[ovs-discuss] Only allow traffic between the bridge port and OVS (not other ports)

Matthias May matthias.may at neratec.com
Tue May 14 05:49:51 UTC 2019


On 14/05/2019 07:26, Kevin Olbrich wrote:
> Hi!
> 
> I've got an OVS that has a bridge "br0" and has about 100x L2TP tunnels.
> These tunnels run batman-adv, a mesh protocol for L2 routing over L3.
> 
> For efficient routing, only nodes that are in the same building are allowed
> to see each other.
> To filter out traffic between the ports, I used ebtables: ebtables -A
> FORWARD --logical-in br0 -j DROP
> 
> This allows traffic from the node to the server hosting the bridge and
> reverse but not between the ports.
> As OVS does not work with ebtables, all nodes now see each other over L2TP,
> resulting in all nodes meshing with each other (without any benefit).
> 
> How can I implement something like "ebtables -A FORWARD --logical-in br0 -j
> DROP" with OVS?
> I tried "ovs-ofctl mod-port ovsbr-de01-mesh "$INTERFACE" no-forward" but
> that also stopped traffic to the host port (by host port, I mean an IP
> directly on br0).
> 
> How can I do it correctly?
> The client ports of br0 never must communicate with each other, just the
> server hosting the bridge.
> 
> Thank you!
> 
> Kind regards
> Kevin
> 
> 

You could:
* Delete the default NORMAL action (del-flows br0)
* Create a rule with priority=1 action=<your_server_port>
* Create a rule with priority=2 in_port=<your_server_port> action=NORMAL

This should allow frames from the server to be forwarded as usual, and
frames for all other ports only to the server.

BR
Matthias
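The three steps above as concrete ovs-ofctl commands, added here as an example rather than taken from the thread. The bridge name and server port are parameters (assumed placeholders); when the "server" is an IP configured directly on br0, the server port is the bridge's own internal port, which OpenFlow addresses as LOCAL.

```shell
#!/bin/sh
# Added example (not from the thread): emit the OpenFlow rules that isolate
# client ports so they can only talk to the server port. The bridge name and
# server port are assumed placeholders; ovs-ofctl accepts OVS port names or
# numbers in in_port= and output:, and LOCAL for the bridge's internal port.

# Print the commands that isolate client ports on bridge $1, leaving $2
# (the port leading to the host/server) as the only reachable destination.
isolate_flows() {
    bridge="$1"
    server_port="${2:-LOCAL}"
    # Step 1: drop the default table, which removes the implicit NORMAL entry.
    echo "ovs-ofctl del-flows $bridge"
    # Step 3: frames entering from the server port are switched as usual.
    echo "ovs-ofctl add-flow $bridge \"priority=2,in_port=$server_port,actions=NORMAL\""
    # Step 2: everything else (any client port) is sent only to the server port.
    echo "ovs-ofctl add-flow $bridge \"priority=1,actions=output:$server_port\""
}

# Apply the rules only when DRY_RUN=0; by default just print them for review.
apply_flows() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        isolate_flows "$1" "$2"
    else
        isolate_flows "$1" "$2" | sh -e
    fi
}
```

Because client frames never pass through NORMAL, the bridge learns no client MAC addresses, so unicast frames from the server to a client are flooded to all non-ingress ports; that does not reopen client-to-client forwarding, but it is visible on every client port.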

