[ebtables] install ebtables in base image and install filter rules (#2805)

- Add ebtables package, and install some filter rules:
  1. ebtables -A FORWARD -d BGA -j DROP
  2. ebtables -A FORWARD -p ARP -j DROP

Basically, we let the ARP packets in the VLAN being forwarded by the ASIC,
kernel gets a copy of these ARP packets and the forwarding from Kenerl gets
dropped. So there is always only one copy of ARP/response in the VLAN.

Signed-off-by: Ying Xie <ying.xie@microsoft.com>
This commit is contained in:
Ying Xie 2019-05-09 09:44:41 -07:00 committed by GitHub
parent 38ad2a8dad
commit 9efcf1759a
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 5 additions and 0 deletions

View File

@ -230,6 +230,7 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
usbutils \ usbutils \
pciutils \ pciutils \
iptables-persistent \ iptables-persistent \
ebtables \
logrotate \ logrotate \
curl \ curl \
kexec-tools \ kexec-tools \
@ -412,6 +413,10 @@ if [ "${enable_organization_extensions}" = "y" ]; then
fi fi
fi fi
## Setup ebtable rules (rule file is in binary format)
sudo sed -i 's/EBTABLES_LOAD_ON_START="no"/EBTABLES_LOAD_ON_START="yes"/g' ${FILESYSTEM_ROOT}/etc/default/ebtables
sudo cp files/image_config/ebtables/ebtables.filter ${FILESYSTEM_ROOT}/etc
## Remove gcc and python dev pkgs ## Remove gcc and python dev pkgs
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove gcc libpython2.7-dev sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove gcc libpython2.7-dev

Binary file not shown.