Re: RFC: Simple Private VLAN impl.

On Thu, Jun 11, 2009 at 06:15:46PM -0600, Daniel Robbins wrote:
> In my particular configuration, there are no communities - each VE is an
> island, and will only be able to communicate with the network gateway (which
> is non-local, ie. not on the linux bridge itself.) That should lock down
> layer 2. With OpenVZ, each VE's MAC will have a common SWSoft 00:18:51
> prefix.
> 
> After I get that working, I need to lock down layer 3 with iptables, so the
> PVLAN functionality can't be bypassed.
> 
> If you have any configuration examples for ebtables, especially simple ones,
> I would welcome them :)

Couldn't be simpler in that case.  Say you've bridged veth1.0 through
venet10.0 and venet1.0 is the interface of the gateway.  Then, all you
need is:

ebtables -P FORWARD DROP                 # default policy must be DROP (ebtables defaults to ACCEPT), or the two ACCEPTs whitelist nothing
ebtables -A FORWARD -i veth1.0 -j ACCEPT # frames arriving on the gateway port
ebtables -A FORWARD -o veth1.0 -j ACCEPT # frames leaving via the gateway port
# a VE-to-VE frame matches neither rule and is dropped by the policy

If you spin up VEID 11, give it a virtual ethernet NIC, and add the
associated veth device on the hardware node to the bridge - you're
good to go.

Of course veth1.0 could just as easily be a physical interface
connected to another device.

-- 
Ross Vandegrift
ross@xxxxxxxxxxx

"If the fight gets hot, the songs get hotter.  If the going gets tough,
the songs get tougher."
	--Woody Guthrie
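Spelled out as a script, as an added example that is not part of Ross's message and not code from the ebtables or OpenVZ projects: the function below prints the whitelist-style FORWARD chain the reply sketches (flush, DROP policy, the two gateway-port ACCEPTs) and adds one source-MAC pinning rule per VE port in front of them. The port names (veth1.0 as the gateway port, veth11.0 and veth12.0 as VE ports) and the 00:18:51:... MAC addresses are made-up illustration values.

```shell
#!/bin/sh
# Added example, not from the original post or the ebtables/OpenVZ projects.
# Port names and MAC addresses are assumptions chosen for illustration.
#
# Usage: pvlan_rules GATEWAY_PORT [VE_PORT=VE_MAC ...]
# Prints the ebtables commands; inspect them, then as root:
#   pvlan_rules veth1.0 veth11.0=00:18:51:00:00:0b | sh
pvlan_rules() {
    gw="$1"
    shift

    # Start from an empty chain with a DROP policy.  ebtables' built-in
    # policy is ACCEPT, and two ACCEPT rules on top of ACCEPT isolate
    # nothing: the DROP policy is what actually stops VE-to-VE frames.
    printf 'ebtables -F FORWARD\n'
    printf 'ebtables -P FORWARD DROP\n'

    # Source-MAC pinning per VE port.  These must be inserted BEFORE the
    # gateway ACCEPT rules: a frame from a VE carrying a forged source
    # MAC and headed for the gateway port would otherwise already be
    # accepted by the "-o GATEWAY" rule and never reach this check.
    for spec in "$@"; do
        port=${spec%%=*}
        mac=${spec#*=}
        if [ "$port" = "$spec" ]; then
            echo "pvlan_rules: expected PORT=MAC, got '$spec'" >&2
            return 1
        fi
        printf 'ebtables -A FORWARD -i %s -s ! %s -j DROP\n' "$port" "$mac"
    done

    # The two rules from the reply: bridge only frames that arrive on, or
    # leave via, the gateway port.  Anything else falls through to DROP.
    printf 'ebtables -A FORWARD -i %s -j ACCEPT\n' "$gw"
    printf 'ebtables -A FORWARD -o %s -j ACCEPT\n' "$gw"
}
```

The MAC pinning is the one addition beyond the reply: with only the two ACCEPT rules a VE can send frames with any source address towards the gateway port, so pinning each VE port to its assigned address keeps a VE from impersonating another station at layer 2. Rule order matters because ebtables stops at the first match, which is why the DROP rules are emitted ahead of the ACCEPTs.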
_______________________________________________
Bridge mailing list
Bridge@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linux-foundation.org/mailman/listinfo/bridge
