Yes~, it's true, I already tried, it doesn't work at all~~, but thanks for your help.
I just found something in the openvswitch document at http://openvswitch.org/openstack/documentation/, in the last section. They said: "OVS is not compatible with iptables + ebtables rules that are applied directly on VIF ports. Thus, the existing implementations of Nova security groups and spoof-prevention aren't compatible. We are targeting work for this in Folsom."

On Fri, Jul 27, 2012 at 6:36 AM, Jesse Gross <je...@nicira.com> wrote:
> On Thu, Jul 26, 2012 at 12:40 PM, Luiz Ozaki <luiz.oz...@locaweb.com.br> wrote:
> > On 7/25/12 8:07 PM, pf shineyear wrote:
> >
> > I just want to use ovs + iptables to limit all the input access, like dropping
> > all requests to IP 10.1.0.3, but accepting all requests sent from the VM, like
> > wget www.google.com.
> >
> > I already use ovs-ofctl to drop all input access from outside, like:
> > dl_type=0x800,nw_dst=10.1.0.3,action=drop
> >
> > but iptables cannot work for the requests sent from inside.
> >
> > Could you please tell me the alternate way to write the rule?
> >
> > dl_type=0x800,nw_src=10.1.0.3,action=normal
> >
> > So, if the source is 10.1.0.3 (which I think is the VM IP), you do the
> > normal action.
> >
> > Hmmm, actually I don't know if it's gonna create the flow to accept the
> > response; the packet might go out but get dropped by the
> > nw_dst=10.1.0.3,action=drop.
>
> It won't create flows in response. OVS (and the NORMAL action in
> particular) is primarily a switch, not a stateful firewall.
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
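The point Jesse makes above (OVS flow matching is stateless, so the posted nw_dst drop rule also kills the replies to the VM's own wget) can be shown with a small model. The following is an added example, not code from the thread or from Open vSwitch: it parses the two flows posted in the thread in ovs-ofctl add-flow syntax, applies OpenFlow priority matching to three constructed packets, and then layers a conntrack-style table on top to show what iptables would do differently. The catch-all priority=0 flow, the treatment of a table miss as drop, and all addresses and ports other than 10.1.0.3 are assumptions made for the example.

```python
"""
Model of why the flows posted in this thread drop the VM's own replies.

Added example, not code from the thread or from Open vSwitch. It emulates
OpenFlow priority matching over the two rules posted above plus a
conntrack-style layer showing what a stateful firewall (iptables) does and
what the OVS NORMAL action does not. Addresses, ports and the catch-all
flow are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

VM_IP = "10.1.0.3"  # the VM address from the thread

# Flow table modelled on the thread: the posted drop rule, the suggested
# nw_src rule, and a low-priority catch-all (assumption). Syntax follows
# ovs-ofctl add-flow; "action=" (as written in the thread) and "actions="
# are both accepted.
FLOWS = [
    "priority=100,dl_type=0x800,nw_dst=10.1.0.3,action=drop",
    "priority=100,dl_type=0x800,nw_src=10.1.0.3,action=normal",
    "priority=0,actions=NORMAL",
]


@dataclass(frozen=True)
class Packet:
    dl_type: int
    nw_src: str
    nw_dst: str
    nw_proto: int = 6   # TCP
    tp_src: int = 0
    tp_dst: int = 0


def parse_flow(text):
    """Parse 'priority=..,k=v,..,actions=..' into (priority, match, action)."""
    head, sep, action = text.partition("actions=")
    if not sep:
        head, sep, action = text.partition("action=")
    if not sep:
        raise ValueError("flow has no action: %r" % text)
    priority, match = 32768, {}  # OpenFlow default priority
    for field in filter(None, head.split(",")):
        key, _, value = field.partition("=")
        if key == "priority":
            priority = int(value)
        elif key in ("nw_src", "nw_dst"):
            match[key] = ipaddress.ip_network(value, strict=False)
        else:
            match[key] = int(value, 0)  # dl_type=0x800, nw_proto=6, ...
    return priority, match, action.strip().lower()


def matches(match, pkt):
    """Every field in the match must equal (or contain) the packet's value."""
    for key, want in match.items():
        have = getattr(pkt, key)
        if isinstance(want, ipaddress.IPv4Network):
            if ipaddress.ip_address(have) not in want:
                return False
        elif have != want:
            return False
    return True


def lookup(flows, pkt):
    """Highest-priority matching flow wins. A table miss is treated as drop
    here (assumption; real OVS miss behaviour depends on fail-mode)."""
    for _, match, action in sorted(flows, key=lambda f: -f[0]):
        if matches(match, pkt):
            return action
    return "drop"


class Filter:
    """Runs packets through the flow table; when stateful, also keeps a
    conntrack-like set of connections the VM opened and admits their
    reverse direction before consulting the (stateless) flow table."""

    def __init__(self, flow_texts, stateful):
        self.flows = [parse_flow(f) for f in flow_texts]
        self.stateful = stateful
        self.established = set()

    def process(self, pkt):
        fwd = (pkt.nw_src, pkt.tp_src, pkt.nw_dst, pkt.tp_dst, pkt.nw_proto)
        rev = (pkt.nw_dst, pkt.tp_dst, pkt.nw_src, pkt.tp_src, pkt.nw_proto)
        if self.stateful and rev in self.established:
            return "normal"          # reply to a connection the VM initiated
        verdict = lookup(self.flows, pkt)
        if verdict != "drop" and pkt.nw_src == VM_IP:
            self.established.add(fwd)  # remember what the VM opened
        return verdict


def run_scenario(stateful):
    """Verdicts for the VM's outbound request, the server's reply, and an
    unsolicited inbound connection (constructed addresses)."""
    f = Filter(FLOWS, stateful)
    request = Packet(0x800, VM_IP, "203.0.113.10", tp_src=40000, tp_dst=80)
    reply = Packet(0x800, "203.0.113.10", VM_IP, tp_src=80, tp_dst=40000)
    unsolicited = Packet(0x800, "10.1.0.9", VM_IP, tp_src=51000, tp_dst=22)
    return [f.process(p) for p in (request, reply, unsolicited)]


if __name__ == "__main__":
    print("stateless (OVS NORMAL):", run_scenario(False))
    print("stateful (conntrack):  ", run_scenario(True))
```

With only the flow table, the request leaves but the reply is matched by the nw_dst=10.1.0.3 drop rule, which is exactly the failure described in the thread; the stateful layer admits the reply and still drops the unsolicited connection, which is the behaviour the poster wanted from iptables. OVS of this era had no such state; later OVS releases added a conntrack integration (the ct() action) for this purpose.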