From 0e841a5523e14ba75cda6f7e361634dbf94c19a1 Mon Sep 17 00:00:00 2001
From: Ying Xie
Date: Fri, 19 Apr 2019 00:30:24 +0000
Subject: [PATCH] [ebtables] install ebtables in base image and install filter rules

- Add ebtables package, and install some filter rules: 1. ebtables -A FORWARD -d BGA -j DROP 2. ebtables -A FORWARD -p ARP -j DROP Basically, we let the ARP packets in the VLAN being forwarded by the ASIC, kernel gets a copy of these ARP packets and the forwarding from Kenerl gets dropped. So there is always only one copy of ARP/response in the VLAN.

Signed-off-by: Ying Xie
---
 build_debian.sh | 5 +++++
 files/image_config/ebtables/ebtables.filter | Bin 0 -> 616 bytes
 2 files changed, 5 insertions(+)
 create mode 100644 files/image_config/ebtables/ebtables.filter

diff --git a/build_debian.sh b/build_debian.sh
index 614f2168e4b3..ea1fc2748a2d 100755
--- a/build_debian.sh
+++ b/build_debian.sh
@@ -230,6 +230,7 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
     usbutils \
     pciutils \
     iptables-persistent \
+    ebtables \
     logrotate \
     curl \
     kexec-tools \
@@ -411,6 +412,10 @@ if [ "${enable_organization_extensions}" = "y" ]; then
     fi
 fi
 
+## Setup ebtable rules (rule file is in binary format)
+sudo sed -i 's/EBTABLES_LOAD_ON_START="no"/EBTABLES_LOAD_ON_START="yes"/g' ${FILESYSTEM_ROOT}/etc/default/ebtables
+sudo cp files/image_config/ebtables/ebtables.filter ${FILESYSTEM_ROOT}/etc
+
 ## Remove gcc and python dev pkgs
 sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove gcc libpython2.7-dev
 
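Review bot: The `sed -i` in the second hunk that flips EBTABLES_LOAD_ON_START exits 0 even when the pattern is absent, so an /etc/default/ebtables with a different default or quoting would leave the rule file installed but never loaded, and the build would not notice; follow it with `grep -q 'EBTABLES_LOAD_ON_START="yes"' ${FILESYSTEM_ROOT}/etc/default/ebtables` so the image build fails instead of shipping a silently inactive filter. The installed ebtables.filter is an opaque binary dump, so the two FORWARD rules the commit message describes cannot be read, diffed or reviewed from the repository itself; committing the textual rule set next to it, or generating the binary file at build time from that text, would keep the forwarding policy auditable. A saved binary table is presumably tied to the ebtables/kernel version that produced it, so it is worth confirming the file still loads after the ebtables package is upgraded. The comment would also read better as `## Setup ebtables rules (rule file is in binary format)` to match the tool name.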
diff --git a/files/image_config/ebtables/ebtables.filter b/files/image_config/ebtables/ebtables.filter new file mode 100644 index 0000000000000000000000000000000000000000..4faad1f5f4bdbe57c1bb0378a4b959e209067ed9 GIT binary patch literal 616 zcmYex%qdANVql2SJ|?SE&wv5=fFevle1Q=nRcO3Y9;B||+^xtpp$rTQptQgR2)_<0 z4^=5pDpuHd# zNIl5C!VqCNc@WKAFbQ+0e(m&=V1L2f4U;$IfU!U{W5XdJ39+0V%G?Js#y>O!6hUCn QhQ)qRI731Lq6Qxc07O|=rvLx| literal 0 HcmV?d00001