Revision 52366a23

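--- a/common.sh
+++ b/common.sh
@@ -33,8 +33,9 @@
 function clear_ebtables {
 
   runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -i $INTERFACE -j $FROM
+  runlocked $RUNLOCKED_OPTS ebtables -D INPUT -i $INTERFACE -j $FROM
   runlocked $RUNLOCKED_OPTS ebtables -D FORWARD -o $INTERFACE -j $TO
-  #runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
+  runlocked $RUNLOCKED_OPTS ebtables -D OUTPUT -o $INTERFACE -j $TO
 
   runlocked $RUNLOCKED_OPTS ebtables -X $FROM
   runlocked $RUNLOCKED_OPTS ebtables -X $TO
@@ -133,8 +134,13 @@
 
   runlocked $RUNLOCKED_OPTS ebtables -N $FROM
   runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -i $INTERFACE -j $FROM
+  # This is needed for multicast packets
+  runlocked $RUNLOCKED_OPTS ebtables -A INPUT -i $INTERFACE -j $FROM
+
   runlocked $RUNLOCKED_OPTS ebtables -N $TO
   runlocked $RUNLOCKED_OPTS ebtables -A FORWARD -o $INTERFACE -j $TO
+  # This is needed for multicast packets
+  runlocked $RUNLOCKED_OPTS ebtables -A OUTPUT -o $INTERFACE -j $TO
 
   }
 
@@ -147,7 +153,7 @@
   fi
   runlocked $RUNLOCKED_OPTS ebtables -A $FROM -s \! $MAC -j DROP
   #accept dhcp responses from host (nfdhcpd)
-  runlocked $RUNLOCKED_OPTS ebtables -A $TO -p ipv4 --ip-protocol=udp  --ip-destination-port=68 -j ACCEPT
+  runlocked $RUNLOCKED_OPTS ebtables -A $TO -s $INDEV_MAC -p ipv4 --ip-protocol=udp  --ip-destination-port=68 -j ACCEPT
   # allow only packets from the same mac prefix
   runlocked $RUNLOCKED_OPTS ebtables -A $TO -s \! $MAC/$MAC_MASK -j DROP
 }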
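Review bot: The new `-A OUTPUT -o $INTERFACE -j $TO` hook sends host-originated frames through `$TO`, whose last rule is `-s \! $MAC/$MAC_MASK -j DROP`, and the only exception visible ahead of it is the DHCP reply from `$INDEV_MAC`; the comment `# This is needed for multicast packets` does not mention this. Any other frame the host itself sends to the guest would presumably be dropped unless the bridge MAC falls inside the allowed prefix, which should be confirmed against what nfdhcpd is expected to emit. I would document the consequence at the OUTPUT hook, e.g. `# OUTPUT is hooked, so host-originated frames also traverse $TO; only DHCP replies from $INDEV_MAC pass before the MAC-prefix DROP`. The function holding the DROP rules starts outside the hunk, so earlier rules may already cover some of this.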
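--- a/kvm-vif-bridge
+++ b/kvm-vif-bridge
@@ -25,6 +25,8 @@
   brctl addif $BRIDGE $INTERFACE
   INDEV=$BRIDGE
   try init_ebtables
+  # nfdhcpd creates responses with src mac the mac of indec
+  INDEV_MAC=$(cat /sys/class/net/$INDEV/address)
   DROPDHCPREQCMD="runlocked $RUNLOCKED_OPTS ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
 fi
 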
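Review bot: `INDEV_MAC=$(cat /sys/class/net/$INDEV/address)` is never checked, so a failed read leaves `INDEV_MAC` empty and the unquoted `-s $INDEV_MAC` in common.sh then puts `-p` directly after `-s`, which makes the DHCP ACCEPT rule malformed. If that failure is not fatal through `runlocked`, DHCP replies would fall through to the MAC-prefix DROP and the guest would silently lose DHCP. Fail early at the assignment instead, e.g. `INDEV_MAC=$(cat "/sys/class/net/$INDEV/address") || exit 1` followed by `[ -n "$INDEV_MAC" ] || exit 1`, or the script's own `try` wrapper if it suits. The comment typo `indec` should read `indev`. The same two added lines appear in vif-custom, and the enclosing `if` block starts outside the hunk.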
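--- a/vif-custom
+++ b/vif-custom
@@ -41,6 +41,8 @@
   success
   INDEV=$BRIDGE
   try init_ebtables
+  # nfdhcpd creates responses with src mac the mac of indec
+  INDEV_MAC=$(cat /sys/class/net/$INDEV/address)
   DROPDHCPREQCMD="runlocked $RUNLOCKED_OPTS ebtables -A $FROM -p ipv4 --ip-protocol udp --ip-destination-port 67 -j DROP"
 fi
 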
