
I have a topology like below:

          ....enp0s9.256...
enp0s9....                 .... br0 (1.1.1.1/24) (dhcp server)
          ....enp0s9.257...

enp0s9.256 and enp0s9.257 are vlan interfaces.

br0 is a vlan-aware bridge.

root@kmaster:/home/user# bridge vlan show
port         vlan ids
enp0s9.256   1 Egress Untagged
             100 PVID

enp0s9.257   1 Egress Untagged
             100 PVID

br100        1 Egress Untagged
             100 PVID Egress Untagged

The expectation is that only DHCP traffic should be allowed on enp0s9.256. enp0s9.257 can carry any traffic.

Below are the rules I configured in ebtables:

root@kmaster:/home/user# ebtables -t filter -A OUTPUT -p IPv4 -o enp0s9.256 --ip-proto udp --ip-dport 67:68 -j ACCEPT 
root@kmaster:/home/user# ebtables -t filter -A OUTPUT -o enp0s9.256 -j DROP
root@kmaster:/home/user# ebtables -t filter -A INPUT -p IPv4 -i enp0s9.256 --ip-proto udp --ip-dport 67:68 -j ACCEPT 
root@kmaster:/home/user# ebtables -t filter -A INPUT -i enp0s9.256 -j DROP

After initiating a DORA process, I can see the dhcp traffic is hitting the INPUT chain properly but it is not hitting the OUTPUT chain dhcp rule. It hits the DROP rule. Can anyone please suggest a way to solve this?

root@kmaster:/home/user# ebtables -L --Lc
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: ACCEPT
-p IPv4 -i enp0s9.256 --ip-proto udp --ip-dport 67:68 -j ACCEPT , pcnt = 0 -- bcnt = 0
-i enp0s9.256 -j DROP , pcnt = 0 -- bcnt = 0

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 2, policy: ACCEPT
-p IPv4 -o enp0s9.256 --ip-proto udp --ip-dport 67:68 -j ACCEPT , pcnt = 0 -- bcnt = 0
-o enp0s9.256 -j DROP , pcnt = 0 -- bcnt = 0

Bridge chain: drop_chain, entries: 0, policy: ACCEPT

root@kmaster:/home/user# ebtables -L --Lc
Bridge table: filter

Bridge chain: INPUT, entries: 2, policy: ACCEPT
-p IPv4 -i enp0s9.256 --ip-proto udp --ip-dport 67:68 -j ACCEPT , pcnt = 2 -- bcnt = 656
-i enp0s9.256 -j DROP , pcnt = 0 -- bcnt = 0

Bridge chain: FORWARD, entries: 0, policy: ACCEPT

Bridge chain: OUTPUT, entries: 2, policy: ACCEPT
-p IPv4 -o enp0s9.256 --ip-proto udp --ip-dport 67:68 -j ACCEPT , pcnt = 0 -- bcnt = 0
-o enp0s9.256 -j DROP , pcnt = 2 -- bcnt = 656

Bridge chain: drop_chain, entries: 0, policy: ACCEPT
