ebtables IP - MAC restriction

Discussion in 'Proxmox VE: Networking and Firewall' started by BelCloud, May 18, 2018.

  1. BelCloud

    Hello

    Considering ebtables has been added to Proxmox, what options do we have to restrict an IP to specific IPs? Does the 5.2 version have any API option to update the ebtables for a specific VM interface?
    Is there any way to use the "ipfilter" option to block everything if IP does not match the MAC?

    Thank you
     
  2. wbumiller

    wbumiller Proxmox Staff Member
    The ebtables support is currently mostly a backend change and some improvements are still planned. E.g. you currently cannot add custom rules, and due to the way the command line tools work it doesn't currently integrate well with manually managed rules (but we'll work on that).
    As for the ipfilter - not yet. Note that it would only affect IPv4 here anyway since IPv6 doesn't use ARP but rather does discovery via ICMP (iow. on the IP layer). So currently ebtables only handles MAC filtering.
    Essentially there are 2 more changes planned for the ipfilter very soon, the more important one is reordering connection tracking and ip filtering so incoming connections don't get accepted via conntrack too early. The other is adding it to ebtables to handle the ARP traffic. Both are required for that to be fully functional.
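
The IPv4 side of the IP-to-MAC binding discussed in this thread, written out as hand-made ebtables rules. This is an added example, not Proxmox code and not part of any post; the function names, interface name, MAC and address are constructed, and static addressing is assumed (DHCP requests and ARP probes use source 0.0.0.0 and would be dropped). As the reply above notes, manually managed rules do not currently integrate well with the firewall's own ebtables handling, and IPv6 neighbour discovery is not ARP, so it is not covered here.

```shell
#!/bin/sh
# Prints (does not apply) ebtables rules binding one IPv4 address to one MAC
# on a guest's bridge port. Inputs are validated because they end up in
# rule commands that someone will review and run as root.

valid_ipv4() {
    # Digits and dots only, no trailing dot, four octets of 0-255.
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ -n "$octet" ] && [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

gen_binding_rules() {
    ifc=$1 mac=$2 ip=$3 h='[0-9A-Fa-f]'
    case $ifc in
        ''|*[!A-Za-z0-9_.-]*) echo "bad interface name" >&2; return 1 ;;
    esac
    [ "${#ifc}" -le 15 ] || { echo "interface name too long" >&2; return 1; }
    case $mac in
        $h$h:$h$h:$h$h:$h$h:$h$h:$h$h) ;;
        *) echo "bad MAC address" >&2; return 1 ;;
    esac
    valid_ipv4 "$ip" || { echo "bad IPv4 address" >&2; return 1; }
    cat <<EOF
# L2: frames entering the bridge from the guest must carry its own MAC
ebtables -A FORWARD -i $ifc -s ! $mac -j DROP
# ARP: sender hardware and protocol address must both match the binding
ebtables -A FORWARD -i $ifc -p ARP --arp-mac-src ! $mac -j DROP
ebtables -A FORWARD -i $ifc -p ARP --arp-ip-src ! $ip -j DROP
# IPv4: source address must match the binding
ebtables -A FORWARD -i $ifc -p IPv4 --ip-src ! $ip -j DROP
EOF
}

# Constructed sample values: tap100i0, a locally chosen MAC, a TEST-NET-1 address.
gen_binding_rules tap100i0 52:54:00:12:34:56 192.0.2.10
```

The MAC rule alone corresponds to what the reply says ebtables handles today; the two ARP rules are the part it describes as still missing from the ipfilter.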
     
  3. BelCloud

    Thank you very much for the answer.
     