On Thu, Jun 11, 2009 at 04:48:25PM +0200, Joakim Tjernlund wrote:
> > This is where the opportunity for some development and abstraction
> > comes in. If I were you, I'd write a "port manager" script that let
> > me define port rules and roles in a much simpler language. That
> > script would then output the required ebtables ruleset to achieve
> > that.
>
> Yes, but still. I feel that there is a better way to specify this. I was
> thinking of adding some new chains, one for Promisc ports, one for Isolated ports
> and so on, and use them to cut down the number of rules to ease management
> and increase performance, but I haven't figured out how yet.

This might be a good idea. I used to do something similar with ipchains,
way back when. My ruleset was large and complicated, so I broke it up
into many chains based on what was being accomplished.

In your case, it would somewhat depend on the installation profile. If
most of your ports are promiscuous, you probably want to change the
policy to ACCEPT and then write rules that drop frames where you need
isolation. If most ports are isolated, then you want to keep the policy
as DROP and write rules to permit frames.

I might write a script like this (totally untested):

ebtables -P FORWARD DROP

# This will take care of all communications to/from a promiscuous
# interface, regardless of the role of the "other" interface
for interface in $PROMISC_IFS; do
	ebtables -A FORWARD -i $interface -j ACCEPT
	ebtables -A FORWARD -o $interface -j ACCEPT
done

# Interfaces in a community need a full mesh of connectivity in
# addition to the above. The chain has to exist before rules are added
# to it, and its policy is set to RETURN explicitly so that a frame
# matching no mesh rule falls back to FORWARD's DROP policy.
ebtables -N COMMUNITY
ebtables -P COMMUNITY RETURN
for comm in $COMM_IFS; do
	for othercomm in $COMM_IFS; do
		if [[ "$comm" != "$othercomm" ]]; then
			ebtables -A COMMUNITY -i $comm -o $othercomm -j ACCEPT
		fi
	done
done
for interface in $COMM_IFS; do
	ebtables -A FORWARD -i $interface -j COMMUNITY
	ebtables -A FORWARD -o $interface -j COMMUNITY
done

You're only going to learn the best way to do it by playing with it - I
don't actually have any installation like you want, so I can't offer any
long-term advice.

--
Ross Vandegrift
ross@xxxxxxxxxxx

"If the fight gets hot, the songs get hotter. If the going gets tough,
the songs get tougher."
	--Woody Guthrie

_______________________________________________
Bridge mailing list
Bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/bridge
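A role-driven generator of the kind the quoted message asks for, as an added example that is not part of this thread or of either poster's setup. It only prints the ebtables commands (so the ruleset can be reviewed or diffed before anything touches the bridge) and covers both installation profiles discussed above: a DROP policy with ACCEPT rules for the allowed paths, or an ACCEPT policy with DROP rules for the paths that must stay isolated. The role names (promisc, community, isolated), the mode names and the interface names used in the checks are assumptions made here.

```shell
#!/bin/sh
# Constructed example: print (do not apply) an ebtables FORWARD ruleset
# derived from port roles.
#   promisc   - may exchange frames with every other port
#   community - full mesh among community ports, plus promisc ports
#   isolated  - reaches promisc ports only
#
# Usage: gen_ruleset MODE "PROMISC_IFS" "COMM_IFS" "ISOLATED_IFS"
#   MODE=deny  -> FORWARD policy DROP, ACCEPT rules for allowed paths
#   MODE=allow -> FORWARD policy ACCEPT, DROP rules for isolated paths

# True when the first argument appears in the word list given as second.
in_list() {
    for x in $2; do
        [ "$x" = "$1" ] && return 0
    done
    return 1
}

# True when both ports belong to the community list.
both_community() {
    in_list "$1" "$3" && in_list "$2" "$3"
}

gen_ruleset() {
    mode="$1"; promisc="$2"; comm="$3"; isolated="$4"
    case "$mode" in
    deny)
        echo "ebtables -P FORWARD DROP"
        # Create the mesh chain and give it an explicit RETURN policy so
        # that a frame matching no mesh rule falls back to FORWARD's DROP.
        echo "ebtables -N COMMUNITY"
        echo "ebtables -P COMMUNITY RETURN"
        for i in $promisc; do
            echo "ebtables -A FORWARD -i $i -j ACCEPT"
            echo "ebtables -A FORWARD -o $i -j ACCEPT"
        done
        for a in $comm; do
            for b in $comm; do
                if [ "$a" != "$b" ]; then
                    echo "ebtables -A COMMUNITY -i $a -o $b -j ACCEPT"
                fi
            done
        done
        # One jump per ingress port is enough: the mesh rules are symmetric.
        for i in $comm; do
            echo "ebtables -A FORWARD -i $i -j COMMUNITY"
        done
        # Isolated ports need no rules of their own: their paths to promisc
        # ports were accepted above and everything else hits the DROP policy.
        ;;
    allow)
        echo "ebtables -P FORWARD ACCEPT"
        # Drop every ordered pair of non-promisc ports unless both ends are
        # community ports; promisc ports are never matched, so they stay open.
        for a in $comm $isolated; do
            for b in $comm $isolated; do
                if [ "$a" != "$b" ] && ! both_community "$a" "$b" "$comm"; then
                    echo "ebtables -A FORWARD -i $a -o $b -j DROP"
                fi
            done
        done
        ;;
    *)
        echo "usage: gen_ruleset deny|allow PROMISC_IFS COMM_IFS ISOLATED_IFS" >&2
        return 1
        ;;
    esac
}

# Number of commands the generator emits for a given profile.
rule_count() {
    gen_ruleset "$@" | wc -l | tr -d ' '
}

# Example run (constructed interface names): eth0 promiscuous,
# eth1..eth3 one community, eth4 isolated.
gen_ruleset deny "eth0" "eth1 eth2 eth3" "eth4"
```

Which mode produces the shorter ruleset follows directly from the counts: with one promiscuous port, three community ports and one isolated port the deny profile emits 14 commands and the allow profile 7, and the balance shifts as the share of isolated ports grows. Either way the output is the thing to keep under version control, not the live ebtables state.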