On an ESXi host, after configuring a layer-2 firewall rule with one MAC set as source and another MAC set as destination, the getrules command on the host shows the destination MAC set having an unknown address.

Problem

After configuring a layer-2 firewall rule with one MAC set as source and another MAC set as destination, the getrules command on the host shows the destination MAC set as 01:00:00:00:00:00/01:00:00:00:00:00. For example,

[root@host1:~] vsipioctl getrules -f nic-1000052822-eth1-vmware-sfw.2
ruleset mainrs {
  # generation number: 0
  # realization time : 2018-07-26T12:42:28
  rule 1039 at 1 inout protocol tcp from any to any port 1521 accept as oracle;
  # internal # rule 1039 at 2 inout protocol tcp from any to any port 1521 accept;
  rule 1039 at 3 inout protocol icmp from any to any accept;
  rule 2 at 4 inout protocol any from any to any accept with log;
}

ruleset mainrs_L2 {
  # generation number: 0
  # realization time : 2018-07-26T12:42:28
  rule 1040 at 1 inout ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to addrset 9ad9c6ef-c7dd-4682-833d-57097b415e41 accept;
  # internal # rule 1040 at 2 in ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to addrset 9ad9c6ef-c7dd-4682-833d-57097b415e41 accept;
  # internal # rule 1040 at 3 out ethertype any stateless from addrset d83a1523-0d07-4b18-8a5b-77a634540b57 to mac 01:00:00:00:00:00/01:00:00:00:00:00 accept;
  rule 1 at 4 inout ethertype any stateless from any to any accept;
}

The internal OUT rule with the address 01:00:00:00:00:00/01:00:00:00:00:00 is created by design to handle outbound broadcasting packets and does not indicate a problem.

Solution

None required. The firewall rule will work as configured.