How do I block all access to a machine except port 3389 using Open vSwitch?
I can allow access to the machine and block everything else using:
ovs-ofctl add-flow xenbr0 "dl_src={mac-address} priority=39000 dl_type=0x0800 nw_dst={ip-address} idle_timeout=65000 action=normal"
ovs-ofctl add-flow xenbr0 "dl_src={mac-address} priority=38000 dl_type=0x0800 nw_src=ANY idle_timeout=65000 action=drop"
but I would like to allow any IP address to connect on port 3389 only. How can I do this?
I've tried adding tp_dst=3389 to the first rule and setting nw_dst=*, but that doesn't seem to work.
I'm struggling to understand the manual for this, so apologies if I've missed it: http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities%2Fovs-ofctl.8
Edit: I'm still having no luck with this. I've tried different variations of the parameters but can't allow RDP on port 3389 while blocking access to everything else.
Solution 1:
It has to be something like this:
# Unchanged: allow all IP traffic to {ip-address}.
ovs-ofctl add-flow xenbr0 "dl_src={mac-address} priority=39000 dl_type=0x0800 nw_dst={ip-address} idle_timeout=65000 action=normal"
# Allow TCP to port 3389 from any source. tp_dst only matches when nw_proto=6 (TCP) is also given; without it, ovs-ofctl either rejects the flow or silently wildcards the port, so the rule would match all IP traffic.
ovs-ofctl add-flow xenbr0 "dl_src={mac-address} priority=38000 dl_type=0x0800 nw_proto=6 nw_src=ANY tp_dst=3389 idle_timeout=65000 action=normal"
# Drop all other IP traffic. This must have a LOWER priority than the 3389 rule: when two matching flows share a priority, OpenFlow leaves the result undefined.
ovs-ofctl add-flow xenbr0 "dl_src={mac-address} priority=37000 dl_type=0x0800 nw_src=ANY idle_timeout=65000 action=drop"
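To see why the 3389 rule and the drop rule cannot share a priority, and why tp_dst needs nw_proto, here is a small model of ovs-ofctl flow parsing and table lookup that runs without an OVS host. This is an added example, not code from the question, the answer or Open vSwitch; the MAC address, the packets and the 37000/38000 priorities are constructed for illustration, and only the header fields the rules above match on are modelled.

```python
"""Added example: a minimal model of ovs-ofctl flow strings and OpenFlow
table lookup, used to show two pitfalls in 'allow port 3389, drop the rest'
rule sets. Not Open vSwitch code; all inputs below are constructed."""

# Shorthand keywords, expanded the way ovs-ofctl expands them (subset only).
SHORTHAND = {
    "ip": {"dl_type": 0x0800},
    "tcp": {"dl_type": 0x0800, "nw_proto": 6},
    "udp": {"dl_type": 0x0800, "nw_proto": 17},
}

# Prerequisites: a field only matches when the field it depends on is set to
# an allowed value. tp_dst without nw_proto is rejected by current ovs-ofctl
# (older releases silently wildcarded the port instead, which is worse).
PREREQ = {
    "nw_src": ("dl_type", {0x0800}),
    "nw_dst": ("dl_type", {0x0800}),
    "nw_proto": ("dl_type", {0x0800}),
    "tp_src": ("nw_proto", {6, 17, 132}),
    "tp_dst": ("nw_proto", {6, 17, 132}),
}

STRING_FIELDS = {"dl_src", "dl_dst", "nw_src", "nw_dst"}


def parse_flow(text):
    """Parse 'priority=N field=value ... action=X' into (priority, match, action).

    Fields may be separated by spaces or commas; 'field=ANY' and 'field=*'
    mean the same as leaving the field out entirely.
    """
    match, priority, action = {}, 32768, None  # 32768: OpenFlow default priority
    for tok in text.replace(",", " ").split():
        if tok in SHORTHAND:
            match.update(SHORTHAND[tok])
            continue
        key, _, val = tok.partition("=")
        if key in ("idle_timeout", "hard_timeout", "cookie", "table"):
            continue  # bookkeeping, not part of the match
        if key == "priority":
            priority = int(val)
        elif key in ("action", "actions"):
            action = val.lower()
        elif val in ("ANY", "*"):
            continue  # explicit wildcard: same as omitting the field
        elif key in STRING_FIELDS:
            match[key] = val.lower()
        else:
            match[key] = int(val, 0)  # accepts both 3389 and 0x0800
    for field, (dep, allowed) in PREREQ.items():
        if field in match and match.get(dep) not in allowed:
            raise ValueError(f"{field} requires {dep} in {sorted(allowed)}")
    if action is None:
        raise ValueError("flow has no action")
    return priority, match, action


def flow_error(text):
    """Return the parse error for a flow string, or None if it is accepted."""
    try:
        parse_flow(text)
        return None
    except ValueError as exc:
        return str(exc)


def lookup(flows, pkt):
    """Return the action for pkt, or None on a table miss.

    Highest priority wins. If several flows share the top priority and all
    match, OpenFlow leaves the choice undefined, so report 'UNDEFINED'.
    """
    hits = [(p, a) for p, m, a in flows
            if all(pkt.get(k) == v for k, v in m.items())]
    if not hits:
        return None
    top = max(p for p, _ in hits)
    actions = {a for p, a in hits if p == top}
    return actions.pop() if len(actions) == 1 else "UNDEFINED"


def evaluate(flow_texts, packets):
    """Parse a list of flow strings and look every packet up in the table."""
    flows = [parse_flow(t) for t in flow_texts]
    return {name: lookup(flows, pkt) for name, pkt in packets.items()}


MAC = "00:16:3e:12:34:56"  # constructed VM MAC, stands in for {mac-address}

# Both rules at the same priority, as in the posted answer ('tcp' added so
# that the port match is valid at all).
AS_POSTED = [
    f"priority=38000 dl_src={MAC} tcp tp_dst=3389 idle_timeout=65000 action=normal",
    f"priority=38000 dl_src={MAC} dl_type=0x0800 idle_timeout=65000 action=drop",
]

# Fixed: the allow rule outranks the drop rule.
FIXED = [
    f"priority=38000 dl_src={MAC} tcp tp_dst=3389 idle_timeout=65000 action=normal",
    f"priority=37000 dl_src={MAC} dl_type=0x0800 idle_timeout=65000 action=drop",
]

# Constructed packets; only the header fields the rules match on are given.
PACKETS = {
    "rdp": {"dl_src": MAC, "dl_type": 0x0800, "nw_proto": 6, "tp_dst": 3389},
    "ssh": {"dl_src": MAC, "dl_type": 0x0800, "nw_proto": 6, "tp_dst": 22},
    "udp_3389": {"dl_src": MAC, "dl_type": 0x0800, "nw_proto": 17, "tp_dst": 3389},
    "other_mac": {"dl_src": "00:16:3e:ff:ff:ff", "dl_type": 0x0800,
                  "nw_proto": 6, "tp_dst": 3389},
}

if __name__ == "__main__":
    print("as posted:", evaluate(AS_POSTED, PACKETS))
    print("fixed:    ", evaluate(FIXED, PACKETS))
    print("no nw_proto:", flow_error("dl_type=0x0800 tp_dst=3389 action=drop"))
```

Run it and the "rdp" packet comes back as UNDEFINED for the as-posted table and as normal for the fixed one, while SSH and UDP/3389 are dropped in both. On a real host the equivalent check is `ovs-appctl ofproto/trace xenbr0 <flow>` against the installed rules, which prints which flow matched and why.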