The patch file had a small bug: I had commented out the entire else branch of the last if block, which leaves the branch empty (a shell syntax error). With a placeholder statement in that branch it works again...
--- vif-common.sh 2018-11-02 17:13:30.813238234 +0100
+++ vif-common.sh.new 2018-11-06 22:24:45.331845798 +0100
@@ -124,15 +124,30 @@
{
if [ "$command" == "online" -o "$command" == "add" ]
then
- local c="-I"
+### local c="-I"
+ local ci="-I"
+ local ca="-A"
else
- local c="-D"
+### local c="-D"
+ local ci="-D"
+ local ca="-D"
fi
- iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
- "$@" -j ACCEPT 2>/dev/null &&
- iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
- -j ACCEPT 2>/dev/null
+### entfernt, da Antispoofing-Regel nicht funktioniert
+### iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-in "$dev" \
+### "$@" -j ACCEPT 2>/dev/null &&
+### entfernt, da Antispoofing-Regel nicht funktioniert
+### iptables "$c" FORWARD -m physdev --physdev-is-bridged --physdev-out "$dev" \
+### -j ACCEPT 2>/dev/null
+### neue Antispoofing-Regeln
+ iptables "$ca" domu -m physdev --physdev-is-bridged --physdev-out "$dev" \
+ -p all -d "$2" -j ACCEPT 2>/dev/null &&
+ iptables "$ca" domu -m physdev --physdev-is-bridged --physdev-in "$dev" \
+ -p all -s "$2" -j ACCEPT 2>/dev/null &&
+ iptables "$ci" domu -m physdev --physdev-is-bridged --physdev-out "$dev" \
+ -p all ! -d "$2" -j DROP 2>/dev/null &&
+ iptables "$ci" domu -m physdev --physdev-is-bridged --physdev-in "$dev" \
+ -p all ! -s "$2" -j DROP 2>/dev/null
if [ \( "$command" == "online" -o "$command" == "add" \) -a $? -ne 0 ]
then
@@ -170,10 +185,14 @@
done
# Always allow the domain to talk to a DHCP server.
- frob_iptable -p udp --sport 68 --dport 67
+### entfernt, da DomUs kein DHCP benötigen, IP@ fix
+### frob_iptable -p udp --sport 68 --dport 67
else
# No IP addresses have been specified, so allow anything.
- frob_iptable
+ # needs revision, currently not covered by iptables rules in frob_iptable,
+ # therefore commented out
+ # frob_iptable
+ true
fi
release_lock "iptables"
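Review bot: The flag choice in the online branch of the first hunk makes the anti-spoofing rules fail closed for any VIF with more than one address: the two DROP rules are inserted at the head of `domu` (`$ci` = `-I`) while the two ACCEPT rules are appended (`$ca` = `-A`), so if frob_iptable is invoked once per configured address, as the `for … done` loop in the second hunk suggests, the second call's `! -s addr2 -j DROP` lands above the first call's `-s addr1 -j ACCEPT` and every packet from that VIF is dropped (the `-d` pair on the physdev-out direction has the same problem). Swap the flags so that every accept precedes every drop whatever the call order: use `"$ci"` on the two ACCEPT lines and `"$ca"` on the two DROP lines; the offline path is unaffected since `-D` matches on rule contents. The rules also read the address from the bare positional `"$2"` where the old code forwarded `"$@"`, so any caller not of the form `frob_iptable -s ADDR` silently installs rules for the wrong value; make that contract explicit with `local addr="$2"  # expects: frob_iptable -s ADDR` at the top of the function and use `"$addr"` in all four rules. The enclosing function's name line is before the hunk and its error-handling tail continues past `then`.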
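Review bot: The `else` branch of the second hunk now installs no rules at all when a VIF has no IP configured, and the only trace of that is the `# needs revision` comment; whether such a guest ends up unfiltered or without connectivity depends on what the `domu` chain does after its last rule, which this patch does not show. Make the degradation visible at runtime rather than only to someone reading the source, e.g. `log warning "no ip configured for $dev: no anti-spoofing rules installed"` before `true`, if a `log` helper is in scope here. Dropping the DHCP rule is consistent with the fixed-address assumption the comment states, but the `###`-disabled lines and the German comments are better removed or replaced with one English line such as `# removed: guests use static addresses, no DHCP needed`, so a later reader does not have to decode three different comment conventions to find the live code. The enclosing `if` and its function begin before the hunk.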