[ovs-discuss] Only allow traffic between the bridge port and OVS (not other ports)

Kevin Olbrich ko at sv01.de
Tue May 14 05:26:56 UTC 2019


Hi!

I've got an OVS that has a bridge "br0" and has about 100x L2TP tunnels.
These tunnels run batman-adv, a mesh protocol for L2 routing over L3.

For efficient routing, only nodes that are in the same building are allowed
to see each other.
To filter out traffic between the ports, I used ebtables: ebtables -A
FORWARD --logical-in br0 -j DROP

This allows traffic from the node to the server hosting the bridge and
reverse but not between the ports.
As OVS does not work with ebtables, all nodes now see each other over L2TP,
resulting in all nodes meshing with each other (without any benefit).

How can I implement something like "ebtables -A FORWARD --logical-in br0 -j
DROP" with OVS?
I tried "ovs-ofctl mod-port ovsbr-de01-mesh "$INTERFACE" no-forward" but
that also stopped traffic to the host port (by host port, I mean an IP
directly on br0).

How can I do it correctly?
The client ports of br0 must never communicate with each other, just with the
server hosting the bridge.

Thank you!

Kind regards
Kevin
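One way to express the ebtables policy in OpenFlow terms, added here as an example and not part of the original message or of the Open vSwitch project: the host's own interface on an OVS bridge is the port named LOCAL, so the policy "clients may talk to the host but never to each other" becomes one flow per client port that outputs only to LOCAL, one flow for frames entering from LOCAL that uses the NORMAL (learning-switch) action, and a table-miss rule that drops everything else. The bridge name br0 comes from the post; the client port names are constructed sample names, and the small resolver at the end only models the OpenFlow priority rule (highest-priority matching flow wins) so the policy can be checked offline.

```python
"""Generate the OVS equivalent of
    ebtables -A FORWARD --logical-in br0 -j DROP
i.e. client ports may reach the host interface (OVS port LOCAL) but
never another client port.  Added example; port names are constructed.
"""

BRIDGE = "br0"                                              # bridge name from the post
CLIENT_PORTS = ["l2tp-node1", "l2tp-node2", "l2tp-node3"]   # constructed sample port names


def isolation_flows(client_ports):
    """Return ovs-ofctl flow specs implementing the isolation policy.

    - in_port=LOCAL (the host's IP interface on the bridge) -> NORMAL, so the
      host can reach every client port.
    - in_port=<client> -> output:LOCAL only, so a client never reaches a peer.
    - table miss (priority 0) -> drop, so an unlisted port gets nothing.
    """
    flows = ["priority=100,in_port=LOCAL,actions=NORMAL"]
    for port in client_ports:
        flows.append(f"priority=90,in_port={port},actions=output:LOCAL")
    flows.append("priority=0,actions=drop")
    return flows


def ovs_ofctl_commands(bridge, client_ports):
    """Shell commands that replace the bridge's flow table with the policy."""
    cmds = [f"ovs-ofctl del-flows {bridge}"]
    cmds += [f'ovs-ofctl add-flow {bridge} "{flow}"'
             for flow in isolation_flows(client_ports)]
    return cmds


def _parse(flow):
    """Split a simple 'k=v,k=v' flow spec into (priority, in_port or None, actions)."""
    fields = dict(kv.split("=", 1) for kv in flow.split(","))
    return int(fields["priority"]), fields.get("in_port"), fields["actions"]


def egress_for(flows, in_port):
    """Resolve the action a frame entering on in_port receives.

    Mirrors the OpenFlow table lookup: among all flows whose match fits the
    frame, the highest-priority one wins (a flow with no in_port matches any).
    """
    best = None
    for flow in flows:
        prio, match_port, actions = _parse(flow)
        if match_port in (None, in_port) and (best is None or prio > best[0]):
            best = (prio, actions)
    return best[1]


if __name__ == "__main__":
    for cmd in ovs_ofctl_commands(BRIDGE, CLIENT_PORTS):
        print(cmd)
    flows = isolation_flows(CLIENT_PORTS)
    for port in ["LOCAL", "l2tp-node1", "not-a-client"]:
        print(f"frame from {port:>12}: {egress_for(flows, port)}")
```

Two caveats worth knowing before installing this. First, `ovs-ofctl mod-port ... no-forward` is a per-port switch that stops the bridge from delivering anything to that port, which is why it also cut the path to the host; only a flow rule can distinguish "to LOCAL" from "to another client". Second, because client frames bypass NORMAL, the bridge's MAC learning table only ever learns from frames the host sends, so a unicast frame from the host to a client MAC it has not learned is flooded to all client ports (each other client simply discards a frame not addressed to it). If that flooding matters, a `learn()` action on the client flows can populate a learned table that the LOCAL flow consults, at the cost of a noticeably longer rule set.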