Displaying 20 results from an estimated 65 matches for "arptables".
2019 Dec 02
0
[ANNOUNCE] arptables 0.0.5 release
Hi!
The Netfilter project presents:
arptables 0.0.5
arptables is the userspace command line program used to configure the
Linux 2.4.x and later ARP packet filtering ruleset. It is targeted
towards system administrators.
NOTE: This is a release of legacy software. Patches may still be
accepted and pushed out to the git repository, which will...
2019 May 27
0
[ANNOUNCE] iptables 1.8.3 release
...tables: vlan: fix userspace/kernel headers collision
xtables-monitor: fix build with older glibc
include: fix build with kernel headers before 4.2
xtables-monitor: fix build with musl libc
include: extend the headers conflict workaround to in6.h
Florian Westphal (12):
arptables-nft: use generic expression parsing function
xtables: rename opcodes to arp_opcodes
xtables: make all nft_parse_ helpers static
arptables-nft: fix decoding of hlen on bigendian platforms
tests: return-codes script is bash specific
xtables: unify user chain add/flush fo...
2018 Dec 03
2
[Bug 1307] New: Implement interface for 'ipv4_addr' in arptables
https://bugzilla.netfilter.org/show_bug.cgi?id=1307
Bug ID: 1307
Summary: Implement interface for 'ipv4_addr' in arptables
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: kvapss at gmail.com...
2009 Jan 27
1
OT : iptables/arptables question
...ackets to appear coming from
public ip and not from 192.168.X.X ?
For example, at the application layer, I can produce icmp packets with
`ping -I my.public.ip/32 remote.host.on.internet` that come back but of
course nothing with a traditional `ping remote.host.on.internet`
I've had a look at arptables and tested ` arptables -A OUT -s 192.168.X.X !
-d 192.168.X.0/24 -o eth3 -j mangle --mangle-ip-s my.public.ip` but that
doesn't seem to do the trick ..
Any ideas ?
I just hope that it was clear enough :-p
--
Fabian Arrotin
idea=`grep -i clue /dev/brain` ; test -z "$idea" &&...
2010 Jun 14
4
Promiscuous mode
Hi Everyone,
In order to prevent DomU from entering promiscuous mode, is it just a matter of adding these 2 rules when the vif is created?
# Accept packets leaving the bridge going to the domU only if
# the destination IP for that packet matches an authorized IPv4
# address for that domU.
iptables -A FORWARD -m physdev --physdev-out vif1.0 \
--destination 216.146.46.43 -j ACCEPT
2006 Feb 22
2
[PATCH] don't require ebtables in the host kernel
...=================
--- xen/tools/examples/network-bridge (revision 991)
+++ xen/tools/examples/network-bridge (revision 992)
@@ -158,9 +158,9 @@
# Don''t create the bridge if it already exists.
if ! brctl show | grep -q ${bridge} ; then
- sysctl -w "net.bridge.bridge-nf-call-arptables=0"
- sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
- sysctl -w "net.bridge.bridge-nf-call-iptables=0"
+ ! sysctl -w "net.bridge.bridge-nf-call-arptables=0"
+ ! sysctl -w "net.bridge.bridge-nf-call-ip6tables=0"
+ ! sysctl -w "net.bridge.bridge-nf...
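Review bot: the leading `!` on the replacement `sysctl -w` lines has no comment explaining why the exit status is negated, and the form hides the intent. If the goal is to tolerate host kernels that lack the `net.bridge.bridge-nf-call-*` keys, say so in a comment and prefer an explicit form such as `sysctl -w ... || true`, or check that the key exists first, so that a host which has the keys but fails to clear them is not left passing bridged traffic through arptables/ip6tables/iptables unnoticed.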
2018 Mar 31
0
[Bug 1239] New: Linux 3.2.0 kernel doesn't support ARPT_SO_GETINFO etc. queries any more
.../iptables
Version: unspecified
Hardware: arm
OS: other
Status: NEW
Severity: critical
Priority: P5
Component: bridging
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: xinshenbj at sina.com
arptables 0.0.4 (latest) doesn't work on Linux 3.2.0 kernel. I traced the
arptables code, found kernel doesn't recognize ARPT_SO_GETINFO(96) etc. calls.
Want to confirm if arptables still supported on this version of kernel. Which
version of kernel still support it? And what similar utilities we can...
2015 Dec 18
0
[ANNOUNCE] iptables 1.6.0 release
...eover, this release includes the first official release of the
iptables over nftables infrastructure, which includes the following
utilities:
* iptables-compat
* iptables-compat-save
* iptables-compat-restore
* ip6tables-compat
* ip6tables-compat-save
* ip6tables-compat-restore
* ebtables-compat
* arptables-compat
that have the same getopt-based parser as the native tool, so the
syntax remains the same, eg.
# iptables-compat -P INPUT DROP
# iptables-compat -A INPUT -m state --state ESTABLISHED,RELATED
# iptables-compat -A INPUT -m state --state NEW -p tcp --dport 22 -j ACCEPT
# iptables-compat -...
2011 Dec 13
1
Libvirt filterref magic
Hi everyone,
When I start a libvirt domain (on KVM) with network filtering (using
filterref clean-traffic for example), the filter works!
But ... I don't understand how/why it works :(
Indeed when I look at ebtables -L, iptables-save & arptables-save (and KVM
command),
I see no filtering rules (which is surprising because clean-traffic
requires at least ebtables to be installed).
Is it normal?
Do I miss some xxtables administration command to see them?
What happens if I do an arptables-restore, iptables-restore after the vm
startup?
D...
2010 Mar 16
2
What kernel params to use with KVM hosts??
....rmem_max = 16777216
net.core.wmem_max = 16777216
net.ipv4.tcp_rmem = 1048576 4194304 16777216
net.ipv4.tcp_wmem = 1048576 4194304 16777216
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
# Virtual machines special kernel params
vm.swappiness = 0
Do I need to configure something more?? Any tips??
Thanks.
--
CL Martinez
carlopmart {at} gmail {d0t} com
2013 Aug 23
1
Setting Up LVS to Load Balance DNS
Greetings, all:
OS: CentOS 6.4 x86_64
Kernel: 2.6.32-358.14.1
I could use some assistance with setting up pulse to load balance my dns
servers. I've configured tcp and udp port 53 with the piranha gui, set up
arptable rules on the real servers and added the virtual ip to the bond0
interface on the real servers, but I'm still having no luck in getting
things going. A dig against the
2010 Jun 17
1
network interface management in bridge firewall configuration
Hello,
I'm just wondering why I can't manage my network interfaces through
libvirt when the following kernel parameters are turned on:
net.bridge.bridge-nf-call-ip6tables
net.bridge.bridge-nf-call-iptables
net.bridge.bridge-nf-call-arptables
Is it a bug or by design? If the latter, could someone explain me
premises of such decision? I'm aware of security implications of
mixing conntrack and bridge bits, so we can skip that point.
This behaviour is noticeable when using:
libvirt-0.8.1-1.fc13.x86_64
netcf-libs-0.1.6-1.fc13.x86_64...
2007 Apr 18
2
[Bridge] Can bridge be 'seen' by ip6tables?
...ersion and test it.
The iptables functions in bridge mode, but the ipv6 doesn't work well. In the bridge mode, ip6tables can't prevent the packet when I use "ip6tables -A FORWARD -j DROP". I use the command "ls /proc/sys/net/bridge", it shows bridge-nf-call-iptables, bridge-nf-call-arptables, bridge-nf-filter-vlan-tagged. The problem is I can't find bridge-nf-call-ip6tables.
I have searched a lot of information, all said that the kernel 2.6 have the bridge-nf code. Could you please tell me how to let the bridged packets be 'seen' by ip6tables?
Thank you very much!...
2011 Nov 04
1
Default sysctl.conf with augeas.
...iptables is already disabled,
when I add more lines to sysctl.conf with augeas and run sysctl -p,
the following lines (which are already there) cause a failure.
# Disable netfilter on bridges.
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
So, I figured I'd stay with a default sysctl.conf (which didn't have
these lines), and then add more lines to it with augeas. However, even
if I get the dependencies right and push the file out before running
augeas, augeas will re-add the lines every time because they aren&...
2013 Jan 09
0
network not accessible through bridged interface but traffic visible
...rk
NETWORKING=yes
NETWORKING_IPV6=no
HOSTNAME=host
GATEWAY=192.168.4.1
/etc/resolv.conf
search domain.com
nameserver 68.87.xx.xx
nameserver 68.87.xx.xx
/etc/sysctl.conf
net.ipv4.ip_forward = 1
net.bridge.bridge-nf-call-ip6tables = 0
net.bridge.bridge-nf-call-iptables = 0
net.bridge.bridge-nf-call-arptables = 0
/etc/sysconfig/network-scripts/ifcfg-em2
DEVICE=em2
NM_CONTROLLED=no
BOOTPROTO=none
HWADDR=...
ONBOOT=yes
HOTPLUG=no
BRIDGE=br2
/etc/sysconfig/network-scripts/ifcfg-br2
DEVICE=br2
TYPE=Bridge
BOOTPROTO=none
ONBOOT=yes
DELAY=0
/etc/sysconfig/network-scripts/ifcfg-em3
DEVICE=em3
NM_CONTROLLED=...
2014 Feb 26
2
Re: bridge / ubuntu / no arp reply
...etwork device on the host - try running tcpdump
there as well. I've never encountered a Linux system that rejected
outgoing arp requests for any reason, but this sysctl makes me wonder
how that might get screwed up:
root@vlap /home/laine>sysctl -a | grep bridge
net.bridge.bridge-nf-call-arptables = 1
[...]
2017 Jun 05
3
[Bug 1155] New: arp forward filter doesn't work
https://bugzilla.netfilter.org/show_bug.cgi?id=1155
Bug ID: 1155
Summary: arp forward filter doesn't work
Product: nftables
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
2012 Dec 26
4
CentOS 5.7 eth0, eth1 and arpwatch flip flops
...IP address, unroutable. eth0 is the public address.
CentOS will reply sometimes once every 3 days or every 14mins~ saying
"My public IP is on eth1" to arp requests when it's not, it's eth0.
This freezes traffic and causes issues. We've looked at arp*
/etc/sysctl.conf etc. and arptables, but wondered if anyone had a
recipe?
We have this already which didn't help as it happened Christmas Eve
too as we kept eth1 up for a few days to test:
# For the dual interface - 06.12.12
net.ipv4.conf.eth0.arp_filter = 1
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth1.arp_filter = 1
ne...
2007 Nov 23
12
[SECURITY] preventing Hwaddr spoofing on bridge
Is there a way to prevent hwaddr/mac address spoofing between DomU's?
So in a way 'binding' a mac-address on boot time with a virtual
interface? (with something like ebtables/arptables/etc?)
Stefan
2007 Apr 25
3
URGENT: Skip installation ix86 packages from kickstart on 64bit arch?
Hi,
Does anyone know how to skip ix86 packages from
installation in CentOS kickstart? Most of our machines
have 64bit Intel/AMD CPUs, and it makes no sense to
still keep 32bit compatibility. Even worse with i*86
packages is that, when upgrading, we have to recompile both
the ix86 version and the x86_64 version to get an automatic
yum upgrade.
I know we could use 'exclude' option to exclude i*86
packages