Bug 988168 - RFE: Rich rule support for MAC address matching
Summary: RFE: Rich rule support for MAC address matching
Keywords:
Status: CLOSED NEXTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: firewalld
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2013-07-25 00:29 UTC by Anthony Messina
Modified: 2016-02-03 15:35 UTC

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2016-02-03 15:35:00 UTC
Type: Bug
Embargoed:



Description Anthony Messina 2013-07-25 00:29:45 UTC
Please add support for MAC address matching via the rich rules interface to support MAC address filtering capabilities.  Currently, I only use something simple like:

-A IN_ZONE_internal_allow -m mac --mac-source 00:AA:BB:CC:DD:EE -j ACCEPT

Perhaps something like (copied and edited from http://fedoraproject.org/wiki/Features/FirewalldRichLanguage):

<rule [family="<rule family>"]>
  [ <mac address="<mac_address>" [invert="True"]/> ]
  element
  [ <log [prefix="<prefix text>"] [level="<log level>"]/> ]
  [ <audit type="<audit type>"/> ]
  action
</rule>

I'm not sure what the element would need to be (or if it could be made optional).  I was thinking if the element was required, I could simply set it to the protocol, but then I'd need two rules (to cover IPv4 and IPv6), which would be less than ideal, but still reasonable in the short term.

This could be helpful in implementing firewalling and client-filtering around wireless access points, etc.

Comment 1 Thomas Woerner 2013-11-22 16:11:24 UTC
How about extending source?

source { address="address[/mask]" | mac="mac-address" } [invert="True"]

Comment 2 Anthony Messina 2013-11-22 21:41:49 UTC
(In reply to Thomas Woerner from comment #1)
> How about extending source?
> 
> source { address="address[/mask]" | mac="mac-address" } [invert="True"]

That seems reasonable.  Thanks.

Comment 3 Thomas Woerner 2016-02-03 15:35:00 UTC
Fixed in rawhide in firewalld-0.4.0-1 or newer.
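
Added example (not part of the bug thread and not firewalld's own code): a shell helper that writes the `source mac=` form from comment 1 in firewall-cmd's rich rule syntax and validates the MAC before it reaches the firewall. The function names are hypothetical, and `not` is used here as the command-line spelling of the `invert` attribute.

```shell
#!/bin/sh
# Added example: build a firewalld rich rule that matches on source MAC.
# Function names are hypothetical; the MAC in the usage line is the
# sample address from the bug description.

# is_mac VALUE: succeed only for six colon-separated hex octets.
# The case pattern must match the whole string, so embedded quotes,
# spaces or newlines are rejected before anything reaches firewall-cmd.
is_mac() {
    _h='[0-9A-Fa-f][0-9A-Fa-f]'
    case "$1" in
        $_h:$_h:$_h:$_h:$_h:$_h) return 0 ;;
        *) return 1 ;;
    esac
}

# mac_rich_rule MAC ACTION [not]: print the rich rule text.
# No family= is given, so the one rule is not tied to IPv4 or IPv6.
mac_rich_rule() {
    is_mac "$1" || { echo "invalid MAC address: $1" >&2; return 1; }
    case "$2" in
        accept|drop|reject) ;;
        *) echo "unsupported action: $2" >&2; return 1 ;;
    esac
    case "${3:-}" in
        "")  printf 'rule source mac="%s" %s\n' "$1" "$2" ;;
        not) printf 'rule source not mac="%s" %s\n' "$1" "$2" ;;
        *)   echo "third argument must be 'not' or empty" >&2; return 1 ;;
    esac
}

# allow_mac ZONE MAC: counterpart of the iptables line in the description,
#   -A IN_ZONE_internal_allow -m mac --mac-source <MAC> -j ACCEPT
# Needs root and a running firewalld (0.4.0-1 or newer per comment 3).
allow_mac() {
    _rule=$(mac_rich_rule "$2" accept) || return 1
    firewall-cmd --permanent --zone="$1" --add-rich-rule="$_rule" &&
        firewall-cmd --reload
}

# Usage: allow_mac internal 00:AA:BB:CC:DD:EE
```

MAC addresses are trivially spoofed on a shared segment, so a rule like this narrows exposure but does not authenticate the client.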

