $TAP_CONSTANT_MAC up
   INDEV=$INTERFACE
-  DROPDHCPREQCMD="iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP"
+  # DROPDHCPREQCMD="iptables -A FORWARD -i $INTERFACE -p udp --dport 67 -j DROP"
 elif [ "$MODE" = "bridged" ]; then
   ip link set $INTERFACE up
   brctl addif $BRIDGE $INTERFACE
   INDEV=$BRIDGE
-  try init_ebtables
   # nfdhcpd creates responses with src mac the mac of indec
   INDEV_MAC=$(cat /sys/class/net/$INDEV/address)
-  DROPDHCPREQCMD="runlocked $RUNLOCKED_OPTS ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
+  # DROPDHCPREQCMD="runlocked $RUNLOCKED_OPTS ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
 fi
 
 
@@ -40,10 +39,11 @@ for tag in $NETWORK_TAGS; do
   ;;
   $NFDHCPD_TAG)
     # Drop unicast BOOTP/DHCP packets
-    $DROPDHCPREQCMD
+    # $DROPDHCPREQCMD
     try setup_nfdhcpd
   ;;
   $MAC_FILTERED_TAG)
+    try init_ebtables
     try setup_ebtables
   ;;
   $MASQ_TAG)