From: Ross Vandegrift <ross@kallisti.us>
To: Daniel Robbins <drobbins@funtoo.org>
Cc: Stephen Hemminger <shemminger@vyatta.com>,
	bridge@lists.linux-foundation.org,
	Joakim Tjernlund <joakim.tjernlund@transmode.se>
Subject: Re: [Bridge] RFC: Simple Private VLAN impl.
Date: Thu, 11 Jun 2009 23:56:26 -0400	[thread overview]
Message-ID: <20090612035626.GA4402@kallisti.us> (raw)
In-Reply-To: <de7adc5e0906111715s56f13ad0o760840dfadba797@mail.gmail.com>

On Thu, Jun 11, 2009 at 06:15:46PM -0600, Daniel Robbins wrote:
> In my particular configuration, there are no communities - each VE is an
> island, and will only be able to communicate with the network gateway (which
> is non-local, ie. not on the linux bridge itself.) That should lock down
> layer 2. With OpenVZ, each VE's MAC will have a common SWSoft 00:18:51
> prefix.
> 
> After I get that working, I need to lock down layer 3 with iptables, so the
> PVLAN functionality can't be bypassed.
> 
> If you have any configuration examples for ebtables, especially simple ones,
> I would welcome them :)

Couldn't be simpler in that case.  Say you've bridged veth1.0 through
veth10.0 and veth1.0 is the interface of the gateway.  Then, all you
need is:

# FORWARD chain: frames entering from or leaving via the gateway port veth1.0
# are forwarded; every VE-to-VE frame falls through to the chain policy, which
# has to be DROP for the two ACCEPT rules to isolate anything.
ebtables -P FORWARD DROP
ebtables -A FORWARD -i veth1.0 -j ACCEPT
ebtables -A FORWARD -o veth1.0 -j ACCEPT

If you spin up VEID 11, give it a virtual ethernet NIC, and add the
associated veth device on the hardware node to the bridge - you're
good to go.

Of course veth1.0 could just as easily be a physical interface
connected to another device.

-- 
Ross Vandegrift
ross@kallisti.us

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
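Added example, not part of the original mail: the rule set above modelled as a shell script, so the isolated-port behaviour can be checked without root before it is loaded. pvlan_rules prints the ebtables commands for a given uplink port, forward_verdict replays the FORWARD chain's first-match-then-policy decision for one (in, out) port pair, and check_isolation walks every pair to confirm that each VE port reaches the gateway in both directions and no VE port reaches another. The port names (veth1.0 as the gateway port, veth10.0 to veth12.0 as VE ports) are assumptions for illustration. Flooded frames (broadcast, unknown unicast) are evaluated by the bridge once per outgoing port, so the model applies to them too: the copy towards veth1.0 is accepted and the copies towards other VE ports are dropped.

```shell
#!/bin/sh
# Added example (not from the original mail): generate the ebtables rules for
# an isolated-ports private VLAN on a Linux bridge and model the FORWARD chain
# decision so the rule set can be checked without root.
# Assumed names: gateway/uplink port veth1.0, VE ports veth10.0..veth12.0.

UPLINK=veth1.0

# Print the ebtables commands that implement the isolation.  Only frames that
# enter or leave via the uplink port are forwarded; everything else (in
# particular VE-to-VE traffic) hits the DROP policy.
pvlan_rules() {
    uplink=$1
    echo "ebtables -P FORWARD DROP"
    echo "ebtables -F FORWARD"
    echo "ebtables -A FORWARD -i $uplink -j ACCEPT"
    echo "ebtables -A FORWARD -o $uplink -j ACCEPT"
}

# Model of the FORWARD chain built above: first matching rule wins, otherwise
# the chain policy (DROP) applies.
# Usage: forward_verdict <uplink> <in_if> <out_if>   -> prints ACCEPT or DROP
forward_verdict() {
    uplink=$1; in_if=$2; out_if=$3
    if [ "$in_if" = "$uplink" ] || [ "$out_if" = "$uplink" ]; then
        echo ACCEPT
    else
        echo DROP
    fi
}

# Check the whole port set: every VE port must reach the uplink both ways and
# no VE port may reach another.  Returns 0 if the rule set is isolating.
# Usage: check_isolation <uplink> <ve_port>...
check_isolation() {
    uplink=$1; shift
    for a in "$@"; do
        [ "$(forward_verdict "$uplink" "$a" "$uplink")" = ACCEPT ] || return 1
        [ "$(forward_verdict "$uplink" "$uplink" "$a")" = ACCEPT ] || return 1
        for b in "$@"; do
            [ "$a" = "$b" ] && continue
            [ "$(forward_verdict "$uplink" "$a" "$b")" = DROP ] || return 1
        done
    done
    return 0
}

# Live check on the hardware node (root and ebtables required): the per-rule
# counters and the policy line of
#   ebtables -L FORWARD --Lc
# show whether VE-to-VE frames are actually landing on the DROP policy.

pvlan_rules "$UPLINK"
check_isolation "$UPLINK" veth10.0 veth11.0 veth12.0 && echo "isolation ok"
```

Note that ebtables FORWARD only covers frames the bridge forwards between ports; frames addressed to the hardware node's own bridge interface traverse INPUT instead, and layer 3 reachability between VEs via the gateway is a separate question, which is where the iptables work Daniel mentions comes in.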


Thread overview: 31+ messages
2009-06-10 13:32 [Bridge] RFC: Simple Private VLAN impl Joakim Tjernlund
2009-06-10 14:45 ` Stephen Hemminger
2009-06-10 15:32   ` Joakim Tjernlund
2009-06-10 16:27     ` Ross Vandegrift
2009-06-10 17:09       ` Joakim Tjernlund
     [not found]       ` <OF4422F49E.33BDAF5C-ONC12575D1.005C802A-C12575D1.005E38A3@LocalDomain>
2009-06-11 12:50         ` Joakim Tjernlund
2009-06-11 14:22           ` Ross Vandegrift
2009-06-11 14:48             ` Joakim Tjernlund
2009-06-11 16:12               ` Ross Vandegrift
2009-06-11 19:43                 ` Joakim Tjernlund
2009-06-11 21:04           ` Benny Amorsen
2009-06-11 23:10             ` Joakim Tjernlund
2009-06-11 23:44               ` Ross Vandegrift
2009-06-11 19:51     ` Daniel Robbins
2009-06-11 23:58       ` Ross Vandegrift
2009-06-12  0:15         ` Daniel Robbins
2009-06-12  3:56           ` Ross Vandegrift [this message]
2009-06-12  9:17       ` Benny Amorsen
2009-06-12  9:41         ` Joakim Tjernlund
2009-06-12  9:48           ` Benny Amorsen
2009-06-12 11:03             ` Marek Kierdelewicz
2009-06-12 11:45             ` Joakim Tjernlund
2009-06-12 12:52           ` Ross Vandegrift
2009-06-12 13:09             ` Joakim Tjernlund
2009-06-12 13:19               ` richardvoigt
2009-06-12 13:47                 ` Joakim Tjernlund
2009-06-12 19:31                   ` richardvoigt
2009-06-12 21:32                     ` Joakim Tjernlund
2009-06-12 23:54                       ` Benny Amorsen
2009-06-13 14:58                         ` Joakim Tjernlund
2009-06-13  4:29                       ` richardvoigt
