From: Dietmar Maurer
Date: Tue, 18 Feb 2014 10:59:01 +0000 (+0100)
Subject: add MAC filter
X-Git-Url: https://git.proxmox.com/?p=pve-firewall.git;a=commitdiff_plain;h=c29f55c97c7eca2e4db559f7e1c4b88c35b8fb10

add MAC filter
---

diff --git a/PVE/Firewall.pm b/PVE/Firewall.pm
index 0969963..24bc2c7 100644
--- a/PVE/Firewall.pm
+++ b/PVE/Firewall.pm
@@ -307,7 +307,7 @@ sub generate_bridge_chains {
 }
 
 sub generate_tap_rules_direction {
-    my ($ruleset, $iface, $netid, $rules, $bridge, $direction) = @_;
+    my ($ruleset, $iface, $netid, $macaddr, $rules, $bridge, $direction) = @_;
 
     my $tapchain = "$iface-$direction";
 
@@ -316,6 +316,10 @@ sub generate_tap_rules_direction {
     ruleset_addrule($ruleset, $tapchain, "-m state --state INVALID -j DROP");
     ruleset_addrule($ruleset, $tapchain, "-m state --state RELATED,ESTABLISHED -j ACCEPT");
 
+    if ($direction eq 'OUT' && defined($macaddr)) {
+        ruleset_addrule($ruleset, $tapchain, "-m mac ! --mac-source $macaddr -j DROP");
+    }
+
     if ($rules) {
         foreach my $rule (@$rules) {
             next if $rule->{iface} && $rule->{iface} ne $netid;
@@ -621,8 +625,9 @@ sub compile {
 
             generate_bridge_chains($ruleset, $bridge);
 
-            generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{in}, $bridge, 'IN');
-            generate_tap_rules_direction($ruleset, $iface, $netid, $rules->{$vmid}->{out}, $bridge, 'OUT');
+            my $macaddr = $net->{macaddr};
+            generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{in}, $bridge, 'IN');
+            generate_tap_rules_direction($ruleset, $iface, $netid, $macaddr, $rules->{$vmid}->{out}, $bridge, 'OUT');
         }
     }
     return $ruleset;
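Review bot: The new MAC drop in the second hunk is appended after `-m state --state RELATED,ESTABLISHED -j ACCEPT`, so an OUT frame whose source MAC differs from `$macaddr` but whose L3/L4 tuple belongs to an already-tracked flow is accepted before the `-m mac` match is ever evaluated, since conntrack state does not key on the link-layer address. Moving the three-line `if ($direction eq 'OUT' && defined($macaddr)) { ... }` block ahead of the two state rules makes the source-MAC check unconditional for the chain. Separately, `$macaddr` is interpolated straight into the rule string; it presumably arrives already validated by the VM config parser (the `compile` hunk reads it from `$net->{macaddr}`), but nothing in this function enforces that, so a guard such as `die "invalid MAC address '$macaddr'" unless $macaddr =~ m/\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/i;` before the `ruleset_addrule` call would pin the contract at the point of use. Both `generate_tap_rules_direction` and `compile` continue beyond the hunks shown.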