From: Benny Amorsen <benny+usenet@amorsen.dk>
To: Joakim Tjernlund <joakim.tjernlund@transmode.se>
Cc: Stephen Hemminger <shemminger@vyatta.com>,
bridge@lists.linux-foundation.org
Subject: Re: [Bridge] RFC: Simple Private VLAN impl.
Date: Thu, 11 Jun 2009 23:04:48 +0200
Message-ID: <m3fxe6trbj.fsf@ursa.amorsen.dk>
In-Reply-To: <OF3035BFFB.A9837EFB-ONC12575D2.00451300-C12575D2.00468AB7@transmode.se> (Joakim Tjernlund's message of "Thu, 11 Jun 2009 14:50:30 +0200")
Joakim Tjernlund <joakim.tjernlund@transmode.se> writes:
> ---------------------------------------------------------------
> |             | isolat-| promis-| commu-| commu-| interswitch |
> |             | ed     | cuous  | nity1 | nity2 | link port   |
> ---------------------------------------------------------------
> | isolated    | deny   | permit | deny  | deny  | permit      |
> ---------------------------------------------------------------
> | promiscuous | permit | permit | permit| permit| permit      |
> ---------------------------------------------------------------
> | community1  | deny   | permit | permit| deny  | permit      |
> ---------------------------------------------------------------
> | community2  | deny   | permit | deny  | permit| permit      |
> ---------------------------------------------------------------
> | interswitch |        |        |       |       |             |
> | link port   | deny(*)| permit | permit| permit| permit      |
> ---------------------------------------------------------------
Ok, I thought this would be really easy, but I must admit I don't get
how an interswitch link port works. Apparently the different VLANs are
allowed to go to the same ports, but you can't send a packet back out
the physical interface it came in on.
I ignored the community rules; exercise for the reader...
Anyway, this is buggy, but it should give you an idea:
# Create the user chains before FORWARD jumps to them, with an explicit
# RETURN policy so a frame that matches nothing in a chain goes back to
# the caller instead of being accepted by the chain's default policy.
for c in frominterswitchporteth0 fromisolated frompromiscuous frominterswitch \
         permitisolated permitpromiscuous permitinterswitch; do
    ebtables -N $c
    ebtables -P $c RETURN
done
# Interswitch VLANs on eth0: first drop anything heading back out eth0,
# then classify every port by its type; unclassified ports are dropped.
ebtables -A FORWARD -i eth0.4042 -j frominterswitchporteth0
ebtables -A FORWARD -i eth0.4043 -j frominterswitchporteth0
ebtables -A FORWARD -i eth0.4044 -j frominterswitchporteth0
ebtables -A FORWARD -i eth1.1 -j frompromiscuous
ebtables -A FORWARD -i eth1.2 -j fromisolated
ebtables -A FORWARD -i eth0.4042 -j frominterswitch
ebtables -A FORWARD -i eth0.4043 -j frominterswitch
ebtables -A FORWARD -i eth0.4044 -j frominterswitch
ebtables -A FORWARD -j DROP
# Never forward an interswitch frame back out the physical port it came in on.
ebtables -A frominterswitchporteth0 -o eth0.4042 -j DROP
ebtables -A frominterswitchporteth0 -o eth0.4043 -j DROP
ebtables -A frominterswitchporteth0 -o eth0.4044 -j DROP
ebtables -A frominterswitchporteth0 -j RETURN
# from<type>: try each permitted destination type, then drop.
#ebtables -A fromisolated -j denyisolated   (denyisolated is not defined here)
ebtables -A fromisolated -j permitpromiscuous
ebtables -A fromisolated -j permitinterswitch
ebtables -A fromisolated -j DROP
ebtables -A frompromiscuous -j permitisolated
ebtables -A frompromiscuous -j permitpromiscuous
ebtables -A frompromiscuous -j permitinterswitch
ebtables -A frompromiscuous -j DROP
#ebtables -A frominterswitch -j denyisolated
ebtables -A frominterswitch -j permitpromiscuous
ebtables -A frominterswitch -j permitinterswitch
ebtables -A frominterswitch -j DROP
# permit<type>: accept frames leaving on a port of that type, else return.
ebtables -A permitisolated -o eth1.2 -j ACCEPT
ebtables -A permitisolated -j RETURN
ebtables -A permitpromiscuous -o eth1.1 -j ACCEPT
ebtables -A permitpromiscuous -j RETURN
ebtables -A permitinterswitch -o eth0.4042 -j ACCEPT
ebtables -A permitinterswitch -o eth0.4043 -j ACCEPT
ebtables -A permitinterswitch -o eth0.4044 -j ACCEPT
ebtables -A permitinterswitch -j RETURN
Now, to implement an extra interface, just add it to FORWARD with -j
from<type> and add it to permit<type>. Just two rules. If it's an
interswitch interface, you need to make a new rule set and add the
appropriate VLANs in there as well, so 4 rules per VLAN for those.
It would be handy if ebtables supported interface sets, like netfilter
supports ipsets.
/Benny
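The rule set in the message is hand-written per port, and the message wishes for interface sets. As an added example (not code from the original post or from the bridge project), the script below generates the same style of ebtables rule set from a declarative port list, covers the community rules the message skipped, and emits a per-physical-port hairpin-drop chain for interswitch VLANs. The permission matrix is taken from the quoted table (including the interswitch -> isolated deny cell); the interface names, the port list, and the helper names pvlan_allowed, pvlan_rules, from_*, permit_* and hairpin_* are my own assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Generates the ebtables
# private-VLAN rule set from a declarative port list, so adding a port is one
# line here instead of hand-edited chains. Interface names are hypothetical.
# Print the rules:  sh pvlan.sh        Apply as root:  sh pvlan.sh | sh

# Constructed port list: "<interface> <type> [<physical port>]".
# Types: isolated, promiscuous, community<N>, interswitch (needs its
# physical port so VLANs sharing it are never hairpinned back out of it).
PORTS='
eth1.1    promiscuous
eth1.2    isolated
eth1.3    isolated
eth1.4    community1
eth1.5    community1
eth1.6    community2
eth0.4042 interswitch eth0
eth0.4043 interswitch eth0
eth0.4044 interswitch eth0
'

# pvlan_allowed SRC_TYPE DST_TYPE: succeeds when the quoted permission matrix
# permits forwarding SRC -> DST. interswitch -> isolated is the deny(*) cell.
pvlan_allowed() {
    case "$1:$2" in
        promiscuous:*|*:promiscuous) return 0 ;;
        interswitch:isolated)        return 1 ;;
        interswitch:*)               return 0 ;;
        isolated:*)                  [ "$2" = interswitch ] ;;
        community*:*)                [ "$1" = "$2" ] || [ "$2" = interswitch ] ;;
        *)                           return 1 ;;
    esac
}

# pvlan_rules: print the ebtables commands for PORTS, in an order that creates
# every chain before anything jumps to it.
pvlan_rules() {
    ports=$(printf '%s\n' "$PORTS" | awk 'NF')
    types=$(printf '%s\n' "$ports" | awk '{print $2}' | sort -u)
    phys=$(printf '%s\n' "$ports" | awk '$2 == "interswitch" {print $3}' | sort -u)

    # 1. User chains with an explicit RETURN policy: a frame that matches no
    #    rule in a permit_* chain must fall back to its caller, not be accepted.
    for t in $types; do
        for c in "from_$t" "permit_$t"; do
            echo "ebtables -N $c"
            echo "ebtables -P $c RETURN"
        done
    done
    for p in $phys; do
        echo "ebtables -N hairpin_$p"
        echo "ebtables -P hairpin_$p RETURN"
    done

    # 2. Interswitch VLANs sharing a physical port: the bridge happily forwards
    #    eth0.4042 -> eth0.4043, so drop anything heading back out that port.
    for p in $phys; do
        for i in $(printf '%s\n' "$ports" | awk -v p="$p" '$2 == "interswitch" && $3 == p {print $1}'); do
            echo "ebtables -A FORWARD -i $i -j hairpin_$p"
            echo "ebtables -A hairpin_$p -o $i -j DROP"
        done
    done

    # 3. Classify by ingress port type; anything unclassified is dropped.
    printf '%s\n' "$ports" | while read -r ifc typ _; do
        echo "ebtables -A FORWARD -i $ifc -j from_$typ"
    done
    echo "ebtables -A FORWARD -j DROP"

    # 4. from_<src> tries every permitted destination type, then drops.
    for s in $types; do
        for d in $types; do
            if pvlan_allowed "$s" "$d"; then
                echo "ebtables -A from_$s -j permit_$d"
            fi
        done
        echo "ebtables -A from_$s -j DROP"
    done

    # 5. permit_<type> accepts frames leaving on any port of that type.
    printf '%s\n' "$ports" | while read -r ifc typ _; do
        echo "ebtables -A permit_$typ -o $ifc -j ACCEPT"
    done
}

# Run directly: print the generated rule set.
pvlan_rules
```

Every VLAN subinterface listed in PORTS has to be an enslaved bridge port, since ebtables -i and -o match bridge ports, not the physical NIC. Review the printed rules with the dry run before piping them into sh as root; the explicit RETURN policy on each user chain is what keeps a frame that no permit_* rule matched from slipping through on the chain's default policy.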