Hi list,

I'm trying to add rules to OVS to prevent virtual machines from stealing IP addresses from each other. Using XCP, based on XenServer 5.6fp1, with OVS version 1.0.2.
xapi5 is the switch. Port 5 (xapi13) is VLAN 8; port 8 (vif53.0) is the virtual machine I'm trying to lock down, with IP 10.10.8.73 and MAC a6:1e:29:3d:69:51.

Trying:

    /usr/bin/ovs-ofctl add-flow xapi5 "in_port=5 priority=39000 dl_type=0x0800 nw_src=10.10.8.73 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"
    /usr/bin/ovs-ofctl add-flow xapi5 "in_port=5 priority=38500 dl_type=0x0806 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"
    /usr/bin/ovs-ofctl add-flow xapi5 "in_port=5 priority=38000 idle_timeout=0 action=drop"

I would think traffic from IP addresses other than 10.10.8.73 would stop, but it keeps on pinging if I add e.g. 10.10.8.74 to the VM. Using dl_vlan=8 does not help.

Output from ovs-ofctl dump xapi5:

    cookie=0x0, duration_sec=1141s, duration_nsec=816000000ns, table_id=1, priority=39000, n_packets=0, n_bytes=0, ip,in_port=5,dl_vlan=8,dl_src=a6:1e:29:3d:69:51,nw_src=10.10.8.73,actions=NORMAL
    cookie=0x0, duration_sec=1165s, duration_nsec=593000000ns, table_id=1, priority=38500, n_packets=0, n_bytes=0, arp,in_port=5,dl_vlan=8,dl_src=a6:1e:29:3d:69:51,actions=NORMAL
    cookie=0x0, duration_sec=1132s, duration_nsec=273000000ns, table_id=1, priority=38000, n_packets=0, n_bytes=0, in_port=5,dl_vlan=8,actions=drop

Others have used these rules without VLANs with success, but I can't figure out why they don't work on my setup.
    [root@node0106 ~]# ovs-ofctl show xapi5
    May 02 13:37:07|00001|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
    features_reply (xid=0x6980b): ver:0x1, dpid:00005a976383e68c
    n_tables:2, n_buffers:256
    features: capabilities:0x87, actions:0xfff
     1(bond0): addr:00:23:20:b7:47:73, config: 0, state:0
     2(eth1): addr:00:26:b9:f9:cd:e2, config: 0, state:0
         current:    1GB-FD FIBER AUTO_NEG
         advertised: 1GB-FD AUTO_NEG
         supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER AUTO_NEG
     3(eth0): addr:00:26:b9:f9:cd:e0, config: 0, state:0
         current:    1GB-FD FIBER AUTO_NEG
         advertised: 1GB-FD AUTO_NEG
         supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER AUTO_NEG
     4(xapi6): addr:00:26:b9:f9:cd:e0, config: 0, state:0
     5(xapi13): addr:00:26:b9:f9:cd:e0, config: 0, state:0
     6(xapi8): addr:00:26:b9:f9:cd:e0, config: 0, state:0
     7(xapi2): addr:00:26:b9:f9:cd:e0, config: 0, state:0
     8(vif53.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
     9(vif17.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
     10(vif43.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
     11(vif54.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
     LOCAL(xapi5): addr:00:26:b9:f9:cd:e0, config: 0, state:0

Any ideas are greatly appreciated.

Thanks,
Regards
Kristoffer
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
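The following is an added example, not code from the post above or from Open vSwitch. It is a toy OpenFlow-style classifier that models only the match fields the posted rules use (in_port, dl_type, dl_vlan, dl_src, nw_src) with highest-priority-wins semantics, and runs the three-rule anti-spoofing set against constructed sample frames from the VM's VIF. Assumptions, not facts from the post: frames from a VIF arrive untagged (the VIF acts as an access port), and a packet that matches no flow is forwarded by the NORMAL learning-switch action, as OVS does in standalone mode without a controller. The example also renders the rule set as ovs-ofctl add-flow lines, parameterised by the ingress port, so the rules can be keyed to the VM's own port (8, vif53.0) rather than the VLAN port (5, xapi13).

```python
"""Toy OpenFlow-style matcher for reasoning about OVS anti-spoofing rules.

Added example; not from the original post or from Open vSwitch.
Models first-match-by-priority over a few L2/L3 fields and nothing else.
"""

ETH_IP = 0x0800
ETH_ARP = 0x0806

VM_PORT = 8                  # vif53.0 in the post's "ovs-ofctl show" output
VLAN_PORT = 5                # xapi13, the port the posted rules match on
VM_MAC = "a6:1e:29:3d:69:51"
VM_IP = "10.10.8.73"


def flow(priority, action, **match):
    """One flow entry: priority, match fields, action."""
    return {"priority": priority, "match": match, "action": action}


def antispoof_flows(in_port, mac, ip, dl_vlan=None):
    """The three-rule lock-down from the post, keyed to a chosen ingress port.

    dl_vlan is optional; when given it is added to every match, as in the
    dumped flows that carried dl_vlan=8.
    """
    vlan = {} if dl_vlan is None else {"dl_vlan": dl_vlan}
    return [
        flow(39000, "NORMAL", in_port=in_port, dl_type=ETH_IP, dl_src=mac, nw_src=ip, **vlan),
        flow(38500, "NORMAL", in_port=in_port, dl_type=ETH_ARP, dl_src=mac, **vlan),
        flow(38000, "drop", in_port=in_port, **vlan),
    ]


def ovs_ofctl_commands(bridge, in_port, mac, ip, dl_vlan=None):
    """Render the same rules as ovs-ofctl add-flow command lines."""
    lines = []
    for f in antispoof_flows(in_port, mac, ip, dl_vlan):
        m = f["match"]
        fields = [f"in_port={m['in_port']}", f"priority={f['priority']}"]
        if "dl_vlan" in m:
            fields.append(f"dl_vlan={m['dl_vlan']}")
        if "dl_type" in m:
            fields.append(f"dl_type=0x{m['dl_type']:04x}")
        if "dl_src" in m:
            fields.append(f"dl_src={m['dl_src']}")
        if "nw_src" in m:
            fields.append(f"nw_src={m['nw_src']}")
        fields.append(f"action={f['action'].lower()}")
        lines.append(f'ovs-ofctl add-flow {bridge} "{",".join(fields)}"')
    return lines


def matches(match, pkt):
    """A flow matches when every field it specifies equals the packet's field."""
    return all(pkt.get(k) == v for k, v in match.items())


def lookup(flows, pkt):
    """Highest-priority matching flow wins.

    Assumption: a table miss is forwarded by NORMAL (OVS standalone mode).
    """
    hits = [f for f in flows if matches(f["match"], pkt)]
    if not hits:
        return "NORMAL (table miss)"
    return max(hits, key=lambda f: f["priority"])["action"]


def packet(in_port, dl_type, dl_src, nw_src=None, dl_vlan=None):
    """Constructed sample frame; untagged unless dl_vlan is given (assumption)."""
    pkt = {"in_port": in_port, "dl_type": dl_type, "dl_src": dl_src}
    if nw_src is not None:
        pkt["nw_src"] = nw_src
    if dl_vlan is not None:
        pkt["dl_vlan"] = dl_vlan
    return pkt


# Constructed traffic from the VM's VIF: legitimate, spoofed IP, spoofed MAC.
SAMPLES = {
    "legit_ip": packet(VM_PORT, ETH_IP, VM_MAC, VM_IP),
    "spoofed_ip": packet(VM_PORT, ETH_IP, VM_MAC, "10.10.8.74"),
    "legit_arp": packet(VM_PORT, ETH_ARP, VM_MAC),
    "spoofed_mac_arp": packet(VM_PORT, ETH_ARP, "de:ad:be:ef:00:01"),
}


def verdicts(flows, samples=SAMPLES):
    """Action chosen for each sample frame under the given flow table."""
    return {name: lookup(flows, pkt) for name, pkt in samples.items()}


if __name__ == "__main__":
    print("rules keyed to port 5:", verdicts(antispoof_flows(VLAN_PORT, VM_MAC, VM_IP)))
    print("rules keyed to port 8:", verdicts(antispoof_flows(VM_PORT, VM_MAC, VM_IP)))
    print("\n".join(ovs_ofctl_commands("xapi5", VM_PORT, VM_MAC, VM_IP)))
```

Running it shows that rules matching in_port=5 never see frames that enter on port 8, so every sample falls through to the table-miss path (consistent with n_packets=0 on all three dumped flows), while the same rules keyed to port 8 pass the legitimate IP and ARP frames and drop the spoofed ones. Adding dl_vlan=8 to the match is, under the untagged-VIF assumption, a second way to miss. After installing real rules, `ovs-ofctl dump-flows xapi5` with non-zero n_packets on the drop entry is the check that the spoofed traffic is actually hitting it.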