The first thing to check is that you're specifying the protocols all the way up in your flow-add command. For TCP/IP/Ethernet you can use the shortcut "tcp". Similarly, there's "udp" for UDP, etc. It should be in the ovs-ofctl man page, but it's easy to miss.

Try that and let us know how the other things work out.

--Justin

(Sent from my phone. Sorry for any typos.)



On Feb 11, 2010, at 6:42 PM, Todd Deshane <desha...@gmail.com> wrote:

Hi All,

I almost have Open vSwitch working the way I want it to, but I am
running across some unexpected problems. I've set up 2 switches, an
internal and an external, with the initial configuration of:

bridge.internalbr.port=internalbr
bridge.externalbr.port=externalbr
bridge.internalbr.mac=00:11:22:aa:cc:ee
bridge.externalbr.mac=00:11:22:bb:aa:dd
bridge.externalbr.port=eth0

I have a script that starts a VM with two nics, and connects one nic
to the internal switch and one to the external switch by automatically
appending to the ovs-switchd.conf and then sending a HUP signal to the
ovs-switchd process (as was suggested in a previous thread).

As the guest boots the following lines are added (before sending the HUP):
bridge.internalbr.port=tap0
bridge.externalbr.port=tap1

I then remove the default flow from the externalbr flow table with:
ovs-ofctl del-flows externalbr priority=0

And add a series of flows from a file (with the ovs-ofctl add-flows command):
dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal

My intention is to default deny all and only allow what is absolutely
necessary for this particular VM to get an IP (DHCP outgoing to server
port 67 and DHCP incoming to port 68), connect to web servers
(over port 80) and do DNS lookups (port 53).

There are a couple of things that I can't figure out yet. One is how to
get a dump-flows that includes the port numbers (tp_dst and tp_src).
Is there a command that will show them?

The VM can connect on port 22 and can be contacted over port 22, both
of which should be disallowed.

The relevant output of ovs-ofctl dump-flows externalbr (which doesn't show the tp_dst or tp_src ports):

Feb 11 20:33:03|00001|ofctl|INFO|connecting to unix:/usr/local/var/run/externalbr.mgmt
stats_reply (xid=0x80bb7ffe): flags=none type=1(flow)
 duration=1955s, table_id=1, priority=32768, n_packets=46, n_bytes=8753, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=0, n_packets=16, n_bytes=3092, actions=NORMAL

The output of other commands, such as ovs-dpctl show, seems to make
sense, but I can post other things if that helps; just let me know.

Other things that don't make sense to me are that the base system
can't connect to the guest via SSH (even though it can be connected to
from external hosts), and the guest NIC connected to the internalbr
gets an external IP address over DHCP on the eth0 (external) network,
and finally that the network for the host doesn't work correctly
(without it being restarted), which probably has something to do with
how the switch does its learning.

Any thoughts, suggestions, or things to try would be greatly appreciated.

Thanks,
Todd


--
Todd Deshane
http://todddeshane.net
http://runningxen.com
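As an added example (not code from the thread or from Open vSwitch), here is a small shell/awk lint for the problem Justin points to: a rule that matches tp_src/tp_dst without fixing the protocol (the "tcp"/"udp" shortcut, or explicit dl_type plus nw_proto) loses its port match, and the installed rule silently widens to "everything from/to that MAC", which is exactly what the dump-flows output above shows. The corrected rule set assumes HTTP over tcp and DNS/DHCP over udp; the functions original_flows, fixed_flows and bad_count are constructed for this example.

```shell
# Added example, not from the thread or from Open vSwitch: lint a flow file for
# rules that match TCP/UDP ports without naming the protocol. tp_src/tp_dst only
# mean something once dl_type and nw_proto are fixed; "tcp"/"udp" set both.
# Without them the port match is dropped and the rule widens to the MAC alone.
# Read flow rules on stdin; print each offending rule; exit 1 if any were found.
lint_flows() {
  awk '
    /^[ \t]*(#|$)/ { next }                       # skip comments and blank lines
    {
      has_port = ($0 ~ /(^|,)tp_(src|dst)=/)
      # protocol fixed either by a shortcut or by explicit dl_type + nw_proto
      shortcut = ($0 ~ /(^|,)(tcp|udp|sctp)(,|$)/)
      explicit = ($0 ~ /(^|,)(ip|ipv6|dl_type=0x0?800|dl_type=0x86dd)(,|$)/) &&
                 ($0 ~ /(^|,)nw_proto=(6|17|132)(,|$)/)
      if (has_port && !(shortcut || explicit)) {
        bad++
        printf "rule %d: port match without protocol (will be ignored): %s\n", NR, $0
      }
    }
    END { exit (bad > 0) }
  '
}

# Constructed copy of the six rules from the original post: none names a protocol.
original_flows() {
  cat <<'EOF'
dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal
EOF
}

# Same intent with the protocol named (assumed: HTTP over tcp, DNS and DHCP over udp).
fixed_flows() {
  cat <<'EOF'
tcp,dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
tcp,dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
udp,dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
udp,dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
udp,dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
udp,dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal
EOF
}

# Number of offending rules produced by a flow-set function, e.g. bad_count original_flows
bad_count() { "$1" | lint_flows | wc -l | tr -d ' '; }
```

Run it against a real flow file with `lint_flows < flows.txt` before `ovs-ofctl add-flows`, and compare the result with `ovs-ofctl dump-flows` afterwards to confirm the port fields survived.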

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
