[Bridge] RFC: Simple Private VLAN impl.

Joakim Tjernlund joakim.tjernlund at transmode.se
Thu Jun 11 12:43:04 PDT 2009


Ross Vandegrift <ross at kallisti.us> wrote on 11/06/2009 18:12:27:
>
> On Thu, Jun 11, 2009 at 04:48:25PM +0200, Joakim Tjernlund wrote:
> > > This is where the opportunity for some development and abstraction
> > > comes in.  If I were you, I'd write a "port manager" script that let
> > > me define port rules and roles in a much simpler language.  That
> > > script would then output the required ebtables ruleset to achieve
> > > that.
> >
> > Yes, but still. I feel that there is a better way specify this. I was
> > thinking of adding some new chains, one for Promisc ports one for Isolated ports
> > and so on and use them to cut down the number of rules to easy management
> > and increase performance, but I haven't figured out how yet.
>
> This might be a good idea.  I used to do something similar with
> ipchains, way back when.  My ruleset was large and complicated, so I
> broke it up into many chains based on what was being accomplished.
>
> In your case, it would somewhat depend on the installation profile.
> If most of your ports are promiscuous, you probably want to change the
> policy to ACCEPT and then write rules that drop frames where you need
> isolation.  If most ports are isolated, then you want to keep the
> policy as DROP and write rules to permit frames.
>
> I might write a script like this (totally untested):

Thanks, I have added some crude additions. What do you think?
(I stink at shell programming, will play some more tomorrow)

>
> ebtables -P FORWARD DROP
>
> # This will take care of all communications to/from a promiscuous
> # interface, regardless of the role of the "other" interface
> for interface in $PROMISC_IFS; do
   ebtables -A FORWARD -o eth0.4043 -i $interface -j DROP
   ebtables -A FORWARD -o eth0.4044 -i $interface -j DROP
>    ebtables -A FORWARD -i $interface -j ACCEPT
>    ebtables -A FORWARD -o $interface -j ACCEPT
> done

ebtables -A FORWARD -i eth0.4042 -j ACCEPT

>
> # Interfaces in a community need a full mesh of connectivity in
> # addition to the above.

COMM_IFS="$COMM_IFS eth0.4044"

> ebtables -N COMMUNITY
> for comm in $COMM_IFS; do
>    for othercomm in $COMM_IFS; do
>       if [[ "$comm" != "$othercomm" ]]; then
>          ebtables -A COMMUNITY -i $comm -o $othercomm -j ACCEPT
>       fi
>    done
> done

hmm, maybe split into an IN_COMMUNITY and an OUT_COMMUNITY?
# the chains must exist before FORWARD can jump to them
ebtables -N IN_COMMUNITY
ebtables -N OUT_COMMUNITY
for comm in $COMM_IFS; do
   ebtables -A IN_COMMUNITY  -i $comm -j ACCEPT
   ebtables -A OUT_COMMUNITY -o $comm -j ACCEPT
done
# a frame entering on a community port is accepted if it leaves on one,
# and a frame leaving on a community port is accepted if it entered on one
for comm in $COMM_IFS; do
   ebtables -A FORWARD -i $comm -j OUT_COMMUNITY
   ebtables -A FORWARD -o $comm -j IN_COMMUNITY
done

>
> for interface in $COMM_IFS; do
>    ebtables -A FORWARD -i $interface -j COMMUNITY
>    ebtables -A FORWARD -o $interface -j COMMUNITY
> done
>
>

for iso in $ISOLATED_IFS; do
   ebtables -A FORWARD -i $iso -o eth0.4043 -j ACCEPT
done
>
> You're only going to learn the best way to do it by playing with it -
> I don't actually have any installation like you want, so I can't offer
> any long-term advice.
>
> --
> Ross Vandegrift
> ross at kallisti.us
>
> "If the fight gets hot, the songs get hotter.  If the going gets tough,
> the songs get tougher."
>    --Woody Guthrie
>
>
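An added example, not code from either poster: a small "port manager" of the kind suggested above that turns port roles into an ebtables private-VLAN ruleset built around a per-role chain. It assumes a DROP policy on FORWARD and prints the commands rather than running them; the interface names in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not code from this thread: a small "port manager" in the
# spirit of the one suggested above. Port roles go in, an ebtables
# private-VLAN ruleset using a per-role chain comes out. It only prints the
# commands so the ruleset can be reviewed first; pipe the output into sh as
# root to apply it. Interface names in the usage line are constructed.

EBT="${EBT:-ebtables}"

# pvlan_rules "PROMISC_IFS" "COMM_IFS" "ISOLATED_IFS"
# FORWARD policy is DROP, so every permitted path needs an explicit rule:
#   promiscuous port <-> any port
#   community port   <-> promiscuous ports and other community ports
#   isolated port    <-> promiscuous ports only
pvlan_rules() {
    promisc=$1 comm=$2   # $3, the isolated ports, needs no rules (see below)
    echo "$EBT -P FORWARD DROP"
    # The helper chain RETURNs to FORWARD when nothing matches, so a frame
    # it does not accept still ends at the DROP policy.
    echo "$EBT -N OUT_COMMUNITY"
    echo "$EBT -P OUT_COMMUNITY RETURN"
    # A promiscuous port may send to and receive from anything.
    for p in $promisc; do
        echo "$EBT -A FORWARD -i $p -j ACCEPT"
        echo "$EBT -A FORWARD -o $p -j ACCEPT"
    done
    # One rule per community port in the helper chain, one jump per port in
    # FORWARD: 2n rules for the mesh instead of n*(n-1) pairwise rules.
    for c in $comm; do
        echo "$EBT -A OUT_COMMUNITY -o $c -j ACCEPT"
    done
    # Every community-to-community frame enters on a community port, so a
    # jump on -i is enough; a matching IN_COMMUNITY chain on -o would only
    # re-accept frames these rules already handle.
    for c in $comm; do
        echo "$EBT -A FORWARD -i $c -j OUT_COMMUNITY"
    done
    # Isolated ports: their only permitted peers are the promiscuous ports,
    # which the first loop already accepts in both directions, so any frame
    # between two isolated ports falls through to the DROP policy.
}

# Number of ebtables commands the ruleset needs for the given roles.
pvlan_rule_count() {
    pvlan_rules "$@" | grep -c ''
}

pvlan_rules "eth0.4042" "eth0.4044 eth0.4045" "eth0.4043"
```

If most ports are promiscuous, invert the scheme as described above: policy ACCEPT and explicit DROP rules for the isolated and community ports.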