From: Dimitris Aragiorgis
Date: Thu, 27 Feb 2014 11:28:24 +0000 (+0200)
Subject: Fix ebtables
X-Git-Tag: 0.15.7~5
X-Git-Url: https://code.grnet.gr/git/snf-network/commitdiff_plain/52366a2383cf046632fdc414a74763e316393f05

Fix ebtables

1) Add ebtables in INPUT/OUTPUT chains too

This is needed because multicast packets (e.g. with dst address 01:00:83:xx:xx:xx) do NOT go through forward chain

2) In case of nfdhpcd allow DHCP replies only with src address the MAC address of incoming device (e.g. prv0)

Signed-off-by: Dimitris Aragiorgis
---
diff --git a/common.sh b/common.sh
index c89cc2a..fe090c8 100755
--- a/common.sh
+++ b/common.sh
@@ -33,8 +33,9 @@ function clear_routed_setup_firewall {
 function clear_ebtables {
 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
+ runlocked $RUNLOCKED_OPTS ebtables -D INPUT -i $INTERFACE -j $FROM
 runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o $INTERFACE -j $TO
- #runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
+ runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
 runlocked $RUNLOCKED_OPTS ebtables -X $FROM
 runlocked $RUNLOCKED_OPTS ebtables -X $TO
@@ -133,8 +134,13 @@ function init_ebtables {
 runlocked $RUNLOCKED_OPTS ebtables -N $FROM
 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
+ # This is needed for multicast packets
+ runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
+
 runlocked $RUNLOCKED_OPTS ebtables -N $TO
 runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
+ # This is needed for multicast packets
+ runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
 }
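Review bot: The two added `-D` calls in clear_ebtables will fail for any instance whose chains were installed before this change, because the INPUT jump never existed and the OUTPUT one was commented out, so ebtables reports a missing rule and exits non-zero. That is harmless as long as the function keeps going, but if runlocked or the caller runs with errexit (not visible here) clear_ebtables stops before `-X $FROM`/`-X $TO` and leaves the chains behind on upgrade. Consider tolerating an absent rule during the transition, e.g. `runlocked $RUNLOCKED_OPTS ebtables -D INPUT -i $INTERFACE -j $FROM 2>/dev/null || true`, and the same for the OUTPUT delete. clear_ebtables's closing brace is outside the hunk.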
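Review bot: Jumping OUTPUT into $TO in init_ebtables widens what that chain filters beyond what the comment says: $TO ends with `-s \! $MAC/$MAC_MASK -j DROP` (setup_ebtables hunk in this commit), so every host-originated frame leaving via $INTERFACE whose source MAC is outside the instance prefix is now dropped, not just forwarded frames, with the UDP/68 ACCEPT for $INDEV_MAC as the only exception. Unless the bridge's own address falls inside $MAC/$MAC_MASK, that presumably covers anything else the host emits to the guest from that address (ARP or ND replies, for example), which is either an intended lockdown that deserves saying, or a regression that needs a narrower chain for the OUTPUT jump. I'd replace the two identical `# This is needed for multicast packets` comments with one that states the consequence, e.g. `# INPUT/OUTPUT jumps: multicast (e.g. 01:00:83:xx:xx:xx) bypasses FORWARD; OUTPUT also subjects host-originated frames to $TO's prefix DROP`. init_ebtables's opening line is outside the hunk.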
@@ -147,7 +153,7 @@ function setup_ebtables {
 fi
 runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
 #accept dhcp responses from host (nfdhcpd)
- runlocked $RUNLOCKED_OPTS ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
+ runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $INDEV_MAC -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j ACCEPT
 # allow only packets from the same mac prefix
 runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
 }
diff --git a/kvm-vif-bridge b/kvm-vif-bridge
index e83c104..8adba37 100755
--- a/kvm-vif-bridge
+++ b/kvm-vif-bridge
@@ -25,6 +25,8 @@ elif [ "$MODE" = "bridged" ]; then
 brctl addif $BRIDGE $INTERFACE
 INDEV=$BRIDGE
 try init_ebtables
+ # nfdhcpd creates responses with src mac the mac of indec
+ INDEV_MAC=$(cat /sys/class/net/$INDEV/address)
 DROPDHCPREQCMD="runlocked $RUNLOCKED_OPTS ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
 fi
diff --git a/vif-custom b/vif-custom
index 3422ae5..6f9be4f 100755
--- a/vif-custom
+++ b/vif-custom
@@ -41,6 +41,8 @@ elif [ "$MODE" = "bridged" ]; then
 success
 INDEV=$BRIDGE
 try init_ebtables
+ # nfdhcpd creates responses with src mac the mac of indec
+ INDEV_MAC=$(cat /sys/class/net/$INDEV/address)
 DROPDHCPREQCMD="runlocked $RUNLOCKED_OPTS ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
 fi
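Review bot: The new `-s $INDEV_MAC` match narrows the ACCEPT in setup_ebtables, but the chain still does not enforce the "replies only from the incoming device" rule the commit describes: a DHCP reply (UDP/68) whose source MAC is inside $MAC/$MAC_MASK but is not $INDEV_MAC matches neither the ACCEPT nor the following `-s \! $MAC/$MAC_MASK -j DROP`, so it falls through to whatever the chain's policy or later rules decide (not visible here), and a guest in the same prefix could still answer another guest's DHCP. A catch-all right after the ACCEPT closes that: `runlocked $RUNLOCKED_OPTS ebtables -A $TO -p ipv4 --ip-protocol=udp --ip-destination-port=68 -j DROP`. Also, $INDEV_MAC is only assigned in the bridged branches of the two vif scripts in this commit; if setup_ebtables is reachable with it unset, the unquoted expansion makes `-p` the argument of `-s` and ebtables rejects the rule, so a `: "${INDEV_MAC:?INDEV_MAC must be set for the DHCP accept rule}"` guard at the top would fail loudly instead of leaving DHCP silently blocked. setup_ebtables's opening line is outside the hunk.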
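Review bot: `INDEV_MAC=$(cat /sys/class/net/$INDEV/address)` in kvm-vif-bridge is unchecked, so if the sysfs read fails INDEV_MAC is empty and the DHCP ACCEPT rule in setup_ebtables is later built with a missing `-s` argument; check the result at the point of assignment, e.g. `INDEV_MAC=$(cat "/sys/class/net/$INDEV/address") || { echo "cannot read MAC of $INDEV" >&2; exit 1; }` (whether `try` is the preferred way to report this is not visible here). The comment also has a typo and should read `# nfdhcpd creates responses with src mac the mac of indev`. The enclosing elif branch starts outside the hunk.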
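Review bot: The two lines added to vif-custom are byte-identical to the ones added to kvm-vif-bridge in this commit, and both read sysfs without checking the result, so an empty INDEV_MAC would silently propagate into setup_ebtables. Since init_ebtables and setup_ebtables already live in common.sh, the read belongs next to them in one helper (say `get_indev_mac`) that both scripts call after `try init_ebtables`, with the error handling in one place. The `# ... mac of indec` comment carries the same typo as in kvm-vif-bridge and should say indev. The enclosing elif branch starts outside the hunk.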