Question

vlan+ iptables match


The documentation (https://docs.cumulusnetworks.com/display/DOCS/Netfilter+-+ACLs) seems to suggest that only swp+ and bond+ are supported in access lists.

However, vlan+ seems to work fine, despite not being documented. Is this the proper way to protect vlan interfaces?

In our case, we have an IP address assigned to a vlan, and do not want to allow SSH from the entire internet to the switch.

3 replies

Hi @Brian Rak I just checked with engineering and we only support those two wildcards (swp+ and bond+). They think vlan+ would be treated like an unknown interface name. Your best bet is to specify the VLANs by name.

Hmm, I'm not sure that's correct though. If I don't include vlan+ in in-interfaces, I can SSH to any of the VLAN IPs. If I do include it, SSH is blocked like I'd expect.
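A cl-acltool policy file that follows the advice in this reply, naming each VLAN interface explicitly instead of relying on the undocumented vlan+ wildcard, and limiting SSH to the switch's VLAN addresses to a management prefix. This is an added illustration, not taken from the thread or from Cumulus documentation. The file name, the VLAN interface names vlan100 and vlan200, and the management prefixes 192.0.2.0/24 and 2001:db8::/32 are assumptions; substitute your own.

```ini
# /etc/cumulus/acl/policy.d/10-ssh-vlan.rules   (assumed file name)
# Install with:  cl-acltool -i
# Rules are evaluated in order and the first matching terminating
# target wins, so the ACCEPT lines must precede the DROP lines.

[iptables]
# Permit SSH to the switch from the management prefix only
# (192.0.2.0/24 is a placeholder, not a real management network).
-A INPUT --in-interface vlan100 -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
-A INPUT --in-interface vlan200 -p tcp --dport 22 -s 192.0.2.0/24 -j ACCEPT
# Drop SSH arriving on those VLAN interfaces from anywhere else.
-A INPUT --in-interface vlan100 -p tcp --dport 22 -j DROP
-A INPUT --in-interface vlan200 -p tcp --dport 22 -j DROP

[ip6tables]
# Same policy for IPv6 (2001:db8::/32 is a documentation-prefix placeholder).
-A INPUT --in-interface vlan100 -p tcp --dport 22 -s 2001:db8::/32 -j ACCEPT
-A INPUT --in-interface vlan200 -p tcp --dport 22 -s 2001:db8::/32 -j ACCEPT
-A INPUT --in-interface vlan100 -p tcp --dport 22 -j DROP
-A INPUT --in-interface vlan200 -p tcp --dport 22 -j DROP
```

After installing, list the active rules with `cl-acltool -L ip` (and `cl-acltool -L ipv6` for the IPv6 set) and confirm the per-rule packet counters move when an SSH attempt is made from outside the management prefix; a counter that stays at zero usually means the interface name in the rule does not match the name the kernel uses for the SVI. Naming each VLAN adds a line per interface, but it keeps the policy within the wildcards the vendor says are supported, so a future release that changes how unknown interface names are handled cannot silently reopen SSH.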

If this were an unrecognized interface, I'd expect it to have no effect at all.
Interesting, thanks for letting me know. I'll look into this some more.