[ebtables]add the filter rule for ARP packets with vlan tag:#3945
prsunny merged 1 commit into sonic-net:master from
1. ebtables -t filter -A FORWARD -p 802_1Q --vlan-encap 0806 -j DROP
The ARP packet with vlan tag can't match the default rule.
Signed-off-by: wangshengjun <[email protected]>
Why is the checked-in file a binary file? Can we have a text file for the rule?
lguohan
Need a text file, not a binary file.
@lguohan The original file of ebtables.filter is a binary file.
The ebtables.filter should be loaded in the running system, and checked by issuing the command 'ebtables -L'.
@prsunny, can you take a look?
For persistence, the filter file was added as binary. Will discuss with Ying to identify an approach. Original PR: #2805
There is a similar issue with IPv6 neighbour-solicitation/neighbour-advertisement. The following rule will filter duplicate untagged IPv6 NS/NA packets:
sudo /sbin/ebtables -t filter -A FORWARD -p IPV6 --ip6-protocol ipv6-icmp --ip6-icmp-type 135:136/0 -j DROP
As for VLAN-tagged IPv6 NS/NA packets, do you know how to filter only NS/NA, except by using sudo /sbin/ebtables -A FORWARD -p 802_1Q --vlan-encap IPv6 -j DROP to drop all IPv6 packets?
I am OK with the binary format as it is consistent with the original commit. @prsunny, are you OK with adding the new rule here?
@lguohan, lgtm
- What I did
The default rule can't match an ARP packet with a VLAN tag, so add a new rule for this case.
The new rule is as follows:
ebtables -t filter -A FORWARD -p 802_1Q --vlan-encap 0806 -j DROP
- How I did it
- How to verify it
admin@sonic:~$ sudo ebtables -L
Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-d BGA -j DROP
-p ARP -j DROP
-p 802_1Q --vlan-encap ARP -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT
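As an added example (not the PR's or SONiC's own code), the check below parses an `ebtables -L` listing in the format shown above, confirms the FORWARD chain carries both the untagged and the VLAN-tagged ARP drop rule, and prints the `ebtables` command for any rule that is missing; the two sample listings are constructed here, and the script never runs `ebtables` itself.

```shell
#!/bin/sh
# Added example, not part of the PR: audit an `ebtables -L` listing for the
# FORWARD-chain ARP drop rules and print the commands that would add any
# missing ones. Nothing here executes ebtables.

# Print only the rule lines of the FORWARD chain from a listing read on stdin.
# Chains begin with "Bridge chain: NAME, ..."; rules begin with "-".
forward_rules() {
    awk '/^Bridge chain:/ { in_fwd = ($3 == "FORWARD,") }
         in_fwd && /^-/  { print }'
}

# Succeed if the VLAN-tagged ARP drop rule is present in the listing on stdin.
# ebtables prints the ethertype 0806 back as its name, "ARP".
has_vlan_arp_drop() {
    forward_rules | grep -qxF -- '-p 802_1Q --vlan-encap ARP -j DROP'
}

# Print the ebtables commands needed to add the missing ARP drop rules to the
# FORWARD chain, given a listing in $1. Prints nothing when both are present.
missing_rule_cmds() {
    listing=$1
    printf '%s\n' "$listing" | forward_rules | grep -qxF -- '-p ARP -j DROP' ||
        echo 'ebtables -t filter -A FORWARD -p ARP -j DROP'
    printf '%s\n' "$listing" | has_vlan_arp_drop ||
        echo 'ebtables -t filter -A FORWARD -p 802_1Q --vlan-encap 0806 -j DROP'
    return 0
}

# Constructed sample listings: before and after this PR's rule is loaded.
SAMPLE_BEFORE='Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 2, policy: ACCEPT
-d BGA -j DROP
-p ARP -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

SAMPLE_AFTER='Bridge table: filter
Bridge chain: INPUT, entries: 0, policy: ACCEPT
Bridge chain: FORWARD, entries: 3, policy: ACCEPT
-d BGA -j DROP
-p ARP -j DROP
-p 802_1Q --vlan-encap ARP -j DROP
Bridge chain: OUTPUT, entries: 0, policy: ACCEPT'

# On a live switch: missing_rule_cmds "$(sudo ebtables -L)"
missing_rule_cmds "$SAMPLE_BEFORE"
```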
- Description for the changelog
- A picture of a cute animal (not mandatory but encouraged)