Please add support for MAC address matching via the rich rules interface to support MAC address filtering capabilities.

Currently, I only use something simple like:

    -A IN_ZONE_internal_allow -m mac --mac-source 00:AA:BB:CC:DD:EE -j ACCEPT

Perhaps something like (copied and edited from http://fedoraproject.org/wiki/Features/FirewalldRichLanguage):

    <rule [family="<rule family>"]>
      [ <mac address="<mac_address>" [invert="True"]/> ]
      element
      [ <log [prefix="<prefix text>"] [level="<log level>"]/> ]
      [ <audit type="<audit type>"/> ]
      action
    </rule>

I'm not sure what the element would need to be (or if it could be made optional). I was thinking if the element was required, I could simply set it to the protocol, but then I'd need two rules (to cover IPv4 and IPv6), which would be less than ideal, but still reasonable in the short term.

This could be helpful in implementing firewalling and client-filtering around wireless access points, etc.

How about extending source?

    source { address="address[/mask]" | mac="mac-address" } [invert="True"]

(In reply to Thomas Woerner from comment #1)
> How about extending source?
>
> source { address="address[/mask]" | mac="mac-address" } [invert="True"]

That seems reasonable. Thanks.

Fixed in rawhide in firewalld-0.4.0-1 or newer.
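
The source grammar proposed in this thread, as an added example that is not firewalld's own code: a small validator that enforces the address-or-mac alternative and maps a parsed source onto the iptables match arguments used in the original report. The function names `parse_source` and `to_match_args` are hypothetical, and the sample MAC address is the one from the report.

```python
import ipaddress
import re
import shlex

# Six colon-separated hex octets, the form used in the report.
MAC_RE = re.compile(r"^[0-9A-Fa-f]{2}(:[0-9A-Fa-f]{2}){5}$")


def parse_source(text):
    """Parse 'source {address=".."|mac=".."} [invert="True"]' into a dict."""
    tokens = shlex.split(text)  # strips the double quotes around values
    if not tokens or tokens[0] != "source":
        raise ValueError("expected a 'source' element")
    attrs = {}
    for tok in tokens[1:]:
        key, sep, value = tok.partition("=")
        if not sep or key not in ("address", "mac", "invert") or key in attrs:
            raise ValueError("bad or repeated attribute: %r" % tok)
        attrs[key] = value
    # The grammar is an alternative: exactly one of address= or mac=.
    if ("address" in attrs) == ("mac" in attrs):
        raise ValueError("source needs exactly one of address= or mac=")
    if "mac" in attrs and not MAC_RE.match(attrs["mac"]):
        raise ValueError("invalid MAC address: %r" % attrs["mac"])
    if "address" in attrs:
        # Raises ValueError for anything that is not an IPv4/IPv6 net.
        ipaddress.ip_network(attrs["address"], strict=False)
    if attrs.get("invert", "True") != "True":
        raise ValueError('invert only accepts "True"')
    return {
        "kind": "mac" if "mac" in attrs else "address",
        "value": attrs.get("mac") or attrs["address"],
        "invert": "invert" in attrs,
    }


def to_match_args(src):
    """Return the iptables match arguments for a parsed source."""
    neg = ["!"] if src["invert"] else []
    if src["kind"] == "mac":
        # Same match as in the report: -m mac --mac-source <addr>
        return ["-m", "mac"] + neg + ["--mac-source", src["value"]]
    return neg + ["-s", src["value"]]
```

A MAC source carries no IP family, so the same match arguments apply unchanged to an iptables and an ip6tables rule, which removes the need for the two per-family rules discussed in the first comment.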