Bug 988168

Summary: RFE: Rich rule support for MAC address matching
Product: Fedora
Reporter: Anthony Messina <amessina>
Component: firewalld
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified
Docs Contact:
Priority: unspecified
Version: rawhide
CC: amessina, jmhannon.ucdavis, jpopelka, twoerner, whanlon
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2016-02-03 15:35:00 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Anthony Messina 2013-07-25 00:29:45 UTC
Please add support for MAC address matching via the rich rules interface to support MAC address filtering capabilities.  Currently, I only use something simple like:

-A IN_ZONE_internal_allow -m mac --mac-source 00:AA:BB:CC:DD:EE -j ACCEPT

Perhaps something like (copied and edited from http://fedoraproject.org/wiki/Features/FirewalldRichLanguage):

<rule [family="<rule family>"]>
  [ <mac address="<mac_address>" [invert="True"]/> ]
  element
  [ <log [prefix="<prefix text>"] [level="<log level>"]/> ]
  [ <audit type="<audit type>"/> ]
  action
</rule>

I'm not sure what the element would need to be (or if it could be made optional).  I was thinking if the element was required, I could simply set it to the protocol, but then I'd need two rules (to cover IPv4 and IPv6), which would be less than ideal, but still reasonable in the short term.

This could be helpful in implementing firewalling and client-filtering around wireless access points, etc.

Comment 1 Thomas Woerner 2013-11-22 16:11:24 UTC
How about extending source?

source { address="address[/mask]" | mac="mac-address" } [invert="True"]

Comment 2 Anthony Messina 2013-11-22 21:41:49 UTC
(In reply to Thomas Woerner from comment #1)
> How about extending source?
> 
> source { address="address[/mask]" | mac="mac-address" } [invert="True"]

That seems reasonable.  Thanks.

Comment 3 Thomas Woerner 2016-02-03 15:35:00 UTC
Fixed in rawhide in firewalld-0.4.0-1 or newer.
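As an added example (not part of the bug report and not firewalld's own code), the script below builds the `source mac=` rich rule that comment 1 proposed and firewalld 0.4.0 shipped, next to the raw iptables rule from the description. The rule is emitted without a `family=` attribute on purpose: firewalld adds a family-less rich rule for both IPv4 and IPv6, so a single rule covers the case the reporter expected to need two rules for. Function names and the `invert` argument are this example's own.

```shell
#!/bin/sh
# Added example: compose firewalld rich rules that match on source MAC.
# Assumes firewalld >= 0.4.0 (rich language 'source [not] mac="xx:xx:xx:xx:xx:xx"').
# The MAC 00:AA:BB:CC:DD:EE is the sample value from the bug description.

# Validate a MAC address: six colon-separated hexadecimal octets.
is_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

# Emit one rich rule.
#   $1 = MAC address
#   $2 = action: accept (default), drop or reject
#   $3 = "invert" to match every source EXCEPT this MAC (the reporter's invert="True")
# No family attribute is given, so firewalld installs the rule for IPv4 and IPv6.
mac_rich_rule() {
    mac=$1
    action=${2:-accept}
    not=""
    is_mac "$mac" || { echo "invalid MAC address: $mac" >&2; return 1; }
    case "$action" in
        accept|drop|reject) ;;
        *) echo "unsupported action: $action" >&2; return 1 ;;
    esac
    [ "${3:-}" = invert ] && not="not "
    printf 'rule source %smac="%s" %s\n' "$not" "$mac" "$action"
}

# The equivalent raw iptables rule (the form used in the bug description),
# for comparison with what the rich rule replaces.
mac_iptables_rule() {
    is_mac "$1" || { echo "invalid MAC address: $1" >&2; return 1; }
    target=$(printf '%s' "${2:-accept}" | tr 'a-z' 'A-Z')
    printf -- '-A IN_ZONE_internal_allow -m mac --mac-source %s -j %s\n' "$1" "$target"
}

# Stand-alone demonstration.
mac_rich_rule 00:AA:BB:CC:DD:EE
mac_rich_rule 00:AA:BB:CC:DD:EE drop invert
mac_iptables_rule 00:AA:BB:CC:DD:EE
```

To install the rule into the zone from the description, pass the function's output to firewall-cmd, for example `firewall-cmd --permanent --zone=internal --add-rich-rule="$(mac_rich_rule 00:AA:BB:CC:DD:EE)"` followed by `firewall-cmd --reload`. Two properties of MAC matching are worth keeping in mind when using it for the access-point client filtering the reporter describes: the source MAC is only visible for hosts on the same layer-2 segment (traffic arriving through a router carries the router's MAC), and a client can set its own MAC freely, so such a rule limits which locally attached interfaces are admitted but does not authenticate the device behind them.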