On 2/24/23 01:21, Ilya Maximets wrote:
> On 2/24/23 00:36, Dr. Omran via discuss wrote:
>> Is it programmable? I mean, e.g.: nw_dst!=10.147.20.0/24 ?
> 
> No, inequality check is not supported in OpenFlow.
> 
>>
>> I misunderstood your example; I think you mean to enable the allowed 
>> network, which is the other IP.
>> I want to clarify.
>> Here in this bridge, I have two traffic only
>> 1- from 10.147.20.0/24 to other ports on the bridge.
>> 2- outside the bridge to the local ethernet port 192.168.188.0/24
>>
>> I want to disable traffic outside the bridge from interface enp1s0f0, which 
>> is connected to the NAS driver, so that it is not open to the internet.
>>
>> I think the rule should be as follows, to accept traffic to 10.147.20.0/24 
>> and reject anything other than that?
>>
>> priority=200,in_port=enp1s0f0,ip,nw_dst=10.147.20.0/24,actions=accept
>> priority=199,in_port=enp1s0f0,ip,actions=drop
> 
> Sorry, I messed up IPs in my example.  Your version is what I wanted to say.
> 
> 
> Alternative is to do this (you probably shouldn't use that):
> 
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.1.0/0.0.1.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.2.0/0.0.2.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.0.0/0.0.4.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.8.0/0.0.8.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.0.0/0.0.16.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.32.0/0.0.32.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.64.0/0.0.64.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.128.0/0.0.128.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.0.0/0.1.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.0.0/0.2.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.4.0.0/0.4.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.8.0.0/0.8.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.0.0/0.16.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.32.0.0/0.32.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.64.0.0/0.64.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.0.0/0.128.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=1.0.0.0/1.0.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.0.0/2.0.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=4.0.0.0/4.0.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=0.0.0.0/8.0.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=16.0.0.0/16.0.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=32.0.0.0/32.0.0.0,actions=drop
> priority=200,in_port=enp1s0f0,ip,nw_dst=64.0.0.0/64.0.0.0,actions=drop

One more:
priority=200,in_port=enp1s0f0,ip,nw_dst=128.0.0.0/128.0.0.0,actions=drop

> 
> It's very non-intuitive way of doing things, but it should work.
> What we do is matching on opposite of every bit in 10.147.20.0/24.
> 24 bits total - 24 rules.  Can potentially be optimized.
> 
> I generated above rules with the following python script:
> 
> import ipaddress
> addr = int(ipaddress.ip_address('10.147.20.0'))
> for i in range(8, 31):

Should be range(8, 32), of course.

>     print('priority=200,in_port=enp1s0f0,ip,nw_dst=%s/%s,actions=drop' % (
>             ipaddress.ip_address((addr & (1 << i)) ^ (1 << i)),
>             ipaddress.ip_address(1 << i)))
> 
>>
>>
>>
>> thank you
>>
>> kind regards
>> Sherif Omran
>>
>>
>>
>> On Thu, Feb 23, 2023 at 3:25 PM Ilya Maximets <i.maxim...@ovn.org> wrote:
>>
>>     On 2/23/23 14:26, Dr. Omran via discuss wrote:
>>     > Hello guys,
>>     >
>>     > I want to do this rule but instead of giving the destination as an IP, I 
>> want to say a destination that is not equal to 10.147.20.0/24
>>     >
>>     > ovs-ofctl add-flow br0 
>> "priority=200,ip,nw_dst=192.168.188.0/24,in_port=enp1s0f0,actions=drop"
>>     >
>>     > how do you do it?
>>
>>     You either carefully craft multiple rules that cover all the subnets
>>     outside of 192.168.188.0/24, or you create a high priority rule that
>>     matches on 192.168.188.0/24 and does something else (jumps to another
>>     table, for example) and have a lower priority rule that doesn't have
>>     a match on nw_dst and drops all the traffic, e.g.:
>>
>>       priority=200,in_port=enp1s0f0,ip,nw_dst=192.168.188.0/24,actions=do_something_else
>>       priority=199,in_port=enp1s0f0,ip,actions=drop
>>
>>     Best regards, Ilya Maximets.
>>
>>
>> _______________________________________________
>> discuss mailing list
>> disc...@openvswitch.org
>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> 

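The per-bit construction discussed in this thread, generalized to any IPv4 prefix, as an added example that is not part of the original thread and not OVS project code. It produces the single-bit-mask rules from the thread (one per prefix bit, including the final 128.0.0.0/128.0.0.0 rule), an equivalent set built from contiguous CIDR masks (useful where a datapath or hardware only supports prefix matches), and a checker that evaluates the rules with OpenFlow value/mask semantics and confirms that "matches some rule" is exactly "not in the prefix". The port name enp1s0f0 and the 10.147.20.0/24 prefix are taken from the thread; sampled addresses are generated locally.

```python
"""Emulate 'nw_dst != PREFIX' with OpenFlow rules and verify the rule set.

OpenFlow has no inequality match; the complement of a prefix has to be
covered by several rules. Two constructions are generated here and both
are checked against the intended semantics (example code, not OVS code).
"""
import ipaddress
import random

IN_PORT = "enp1s0f0"  # port name from the thread; assumed for formatting
ALL_ONES = 0xFFFFFFFF


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=True)


def bitwise_rules(cidr):
    """One (value, mask) per prefix bit, each mask a single bit.

    Rule i matches every address whose bit i is the opposite of the prefix's
    bit i. An address is outside the prefix iff at least one prefix bit
    differs, so the union of these rules is exactly the complement.
    For a /24 this yields 24 rules with bits 8..31, as in the thread.
    """
    net = _net(cidr)
    base = int(net.network_address)
    rules = []
    for i in range(32 - net.prefixlen, 32):
        bit = 1 << i
        rules.append(((base & bit) ^ bit, bit))  # flipped bit, single-bit mask
    return rules


def cidr_rules(cidr):
    """Same complement as proper CIDR blocks (contiguous masks).

    For prefix length p (1..prefixlen): keep the p-1 more significant bits of
    the prefix, flip bit p, wildcard everything below. Each address outside
    the prefix has a first differing bit, and lands in exactly one block.
    """
    net = _net(cidr)
    base = int(net.network_address)
    rules = []
    for plen in range(1, net.prefixlen + 1):
        mask = (ALL_ONES << (32 - plen)) & ALL_ONES
        bit = 1 << (32 - plen)
        rules.append(((base & mask) ^ bit, mask))
    return rules


def format_flows(rules, in_port=IN_PORT, priority=200, action="drop"):
    """Render rules in ovs-ofctl add-flow syntax (nw_dst=value/mask)."""
    return [
        "priority=%d,in_port=%s,ip,nw_dst=%s/%s,actions=%s"
        % (priority, in_port, ipaddress.ip_address(v), ipaddress.ip_address(m), action)
        for v, m in rules
    ]


def matches_any(addr, rules):
    """OpenFlow masked-match semantics: hit iff (addr & mask) == (value & mask)."""
    a = int(ipaddress.ip_address(addr))
    return any((a & m) == (v & m) for v, m in rules)


def verify(cidr, rules, samples=20000, seed=1):
    """True iff, for every tested address, 'matches a rule' == 'outside prefix'.

    Besides random samples, the check always includes prefix boundaries and
    the addresses that differ from the prefix in exactly one bit; those are
    covered by a single rule, so a dropped rule is caught deterministically.
    """
    net = _net(cidr)
    lo, hi = int(net.network_address), int(net.broadcast_address)
    rng = random.Random(seed)
    cands = {lo, hi, (lo - 1) & ALL_ONES, (hi + 1) & ALL_ONES, 0, ALL_ONES}
    cands.update(lo ^ (1 << i) for i in range(32))
    cands.update(rng.randrange(0, 1 << 32) for _ in range(samples))
    cands.update(rng.randrange(lo, hi + 1) for _ in range(samples // 10))
    return all(matches_any(a, rules) == (not lo <= a <= hi) for a in cands)


if __name__ == "__main__":
    prefix = "10.147.20.0/24"
    for line in format_flows(bitwise_rules(prefix)):
        print(line)
    print("bitwise rules correct:", verify(prefix, bitwise_rules(prefix)))
    print("cidr rules correct:", verify(prefix, cidr_rules(prefix)))
```

Both generators give one rule per prefix bit, so neither is shorter than the other; the CIDR form only trades the non-contiguous masks for plain prefixes. In practice the two-rule approach from the thread (a higher-priority match on the allowed prefix, then a catch-all drop at lower priority) is simpler and easier to audit, and this generator is mainly useful when the complement must be expressed as positive matches, e.g. when the allowed traffic has to be sent through a different table or the rules are consumed by a tool that does not support priorities.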