While on the one hand I'd like to move to nftables, and on the other hand I like the idea of attaching xdp programs to interfaces for the purpose of e.g. MAC filtering, we do still have this patch series around which wasn't much work to rebase to the current code base and does its job... Back when the series was originally posted the issue was mostly the lack of a (proper) ebtables package (missing ebtables-save/restore). We don't have this problem anymore, so why not give this a go?
The changes I made to the patches I took off the list should be rather obvious: openvz -> lxc, and replacing the hardcoded ethertype list with reading /etc/ethertypes (which gets shipped with the ebtables package). Some whitespace cleanup, and I renamed 'layer2filter_protocols' to just 'layer2_protocols' (and avoided the generation of `-j DROP` followed by `-j ACCEPT`). (Oh and, patch 4 is actually unrelated, I just came across that while adding the ethertypes file parsing...)

@Alexandre, @Stefan Priebe: if you're still using the patches it might be good to compare/check/update, not sure if you kept rebasing them?

Alexandre Derumier (2):
  compile ebtables rules
  apply ebtables_ruleset

Wolfgang Bumiller (6):
  split parser out of get_etc_protocols
  parse_protocol_file: support lines without end comments
  add get_etc_ethertypes
  /etc/services can also define 'sctp' services
  avoid double spaces in ruleset_addrule
  add ebtables dependency

 debian/control                  |   3 +-
 debian/example/100.fw           |   3 +
 src/PVE/Firewall.pm             | 240 +++++++++++++++++++++++++++++++++++++--
 src/PVE/Service/pve_firewall.pm |  14 ++-
 4 files changed, 241 insertions(+), 19 deletions(-)

-- 
2.11.0

_______________________________________________
pve-devel mailing list
pve-devel@pve.proxmox.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
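The cover letter above mentions three parsing points the series touches: reading /etc/ethertypes instead of a hardcoded list, accepting protocol-file lines that have no trailing comment, and accepting 'sctp' entries from /etc/services. The following is an added illustration of those three points, written for this page in Python rather than taken from the series or from PVE::Firewall (which is Perl). The file contents are constructed samples in the format of /etc/ethertypes, /etc/protocols and /etc/services, not copies of the real files; the function names, the `resolve_ethertype` helper and the `-p 0x....` rendering (hex ethertypes are accepted by `ebtables -p` per its man page) are this example's own choices, not the series' API.

```python
import re

# Constructed sample in /etc/ethertypes format: name, hex ethertype (no 0x
# prefix), optional aliases, optional "# comment".  Some lines deliberately
# carry no comment at all, which is the case the series' parser fix is about.
SAMPLE_ETHERTYPES = """\
#
# Ethernet frame types (constructed sample, not the real file)
#
IPv4\t\t0800\tip ip4\t\t# Internet IP (IPv4)
X25\t\t0805
ARP\t\t0806\tether_arp\t# Address Resolution Protocol
IPX\t\t8137\t# Novell IPX
IPv6\t\t86DD\tip6\t\t# IP version 6
"""

# Constructed sample in /etc/protocols format (decimal numbers).
SAMPLE_PROTOCOLS = """\
ip\t0\tIP\t\t# internet protocol, pseudo protocol number
tcp\t6\tTCP\t\t# transmission control protocol
udp\t17\tUDP\t\t# user datagram protocol
sctp\t132\tSCTP
"""

# Constructed sample in /etc/services format, including an sctp entry.
SAMPLE_SERVICES = """\
ssh\t\t22/tcp\t\t\t\t# SSH Remote Login Protocol
http\t\t80/tcp\t\twww\t\t# WorldWideWeb HTTP
http\t\t80/udp
http\t\t80/sctp\t\t\t\t# HyperText Transfer Protocol
"""


def _strip_comment(raw):
    # A trailing "# ..." is optional; after stripping it, a line with a
    # comment and a line without one are handled identically.
    return raw.split("#", 1)[0].strip()


def parse_protocol_file(text, base=10):
    """Parse /etc/protocols- or /etc/ethertypes-style text.

    Returns (by_name, by_number): by_name maps every lower-cased name and
    alias to its numeric value; by_number maps a value to its canonical name.
    Use base=16 for /etc/ethertypes, base=10 for /etc/protocols.
    """
    by_name, by_number = {}, {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            raise ValueError(f"line {lineno}: expected 'name number [aliases...]'")
        name, number, aliases = fields[0], fields[1], fields[2:]
        try:
            value = int(number, base)
        except ValueError:
            raise ValueError(f"line {lineno}: bad number {number!r}") from None
        by_number.setdefault(value, name)
        for n in [name, *aliases]:
            by_name.setdefault(n.lower(), value)
    return by_name, by_number


# The protocols a service line may name; "sctp" is the addition the series
# describes (the exact prior set in PVE::Firewall is an assumption here).
SERVICE_PROTOS = ("tcp", "udp", "sctp")


def parse_services(text):
    """Parse /etc/services-style text into {(name, proto): port}."""
    services = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _strip_comment(raw)
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2 or "/" not in fields[1]:
            raise ValueError(f"line {lineno}: expected 'name port/proto [aliases...]'")
        port, proto = fields[1].split("/", 1)
        if proto not in SERVICE_PROTOS:
            raise ValueError(f"line {lineno}: unsupported protocol {proto!r}")
        for n in [fields[0], *fields[2:]]:
            services.setdefault((n.lower(), proto), int(port))
    return services


_HEX_RE = re.compile(r"^(?:0x)?([0-9a-f]{1,4})$", re.IGNORECASE)


def resolve_ethertype(spec, by_name):
    """Turn a user-supplied layer-2 protocol (name, alias or hex) into an int."""
    value = by_name.get(spec.lower())
    if value is not None:
        return value
    m = _HEX_RE.match(spec)
    if m:
        return int(m.group(1), 16)
    raise ValueError(f"unknown layer-2 protocol {spec!r}")


def ebtables_proto_match(spec, by_name):
    """Render the -p argument for an ebtables rule (hypothetical helper)."""
    return "-p 0x%04x" % resolve_ethertype(spec, by_name)


ETHERTYPES_BY_NAME, ETHERTYPES_BY_NUMBER = parse_protocol_file(SAMPLE_ETHERTYPES, base=16)
PROTOCOLS_BY_NAME, PROTOCOLS_BY_NUMBER = parse_protocol_file(SAMPLE_PROTOCOLS)
SERVICES = parse_services(SAMPLE_SERVICES)
```

The parser strips an optional comment first and only then splits fields, so `X25 0805` (no aliases, no comment) and `IPX 8137 # Novell IPX` (comment directly after the number) both parse the same way as the fully populated lines; a real deployment would read the files from disk and should treat a missing /etc/ethertypes as a packaging error rather than silently falling back to an empty table.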