This fixes inter-node private networks in case of multicast packets.
Multicast packets are forwarded to all interfaces bridged
on the bridge. Let's assume the following:
prv0 bridge with tap0, tap1, and eth1.
From tap0 comes a multicast packet.
We will see:
forward IN=tap0 OUT=tap1
forward IN=tap0 OUT=eth1
input IN=tap0
In FORWARD chain we have:
-i tap0 -j FROMTAP0
-o tap0 -j TOTAP0
-i tap1 -j FROMTAP1
-o tap1 -j TOTAP1
So the first packet will match the first rule. FROMTAP0 does not
drop it since the src MAC is correct and ACCEPTs it!
We fix this by changing the policy to RETURN.
Signed-off-by: Dimitris Aragiorgis <dimara@grnet.gr>
function init_ebtables {
- runlocked $RUNLOCKED_OPTS ebtables -N $FROM
+ runlocked $RUNLOCKED_OPTS ebtables -N $FROM -P RETURN
runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
# This is needed for multicast packets
runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
- runlocked $RUNLOCKED_OPTS ebtables -N $TO
+ runlocked $RUNLOCKED_OPTS ebtables -N $TO -P RETURN
runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
# This is needed for multicast packets
runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
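Review bot: the new `-N $FROM -P RETURN` and `-N $TO -P RETURN` lines only set the policy when the chain is created, so on a node where the chains already exist (an upgrade, or init_ebtables re-run after a failure), `-N` fails and the old ACCEPT policy stays in place, leaving the multicast bug in effect for those interfaces; consider a separate `runlocked $RUNLOCKED_OPTS ebtables -P $FROM RETURN` (and likewise for `$TO`) after the `-N` so the fix also applies to existing chains. The commit message should also state what the built-in FORWARD/INPUT/OUTPUT policy is expected to be, since with RETURN a packet that is not dropped inside `$FROM` now continues to the `-o $INTERFACE -j $TO` rules and finally to the chain policy rather than being accepted early.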