(moving back on list)

2010/4/30 George Shuklin <n...@narod.ru>

> 27.04.10, 18:20, "Jesse Gross" <je...@nicira.com>:
>
> > On Tue, Apr 27, 2010 at 7:37 AM, George Shuklin <n...@narod.ru> wrote:
> >
> >> Good day.
> >>
> >> Is there any way to filter VM traffic with ovs (like MAC spoofing or IP
> >> usurpation)?
> >>
> >> I tried to find one, but found none.
> >
> > There isn't currently a specific MAC/IP anti-spoofing feature. You can,
> > however, add flow entries that allow traffic from a given port, MAC, and IP
> > and drop everything else. The ovs-ofctl man page describes how to add
> > flows.
>
> Thank you very much. I am starting to see a light at the end of the tunnel.
>
> But I do not really understand the syntax of flows.
>
> For example, I add:
>
> ovs-ofctl add-flow xenbr0 "dl_src=11:11:11:11:11:11 nw_dst=192.168.1.0/24 priority=10 actions=normal"
> ovs-ofctl add-flow xenbr0 "dl_src=11:11:11:11:11:11 nw_dst=192.168.2.0/24 priority=20 actions=drop"
>
> I expect it to pass traffic from MAC=11:11:11:11:11:11 on net
> 192.168.1.0/24 (all other values are '*') as it must be and drop all traffic
> to 192.168.2.0/24...
>
> But really it drops ALL traffic from mac=11:11:11:11:11:11 to any
> destination. And I do not understand what happens...

The reason why this is happening is that you didn't specify IP as the protocol. The nw_dst field gets dropped because it is meaningless without an L3 protocol. If you do "ovs-ofctl dump-flows xenbr0" you can see the current set of flows after they have been parsed.

> Is there fuller documentation about flow syntax anywhere, or some samples
> with commentary?

I think the ovs-ofctl man page is currently our best documentation of the flow syntax.
_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
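An added example, not part of the original thread and not Open vSwitch code: a simplified Python model of the behaviour described in the reply, showing why the two flows as posted collapse into MAC-only matches, how adding `dl_type=0x0800` restores the intended result, and what a port/MAC/IP allow-list with a lower-priority drop looks like. The port number `1`, the address `192.168.1.10`, the ARP allow flow and the helper names are assumptions made for the illustration; the flow strings use ovs-ofctl syntax.

```python
import ipaddress

L3_FIELDS = ("nw_src", "nw_dst")
MAC = "11:11:11:11:11:11"

def parse_flow(spec):
    # Simplified model (assumption) of the parsing the reply describes:
    # nw_* fields are dropped unless the flow also sets dl_type=0x0800 (IP).
    match, _, action = spec.partition("actions=")
    fields = dict(tok.split("=", 1) for tok in match.replace(",", " ").split())
    priority = int(fields.pop("priority", 32768))  # ovs-ofctl default priority
    if int(fields.get("dl_type", "0"), 0) != 0x0800:
        for name in L3_FIELDS:
            fields.pop(name, None)
    return priority, fields, action.strip()

def field_matches(name, want, pkt):
    if name not in pkt:
        return False
    if name in L3_FIELDS:
        return ipaddress.ip_address(pkt[name]) in ipaddress.ip_network(want)
    if name == "dl_type":
        return int(want, 0) == pkt[name]
    return want == str(pkt[name])

def decide(flow_specs, pkt):
    # Highest priority first; the first flow whose remaining fields all match wins.
    for _, fields, action in sorted(map(parse_flow, flow_specs), key=lambda f: -f[0]):
        if all(field_matches(n, w, pkt) for n, w in fields.items()):
            return action
    return "no-match"

def pkt(**kw):
    # Constructed sample packet: IPv4 from the VM's MAC on (assumed) port 1.
    return {"in_port": 1, "dl_src": MAC, "dl_type": 0x0800, **kw}

AS_POSTED = [f"dl_src={MAC} nw_dst=192.168.1.0/24 priority=10 actions=normal",
             f"dl_src={MAC} nw_dst=192.168.2.0/24 priority=20 actions=drop"]
WITH_IP = [s.replace("nw_dst", "dl_type=0x0800 nw_dst") for s in AS_POSTED]
# Allow only the expected port + MAC + IP (and ARP from that MAC), drop the rest.
ANTI_SPOOF = [f"in_port=1 dl_src={MAC} dl_type=0x0800 nw_src=192.168.1.10 priority=100 actions=normal",
              f"in_port=1 dl_src={MAC} dl_type=0x0806 priority=100 actions=normal",
              "in_port=1 priority=10 actions=drop"]

if __name__ == "__main__":
    for name, flows in (("as posted", AS_POSTED), ("with dl_type", WITH_IP)):
        for dst in ("192.168.1.5", "192.168.2.5"):
            print(name, dst, decide(flows, pkt(nw_dst=dst)))
    for src in ("192.168.1.10", "192.168.1.99"):
        print("anti-spoof", src, decide(ANTI_SPOOF, pkt(nw_src=src)))
```

On a real bridge, `ovs-ofctl dump-flows xenbr0` remains the check that the installed flows kept the fields you intended.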