[ebtables] install ebtables in base image and install filter rules (#2805)
- Add ebtables package, and install some filter rules: 1. ebtables -A FORWARD -d BGA -j DROP 2. ebtables -A FORWARD -p ARP -j DROP Basically, we let the ARP packets in the VLAN be forwarded by the ASIC; the kernel gets a copy of these ARP packets, and the forwarding by the kernel gets dropped. So there is always only one copy of ARP/response in the VLAN. Signed-off-by: Ying Xie <ying.xie@microsoft.com>
parent
38ad2a8dad
commit
9efcf1759a
@ -230,6 +230,7 @@ sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y in
|
|||||||
usbutils \
|
usbutils \
|
||||||
pciutils \
|
pciutils \
|
||||||
iptables-persistent \
|
iptables-persistent \
|
||||||
|
ebtables \
|
||||||
logrotate \
|
logrotate \
|
||||||
curl \
|
curl \
|
||||||
kexec-tools \
|
kexec-tools \
|
||||||
@ -412,6 +413,10 @@ if [ "${enable_organization_extensions}" = "y" ]; then
|
|||||||
fi
|
fi
|
||||||
fi
|
fi
|
||||||
|
|
||||||
|
## Setup ebtable rules (rule file is in binary format)
|
||||||
|
sudo sed -i 's/EBTABLES_LOAD_ON_START="no"/EBTABLES_LOAD_ON_START="yes"/g' ${FILESYSTEM_ROOT}/etc/default/ebtables
|
||||||
|
sudo cp files/image_config/ebtables/ebtables.filter ${FILESYSTEM_ROOT}/etc
|
||||||
|
|
||||||
## Remove gcc and python dev pkgs
|
## Remove gcc and python dev pkgs
|
||||||
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove gcc libpython2.7-dev
|
sudo LANG=C DEBIAN_FRONTEND=noninteractive chroot $FILESYSTEM_ROOT apt-get -y remove gcc libpython2.7-dev
|
||||||
|
|
||||||
|
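Review bot: Nothing in the added "Setup ebtable rules" block checks that the `sed` on `/etc/default/ebtables` actually matched, so if the packaged default ever differs from `EBTABLES_LOAD_ON_START="no"` the image still builds and, as far as this hunk shows, would boot without the ARP/BGA filter loaded. Following the `sed` with `sudo grep -q 'EBTABLES_LOAD_ON_START="yes"' "${FILESYSTEM_ROOT}/etc/default/ebtables" || exit 1` would turn that silent miss into a build failure. `${FILESYSTEM_ROOT}` should also be quoted in both added commands. The copied `ebtables.filter` is a binary dump, so the two rules named in the commit message cannot be compared with what the image ships. A comment above the `cp` such as `# generated from: ebtables -A FORWARD -d BGA -j DROP; ebtables -A FORWARD -p ARP -j DROP` would make the rule set auditable, as would a text rule source checked in beside the blob.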
BIN
files/image_config/ebtables/ebtables.filter
Normal file
BIN
files/image_config/ebtables/ebtables.filter
Normal file
Binary file not shown.