>>macfilter works even if the vm has firewall=0

Currently, that's not true: the tap chain (including mac filtering) is not generated if firewall=0

    next if !$net->{firewall};
    my $iface = "tap${vmid}i$1";

    my $macaddr = $net->{macaddr};
    generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, 'IN', $ipversion);
    generate_tap_rules_direction($ruleset, $cluster_conf, $iface, $netid, $macaddr, $vmfw_conf, $vmid, 'OUT', $ipversion);

>>So why do we want to filter macs if the admin disabled the whole firewall on
>>the interface?

But yes, maybe it's more a permission problem.
(Maybe Stefan wants to disallow the user from removing mac filtering, but be able to manage the firewall?)

----- Original Mail -----
From: "Dietmar Maurer" <diet...@proxmox.com>
To: "Alexandre DERUMIER" <aderum...@odiso.com>, "Stefan Priebe - Profihost AG" <s.pri...@profihost.ag>
Cc: pve-devel@pve.proxmox.com
Sent: Tuesday, 15 July 2014 12:32:35
Subject: RE: [pve-devel] pve-firewall : ebtables

> >>2.) Generally I would like to see the macfilter enabled for iptables
> >>and ebtables even if the network card has firewall=0 but the vm has
> >>firewall=1. Does this make sense?
>
> Just send a patch.

I am quite unsure if this makes sense. It works the opposite way:

macfilter works even if the vm has firewall=0

So why do we want to filter macs if the admin disabled the whole firewall on the interface?

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
http://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel