From: Benny Amorsen <benny+usenet@amorsen.dk>
To: Joakim Tjernlund <joakim.tjernlund@transmode.se>
Cc: Stephen Hemminger <shemminger@vyatta.com>,
bridge@lists.linux-foundation.org
Subject: Re: [Bridge] RFC: Simple Private VLAN impl.
Date: Thu, 11 Jun 2009 23:04:48 +0200 [thread overview]
Message-ID: <m3fxe6trbj.fsf@ursa.amorsen.dk> (raw)
In-Reply-To: <OF3035BFFB.A9837EFB-ONC12575D2.00451300-C12575D2.00468AB7@transmode.se> (Joakim Tjernlund's message of "Thu\, 11 Jun 2009 14\:50\:30 +0200")
Joakim Tjernlund <joakim.tjernlund@transmode.se> writes:
> ---------------------------------------------------------------
> | | isolat-| promis-| commu-| commu-| interswitch |
> | | ted | cuous | nity1 | nity2 | link port |
> ---------------------------------------------------------------
> | isolated | deny | permit | deny | deny | permit |
> ---------------------------------------------------------------
> | promiscuous | permit | permit | permit| permit| permit |
> ---------------------------------------------------------------
> | community1 | deny | permit | permit| deny | permit |
> ---------------------------------------------------------------
> | community2 | deny | permit | deny | permit| permit |
> ---------------------------------------------------------------
> | interswitch | | | | | |
> | link port | deny(*)| permit | permit| permit| permit |
> ---------------------------------------------------------------
Ok, I thought this would be really easy, but I must admit I don't get
how an interswitch link port works. Apparently the different VLAN's are
allowed to go to the same ports, but you can't send a packet back out
the physical interface it came in on.
I ignored the community rules, exercise for the reader...
Anyway, this is buggy, but it should give you an idea:
ebtables -A FORWARD -i eth0.4042 -j frominterswitchporteth0
ebtables -A FORWARD -i eth0.4043 -j frominterswitchporteth0
ebtables -A FORWARD -i eth0.4044 -j frominterswitchporteth0
ebtables -A FORWARD -i eth1.1 -j frompromiscuous
ebtables -A FORWARD -i eth1.2 -j fromisolated
ebtables -A FORWARD -i eth0.4042 -j frominterswitch
ebtables -A FORWARD -i eth0.4043 -j frominterswitch
ebtables -A FORWARD -i eth0.4044 -j frominterswitch
ebtables -A FORWARD -j DROP
ebtables -A frominterswitchporteth0 -o eth0.4042 -j DROP
ebtables -A frominterswitchporteth0 -o eth0.4043 -j DROP
ebtables -A frominterswitchporteth0 -o eth0.4044 -j DROP
ebtables -A frominterswitchporteth0 -j RETURN
#ebtables -A fromisolated -j denyisolated
ebtables -A fromisolated -j permitpromiscuous
ebtables -A fromisolated -j permitinterswitch
ebtables -A fromisolated -j DROP
ebtables -A frompromiscuous -j permitisolated
ebtables -A frompromiscuous -j permitpromiscuous
ebtables -A frompromiscuous -j permitinterswitch
ebtables -A frompromiscuous -j DROP
#ebtables -A frominterswitch -j denyisolated
ebtables -A frominterswitch -j permitpromiscuous
ebtables -A frominterswitch -j permitinterswitch
ebtables -A frominterswitch -j DROP
ebtables -A permitisolated -o eth1.2 -j ACCEPT
ebtables -A permitisolated -j RETURN
ebtables -A permitpromiscuous -o eth1.1 -j ACCEPT
ebtables -A permitpromiscuous -j RETURN
ebtables -A permitinterswitch -o eth0.4042 -j ACCEPT
ebtables -A permitinterswitch -o eth0.4043 -j ACCEPT
ebtables -A permitinterswitch -o eth0.4044 -j ACCEPT
ebtables -A permitpromiscuous -j RETURN
Now, to implement an extra interface, just add it to FORWARD with -j
from<type> and add it to permit<type>. Just two rules. If it's an
interswitch interface, you need to make a new rule set and add the
appropriate VLAN's in there as well, so 4 rules per VLAN for those.
It would be handy if ebtables supported interface sets, like netfilter
supports ipsets.
/Benny
next prev parent reply other threads:[~2009-06-11 21:04 UTC|newest]
Thread overview: 31+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-06-10 13:32 [Bridge] RFC: Simple Private VLAN impl Joakim Tjernlund
2009-06-10 14:45 ` Stephen Hemminger
2009-06-10 15:32 ` Joakim Tjernlund
2009-06-10 16:27 ` Ross Vandegrift
2009-06-10 17:09 ` Joakim Tjernlund
[not found] ` <OF4422F49E.33BDAF5C-ONC12575D1.005C802A-C12575D1.005E38A3@LocalDomain>
2009-06-11 12:50 ` Joakim Tjernlund
2009-06-11 14:22 ` Ross Vandegrift
2009-06-11 14:48 ` Joakim Tjernlund
2009-06-11 16:12 ` Ross Vandegrift
2009-06-11 19:43 ` Joakim Tjernlund
2009-06-11 21:04 ` Benny Amorsen [this message]
2009-06-11 23:10 ` Joakim Tjernlund
2009-06-11 23:44 ` Ross Vandegrift
2009-06-11 19:51 ` Daniel Robbins
2009-06-11 23:58 ` Ross Vandegrift
2009-06-12 0:15 ` Daniel Robbins
2009-06-12 3:56 ` Ross Vandegrift
2009-06-12 9:17 ` Benny Amorsen
2009-06-12 9:41 ` Joakim Tjernlund
2009-06-12 9:48 ` Benny Amorsen
2009-06-12 11:03 ` Marek Kierdelewicz
2009-06-12 11:45 ` Joakim Tjernlund
2009-06-12 12:52 ` Ross Vandegrift
2009-06-12 13:09 ` Joakim Tjernlund
2009-06-12 13:19 ` richardvoigt
2009-06-12 13:47 ` Joakim Tjernlund
2009-06-12 19:31 ` richardvoigt
2009-06-12 21:32 ` Joakim Tjernlund
2009-06-12 23:54 ` Benny Amorsen
2009-06-13 14:58 ` Joakim Tjernlund
2009-06-13 4:29 ` richardvoigt
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=m3fxe6trbj.fsf@ursa.amorsen.dk \
--to=benny+usenet@amorsen.dk \
--cc=bridge@lists.linux-foundation.org \
--cc=joakim.tjernlund@transmode.se \
--cc=shemminger@vyatta.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.