[ovs-discuss] Only allow traffic between the bridge port and OVS (not other ports)

Kevin Olbrich ko at sv01.de
Tue May 14 06:53:16 UTC 2019


OK, there already is "br0" as an internal interface; I didn't read correctly.
Your command is missing some pieces, can you check again?

Kind regards
Kevin


On Tue, 14 May 2019 at 08:32, Kevin Olbrich <ko at sv01.de> wrote:

> Hi Matthias,
>
> do I need to create an "int" port for this?
> Currently I bind an IP directly to br0.
>
> Thank you!
>
> Kind regards
> Kevin
>
>
> On Tue, 14 May 2019 at 08:00, Matthias May via discuss <
> ovs-discuss at openvswitch.org> wrote:
>
>> On 14/05/2019 07:26, Kevin Olbrich wrote:
>> > Hi!
>> >
>> > I've got an OVS that has a bridge "br0" and has about 100x L2TP tunnels.
>> > These tunnels run batman-adv, a mesh protocol for L2 routing over L3.
>> >
>> > For efficient routing, only nodes that are in the same building are
>> > allowed to see each other.
>> > To filter out traffic between the ports, I used ebtables:
>> > ebtables -A FORWARD --logical-in br0 -j DROP
>> >
>> > This allows traffic from the node to the server hosting the bridge and
>> > reverse but not between the ports.
>> > As OVS does not work with ebtables, all nodes now see each other over
>> > L2TP, resulting in all nodes meshing with each other (without any benefit).
>> >
>> > How can I implement something like "ebtables -A FORWARD --logical-in
>> > br0 -j DROP" with OVS?
>> > I tried "ovs-ofctl mod-port ovsbr-de01-mesh "$INTERFACE" no-forward" but
>> > that also stopped traffic to the host port (by host port, I mean an IP
>> > directly on br0).
>> >
>> > How can I do it correctly?
>> > The client ports of br0 must never communicate with each other, just with
>> > the server hosting the bridge.
>> >
>> > Thank you!
>> >
>> > Kind regards
>> > Kevin
>> >
>> >
>> > _______________________________________________
>> > discuss mailing list
>> > discuss at openvswitch.org
>> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
>> >
>>
>> You could:
>> * Delete the default NORMAL action (del-flows br0)
>> * Create a rule with priority=1 action=<your_server_port>
>> * Create a rule with priority=2 in_port=<your_server_port> action=NORMAL
>>
>> This should allow frames from the server to be forwarded as usual, and
>> frames for all other ports only to the server.
>>
>> BR
>> Matthias
>>
>
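The rule set Matthias sketches, written out as an added example (this is not code from the thread or from the Open vSwitch project). It assumes the bridge is br0 and that the "server port" is the bridge's own LOCAL port, which is where an IP bound directly to br0 lives; a different OpenFlow port name or number can be passed if the server hangs off a dedicated port. The helper function only emits the rules, so it can be checked before anything touches the bridge.

```shell
#!/bin/sh
# Added example: isolate every client port of an OVS bridge from every other
# client port while keeping each one reachable from the server port.
# Assumptions: bridge "br0", server port "LOCAL" (IP bound directly to br0).

# Emit the two rules in ovs-ofctl flow syntax.
#   priority=2: frames entering from the server port use the normal L2 pipeline
#   priority=1: every other frame (any other in_port, unicast or broadcast)
#               is delivered to the server port only, never to another client
build_isolation_flows() {
    server_port="${1:-LOCAL}"
    printf 'priority=2,in_port=%s,actions=NORMAL\n' "$server_port"
    printf 'priority=1,actions=output:%s\n' "$server_port"
}

# Install the rule set. replace-flows swaps the whole table in one step, so
# there is no window in which the bridge has no flows at all (del-flows
# followed by add-flows would briefly leave the table empty).
apply_isolation_flows() {
    bridge="${1:-br0}"
    server_port="${2:-LOCAL}"
    build_isolation_flows "$server_port" | ovs-ofctl replace-flows "$bridge" -
}

# Check the result: dump the table, then trace a broadcast frame entering
# from one client port. The trace output must list only the server port as
# destination; any other port in the output means the isolation is broken.
verify_isolation() {
    bridge="${1:-br0}"
    client_port="$2"   # OpenFlow port number of one L2TP client port
    ovs-ofctl dump-flows "$bridge"
    ovs-appctl ofproto/trace "$bridge" \
        "in_port=${client_port},dl_dst=ff:ff:ff:ff:ff:ff"
}

# Entry points (nothing runs when the file is merely sourced):
#   sh isolate.sh apply  [bridge] [server_port]
#   sh isolate.sh verify [bridge] <client_port_number>
case "${1:-}" in
    apply)  apply_isolation_flows "${2:-br0}" "${3:-LOCAL}" ;;
    verify) verify_isolation "${2:-br0}" "${3:?client port number required}" ;;
esac
```

One caveat worth knowing before relying on this: the NORMAL action learns source MACs only from frames it processes, and client frames are handled by the priority-1 rule instead, so the bridge never learns where each client is. Unicast from the server to a single client is therefore flooded to every client port. The clients still cannot exchange frames with each other, which is what the thread is after, but traffic the server sends to one client is visible to all of them; if that matters, add a `learn` action to the priority-1 rule or install one explicit output rule per client port.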