ebtables inverse flags


I am using Cumulus Linux 2.5.7.

I need to be able to specify ebtables drop rules on "all MAC addresses not equal to AA:AA:AA:AA:AA:AA". I see that the inverse flag to ebtables is not supported in 2.5.7. When attempting to apply the following rule:

-A FORWARD -o swp3 -d ! AA:AA:AA:AA:AA:AA -j DROP

I receive the following error:

Installing acl policy
error: hw sync failed (Cannot process ebtables,FORWARD,21, Inverse flags for SRC/DST MAC, IN/OUT/logical interface, Protocol not supported)

I am hoping to find out if there is a version of Cumulus Linux that supports the inverse flag or if there is a recommended way to accomplish the same thing.

Thanks!

3 replies

Bryan,

I'll look into the inverse flag in the ebtables acltool config for you.

In the meantime, you could try permitting AA:AA:AA:AA:AA:AA and dropping everything else. A rule like this may work:
[ebtables]
-A FORWARD -o swp3 -d AA:AA:AA:AA:AA:AA -j ACCEPT
-A FORWARD -o swp3 -j DROP
I haven't specifically tested this, but it would accomplish the same functionality.

Regards,
Rama

Bryan,

I just verified that the current hardware doesn't support the inverse flag. It would be best to implement the "default deny" style policy instead of the inverse config.

Regards,
Rama
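As an added example (not code from this thread and not Cumulus's own tooling), the script below generates the "default deny" policy Rama describes, for any number of permitted destination MACs rather than just one. It is the hardware-supported way to express "drop every frame leaving swp3 whose destination is not X" when the inverse flag is rejected at install time. The interface name swp3, the sample MAC list and the script name are assumptions. Every MAC is validated before anything is printed, so a typo cannot leave a half-written policy, and addresses are lowercased for consistency.

```shell
#!/bin/sh
# Added example, not from the thread or from Cumulus Linux: build a
# "default deny" [ebtables] policy section that is equivalent to
#   -A FORWARD -o IFACE -d ! MAC -j DROP
# without using the inverse flag the hardware sync rejects.
# Interface name, MAC list and output format are assumptions for illustration.

# is_mac ADDR: succeed only if ADDR is six colon-separated hex octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}

# gen_policy IFACE MAC...: print the [ebtables] section with one ACCEPT
# per permitted destination MAC on the egress interface, followed by a
# final DROP for everything else on that interface. Rule order matters:
# ebtables evaluates top to bottom, so the ACCEPTs must come first.
gen_policy() {
    iface=$1; shift
    [ $# -gt 0 ] || { echo "gen_policy: need at least one MAC" >&2; return 1; }
    # Validate everything first so a bad entry never yields partial output.
    for mac in "$@"; do
        is_mac "$mac" || { echo "gen_policy: bad MAC '$mac'" >&2; return 1; }
    done
    printf '%s\n' '[ebtables]'
    for mac in "$@"; do
        lower=$(printf '%s' "$mac" | tr 'A-Z' 'a-z')
        printf '%s\n' "-A FORWARD -o $iface -d $lower -j ACCEPT"
    done
    # Scoped to -o IFACE so other interfaces are unaffected.
    printf '%s\n' "-A FORWARD -o $iface -j DROP"
}

# Usage: sh gen_policy.sh swp3 AA:AA:AA:AA:AA:AA [MORE_MACS...]
if [ $# -gt 0 ]; then
    gen_policy "$@"
fi
```

Paste the output into the ACL policy file and install it with the Cumulus ACL tool as on the original system. One caveat a destination-MAC allow-list on egress introduces: the final DROP also discards broadcast and multicast frames headed for swp3, including ARP requests (destination ff:ff:ff:ff:ff:ff), so if the host behind swp3 must be reachable by ARP from the rest of the segment, add ff:ff:ff:ff:ff:ff to the permitted list.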
Your suggestion works great for my application. I will try to find a good guide so I can brush up on my ebtables knowledge.

Thanks!
