Bug 988168 - RFE: Rich rule support for MAC address matching
RFE: Rich rule support for MAC address matching
Product: Fedora
Classification: Fedora
Component: firewalld (Show other bugs)
Unspecified Unspecified
unspecified Severity unspecified
: ---
: ---
Assigned To: Thomas Woerner
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2013-07-24 20:29 EDT by Anthony Messina
Modified: 2016-02-03 10:35 EST (History)
5 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2016-02-03 10:35:00 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description Anthony Messina 2013-07-24 20:29:45 EDT
Please add support for MAC address matching via the rich rules interface to support MAC address filtering capabilities.  Currently, I only use something simple like:

-A IN_ZONE_internal_allow -m mac --mac-source 00:AA:BB:CC:DD:EE -j ACCEPT

Perhaps something like (copied and edited from http://fedoraproject.org/wiki/Features/FirewalldRichLanguage):

<rule [family="<rule family>"]>
  [ <mac address="<mac_address>" [invert="True"]/> ]
  [ <log [prefix="<prefix text>"] [level="<log level>"]/> ]
  [ <audit type="<audit type>"/> ]

I'm not sure what the element would need to be (or if it could be made optional).  I was thinking if the element was required, I could simply set it to the protocol, but then I'd need two rules (to cover IPv4 and IPv6), which would be less than ideal, but still reasonable in the short term.

This could be helpful in implementing firewalling and client-filtering around wireless access points, etc.
Comment 1 Thomas Woerner 2013-11-22 11:11:24 EST
How about extending source?

source { address="address[/mask]" | mac="mac-address" } [invert="True"]
Comment 2 Anthony Messina 2013-11-22 16:41:49 EST
(In reply to Thomas Woerner from comment #1)
> How about extending source?
> source { address="address[/mask]" | mac="mac-address" } [invert="True"]

That seems reasonable.  Thanks.
Comment 3 Thomas Woerner 2016-02-03 10:35:00 EST
Fixed in rawhide in firewalld-0.4.0-1 or newer.

Note You need to log in before you can comment on or make changes to this bug.