On 14/05/2019 07:26, Kevin Olbrich wrote:
> Hi!
>
> I've got an OVS that has a bridge "br0" and has about 100x L2TP tunnels.
> These tunnels run batman-adv, a mesh protocol for L2 routing over L3.
>
> For efficient routing, only nodes that are in the same building are allowed
> to see each other.
> To filter out traffic between the ports, I used ebtables:
> ebtables -A FORWARD --logical-in br0 -j DROP
>
> This allows traffic from the node to the server hosting the bridge and
> reverse but not between the ports.
> As OVS does not work with ebtables, all nodes now see each other over L2TP,
> resulting in all nodes meshing with each other (without any benefit).
>
> How can I implement something like "ebtables -A FORWARD --logical-in br0 -j
> DROP" with OVS?
> I tried "ovs-ofctl mod-port ovsbr-de01-mesh "$INTERFACE" no-forward" but
> that also stopped traffic to the host port (by host port, I mean an IP
> directly on br0).
>
> How can I do it correctly?
> The client ports of br0 must never communicate with each other, just with the
> server hosting the bridge.
>
> Thank you!
>
> Kind regards
> Kevin
>
>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
You could:

* Delete the default NORMAL action (del-flows br0)
* Create a rule with priority=1 action=<your_server_port>
* Create a rule with priority=2 in_port=<your_server_port> action=NORMAL

This should allow frames from the server to be forwarded as usual, and frames for all other ports only to the server.

BR
Matthias
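As an added example (not code from either poster), the three steps above written out as ovs-ofctl commands. It assumes the bridge is br0 and that the "host port" Kevin describes (the IP configured on br0 itself) is the bridge's built-in LOCAL port; both can be overridden through the BRIDGE and SERVER_PORT variables. Any OpenFlow port number used instead of LOCAL is hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread.
# Assumptions: bridge "br0"; the server reaches the mesh through the IP on
# br0 itself, which OVS exposes as the special OpenFlow port LOCAL.  The
# client L2TP ports need no flows of their own, because the catch-all flow
# below only ever outputs to the server port.
BRIDGE="${BRIDGE:-br0}"
SERVER_PORT="${SERVER_PORT:-LOCAL}"

# Emit the two flows in ovs-ofctl add-flows format, one per line.
isolation_flows() {
    # Frames entering from the server port: ordinary L2 switching
    # (MAC learning plus flooding), exactly as the default flow would do.
    printf 'priority=2,in_port=%s,actions=NORMAL\n' "$SERVER_PORT"
    # Every other frame (i.e. anything arriving on a client port): deliver
    # to the server only.  No flow ever outputs to a client port, so client
    # to client traffic has no path, including broadcast and multicast.
    printf 'priority=1,actions=output:%s\n' "$SERVER_PORT"
}

# Install the flows: remove the default priority=0 NORMAL flow (and every
# other flow on the bridge), then add ours, then show the table for review.
apply_isolation() {
    ovs-ofctl del-flows "$BRIDGE"
    # "-" makes add-flows read the flow list from standard input.
    isolation_flows | ovs-ofctl add-flows "$BRIDGE" -
    ovs-ofctl dump-flows "$BRIDGE"
}

# Run "sh isolate.sh apply" on the OVS host; without the argument the script
# only defines the functions and prints the flows it would install.
if [ "${1:-}" = "apply" ]; then
    apply_isolation
else
    isolation_flows
fi
```

Two things to keep in mind when using this. First, del-flows with no match argument empties the whole flow table of the bridge, so any other flows already on br0 must be re-added. Second, MAC learning in OVS happens only inside the NORMAL action: frames from the client ports are output directly and are never learned, so a unicast frame from the server to a client MAC is treated as unknown and flooded to every client port (but not forwarded between clients). That does not break the isolation Kevin asked for, but it means every node sees the server's traffic to every other node; if that matters, the server-side flow needs explicit learning instead of plain NORMAL.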