From: Ross Vandegrift <ross@kallisti.us>
To: Daniel Robbins <drobbins@funtoo.org>
Cc: Stephen Hemminger <shemminger@vyatta.com>,
bridge@lists.linux-foundation.org,
Joakim Tjernlund <joakim.tjernlund@transmode.se>
Subject: Re: [Bridge] RFC: Simple Private VLAN impl.
Date: Thu, 11 Jun 2009 23:56:26 -0400
Message-ID: <20090612035626.GA4402@kallisti.us>
In-Reply-To: <de7adc5e0906111715s56f13ad0o760840dfadba797@mail.gmail.com>

On Thu, Jun 11, 2009 at 06:15:46PM -0600, Daniel Robbins wrote:
> In my particular configuration, there are no communities - each VE is an
> island, and will only be able to communicate with the network gateway (which
> is non-local, ie. not on the linux bridge itself.) That should lock down
> layer 2. With OpenVZ, each VE's MAC will have a common SWSoft 00:18:51
> prefix.
>
> After I get that working, I need to lock down layer 3 with iptables, so the
> PVLAN functionality can't be bypassed.
>
> If you have any configuration examples for ebtables, especially simple ones,
> I would welcome them :)
Couldn't be simpler in that case. Say you've bridged veth1.0 through
venet10.0 and venet1.0 is the interface of the gateway. Then, all you
need is:
ebtables -A FORWARD -i veth1.0 -j ACCEPT
ebtables -A FORWARD -o veth1.0 -j ACCEPT
If you spin up VEID 11, give it a virtual ethernet NIC, and add the
associated veth device on the hardware node to the bridge - you're
good to go.
Of course veth1.0 could just as easily be a physical interface
connected to another device.
--
Ross Vandegrift
ross@kallisti.us
"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
--Woody Guthrie
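The gateway-only bridge described above, as an added example that is not part of the thread (editor's code, not Ross's): it assumes veth1.0 is the gateway port and veth2.0/veth3.0 are VE ports, and it sets the FORWARD chain's default policy to DROP, which the two ACCEPT rules depend on to block anything at all. A small model of the chain lets the rule logic be checked without root or ebtables.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumed names: bridge port veth1.0
# is the gateway, veth2.0 and veth3.0 are VE ports. Usage:
#   ./pvlan.sh            - print the ruleset and sample verdicts (no root)
#   ./pvlan.sh apply      - run the ruleset through ebtables (root required)

# Print the ebtables commands that isolate every port except the gateway.
# $1 = gateway bridge port.
pvlan_rules() {
    gw="$1"
    echo "ebtables -F FORWARD"
    # Without a DROP policy the two ACCEPT rules below block nothing.
    echo "ebtables -P FORWARD DROP"
    # Frames entering from the gateway port may reach any VE port...
    echo "ebtables -A FORWARD -i $gw -j ACCEPT"
    # ...and frames from any VE port may leave towards the gateway port.
    echo "ebtables -A FORWARD -o $gw -j ACCEPT"
    # A VE-to-VE frame matches neither rule and falls through to DROP.
}

# Model of the FORWARD chain above: returns 0 when a frame entering on
# port $1 and leaving on port $2 is forwarded, 1 when the policy drops it.
pvlan_allows() {
    in_if="$1"; out_if="$2"; gw="$3"
    if [ "$in_if" = "$gw" ]; then return 0; fi
    if [ "$out_if" = "$gw" ]; then return 0; fi
    return 1
}

# Evaluate a few constructed sample frames and print one verdict per line.
show_verdicts() {
    gw="$1"
    for pair in "$gw:veth2.0" "veth2.0:$gw" "veth2.0:veth3.0" "veth3.0:veth2.0"; do
        in_if="${pair%%:*}"; out_if="${pair#*:}"
        if pvlan_allows "$in_if" "$out_if" "$gw"; then v=ACCEPT; else v=DROP; fi
        echo "$in_if -> $out_if: $v"
    done
}

if [ "$1" = "apply" ]; then
    pvlan_rules "${2:-veth1.0}" | sh
else
    pvlan_rules "${2:-veth1.0}"
    show_verdicts "${2:-veth1.0}"
fi
```

The rules match on bridge ports, not MAC addresses, so a VE that spoofs the gateway's MAC is still confined to its own port; the layer-3 lock-down mentioned in the thread is a separate step.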