On May 21, 2012, at 5:11 AM, faicker mo wrote:
>
> On 2012-5-20, at 12:27 AM, Sergio Kviato wrote:
>
>> Sent from my iPhone
>>
>> On May 19, 2012, at 19:02, faicker mo <faicker...@gmail.com> wrote:
>>
>>> On 2012-5-19, at 11:11 PM, Ben Pfaff wrote:
>>>
>>>> On Sat, May 19, 2012 at 09:30:40PM +0800, faicker mo wrote:
>>>>> I have viewed the ovs-ofctl man page, I found that the arp match has
>>>>> only arp_sha and arp_dha. It can't match the source ip in arp(SPA) and
>>>>> destination ip(DPA) in arp. Without this, the arp spoofing can't be
>>>>> prevented.
>>>>
>>>> Use nw_src or nw_dst. This is documented in ovs-ofctl(8).
>>>
>>> Sorry for my overlook.
>>>
>>>>> OVS replaces the bridge default in kernel. Ebtables can't
>>>>> work. But now OVS doesn't have enough function to replace
>>>>> ebtables. For example, arp_reply module in ebtables.
>>>>
>>>> No, OVS doesn't replace anything, it provides a supplement.
>>>
>>> But when I use OVS, I can't use ebtables. (need bridge module)
>>
>> Why do you need ebtables? You can construct rules to block ARP and IP spoofing
>> using ovs-ofctl for example.
>>
>>>>> I have successfully realized the broute which is in ebtables by OVS.
>>>>
>>>> I don't understand that sentence.
>>>
>>> For this, OVS replaces ebtables
>
> I need the arp_reply module like in ebtables.
> ARP and IP spoofing are realized already by ovs-ofctl.

From the ovs-ofctl man page:

  nw_proto=proto
  [....] when arp or dl_type=0x0806 is specified, matches the lower 8 bits of the ARP opcode.

Maybe that is what you need?
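
The ARP anti-spoofing rules discussed in this thread, as an added example that is not part of any message above: a shell helper that turns per-port MAC/IP bindings into `ovs-ofctl` flow specs, using `nw_src` to match the ARP SPA as Ben Pfaff's reply describes. The function names, the bridge name `br0` and all ports, MACs and IPs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: build ovs-ofctl flow specs that pin each port to one MAC/IP for ARP.
# The bridge name, port numbers, MACs and IPs below are constructed sample values.

is_mac()  { printf '%s\n' "$1" | grep -Eqi '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'; }
is_ipv4() { printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'; }
is_port() { printf '%s\n' "$1" | grep -Eq '^[0-9]+$'; }

# arp_guard_flows PORT MAC IP -> two flow specs on stdout, non-zero on bad input.
arp_guard_flows() {
    # Reject anything that is not a plain port/MAC/IPv4, so a binding file
    # cannot smuggle extra match fields or actions into the flow spec.
    is_port "$1" && is_mac "$2" && is_ipv4 "$3" || return 1
    # Permit ARP only if Ethernet source, ARP SHA and ARP SPA (nw_src) all
    # agree with the binding for this port.
    printf 'priority=200,in_port=%s,arp,dl_src=%s,arp_sha=%s,nw_src=%s,actions=normal\n' \
        "$1" "$2" "$2" "$3"
    # Every other ARP packet arriving on this port is dropped.
    printf 'priority=100,in_port=%s,arp,actions=drop\n' "$1"
}

# build_flows: read "PORT MAC IP" lines on stdin, skip blanks and comments.
build_flows() {
    while read -r port mac ip; do
        case $port in ''|'#'*) continue ;; esac
        arp_guard_flows "$port" "$mac" "$ip" ||
            echo "skipped invalid binding: $port $mac $ip" >&2
    done
}

# Constructed sample bindings (port, MAC, IP); the last line is malformed on purpose.
sample_bindings() {
    cat <<'EOF'
# port mac               ip
1 52:54:00:00:00:01 192.0.2.11
2 52:54:00:00:00:02 192.0.2.12
3 52:54:00:00:00:03 192.0.2.13,actions=normal
EOF
}

# Print the flows. To load them: sample_bindings | build_flows > flows.txt
# and then: ovs-ofctl add-flows br0 flows.txt
sample_bindings | build_flows
```

A port whose binding is rejected gets no rules from this helper, so its ARP traffic is not filtered until a valid binding is supplied.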