On Mon, May 05, 2014 at 09:13:53AM +0900, YAMAMOTO Takashi wrote: > +Q: Open vSwitch does not seem to obey my packet filter rules. > + > +A: It's by design. Open vSwitch interacts with packets at a lower layer > + than typical packet-filter implementations like iptables. > + For simple filtering rules, it might be possible to achieve similar > + by installing appropriate OpenFlow flows instead. > + > + If the use of a particular packet filter software is essential, > + Open vSwitch might not be the best choice for you. On Linux, you might > + want to consider to use Linux Bridge, which works with iptables. > + On NetBSD, you might want to consider to use bridge(4) with BRIDGE_IPF > + option.
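Review bot: the answer's premise is too broad. On Linux, iptables does filter traffic on Open vSwitch "internal" ports (the reply in this thread cites XenServer as a long-standing user of exactly that), so "Open vSwitch does not seem to obey my packet filter rules" only holds for bridge-specific mechanisms such as ebtables; suggest narrowing the answer to those mechanisms and dropping the "might not be the best choice for you" advice. Two wording fixes in the same hunk: "achieve similar by installing" should read "achieve a similar result by installing", and "consider to use" should read "consider using" (both occurrences).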
Hmm. Open vSwitch works OK with iptables on Linux. You can use it, for example, to firewall or filter particular L4 ports on your bridge "internal" ports. XenServer has used iptables with Open vSwitch this way from the very beginning, and it's always worked fine. Open vSwitch doesn't work with Linux bridge-specific filtering mechanisms, like ebtables, but that makes perfect sense since Open vSwitch replaces the bridge instead of supplementing it.

dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
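The quoted FAQ text says simple packet-filter rules can be expressed as OpenFlow flows instead. The script below is an added illustration of that (example code, not part of this thread or of the Open vSwitch project): it takes a small ordered rule list in a hypothetical format of its own (not iptables syntax), maps first-match ordering onto descending OpenFlow priorities, and emits ovs-ofctl flow specs with a default-accept catch-all.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class FilterRule:
    """One simple packet-filter rule (hypothetical format, not iptables syntax)."""
    action: str                  # "drop" or "accept"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any IPv4)
    src: Optional[str] = None    # source IPv4 CIDR, e.g. "10.0.0.0/8"
    dst: Optional[str] = None    # destination IPv4 CIDR
    dport: Optional[int] = None  # L4 destination port, tcp/udp only


def rule_to_flow(rule: FilterRule, priority: int) -> str:
    """Render one rule as an ovs-ofctl flow spec at the given priority."""
    if rule.action not in ("drop", "accept"):
        raise ValueError(f"unknown action {rule.action!r}")
    if rule.proto not in ("tcp", "udp", "icmp", "ip"):
        raise ValueError(f"unsupported protocol {rule.proto!r}")
    if rule.dport is not None and rule.proto not in ("tcp", "udp"):
        raise ValueError("dport only makes sense for tcp or udp")
    if not 0 <= priority <= 65535:
        raise ValueError("OpenFlow priorities are 0..65535")
    # The protocol keyword (tcp/udp/icmp/ip) sets dl_type and nw_proto for us.
    parts = [f"priority={priority}", rule.proto]
    if rule.src:
        parts.append(f"nw_src={rule.src}")
    if rule.dst:
        parts.append(f"nw_dst={rule.dst}")
    if rule.dport is not None:
        parts.append(f"tp_dst={rule.dport}")
    # "accept" hands the packet to OVS's normal L2 switching; "drop" is an empty action list.
    actions = "drop" if rule.action == "drop" else "NORMAL"
    return ",".join(parts) + f",actions={actions}"


def rules_to_flows(rules: List[FilterRule], base_priority: int = 1000) -> List[str]:
    """Ordered rule list -> flow specs. Packet filters are first-match, so earlier
    rules get a higher OpenFlow priority. A final priority-0 catch-all keeps
    unmatched traffic switching normally (default accept). Caveat: plain flow
    matches are stateless, so unlike an iptables conntrack rule, return traffic
    is only allowed if some flow matches it in its own direction."""
    flows = [rule_to_flow(r, base_priority - i) for i, r in enumerate(rules)]
    flows.append("priority=0,actions=NORMAL")
    return flows


if __name__ == "__main__":
    # Constructed sample: block telnet from one range, allow ssh, drop one subnet entirely.
    sample = [FilterRule("drop", "tcp", src="10.0.0.0/8", dport=23),
              FilterRule("accept", "tcp", dport=22),
              FilterRule("drop", "ip", src="192.168.1.0/24")]
    print("\n".join(rules_to_flows(sample)))
```

Write the output to a file and load it with `ovs-ofctl add-flows <bridge> <file>`; the priority-0 flow means the bridge keeps forwarding everything the rules do not drop.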