[ovs-discuss] Only allow traffic between the bridge port and OVS (not other ports)

Matthias May matthias.may at neratec.com
Tue May 14 05:49:51 UTC 2019

On 14/05/2019 07:26, Kevin Olbrich wrote:
> Hi!
> I've got an OVS that has a bridge "br0" and has about 100x L2TP tunnels.
> These tunnels run batman-adv, a mesh protocol for L2 routing over L3.
> For efficient routing, only nodes that are in the same building are allowed
> to see each other.
> To filter out traffic between the ports, I used ebtables: ebtables -A
> FORWARD --logical-in br0 -j DROP
> This allows traffic from the node to the server hosting the bridge and
> reverse but not between the ports.
> As OVS does not work with ebtables, all nodes now see each other over L2TP,
> resulting in all nodes meshing with each other (without any benefit).
> How can I implement something like "ebtables -A FORWARD --logical-in br0 -j
> DROP" with OVS?
> I tried "ovs-ofctl mod-port ovsbr-de01-mesh "$INTERFACE" no-forward" but
> that also stopped traffic to the host port (by host port, I mean an IP
> directly on br0).
> How can I do it correctly?
> The client ports of br0 never must communicate with each other, just the
> server hosting the bridge.
> Thank you!
> Kind regards
> Kevin

You could:
* Delete the default NORMAL action (del-flows br0)
* Create a rule with priority=1 action=<your_server_port>
* Create a rule with priority=2 in_port=<your_server_port> action=NORMAL

This should allow frames from the server to be forwarded as usual, and
frames for all other ports only to the server.
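The two-flow table suggested above, modelled as an added example (this is not code from the thread or from Open vSwitch). The port numbers are assumptions: the server's own interface is taken to be the bridge's internal port (OpenFlow name LOCAL, since the IP sits directly on br0) and the L2TP tunnels are OpenFlow ports 1..3. The script emits the matching `ovs-ofctl` commands and runs a small model of the flow table's forwarding decision, including the MAC learning that the NORMAL action performs, so the isolation property can be checked before touching a live bridge.

```python
"""Model of a two-flow OVS table that isolates client ports from each other.

Added example, not code from the thread. Assumptions: server port = LOCAL
(the bridge's internal port), client ports = OpenFlow ports 1, 2, 3.
"""

BROADCAST = "ff:ff:ff:ff:ff:ff"


def flow_rules(server_port):
    """The two flows from the reply, in ovs-ofctl add-flow syntax."""
    return [
        f"priority=1,actions=output:{server_port}",          # everything else -> server only
        f"priority=2,in_port={server_port},actions=NORMAL",  # server frames: learning switch
    ]


def ovs_ofctl_commands(bridge, server_port):
    """Shell commands to install the table: drop the default NORMAL flow, add the two rules."""
    cmds = [f"ovs-ofctl del-flows {bridge}"]
    cmds += [f"ovs-ofctl add-flow {bridge} '{rule}'" for rule in flow_rules(server_port)]
    return cmds


class Bridge:
    """Forwarding model of br0 under the two flows above."""

    def __init__(self, server_port, client_ports):
        self.server_port = server_port
        self.client_ports = list(client_ports)
        self.mac_table = {}  # MAC -> port, populated only by the NORMAL action

    def forward(self, in_port, src_mac, dst_mac):
        """Return the set of ports a frame is delivered to."""
        if in_port == self.server_port:
            return self._normal(in_port, src_mac, dst_mac)   # priority=2 flow
        return {self.server_port}                            # priority=1 flow

    def _normal(self, in_port, src_mac, dst_mac):
        # NORMAL = learning switch: learn the source, then unicast if known, else flood.
        self.mac_table[src_mac] = in_port
        out = self.mac_table.get(dst_mac)
        if dst_mac != BROADCAST and out is not None and out != in_port:
            return {out}
        return {self.server_port, *self.client_ports} - {in_port}


def clients_isolated(bridge):
    """True if no frame entering a client port is ever delivered to another client port."""
    for a in bridge.client_ports:
        for b in bridge.client_ports:
            if a == b:
                continue
            for dst in (f"mac-of-{b}", BROADCAST):
                if b in bridge.forward(a, f"mac-of-{a}", dst):
                    return False
    return True


if __name__ == "__main__":
    for cmd in ovs_ofctl_commands("br0", "LOCAL"):
        print(cmd)
    br = Bridge("LOCAL", [1, 2, 3])
    print("client 1 -> client 2 unicast lands on:", br.forward(1, "mac-of-1", "mac-of-2"))
    print("server broadcast lands on:", br.forward("LOCAL", "mac-of-server", BROADCAST))
    print("clients isolated:", clients_isolated(Bridge("LOCAL", [1, 2, 3])))
```

One consequence the model makes visible: because client frames leave via a plain `output:` action and never pass through NORMAL, the bridge never learns the client MACs. Every server-to-client unicast is therefore flooded to all client ports, so clients cannot talk to each other but do see each other's traffic from the server; if that matters, the client-side flow needs an explicit learning step as well.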