<div dir="ltr"><div dir="ltr">Hi Matthias,</div><div dir="ltr"><br></div><div>Do I need to create an "int" port for this?</div><div>Currently I bind an IP directly to br0.</div><div><br></div><div>Thank you!</div><div><br></div><div>Kind regards</div><div>Kevin</div><div><br></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Tue, 14 May 2019 at 08:00, Matthias May via discuss <<a href="mailto:ovs-discuss@openvswitch.org">ovs-discuss@openvswitch.org</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">On 14/05/2019 07:26, Kevin Olbrich wrote:<br>
> Hi!<br>
> <br>
> I've got an OVS that has a bridge "br0" and has about 100x L2TP tunnels.<br>
> These tunnels run batman-adv, a mesh protocol for L2 routing over L3.<br>
> <br>
> For efficient routing, only nodes that are in the same building are allowed<br>
> to see each other.<br>
> To filter out traffic between the ports, I used ebtables: ebtables -A<br>
> FORWARD --logical-in br0 -j DROP<br>
> <br>
> This allows traffic from the node to the server hosting the bridge and<br>
> reverse but not between the ports.<br>
> As OVS does not work with ebtables, all nodes now see each other over L2TP,<br>
> resulting in all nodes meshing with each other (without any benefit).<br>
> <br>
> How can I implement something like "ebtables -A FORWARD --logical-in br0 -j<br>
> DROP" with OVS?<br>
> I tried "ovs-ofctl mod-port ovsbr-de01-mesh "$INTERFACE" no-forward" but<br>
> that also stopped traffic to the host port (by host port, I mean an IP<br>
> directly on br0).<br>
> <br>
> How can I do it correctly?<br>
> The client ports of br0 never must communicate with each other, just the<br>
> server hosting the bridge.<br>
> <br>
> Thank you!<br>
> <br>
> Kind regards<br>
> Kevin<br>
> <br>
> <br>
> _______________________________________________<br>
> discuss mailing list<br>
> <a href="mailto:discuss@openvswitch.org" target="_blank">discuss@openvswitch.org</a><br>
> <a href="https://mail.openvswitch.org/mailman/listinfo/ovs-discuss" rel="noreferrer" target="_blank">https://mail.openvswitch.org/mailman/listinfo/ovs-discuss</a><br>
> <br>
<br>
You could:<br>
* Delete the default NORMAL action (del-flows br0)<br>
* Create a rule with priority=1 action=<your_server_port><br>
* Create a rule with priority=2 in_port=<your_server_port> action=NORMAL<br>
<br>
This should allow frames from the server to be forwarded as usual, and<br>
frames for all other ports only to the server.<br>
<br>
BR<br>
Matthias<br>
</blockquote></div></div>
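Matthias's three steps as a runnable ovs-ofctl script (an added example, not code from either poster). It assumes the host-side port is the bridge's own internal port, OpenFlow port LOCAL, which is the port an IP bound directly to br0 uses, so no extra "int" port is needed; setting OVS_OFCTL=echo prints the commands instead of touching the bridge.

```shell
#!/bin/sh
# Added example: isolate client ports on an OVS bridge so they can only reach
# the server port (Matthias's recipe: del-flows, priority=1 -> server port,
# priority=2 in_port=server -> NORMAL). Assumptions: the server port is LOCAL
# (IP bound directly on br0); OVS_OFCTL=echo turns every call into a dry run.
: "${OVS_OFCTL:=ovs-ofctl}"

# Emit the two flow rules, one per line, for "ovs-ofctl add-flows <bridge> -".
isolation_flows() {
    server_port=${1:-LOCAL}
    # Priority 1: any frame not matched by a higher-priority rule goes to the
    # server port only, so client ports never see each other.
    printf 'priority=1,actions=output:%s\n' "$server_port"
    # Priority 2: frames entering from the server port are switched normally
    # (MAC learning, flooding of broadcast/unknown unicast to client ports).
    printf 'priority=2,in_port=%s,actions=NORMAL\n' "$server_port"
}

# Optional per-client pin: client frames never pass through NORMAL, so the
# bridge never learns their MACs and server->client unicast would be flooded
# to every client port. A priority=3 rule keyed on the client MAC avoids that.
pin_client_flow() {
    server_port=$1 client_port=$2 client_mac=$3
    printf 'priority=3,in_port=%s,dl_dst=%s,actions=output:%s\n' \
        "$server_port" "$client_mac" "$client_port"
}

# Replace the whole table: del-flows drops the default NORMAL rule, add-flows
# installs the new rules read from stdin ("-") in one transaction.
apply_isolation() {
    bridge=$1
    server_port=${2:-LOCAL}
    "$OVS_OFCTL" del-flows "$bridge" &&
        isolation_flows "$server_port" | "$OVS_OFCTL" add-flows "$bridge" -
}

# Usage: sh isolate.sh apply [bridge] [server_port], e.g. "apply br0 LOCAL".
if [ "${1:-}" = apply ]; then
    apply_isolation "${2:-br0}" "${3:-LOCAL}"
fi
```

Verify afterwards with `ovs-ofctl dump-flows br0`: the table should show exactly the installed rules and no remaining NORMAL catch-all.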