On Wed, Apr 11, 2018 at 04:02:05PM +0200, Mark Schouten wrote:
> Hi,
>
> We've been struggling with ipfilter for a few days, thinking it doesn't
> work, because inbound connections kept working, even though there was
> not a single IP in the ipfilter-net0 IPSet.
>
> But, it looks like only outbound connections are dropped, but inbound
> connections work. While this is functional, it doesn't prevent anyone
> from spoofing a neighbour's address, so it's not completely functional.
This is currently due to the connection tracking rules happening too early. Similarly MAC filtering only happens for IP packets. If you do not need to disable MAC filtering you can try the pve-firewall >= 3.0-8 package from pvetest which will setup ebtables for MAC filtering, that should help. But to make it work completely as most users expect it we'll have to move the conntrack rules from the forward chain into the device specific chains. It's on my todo list along with another round of nftables testing.

@Tom: not sure if you're currently doing anything in the firewall code, but I thought I'd ping/Cc you to let you know the ebtables patch set landed in pvetest.

_______________________________________________
pve-user mailing list
email@example.com
https://pve.proxmox.com/cgi-bin/mailman/listinfo/pve-user
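The ordering problem described in the reply (a conntrack ESTABLISHED/RELATED accept that sits in the forward chain ahead of the per-device chain holding the ipfilter source check) can be shown with a small rule-evaluation model. This is an added example, not code from the thread or from pve-firewall; the chain layout is a simplified stand-in for the real one, and the addresses, the `ipfilter-net0` contents and the helper names (`Packet`, `run_chain`, `verdict_conntrack_first`, `verdict_ipfilter_first`) are constructed for illustration. It walks one outside-initiated connection through both layouts and shows why the reply leaving the VM with a non-listed source is accepted in one and dropped in the other, while a fresh outbound connection from that source is dropped in both.

```python
"""Model of iptables chain ordering for an ipfilter-style source check.

Added illustration (not Proxmox code). The two layouts compared are:
  conntrack-first: FORWARD = [ctstate ESTABLISHED,RELATED ACCEPT] -> device chain [ipfilter]
  ipfilter-first:  device chain = [ipfilter] -> [ctstate ESTABLISHED,RELATED ACCEPT]
The second is the layout the reply proposes (conntrack moved into the device chain).
"""
import ipaddress
from dataclasses import dataclass

ACCEPT, DROP, CONTINUE = "ACCEPT", "DROP", "CONTINUE"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    direction: str  # "out": leaves the VM's tap device; "in": enters it
    state: str      # conntrack state as the kernel would classify it: "NEW" or "ESTABLISHED"


def rule_conntrack(pkt: Packet) -> str:
    """Stands in for '-m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'."""
    return ACCEPT if pkt.state == "ESTABLISHED" else CONTINUE


def make_ipfilter(allowed_sources):
    """Stands in for the per-device ipfilter check: an outgoing packet whose
    source is not in the device's IPSet is dropped. Inbound packets are not
    source-checked, which matches the observed 'inbound still works'."""
    nets = [ipaddress.ip_network(a) for a in allowed_sources]

    def rule(pkt: Packet) -> str:
        if pkt.direction != "out":
            return CONTINUE
        src = ipaddress.ip_address(pkt.src)
        return CONTINUE if any(src in n for n in nets) else DROP

    return rule


def run_chain(rules, pkt: Packet, default: str = ACCEPT) -> str:
    """First rule that returns a terminating verdict wins, like a netfilter chain."""
    for rule in rules:
        verdict = rule(pkt)
        if verdict != CONTINUE:
            return verdict
    return default


def verdict_conntrack_first(pkt: Packet, allowed_sources) -> str:
    # Conntrack accept in FORWARD runs before the device chain is ever consulted.
    return run_chain([rule_conntrack, make_ipfilter(allowed_sources)], pkt)


def verdict_ipfilter_first(pkt: Packet, allowed_sources) -> str:
    # Conntrack accept lives inside the device chain, after the source check.
    return run_chain([make_ipfilter(allowed_sources), rule_conntrack], pkt)


def walk_connection(allowed_sources, vm_claims: str, peer: str) -> dict:
    """Outside host `peer` opens a connection to address `vm_claims`, which the
    VM answers from. Returns the verdict of each layout for each packet."""
    inbound_syn = Packet(src=peer, dst=vm_claims, direction="in", state="NEW")
    reply = Packet(src=vm_claims, dst=peer, direction="out", state="ESTABLISHED")
    fresh_out = Packet(src=vm_claims, dst=peer, direction="out", state="NEW")
    return {
        name: {
            "inbound_syn": fn(inbound_syn, allowed_sources),
            "reply_from_vm": fn(reply, allowed_sources),
            "new_outbound": fn(fresh_out, allowed_sources),
        }
        for name, fn in (("conntrack_first", verdict_conntrack_first),
                         ("ipfilter_first", verdict_ipfilter_first))
    }


if __name__ == "__main__":
    # Constructed sample: ipfilter-net0 permits only 10.0.0.5; the VM answers as 10.0.0.9.
    for layout, verdicts in walk_connection(["10.0.0.5/32"], "10.0.0.9", "192.0.2.1").items():
        print(layout, verdicts)
```

Running it shows the conntrack-first layout accepting the VM's reply with the unlisted source (the inbound connection completes), while the ipfilter-first layout drops it; the fresh outbound connection is dropped in both, which is exactly the asymmetry reported in the thread.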