[Ferm] [PATCH 2/7] Use per-protocol options in ebtables
Faidon Liambotis
paravoid at debian.org
Wed Jul 6 02:21:22 CEST 2011
Currently, rules such as
domain eb chain INPUT ip-source 192.168.1.1 DROP;
were considered valid, while ebtables rejected them with:
For IP filtering the protocol must be specified as IPv4.
This was caused by ip-source (and its equivalents) being defined
globally instead of per protocol, as they should be.
Reuse the existing infrastructure and move IPv4, ARP, RARP and 802_1Q
arguments from add_match_def_x() to add_proto_def_x() where they belong.
---
src/ferm | 23 ++++++++++++++---------
test/ebtables/basic.ferm | 3 ++-
test/ebtables/basic.result | 3 ++-
3 files changed, 18 insertions(+), 11 deletions(-)
diff --git a/src/ferm b/src/ferm
index 78d52bc..ee58163 100755
--- a/src/ferm
+++ b/src/ferm
@@ -328,9 +328,21 @@ add_match_def_x 'arp', '',
qw(h-length=s opcode=s h-type=s proto-type=s),
qw(mangle-ip-s=s mangle-ip-d=s mangle-mac-s=s mangle-mac-d=s mangle-target=s);
+add_proto_def_x 'eb', 'IPv4',
+ qw(ip-source! ip-destination! ip-tos! ip-protocol! ip-sport! ip-dport!);
+
+add_proto_def_x 'eb', 'ARP',
+ qw(arp-opcode! arp-htype!=ss arp-ptype!=ss),
+ qw(arp-ip-src! arp-ip-dst! arp-mac-src! arp-mac-dst!);
+
+add_proto_def_x 'eb', 'RARP',
+ qw(arp-opcode! arp-htype!=ss arp-ptype!=ss),
+ qw(arp-ip-src! arp-ip-dst! arp-mac-src! arp-mac-dst!);
+
+add_proto_def_x 'eb', '802_1Q',
+ qw(vlan-id! vlan-prio! vlan-encap!),
+
add_match_def_x 'eb', '',
- # protocol
- qw(protocol! proto:=protocol),
# --in-interface
qw(in-interface! interface:=in-interface if:=in-interface),
# --out-interface
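Review bot: The new 802_1Q definition ends with a trailing comma instead of a semicolon (`qw(vlan-id! vlan-prio! vlan-encap!),` followed by a blank line), so the `add_match_def_x 'eb', ''` statement that follows is parsed as further arguments of that add_proto_def_x call rather than as its own statement; what that does at runtime depends on the two subs' argument handling, which is not visible here, but the IPv4, ARP and RARP definitions above all terminate with `;` and this one clearly should too. Change the line to `qw(vlan-id! vlan-prio! vlan-encap!);`. The ARP and RARP definitions also repeat identical qw lists; holding them once (e.g. `my @arp_opts = (qw(arp-opcode! arp-htype!=ss arp-ptype!=ss), qw(arp-ip-src! arp-ip-dst! arp-mac-src! arp-mac-dst!));`) and passing `@arp_opts` to both calls would keep the two from drifting apart. The `add_match_def_x 'arp'` statement at the top of the hunk starts outside it.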
@@ -341,11 +353,6 @@ add_match_def_x 'eb', '',
qw(source! saddr:=source destination! daddr:=destination),
# 802.3
qw(802_3-sap! 802_3-type!),
- # arp
- qw(arp-opcode! arp-htype!=ss arp-ptype!=ss),
- qw(arp-ip-src! arp-ip-dst! arp-mac-src! arp-mac-dst!),
- # ip
- qw(ip-source! ip-destination! ip-tos! ip-protocol! ip-sport! ip-dport!),
# mark_m
qw(mark!),
# pkttype
@@ -354,8 +361,6 @@ add_match_def_x 'eb', '',
qw(stp-type! stp-flags! stp-root-prio! stp-root-addr! stp-root-cost!),
qw(stp-sender-prio! stp-sender-addr! stp-port! stp-msg-age! stp-max-age!),
qw(stp-hello-time! stp-forward-delay!),
- # vlan
- qw(vlan-id! vlan-prio! vlan-encap!),
# log
qw(log*0 log-level=s log-prefix=s log-ip*0 log-arp*0);
diff --git a/test/ebtables/basic.ferm b/test/ebtables/basic.ferm
index 98d94c1..5aac859 100644
--- a/test/ebtables/basic.ferm
+++ b/test/ebtables/basic.ferm
@@ -1,7 +1,8 @@
domain eb chain INPUT {
saddr 00:11:22:33:44:55 DROP;
proto IPv4 ip-source 192.168.1.1 DROP;
- proto ARP ACCEPT;
+ proto ARP arp-mac-src 00:11:22:33:44:55 ACCEPT;
+ proto 0x8137 DROP;
interface eth0 logical-in br0 outerface eth1 logical-out br1 ACCEPT;
saddr Multicast daddr Broadcast DROP;
}
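Review bot: The test exercises only the IPv4 and ARP per-protocol options, so the RARP and 802_1Q definitions introduced in src/ferm are not covered and a parsing problem in either would not be caught by this suite. A line such as `proto 802_1Q vlan-id 1 DROP;` here (constructed example), with the matching expected line `ebtables -t filter -A INPUT --protocol 802_1Q --vlan-id 1 -j DROP` added to test/ebtables/basic.result, would exercise that path; the exact option spelling ferm emits should be confirmed against the generator.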
diff --git a/test/ebtables/basic.result b/test/ebtables/basic.result
index 67effe8..d74884d 100644
--- a/test/ebtables/basic.result
+++ b/test/ebtables/basic.result
@@ -3,6 +3,7 @@ ebtables -t filter -F
ebtables -t filter -X
ebtables -t filter -A INPUT --source 00:11:22:33:44:55 -j DROP
ebtables -t filter -A INPUT --protocol IPv4 --ip-source 192.168.1.1 -j DROP
-ebtables -t filter -A INPUT --protocol ARP -j ACCEPT
+ebtables -t filter -A INPUT --protocol ARP --arp-mac-src 00:11:22:33:44:55 -j ACCEPT
+ebtables -t filter -A INPUT --protocol 0x8137 -j DROP
ebtables -t filter -A INPUT --in-interface eth0 --logical-in br0 --out-interface eth1 --logical-out br1 -j ACCEPT
ebtables -t filter -A INPUT --source Multicast --destination Broadcast -j DROP
--
1.7.2.5