[Bridge] RFC: Simple Private VLAN impl.
Joakim Tjernlund
joakim.tjernlund at transmode.se
Thu Jun 11 12:43:04 PDT 2009
Ross Vandegrift <ross at kallisti.us> wrote on 11/06/2009 18:12:27:
>
> On Thu, Jun 11, 2009 at 04:48:25PM +0200, Joakim Tjernlund wrote:
> > > This is where the opportunity for some development and abstraction
> > > comes in. If I were you, I'd write a "port manager" script that let
> > > me define port rules and roles in a much simpler language. That
> > > script would then output the required ebtables ruleset to achieve
> > > that.
> >
> > Yes, but still. I feel that there is a better way to specify this. I was
> > thinking of adding some new chains, one for Promisc ports, one for Isolated ports
> > and so on, and use them to cut down the number of rules to ease management
> > and increase performance, but I haven't figured out how yet.
>
> This might be a good idea. I used to do something similar with
> ipchains, way back when. My ruleset was large and complicated, so I
> broke it up into many chains based on what was being accomplished.
>
> In your case, it would somewhat depend on the installation profile.
> If most of your ports are promiscuous, you probably want to change the
> policy to ACCEPT and then write rules that drop frames where you need
> isolation. If most ports are isolated, then you want to keep the
> policy as DROP and write rules to permit frames.
>
> I might write a script like this (totally untested):
Thanks, I have added some crude additions. What do you think?
(I stink at shell programming, will play some more tomorrow)
>
> ebtables -P FORWARD DROP
>
> # This will take care of all communications to/from a promiscuous
> # interface, regardless of the role of the "other" interface
> for interface in $PROMISC_IFS; do
ebtables -A FORWARD -o eth0.4043 -i $interface -j DROP
ebtables -A FORWARD -o eth0.4044 -i $interface -j DROP
> ebtables -A FORWARD -i $interface -j ACCEPT
> ebtables -A FORWARD -o $interface -j ACCEPT
> done
ebtables -A FORWARD -i eth0.4042 -j ACCEPT
>
> # Interfaces in a community need a full mesh of connectivity in
> # addition to the above.
COMM_IFS="$COMM_IFS eth0.4044"
> for comm in $COMM_IFS; do
> for othercomm in $COMM_IFS; do
> if [[ "$comm" != "$othercomm" ]]; then
> ebtables -A COMMUNITY -i $comm -o $othercomm -j ACCEPT
> fi
> done
> done
hmm, maybe split into an IN_COMMUNITY and an OUT_COMMUNITY?
# create the two chains with a RETURN policy, so a miss falls back to FORWARD
ebtables -N IN_COMMUNITY
ebtables -P IN_COMMUNITY RETURN
ebtables -N OUT_COMMUNITY
ebtables -P OUT_COMMUNITY RETURN
for comm in $COMM_IFS; do
ebtables -A IN_COMMUNITY -i $comm -j ACCEPT
ebtables -A OUT_COMMUNITY -o $comm -j ACCEPT
done
for comm in $COMM_IFS; do
ebtables -A FORWARD -i $comm -j OUT_COMMUNITY
ebtables -A FORWARD -o $comm -j IN_COMMUNITY
done
>
> for interface in $COMM_IFS; do
> ebtables -A FORWARD -i $interface -j COMMUNITY
> ebtables -A FORWARD -o $interface -j COMMUNITY
> done
>
>
for iso in $ISOLATED_IFS; do
ebtables -A FORWARD -i $iso -o eth0.4043 -j ACCEPT
done
>
> You're only going to learn the best way to do it by playing with it -
> I don't actually have any installation like you want, so I can't offer
> any long-term advice.
>
> --
> Ross Vandegrift
> ross at kallisti.us
>
> "If the fight gets hot, the songs get hotter. If the going gets tough,
> the songs get tougher."
> --Woody Guthrie
>
>
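The "port manager" script Ross suggests, written out as an added example (it is not code from either poster, and the eth0.40xx port names, the chain names COMM_A/COMM_B and the two-community layout are constructed for illustration). It keeps FORWARD at policy DROP, accepts anything to or from a promiscuous port first, gives each community its own user chain with a RETURN policy so that a miss falls back to the DROP, and needs no rules at all for isolated ports. The script prints the ebtables commands instead of running them, so the generated ruleset can be read on any host and then piped to sh on the bridge.

```shell
#!/bin/sh
# pvlan_rules.sh: print an ebtables ruleset for a simple Private VLAN on a
# Linux bridge. Added example, not code from the thread. The port layout
# below is constructed; the eth0.40xx names are assumptions.
#   promiscuous : may exchange frames with every port
#   isolated    : may exchange frames with promiscuous ports only
#   community   : may exchange frames with promiscuous ports and with the
#                 other members of the same community
# Commands are printed rather than executed so the ruleset can be reviewed
# on any host and then piped to sh on the bridge (fresh filter table assumed).

PROMISC_IFS="eth0.4042"
ISOLATED_IFS="eth0.4043 eth0.4046"
COMM_A_IFS="eth0.4044 eth0.4045"
COMM_B_IFS="eth0.4047 eth0.4048"

EBT=ebtables

emit() { printf '%s\n' "$*"; }

# One user chain per community. A frame that entered on a member port jumps
# here and is accepted only if it leaves on another member port; the chain
# policy is RETURN, so any other destination falls back to FORWARD's DROP.
# (The bridge never forwards a frame back out its ingress port, so no
# "-i X -o X" exclusion is needed.)
gen_community() {
    chain=$1
    members=$2
    emit "$EBT -N $chain"
    emit "$EBT -P $chain RETURN"
    for m in $members; do
        emit "$EBT -A $chain -o $m -j ACCEPT"
    done
    for m in $members; do
        emit "$EBT -A FORWARD -i $m -j $chain"
    done
}

gen_pvlan_rules() {
    # Default deny: anything not explicitly permitted below is dropped.
    emit "$EBT -P FORWARD DROP"
    emit "$EBT -F FORWARD"

    # Promiscuous ports first: two rules per port cover every direction,
    # including isolated -> promiscuous and promiscuous -> isolated.
    for p in $PROMISC_IFS; do
        emit "$EBT -A FORWARD -i $p -j ACCEPT"
        emit "$EBT -A FORWARD -o $p -j ACCEPT"
    done

    # Isolated ports need no rules of their own: the only traffic they are
    # allowed is already accepted above; everything else hits the DROP policy.
    emit "# isolated ports ($ISOLATED_IFS): covered by the FORWARD DROP policy"

    # Each community gets its own chain; n member ports cost 2n rules instead
    # of the n*(n-1) pairwise rules of a flat FORWARD chain.
    gen_community COMM_A "$COMM_A_IFS"
    gen_community COMM_B "$COMM_B_IFS"
}

# Number of -A rules the layout produces (handy when comparing against the
# pairwise version).
rule_count() { gen_pvlan_rules | grep -c ' -A '; }

gen_pvlan_rules
```

Usage: `sh pvlan_rules.sh | sh` on the bridge, after reading the output once. Two things to keep in mind when checking the result: the filter table's FORWARD chain only sees frames bridged between ports, so if the bridge device itself has an address, an isolated port can still reach that address unless INPUT and OUTPUT are restricted as well; and flooded frames (broadcast, unknown unicast) traverse FORWARD once per egress port, so the `-o` matches above apply to them too.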