From 563e8ccb4d2ff73efb468fc8c9a7602947ef78e0 Mon Sep 17 00:00:00 2001
From: Andrii Ostapenko
Date: Sun, 27 Jun 2021 18:55:45 -0600
Subject: [PATCH] Separate dhcp domains for worker nodes

With this commit vm related dhcp traffic are contained within the same host.

Signed-off-by: Andrii Ostapenko
Change-Id: I916b1e07e9acd4c66942cb5cb434d0ab0d36adbb
---
 manifests/function/workers-vm-infra/iptables-setup.yaml | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/manifests/function/workers-vm-infra/iptables-setup.yaml b/manifests/function/workers-vm-infra/iptables-setup.yaml
index 2f312e62c..508a54c26 100644
--- a/manifests/function/workers-vm-infra/iptables-setup.yaml
+++ b/manifests/function/workers-vm-infra/iptables-setup.yaml
@@ -34,4 +34,10 @@
 # activate ip_forwarding
 echo 1 | sudo tee /proc/sys/net/ipv4/ip_forward
 iptables -t nat -A POSTROUTING -s REPLACEMENT_VM_SUBNET_CIDR -o REPLACEMENT_MGMT_INTF -j MASQUERADE
+ ebtables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 --log-level info --log-ip --log-prefix EBFWbc -j DROP
+ ebtables -A FORWARD -o REPLACEMENT_VM_INFRA_INTF -d ff:ff:ff:ff:ff:ff/ff:ff:ff:ff:ff:ff -p IPv4 --ip-prot udp --ip-dport 67:68 --log-level info --log-ip --log-prefix EBFWbc -j DROP
+ ebtables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -p ipv4 --ip-proto tcp --ip-destination-port 67:68 --log-level info --log-ip --log-prefix EBFWtcp -j DROP
+ ebtables -A FORWARD -o REPLACEMENT_VM_INFRA_INTF -p ipv4 --ip-proto tcp --ip-destination-port 67:68 --log-level info --log-ip --log-prefix EBFWtcp -j DROP
+ ebtables -A FORWARD -i REPLACEMENT_VM_INFRA_INTF -p ipv4 --ip-proto udp --ip-destination-port 67:68 --log-level info --log-ip --log-prefix EBFWudp -j DROP
+ ebtables -A FORWARD -o REPLACEMENT_VM_INFRA_INTF -p ipv4 --ip-proto udp --ip-destination-port 67:68 --log-level info --log-ip --log-prefix EBFWudp -j DROP
 exit 0
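Review bot: Nothing in the hunk checks that the six ebtables rules were actually installed; the script still ends with `exit 0`, so if ebtables is absent or rejects one of the rules the DHCP containment silently does not take effect, which matters because the first two rules spell the options `-p IPv4 --ip-prot udp --ip-dport` while the other four use `-p ipv4 --ip-proto udp --ip-destination-port` — pick one spelling and confirm it parses on the target ebtables build. Either add `set -e` at the top of the script (the script's earlier lines are outside this hunk) or append `|| exit 1` to each rule so a provisioning failure is visible rather than masked. The rules only cover IPv4 DHCP on ports 67:68; DHCPv6 (UDP 546/547) is not matched, which deserves a comment such as `# contains IPv4 DHCP only; DHCPv6 (UDP 546/547) is not filtered here` if IPv6 is expected on the VM bridge. Note also that `-A` appends unconditionally, so re-running the script duplicates the rules and their log lines.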