Re: RFC: Simple Private VLAN impl.


On Thu, Jun 11, 2009 at 04:48:25PM +0200, Joakim Tjernlund wrote:
> > This is where the opportunity for some development and abstraction
> > comes in.  If I were you, I'd write a "port manager" script that let
> > me define port rules and roles in a much simpler language.  That
> > script would then output the required ebtables ruleset to achieve
> > that.
> Yes, but still. I feel that there is a better way to specify this. I was
> thinking of adding some new chains, one for Promisc ports, one for Isolated ports
> and so on, and use them to cut down the number of rules to ease management
> and increase performance, but I haven't figured out how yet.

This might be a good idea.  I used to do something similar with
ipchains, way back when.  My ruleset was large and complicated, so I
broke it up into many chains based on what was being accomplished.

In your case, it would somewhat depend on the installation profile.
If most of your ports are promiscuous, you probably want to change the
policy to ACCEPT and then write rules that drop frames where you need
isolation.  If most ports are isolated, then you want to keep the
policy as DROP and write rules to permit frames.

I might write a script like this (totally untested):

ebtables -P FORWARD DROP
# User chain holding the community full mesh; it has to exist before
# the FORWARD rules below jump to it.
ebtables -N COMMUNITY

# This will take care of all communications to/from a promiscuous
# interface, regardless of the role of the "other" interface
for interface in $PROMISC_IFS; do
	ebtables -A FORWARD -i $interface -j ACCEPT
	ebtables -A FORWARD -o $interface -j ACCEPT
done

# Interfaces in a community need a full mesh of connectivity in
# addition to the above.
for comm in $COMM_IFS; do
	for othercomm in $COMM_IFS; do
		if [[ "$comm" != "$othercomm" ]]; then
			ebtables -A COMMUNITY -i $comm -o $othercomm -j ACCEPT
		fi
	done
done

# Frames entering or leaving a community port are checked against the
# COMMUNITY chain; anything it does not match returns to FORWARD and
# hits the DROP policy.  Isolated ports get no rules at all, so they
# can only ever reach a promiscuous port.
for interface in $COMM_IFS; do
	ebtables -A FORWARD -i $interface -j COMMUNITY
	ebtables -A FORWARD -o $interface -j COMMUNITY
done

You're only going to learn the best way to do it by playing with it -
I don't actually have any installation like you want, so I can't offer
any long-term advice.

Ross Vandegrift

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
Bridge mailing list
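The "port manager" idea from the thread, as an added example that is not part of the mail above: a small Python script that takes port roles, emits the same style of ebtables ruleset (FORWARD policy DROP, promiscuous ports accepted both ways, community ports full-meshed in a COMMUNITY chain), and then walks the generated rules with ebtables' first-match/return semantics to confirm every port pair is reachable exactly when the private-VLAN roles say it should be. Interface names and the `gen_rules`/`verdict`/`check_isolation` helpers are assumptions for illustration.

```python
from itertools import product

def gen_rules(promisc, community):
    """Build the ruleset as {chain: [(in_if, out_if, target), ...]}.
    Isolated ports deliberately get no rules: the DROP policy handles them."""
    fwd, comm = [], []
    for p in promisc:                       # promiscuous: talk to everyone
        fwd.append((p, None, "ACCEPT"))
        fwd.append((None, p, "ACCEPT"))
    for a, b in product(community, repeat=2):   # community: full mesh
        if a != b:
            comm.append((a, b, "ACCEPT"))
    for c in community:                     # hand community traffic to the chain
        fwd.append((c, None, "COMMUNITY"))
        fwd.append((None, c, "COMMUNITY"))
    return {"FORWARD": fwd, "COMMUNITY": comm}

def to_ebtables(chains):
    """Render the ruleset as the ebtables commands an admin would run."""
    lines = ["ebtables -P FORWARD DROP", "ebtables -N COMMUNITY"]
    for chain in ("COMMUNITY", "FORWARD"):
        for i, o, tgt in chains[chain]:
            cmd = f"ebtables -A {chain}"
            cmd += f" -i {i}" if i else ""
            cmd += f" -o {o}" if o else ""
            lines.append(f"{cmd} -j {tgt}")
    return lines

def verdict(chains, src, dst, chain="FORWARD"):
    """First matching rule wins; a user chain with no verdict returns to
    the caller (ebtables user chains default to RETURN), and FORWARD's
    policy DROP applies when nothing matched."""
    for i, o, tgt in chains[chain]:
        if (i is None or i == src) and (o is None or o == dst):
            if tgt in ("ACCEPT", "DROP"):
                return tgt
            sub = verdict(chains, src, dst, tgt)
            if sub is not None:
                return sub
    return "DROP" if chain == "FORWARD" else None

def check_isolation(promisc, community, isolated):
    """Return the (src, dst) pairs whose reachability breaks the PVLAN roles."""
    chains = gen_rules(promisc, community)
    role = {}
    for ports, r in ((promisc, "P"), (community, "C"), (isolated, "I")):
        role.update((p, r) for p in ports)
    bad = []
    for s, d in product(role, repeat=2):
        if s == d:
            continue
        allowed = "P" in (role[s], role[d]) or (role[s], role[d]) == ("C", "C")
        if (verdict(chains, s, d) == "ACCEPT") != allowed:
            bad.append((s, d))
    return bad   # [] means the ruleset enforces the roles
```

Running `check_isolation` on a role map before loading the rules catches the two classic mistakes (a missing mesh rule, or a jump that lets isolated ports leak) without touching a live bridge.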
