[ovs-discuss] Only allow traffic between the bridge port and OVS (not other ports)

Kevin Olbrich ko at sv01.de
Tue May 14 05:43:06 UTC 2019


On Tue, 14 May 2019 at 07:26, Kevin Olbrich <ko at sv01.de> wrote:

> Hi!
>
> I've got an OVS that has a bridge "br0" and has about 100x L2TP tunnels.
> These tunnels run batman-adv, a mesh protocol for L2 routing over L3.
>
> For efficient routing, only nodes that are in the same building are
> allowed to see each other.
> To filter out traffic between the ports, I used ebtables: ebtables -A
> FORWARD --logical-in br0 -j DROP
>
> This allows traffic from the node to the server hosting the bridge and
> reverse but not between the ports.
> As OVS does not work with ebtables, all nodes now see each other over
> L2TP, resulting in all nodes meshing with each other (without any benefit).
>
> How can I implement something like "ebtables -A FORWARD --logical-in br0
> -j DROP" with OVS?
> I tried "ovs-ofctl mod-port ovsbr-de01-mesh "$INTERFACE" no-forward" but
> that also stopped traffic to the host port (by host port, I mean an IP
> directly on br0).
>

Sorry, C&P error here: ovsbr-de01-mesh is br0.


> How can I do it correctly?
> The client ports of br0 must never communicate with each other, just the
> server hosting the bridge.
>
> Thank you!
>
> Kind regards
> Kevin
>
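One way to express the ebtables rule above in OpenFlow, added here as an example and not taken from the thread: every client port may only send to the bridge's own internal port (OpenFlow port LOCAL, the interface carrying the IP on br0), the host may reach any client, and the default is drop, so client-to-client frames, broadcasts included, never cross the bridge. It assumes the bridge is br0 and that the client ports' OpenFlow port numbers are known (ovs-vsctl get Interface <name> ofport); a learn() action records each client's source MAC so return traffic from the host is unicast instead of flooded to all tunnels.

```shell
#!/bin/sh
# Port isolation for an OVS bridge: clients <-> LOCAL only, default deny.
# Assumed: bridge br0; client ports identified by OpenFlow port number.

# Emit an ovs-ofctl flow file on stdout.
#   $1 = space-separated OpenFlow port numbers of the client ports
gen_isolation_flows() {
    clients=$1
    flood=""
    for p in $clients; do
        flood="${flood:+$flood,}output:$p"
    done
    # table 0, lowest priority: anything not explicitly allowed is dropped,
    # so two client ports can never exchange frames (unicast or broadcast).
    echo "table=0,priority=0,actions=drop"
    # Host -> clients: look the destination MAC up in the learned table 1.
    echo "table=0,priority=10,in_port=LOCAL,actions=resubmit(,1)"
    # Client -> host only. The learn() action installs a table-1 flow
    # "eth_dst=<client MAC> -> output:<this port>" (expires after 300 s)
    # so the host's replies go back on the one tunnel, not to all 100.
    for p in $clients; do
        echo "table=0,priority=10,in_port=$p,actions=learn(table=1,hard_timeout=300,priority=10,NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],output:NXM_OF_IN_PORT[]),output:LOCAL"
    done
    # table 1 fallback: unknown unicast or broadcast from the host is
    # flooded to the client ports only (never from one client to another).
    echo "table=1,priority=0,actions=${flood:-drop}"
}

# Usage (constructed sample: three client tunnels with ofports 2, 3 and 4).
# fail-mode=secure keeps OVS from falling back to a plain learning switch
# (the NORMAL action) that would let the clients see each other again.
#   ovs-vsctl set bridge br0 fail-mode=secure
#   gen_isolation_flows "2 3 4" | ovs-ofctl replace-flows br0 -
```

Flows added with ovs-ofctl do not survive an ovs-vswitchd restart, so run the two commands from the bridge's startup hook; verify with `ovs-ofctl dump-flows br0` that the packet counters of the priority-0 drop rule rise while the clients try to reach each other.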