Hi Ben, thanks for the quick response, I think I was too much affiliated with the iptables-chains, which improves readability. But, yes, each one table for all interfaces should do it.

Does anyone have any experience with the workload for ca. 150 VMs, what does ovs-vswitchd say to this, with at least one rule for every VM?

Thanks again,

Oliver.

On 04.05.2012 at 19:11, Ben Pfaff wrote:

> On Fri, May 04, 2012 at 06:32:11PM +0200, Oliver Francke wrote:
>> First try was then:
>>
>> ovs-ofctl add-flow vmbr0 'in_port=504 ip idle_timeout=0
>> dl_src=00:00:AA:BB:CC:DD nw_src=192.168.1.35 priority=40000
>> action=resubmit(504,1)'
>> ovs-ofctl add-flow vmbr0 'in_port=504 ip idle_timeout=0
>> priority=30000 action=drop'
>>
>> # individual rules:
>> ovs-ofctl del-flows vmbr0 'in_port=504'
>> ovs-ofctl add-flow vmbr0 'in_port=504 table=1 tcp
>> nw_src=192.168.1.35 tp_src=80 priority=1000 action=normal'
>> .
>> .
>>
>> Well, it works this way.
>> But we only have 255 table-entries, and up to 150 VMs per node with
>> perhaps more than one network-card ( private-backnet,
>> backup-network, etc...) will break this setup.
>> Any other ideas? What did I miss at this point? How "expensive" will
>> it be, if every VM has at least some rules to prevent
>> MAC-/IP-fake-ing?
>
> You don't need a table per VM. Use table 0 to check your ingress
> rules and resubmit to table 1 if they pass. Use table 1 to check
> egress rules and forward to the destination if they pass.
> _______________________________________________
> discuss mailing list
> discuss@openvswitch.org
> http://openvswitch.org/mailman/listinfo/discuss
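The two-table layout Ben describes, worked out as a small generator script. This is an added example, not code from the thread or from the Open vSwitch project: the VM inventory (OpenFlow port numbers, MACs, addresses, allowed TCP source ports) is constructed sample data, the bridge name vmbr0 is taken from the thread, and the helper names (vm_flows, all_flows, count_flows, apply_flows) are the example's own. Table 0 holds the per-VM anti-spoofing check (only the registered MAC/IP pair, for IP and for ARP, is resubmitted to table 1; everything else from that port is dropped), table 1 holds the per-VM egress policy, and one low-priority default per table lets traffic from non-VM ports (the uplink) through the normal L2 pipeline. The flow list is written to stdout so it can be reviewed or counted before it is loaded with ovs-ofctl add-flows, which reads a flow file from stdin when given "-".

```shell
#!/bin/sh
# Added example: per-VM anti-spoofing in table 0, per-VM egress policy in table 1.
# Constructed sample inventory, one VM port per line:
#   <ofport> <mac> <ip> <comma-separated TCP source ports the VM may serve>
VM_INVENTORY='5 00:00:aa:bb:cc:01 192.168.1.35 80,443
6 00:00:aa:bb:cc:02 192.168.1.36 22'

# vm_flows OFPORT MAC IP PORTLIST -> prints the flow entries for one VM port
vm_flows() {
    port=$1; mac=$2; ip=$3; svc=$4
    # Table 0 (ingress from the VM): only its own MAC/IP pair, for IPv4 and for
    # ARP, may continue to table 1; anything else arriving on this port is dropped.
    echo "table=0,priority=40000,in_port=$port,dl_src=$mac,ip,nw_src=$ip,actions=resubmit(,1)"
    echo "table=0,priority=40000,in_port=$port,dl_src=$mac,arp,arp_spa=$ip,actions=resubmit(,1)"
    echo "table=0,priority=30000,in_port=$port,actions=drop"
    # Table 1 (egress policy): one allow entry per service the VM may offer,
    # then a catch-all drop for this port (same shape as the thread's tp_src=80 rule).
    old_ifs=$IFS; IFS=,
    for p in $svc; do
        echo "table=1,priority=1000,in_port=$port,tcp,nw_src=$ip,tp_src=$p,actions=normal"
    done
    IFS=$old_ifs
    echo "table=1,priority=10,in_port=$port,actions=drop"
}

# all_flows -> the complete flow file for the bridge
all_flows() {
    echo "$VM_INVENTORY" | while read -r port mac ip svc; do
        [ -n "$port" ] && vm_flows "$port" "$mac" "$ip" "$svc"
    done
    # Ports not listed in the inventory (e.g. the uplink) are not subject to the
    # VM checks: pass them to table 1 and let the normal L2 pipeline forward them.
    echo "table=0,priority=0,actions=resubmit(,1)"
    echo "table=1,priority=0,actions=normal"
}

# count_flows -> number of entries generated, for a quick sizing check
count_flows() { all_flows | wc -l | tr -d ' '; }

# apply_flows BRIDGE -> load the generated entries; ovs-ofctl reads the file from stdin as "-"
apply_flows() { all_flows | ovs-ofctl add-flows "$1" -; }

# Only touch a bridge when asked explicitly: ./flows.sh --apply vmbr0
if [ "${1:-}" = "--apply" ]; then
    apply_flows "${2:-vmbr0}"
else
    all_flows
fi
```

Two things worth checking on a real host: the port numbers must be OpenFlow port numbers (ovs-ofctl show vmbr0), not interface names, and a VM with entries only in the tp_src form above can answer connections but not open any, which is exactly the thread's setup; outbound client traffic needs its own allow entries in table 1. Sizing stays flat with this layout: the number of tables is fixed at two regardless of VM count, and the entry count grows linearly (a few entries per VM port), which is far from any practical limit of the OVS flow table.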