On Tue, May 06, 2014 at 09:02:06AM +0900, YAMAMOTO Takashi wrote:
> > On Mon, May 05, 2014 at 09:13:53AM +0900, YAMAMOTO Takashi wrote:
> >> +Q: Open vSwitch does not seem to obey my packet filter rules.
> >> +
> >> +A: It's by design. Open vSwitch interacts with packets at a lower layer
> >> + than typical packet-filter implementations like iptables.
> >> + For simple filtering rules, it might be possible to achieve similar
> >> + by installing appropriate OpenFlow flows instead.
> >> +
> >> + If the use of a particular packet filter software is essential,
> >> + Open vSwitch might not be the best choice for you. On Linux, you might
> >> + want to consider to use Linux Bridge, which works with iptables.
> >> + On NetBSD, you might want to consider to use bridge(4) with BRIDGE_IPF
> >> + option.
> >
> > Hmm. Open vSwitch works OK with iptables on Linux. You can use it, for
> > example, to firewall or filter particular L4 ports on your bridge
> > "internal" ports. XenServer has used iptables with Open vSwitch this
> > way from the very beginning, and it's always worked fine.
> >
> > Open vSwitch doesn't work with Linux bridge-specific filtering
> > mechanisms, like ebtables, but that makes perfect sense since Open
> > vSwitch replaces the bridge instead of supplementing it.
>
> Filtering on internal ports (and their associated IP stack) might work,
> as it's an ordinary interface from the POV of filters.
>
> However, what people are often interested in is filtering on
> interfaces which are used for L2 forwarding of packets. It's
> what I wanted to explain in this change. IIRC, OpenStack folks
> invented the infamous "hybrid interface" hack to work around this
> incompatibility. Are you referring to this sort of thing by
> "Linux bridge-specific filtering"?
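Review bot: The opening line of the answer ("It's by design.") claims too much, since the reply in this thread states that iptables does work on Open vSwitch bridge "internal" ports; the quoted text should distinguish filtering on internal ports (where the host IP stack and its packet filter see the traffic) from filtering on ports used for L2 forwarding (where it does not), rather than stating that Open vSwitch does not obey packet filter rules in general. Two smaller points in the same hunk: "achieve similar" is missing its object (suggest "achieve similar results"), and "consider to use" should read "consider using" in both places.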
I really was just talking about ebtables.

I agree that it is a good idea to cover this in the FAQ, as long as it's
clear. Do you have a suggested wording that doesn't say that Open
vSwitch doesn't work at all with iptables?

(I can't say to what extent packet filtering works with Open vSwitch on
NetBSD, since I have not used it on NetBSD.)

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
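The FAQ text under discussion says that simple filtering rules can be expressed as OpenFlow flows instead of iptables rules. The script below is an added example and is not code from this thread or from the Open vSwitch project; the bridge name `br0`, the OpenFlow port numbers, the blocked TCP port 23 and the source address 192.0.2.10 are constructed for illustration. It builds iptables-style "drop" rules as `ovs-ofctl add-flow` flow specifications, prints the commands by default, and only installs them when `APPLY=1` is set.

```shell
#!/bin/sh
# Added example (not from the thread or the Open vSwitch project):
# express simple packet-filter rules as OpenFlow flows via ovs-ofctl.
# Bridge name, OpenFlow port numbers and addresses are constructed.

BRIDGE="${BRIDGE:-br0}"   # assumed bridge name

# Drop TCP traffic to one destination port arriving on one OpenFlow port.
# The match is stateless: no connection tracking, unlike iptables' conntrack.
drop_tcp_dst_flow() {
    printf 'priority=100,in_port=%s,tcp,tp_dst=%s,actions=drop' "$1" "$2"
}

# Drop all IPv4 traffic from one source address arriving on one port.
drop_src_ip_flow() {
    printf 'priority=90,in_port=%s,ip,nw_src=%s,actions=drop' "$1" "$2"
}

# Lowest-priority catch-all so everything else is L2-switched as usual.
default_flow() {
    printf 'priority=0,actions=NORMAL'
}

# Print the ovs-ofctl commands, or run them when APPLY=1 is set.
apply_flows() {
    for flow in "$@"; do
        if [ "${APPLY:-0}" = 1 ]; then
            ovs-ofctl add-flow "$BRIDGE" "$flow"
        else
            printf 'ovs-ofctl add-flow %s "%s"\n' "$BRIDGE" "$flow"
        fi
    done
}

main() {
    # Block telnet to anything behind port 2 and all traffic from one host,
    # then let everything else through the normal L2 pipeline.
    apply_flows \
        "$(drop_tcp_dst_flow 2 23)" \
        "$(drop_src_ip_flow 2 192.0.2.10)" \
        "$(default_flow)"
}

main
```

After applying, `ovs-ofctl dump-flows br0` shows the installed rules together with their packet and byte counters, which is the closest equivalent to reading iptables counters for verifying that a rule is actually matching. These flows match only on `in_port` and L3/L4 header fields, so they cover the "simple" case the FAQ answer describes; they are not a replacement for stateful filtering.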