From: Alexandre Derumier
Date: Sun, 10 Mar 2019 07:25:07 +0000 (+0100)
Subject: ebtables: test layer2_protocols in an external chain
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=33efd363ab32d3f8f6a9c49e481cb62a8da40b5d
ebtables: test layer2_protocols in an external chain
We need the not matching DROP outside the main tapchain, in a specific proto chain, and a ACCEPT in the main tap chain.
Signed-off-by: Alexandre Derumier
---
diff --git a/src/PVE/Firewall.pm b/src/PVE/Firewall.pm
index 33f558c..6ac3038 100644
--- a/src/PVE/Firewall.pm
+++ b/src/PVE/Firewall.pm
@@ -3770,14 +3770,18 @@ sub generate_tap_layer2filter {
 }
 if (defined($options->{layer2_protocols})){
+ my $protochain = $tapchain."-PROTO";
+ ruleset_addrule($ruleset, $tapchain, '', "-j $protochain");
+ ruleset_create_chain($ruleset, $protochain);
+
 foreach my $proto (split(/,/, $options->{layer2_protocols})) {
- ruleset_addrule($ruleset, $tapchain, "-p $proto", '-j ACCEPT');
+ ruleset_addrule($ruleset, $protochain, "-p $proto", '-j RETURN');
 }
- ruleset_addrule($ruleset, $tapchain, '', "-j DROP");
- } else {
- ruleset_addrule($ruleset, $tapchain, '', '-j ACCEPT');
+ ruleset_addrule($ruleset, $protochain, '', '-j DROP');
 }
+
+ ruleset_addrule($ruleset, $tapchain, '', '-j ACCEPT');
+
 ruleset_addrule($ruleset, 'PVEFW-FWBR-OUT', "-i $iface", "-j $tapchain");
 }
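Review bot: The jump `ruleset_addrule($ruleset, $tapchain, '', "-j $protochain");` is added before `ruleset_create_chain($ruleset, $protochain);` creates its target; swapping the two lines so the chain exists before it is referenced reads better and avoids relying on the ruleset builder tolerating a forward reference (the hunk does not show whether addrule checks the target chain). Because the DROP now lives away from the tap chain, the new chain deserves a one-line contract comment above `my $protochain`, e.g. `# -PROTO chain: RETURN for each listed protocol, DROP everything else; frames that return are accepted by the tap chain below.` Note that a defined but empty `layer2_protocols` produces a -PROTO chain holding only the DROP, so every frame on that tap is dropped — presumably intended, but worth stating in that comment if so. The enclosing sub generate_tap_layer2filter starts outside the hunk.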