On Fri, 24 May 2024 15:59:04 +0200 Marek Marczykowski-Górecki wrote:
> Can you clarify your description of the downstream set here? I think you
> do need to have some drop rule somewhere.
Here is what the updated script gives for 2 client qubes: one IPv4-only
and one IPv6:
table netdev antispoof {
        set downstream_ipv4 {
                type ipv4_addr
                elements = { 10.137.0.11, 10.137.0.88 }
        }
        set downstream_ipv6 {
                type ipv6_addr
                elements = { fd09:24ef:4179::a89:b }
        }
        chain downstream {
                type filter hook ingress device "eth0" priority -500; policy accept;
                ip saddr @downstream_ipv4 counter packets 0 bytes 0 drop
                ip6 saddr @downstream_ipv6 counter packets 0 bytes 0 drop
        }
        chain antispoof-vif18-0 {
                type filter hook ingress device "vif18.0" priority -500; policy drop;
                iifgroup 2 ip saddr 10.137.0.11 accept
                iifgroup 2 ip6 saddr fd09:24ef:4179::a89:b accept
                counter packets 14 bytes 968
        }
        chain antispoof-vif30-0 {
                type filter hook ingress device "vif30.0" priority -500; policy drop;
                iifgroup 2 ip saddr 10.137.0.88 accept
                counter packets 11 bytes 704
        }
}
Maybe we should get rid of the "iifgroup 2", since it is clear which
exact device each chain handles?
--
To view this discussion on the web visit
https://groups.google.com/d/msgid/qubes-devel/20240528190756.6f3cf515%40localhost.
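The layout shown in the message (per-vif ingress chains with policy drop that accept only the qube's own addresses, plus a downstream set dropped on the upstream interface so nothing arriving from eth0 can claim a client address) is easy to get subtly wrong when generated by hand. The following is an added example, not the Qubes script the message refers to: it renders that ruleset from a vif-to-address mapping, refuses to emit an empty `elements = { }` (which nft rejects), flags an address assigned to two vifs (both chains would accept it), and models the verdict for a single ingress packet. The interface names, `ifgroup 2`, `eth0` and the addresses in `CLIENTS` are constructed sample data; `use_ifgroup=False` corresponds to dropping the `iifgroup 2` match the message asks about.

```python
"""Generate and sanity-check a Qubes-style netdev antispoof ruleset.

Added example, not the Qubes project's own script.  Assumptions: each
client qube is attached as a Xen "vifN.0" device placed in ifgroup 2,
the upstream interface is eth0, and CLIENTS is constructed sample data
mirroring the two qubes in the message.
"""
from ipaddress import IPv4Address, IPv6Address, ip_address

# Constructed sample: vif device -> addresses assigned to that qube.
CLIENTS = {
    "vif18.0": ["10.137.0.11", "fd09:24ef:4179::a89:b"],
    "vif30.0": ["10.137.0.88"],
}


def split_families(addrs):
    """Partition addresses into (ipv4 list, ipv6 list), normalising them
    through ipaddress so junk input fails here rather than inside nft."""
    parsed = [ip_address(a) for a in addrs]
    v4 = [str(a) for a in parsed if isinstance(a, IPv4Address)]
    v6 = [str(a) for a in parsed if isinstance(a, IPv6Address)]
    return v4, v6


def check_clients(clients):
    """Return problems found in the mapping.  An address assigned to two
    vifs makes both per-vif chains accept it, so either qube could spoof
    the other; the generated ruleset cannot protect against that."""
    seen, problems = {}, []
    for vif, addrs in clients.items():
        for a in map(str, map(ip_address, addrs)):
            if a in seen:
                problems.append(f"{a} assigned to both {seen[a]} and {vif}")
            seen[a] = vif
    return problems


def build_ruleset(clients, upstream="eth0", ifgroup=2, use_ifgroup=True):
    """Render the ruleset as text loadable with `nft -f`.  A set with no
    members gets no 'elements' line because nft rejects 'elements = { }'."""
    all_v4, all_v6 = [], []
    for addrs in clients.values():
        v4, v6 = split_families(addrs)
        all_v4 += v4
        all_v6 += v6

    out = ["table netdev antispoof {"]
    for name, typ, elems in (("downstream_ipv4", "ipv4_addr", all_v4),
                             ("downstream_ipv6", "ipv6_addr", all_v6)):
        out += [f"    set {name} {{", f"        type {typ}"]
        if elems:
            out.append(f"        elements = {{ {', '.join(elems)} }}")
        out.append("    }")

    # Upstream chain: a packet arriving on eth0 with a downstream source
    # address is spoofed and dropped; everything else passes (policy accept).
    out += [
        "    chain downstream {",
        f'        type filter hook ingress device "{upstream}" priority -500; policy accept;',
        "        ip saddr @downstream_ipv4 drop",
        "        ip6 saddr @downstream_ipv6 drop",
        "    }",
    ]

    # One chain per vif, policy drop: only that qube's own addresses pass.
    group = f"iifgroup {ifgroup} " if use_ifgroup else ""
    for vif, addrs in clients.items():
        v4, v6 = split_families(addrs)
        out += [f"    chain antispoof-{vif.replace('.', '-')} {{",
                f'        type filter hook ingress device "{vif}" priority -500; policy drop;']
        out += [f"        {group}ip saddr {a} accept" for a in v4]
        out += [f"        {group}ip6 saddr {a} accept" for a in v6]
        out.append("    }")
    out.append("}")
    return "\n".join(out) + "\n"


def verdict(clients, iface, saddr, upstream="eth0"):
    """Model the ruleset's decision for one ingress packet on `iface`.
    Assumes every vif really is in the configured ifgroup, i.e. the
    iifgroup match never fails on its own."""
    saddr = str(ip_address(saddr))
    downstream = {str(ip_address(a)) for addrs in clients.values() for a in addrs}
    if iface == upstream:
        return "drop" if saddr in downstream else "accept"
    if iface in clients:
        own = {str(ip_address(a)) for a in clients[iface]}
        return "accept" if saddr in own else "drop"
    return "accept"  # no chain hooks this device


if __name__ == "__main__":
    for problem in check_clients(CLIENTS):
        print("warning:", problem)
    print(build_ruleset(CLIENTS), end="")
```

Running the module prints a ruleset with the same shape as the one in the message (minus the counters, which `nft list` adds at display time). The `verdict` helper is only a model of the generated rules, useful for checking the three cases that matter: a client's own address on its own vif is accepted, a neighbour's address on that vif is dropped, and either address arriving on eth0 is dropped while unrelated upstream traffic still passes.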