I have a Debian 11 server and I am running a QEMU/KVM virtual machine on it, created via QEMU commands. There is a bridge device on the server named `br0`, and the VM has a TAP device named `vm0`.
I want to avoid MAC/IP spoofing by creating an `nft` ruleset.
I've tried the following, but it doesn't work, meaning that when I change the MAC address via the `macchanger` tool the packets don't get dropped:
```shell
nft add table bridge filter
nft add chain bridge filter forward \{ type filter hook forward priority filter \; policy accept \;}
nft add rule bridge filter forward iifname vm0 ether type ip ether saddr != <MAC_ADDR_ALLOWED> ether type ip ip saddr != <IP_ADDR_ALLOWED> drop
```
The output of `nft list ruleset` looks like below:
```
table bridge filter {
    chain forward {
        type filter hook forward priority filter; policy accept;
        iifname "vm0" ether type ip ether saddr != <MAC_ADDR_ALLOWED> ip <IP_ADDR_ALLOWED> drop
    }
}
```
I reckon I'm doing something wrong; any help is appreciated.
Question: how do I create a valid rule?
Thanks in advance.
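One thing worth noting about the rule in the question: the two `!=` matches sit in a single rule, and expressions in one nft rule are ANDed, so the frame is dropped only when the MAC and the IP both differ from the allowed values; a spoofed MAC carrying the legitimate IP passes. The ruleset below is an added example for `nft -f`, not code from the original post, and uses constructed sample values for the allowed MAC and IP. It splits the checks into separate rules, hooks `prerouting` in the bridge family so every frame entering from `vm0` is inspected (the `forward` hook only sees frames forwarded between bridge ports, not those delivered to the host's own `br0` address), and also pins the ARP sender fields, since `ether type ip` never matches ARP frames and an unfiltered ARP path would let the VM poison neighbour caches on the bridge.

```nft
#!/usr/sbin/nft -f
# Added example: per-VM anti-spoofing on a Linux bridge (not from the original post).
# Constructed sample values; replace with the MAC and IPv4 address assigned to the VM.
define vm_if  = vm0
define vm_mac = 52:54:00:aa:bb:cc
define vm_ip  = 192.0.2.10

table bridge filter {
    chain prerouting {
        # prerouting sees every frame that enters from the TAP, whether it is
        # forwarded to another bridge port or delivered to the host itself.
        type filter hook prerouting priority filter; policy accept;

        # Ethernet source must be the VM's own MAC.
        iifname $vm_if ether saddr != $vm_mac counter drop

        # IPv4 source must be the VM's own address
        # (ip saddr implies an ether type ip match in the bridge family).
        iifname $vm_if ip saddr != $vm_ip counter drop

        # ARP sender fields must carry the same MAC/IP pair; otherwise
        # ARP spoofing would still work while IP spoofing is blocked.
        iifname $vm_if arp saddr ether != $vm_mac counter drop
        iifname $vm_if arp saddr ip != $vm_ip counter drop

        # Drop anything from the VM that is neither IPv4 nor ARP (for example
        # IPv6 with its own link-local identity); remove this if the VM needs IPv6.
        iifname $vm_if ether type != { ip, arp } counter drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list ruleset`; the `counter` statements let you verify the rules are hit by repeating the `macchanger` test from the question inside the VM and watching the drop counters increase. Because the chain's policy stays `accept`, only traffic that fails one of the identity checks is affected, so the host's other bridge ports are untouched.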