Автоматичен филтър на vlans вдигнати върху bridge интерфейс

[SubmitBG]

По-нагоре попитах, искаш клиентите на VLAN11 и VLAN12 да не се виждат помежду си ли?

Редактирано 29 Март, 2015 от SubmitBG

[mysticall]

Да, но това може ли да стане без да добавям ИП на вскеки ВЛАН?

Ако трябва да добавям ИП на всеки ВЛАН колко ще товари?

Редактирано 29 Март, 2015 от mysticall

[Mile]

root@svlan-bzhr:~# brctl show
bridge name     bridge id               STP enabled     interfaces
br0             8000.00907fc01214       no              eth1
                                                        eth1.0101
                                                        eth1.0102
                                                        eth1.0103
                                                        eth1.0104
                                                        eth1.0201
                                                        eth1.0202
                                                        eth1.0203
                                                        eth1.0204
                                                        eth1.0301
                                                        eth1.0302
                                                        eth1.0303
                                                        eth1.0304
                                                        eth1.0401
                                                        eth1.0402
                                                        eth1.0403
                                                        eth1.0404

изглежда да кажем така после:

root@svlan-bzhr:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN group default
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:90:7f:c0:12:13 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1213/64 scope link
       valid_lft forever preferred_lft forever
3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast master br0state UP group default qlen 1000
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
4: imq0: <NOARP,UP,LOWER_UP> mtu 16000 qdisc pfifo_fast state UNKNOWN group default qlen 11000
    link/void
5: imq1: <NOARP,UP,LOWER_UP> mtu 16000 qdisc pfifo_fast state UNKNOWN group default qlen 11000
    link/void
6: eth0.1297@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 00:90:7f:c0:12:13 brd ff:ff:ff:ff:ff:ff
    inet xx.xx.152.171/29 scope global eth0.1297
    inet6 fe80::290:7fff:fec0:1213/64 scope link
       valid_lft forever preferred_lft forever
7: eth0.3949@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
    link/ether 00:90:7f:c0:12:13 brd ff:ff:ff:ff:ff:ff
    inet xx.xx.152.179/29 scope global eth0.3949
    inet6 fe80::290:7fff:fec0:1213/64 scope link
       valid_lft forever preferred_lft forever
8: eth1.0101@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
9: eth1.0102@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
10: eth1.0103@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
11: eth1.0104@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
12: eth1.0201@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
13: eth1.0202@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
14: eth1.0203@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
15: eth1.0204@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
16: eth1.0301@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
17: eth1.0302@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
18: eth1.0303@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
19: eth1.0304@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
20: eth1.0401@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
21: eth1.0402@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
22: eth1.0403@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
23: eth1.0404@eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br0 state UP group default
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet6 fe80::290:7fff:fec0:1214/64 scope link
       valid_lft forever preferred_lft forever
24: br0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP groupdefault
    link/ether 00:90:7f:c0:12:14 brd ff:ff:ff:ff:ff:ff
    inet 10.11.12.1/24 scope global br0
    inet xx.xx.152.185/29 scope global br0
    inet 10.20.20.1/24 scope global br0
    inet xxx.xxx.91.1/24 scope global br0
    inet6 fe80::2c52:8eff:fe9c:ce31/64 scope link
       valid_lft forever preferred_lft forever

[mysticall]

Супер, това имах в предвид.

Изхода от горните команди е от ipacct, има рестрикции между интерфейсите, които са в bridge:

- клиент от един vlan вижда другия само през гутера

- рутера добавя рестрикции за всеки клиент по - vlan (не зависимо, че е в bridge) и mac

- и други филтри, които не знам

- всичко това не се прави с iptables или ebtables, а е заложено в бриджа

 

Някой да знае за patch, който може да прави подобни неща?

[SubmitBG]

Само не разбирам едно, защо чак сега направи толкова важно уточнение?

 

Има огромна разлика между това клиентите на различни VLAN-и в Bridge да не се виждат по между си, и това да се виждат, но през IP адреса на бриджа.

Първото се прави с едно iptables правило, за второто мисля, че този Bridge разполага с тези възможности - http://openvswitch.org/

[mysticall]

Само не разбирам едно, защо чак сега направи толкова важно уточнение?

 

Има огромна разлика между това клиентите на различни VLAN-и в Bridge да не се виждат по между си, и това да се виждат, но през IP адреса на бриджа.

Първото се прави с едно iptables правило, за второто мисля, че този Bridge разполага с тези възможности - http://openvswitch.org/

 

iptables определено не ми допада като идея, понеже ще трябва да се пишат много правила докато се постигне желаното.

OpenvSwitch не разполата със собствени филтриращи механизми, използва стандартните.

[SubmitBG]

Ако става въпрос за филтрации на портове, може да се направи с едно iptables правило, което да бъде приложено на всички vlan-и..

Ако трябва да има някакъв междинен хоп (поради неясни причини?) трябва да се редактира netfilter_bridge, може да бъде направено, срещу съответното заплащане....