Hi,

Running OVS 1.0.99 on XenServer 6.0.2. I tried IP stealing prevention and port filtering using two methods. Both worked when I used the first method, but with the second method the TCP port filtering didn't work. The difference was an in_port-based drop policy versus a global drop policy.

Method 1:

# Dropped all regardless of in_port:
ovs-ofctl add-flow xenbr0 "priority=0 action=drop"

# Excluded host packets.
ovs-ofctl add-flow xenbr0 "dl_src=84:2B:2B:0A:78:67 priority=1 action=normal"
ovs-ofctl add-flow xenbr0 "dl_dst=84:2B:2B:0A:78:67 priority=1 action=normal"

# For VM1:
ovs-ofctl add-flow xenbr0 "priority=301 dl_type=0x0800 nw_src=115.x.x.121 dl_src=ea:7a:55:f2:66:ef idle_timeout=0 action=normal"
ovs-ofctl add-flow xenbr0 "priority=302 dl_type=0x0806 nw_src=115.x.x.121 dl_src=ea:7a:55:f2:66:ef idle_timeout=0 action=normal"

# Allowed tcp:80 only
ovs-ofctl add-flow xenbr0 "priority=304 dl_type=0x0800 nw_dst=115.x.x.121 dl_dst=ea:7a:55:f2:66:ef nw_proto=6 tp_dst=80 idle_timeout=0 action=normal"
ovs-ofctl add-flow xenbr0 "priority=303 dl_type=0x0806 dl_dst=ea:7a:55:f2:66:ef nw_dst=115.x.x.121 idle_timeout=0 action=normal"

Everything is working as expected. Since there is a global drop rule, I thought of using in_port instead.

Method 2:

ovs-ofctl add-flow xenbr0 "in_port=3 priority=301 dl_type=0x0800 nw_src=115.x.x.121 dl_src=ea:7a:55:f2:66:ef idle_timeout=0 action=normal"
ovs-ofctl add-flow xenbr0 "in_port=3 priority=302 dl_type=0x0806 nw_src=115.x.x.121 dl_src=ea:7a:55:f2:66:ef idle_timeout=0 action=normal"

# Allowed tcp:80 only
ovs-ofctl add-flow xenbr0 "in_port=3 priority=304 dl_type=0x0800 nw_dst=115.x.x.121 nw_proto=6 tp_dst=80 idle_timeout=0 action=normal"
ovs-ofctl add-flow xenbr0 "in_port=3 priority=303 dl_type=0x0806 dl_dst=ea:7a:55:f2:66:ef nw_dst=115.x.x.121 idle_timeout=0 action=normal"

# Drop for that port only
ovs-ofctl add-flow xenbr0 "in_port=3 priority=299 idle_timeout=0 action=drop"

With this, IP stealing prevention is working but TCP port filtering is not.

Troubleshooting:
- Tried commenting out the priority 304 and 303 rules, and still every packet reached the VM, which was against my concept of OVS.

From Method 1: I thought that since there is a global drop rule, for a packet to go out I need to allow IP and ARP, which I did by using nw_src=vm-ip and dl_src=vm-mac so that packets can go out. Without this nothing worked. And for incoming traffic I enabled nw_dst=vm-ip and dl_dst=vm-mac. tcpdump showed that my concept is right.

But in the case of Method 2 my understanding became completely wrong: even though IP stealing prevention worked, nothing else worked. And to make the situation worse, traffic to the VM worked without the priority 304 and 303 rules. How can an additional in_port make this much difference? Can someone please explain the problem?

Also, when I added "priority=299,in_port=3 actions=drop" I was able to see ping echo requests in the tcpdump output. Is it normal that tcpdump captures that before this flow?

Regards,
Ananthan
_______________________________________________ discuss mailing list discuss@openvswitch.org http://openvswitch.org/mailman/listinfo/discuss
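The asymmetry between the two methods comes down to what in_port matches: it is the port a packet enters the bridge on, so every rule in Method 2 (including the priority-299 drop) only ever sees traffic leaving the VM on port 3. Traffic destined for the VM enters on the physical NIC's port, matches none of the in_port=3 rules, and falls through to whatever the table-miss flow does. The script below is an added example, not code from the post or from Open vSwitch: it simulates OpenFlow lookup (highest-priority rule whose match fields all agree with the packet wins) over the two rule sets from the post, plus one possible hardened variant that keys the ingress rules on the VM's MAC rather than on in_port. The physical port number, gateway MAC, external and spoofed IPs, and the assumption that OVS keeps a priority-0 "actions=normal" table-miss flow when no controller is configured (standalone fail mode) are constructed assumptions.

```python
# Added example (not from the original post): simulate OpenFlow flow-table
# lookup over the two rule sets from the post and a hardened variant.
# Assumptions (not from the post): PHYS_PORT, GW_MAC, EXT_IP, SPOOF_IP, and
# that OVS keeps a priority-0 "normal" table-miss flow in standalone mode.

VM_MAC = "ea:7a:55:f2:66:ef"      # from the post
HOST_MAC = "84:2b:2b:0a:78:67"    # from the post (lower-cased)
VM_IP = "115.0.0.121"             # constructed stand-in for 115.x.x.121
VM_PORT = 3                       # from the post
PHYS_PORT = 1                     # assumed OpenFlow port of the physical NIC
GW_MAC = "00:00:5e:00:01:01"      # constructed upstream router MAC
EXT_IP = "198.51.100.7"           # constructed external address
SPOOF_IP = "115.0.0.200"          # constructed address a VM might try to steal
IP, ARP = 0x0800, 0x0806


def rule(priority, action, **match):
    """One flow entry: match maps an OpenFlow field name to the required value."""
    return {"priority": priority, "action": action, "match": match}


DEFAULT_NORMAL = rule(0, "normal")   # assumed OVS standalone default flow

# Method 1 from the post: the global priority-0 drop replaces the default flow.
METHOD1 = [
    rule(0, "drop"),
    rule(1, "normal", dl_src=HOST_MAC),
    rule(1, "normal", dl_dst=HOST_MAC),
    rule(301, "normal", dl_type=IP, nw_src=VM_IP, dl_src=VM_MAC),
    rule(302, "normal", dl_type=ARP, nw_src=VM_IP, dl_src=VM_MAC),
    rule(304, "normal", dl_type=IP, nw_dst=VM_IP, dl_dst=VM_MAC, nw_proto=6, tp_dst=80),
    rule(303, "normal", dl_type=ARP, dl_dst=VM_MAC, nw_dst=VM_IP),
]

# Method 2 from the post: every rule, including the drop, is keyed on in_port=3,
# so only packets entering from the VM's own port are ever evaluated by them.
METHOD2 = [
    DEFAULT_NORMAL,
    rule(301, "normal", in_port=VM_PORT, dl_type=IP, nw_src=VM_IP, dl_src=VM_MAC),
    rule(302, "normal", in_port=VM_PORT, dl_type=ARP, nw_src=VM_IP, dl_src=VM_MAC),
    rule(304, "normal", in_port=VM_PORT, dl_type=IP, nw_dst=VM_IP, nw_proto=6, tp_dst=80),
    rule(303, "normal", in_port=VM_PORT, dl_type=ARP, dl_dst=VM_MAC, nw_dst=VM_IP),
    rule(299, "drop", in_port=VM_PORT),
]

# One possible hardened variant (added here, not from the post): egress rules
# stay keyed on the VM's port, ingress rules are keyed on the VM's MAC without
# in_port, and a MAC-keyed drop below them catches everything else sent to it.
METHOD2_FIXED = [
    DEFAULT_NORMAL,
    rule(301, "normal", in_port=VM_PORT, dl_type=IP, nw_src=VM_IP, dl_src=VM_MAC),
    rule(302, "normal", in_port=VM_PORT, dl_type=ARP, nw_src=VM_IP, dl_src=VM_MAC),
    rule(304, "normal", dl_type=IP, nw_dst=VM_IP, dl_dst=VM_MAC, nw_proto=6, tp_dst=80),
    rule(303, "normal", dl_type=ARP, dl_dst=VM_MAC, nw_dst=VM_IP),
    rule(300, "drop", dl_dst=VM_MAC),
    rule(299, "drop", in_port=VM_PORT),
]


def lookup(table, packet):
    """Return the action of the highest-priority matching rule ("miss" if none)."""
    best = None
    for r in table:
        if all(packet.get(field) == value for field, value in r["match"].items()):
            if best is None or r["priority"] > best["priority"]:
                best = r
    return best["action"] if best else "miss"


def pkt(in_port, dl_src, dl_dst, dl_type=IP, **l3):
    """Constructed packet header as a flat field dict."""
    return {"in_port": in_port, "dl_src": dl_src, "dl_dst": dl_dst, "dl_type": dl_type, **l3}


# Constructed test traffic; the inbound packets arrive from the physical NIC.
PACKETS = {
    "vm tcp out":        pkt(VM_PORT, VM_MAC, GW_MAC, nw_src=VM_IP, nw_dst=EXT_IP, nw_proto=6, tp_dst=443),
    "vm spoofed ip out": pkt(VM_PORT, VM_MAC, GW_MAC, nw_src=SPOOF_IP, nw_dst=EXT_IP, nw_proto=6, tp_dst=443),
    "inbound tcp 80":    pkt(PHYS_PORT, GW_MAC, VM_MAC, nw_src=EXT_IP, nw_dst=VM_IP, nw_proto=6, tp_dst=80),
    "inbound tcp 22":    pkt(PHYS_PORT, GW_MAC, VM_MAC, nw_src=EXT_IP, nw_dst=VM_IP, nw_proto=6, tp_dst=22),
    "inbound icmp":      pkt(PHYS_PORT, GW_MAC, VM_MAC, nw_src=EXT_IP, nw_dst=VM_IP, nw_proto=1),
}


def compare(tables=(METHOD1, METHOD2, METHOD2_FIXED)):
    """Map each packet name to the tuple of actions the given tables produce."""
    return {name: tuple(lookup(t, p) for t in tables) for name, p in PACKETS.items()}


if __name__ == "__main__":
    for name, actions in compare().items():
        print(f"{name:18s} method1={actions[0]:6s} method2={actions[1]:6s} fixed={actions[2]}")
```

Running it shows both methods dropping the spoofed-source packet and passing TCP/80, but under Method 2 the inbound TCP/22 and ICMP packets hit only the table-miss flow and are forwarded, which matches the behaviour reported above (traffic reaching the VM even with the 304 and 303 rules removed). The hardened variant restores the Method 1 result for inbound traffic while keeping the per-port drop for egress.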