On Fri, Sep 13, 2024 at 10:28:48AM GMT, Pavel Vokhmyanin via discuss wrote:
> Hello!
>
> I'm trying to filter incoming traffic on OVS ports, but struggle to find a
> proper configuration that would allow me to. I was hoping someone could point
> me in the right direction or share personal experience with a similar task.
>
> I'm using OVS with QEMU virtual machines, which are configured to use an OVS
> virtual port. Example of my configuration:
> =============================================
> # ovs-vsctl show
> 0bd2487c-0bf0-4c39-a620-4caf5fd8e8ca
>     Bridge br-int
>         Port vmnet3
>             Interface vmnet3
>         Port vmnet4
>             Interface vmnet4
>         Port br-int
>             Interface br-int
>                 type: internal
>         Port patch-br-int
>             Interface patch-br-int
>                 type: patch
>                 options: {peer=patch-br-ext}
>     Bridge br-ext
>         Port ens3
>             Interface ens3
>         Port br-ext
>             Interface br-ext
>                 type: internal
>         Port patch-br-ext
>             Interface patch-br-ext
>                 type: patch
>                 options: {peer=patch-br-int}
>     ovs_version: "3.1.0"
> =============================================
> <interface type='bridge'>
>   <mac address='52:54:00:bb:54:3f'/>
>   <source bridge='br-int'/>
>   <virtualport type='openvswitch'>
>     <parameters interfaceid='5bbf7316-8e6d-4003-89e3-d281b3935649'/>
>   </virtualport>
>   <target dev='vmnet4'/>
>   <model type='virtio'/>
>   <alias name='net0'/>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x03'
> function='0x0'/>
> </interface>
> =============================================
>
> ens3 is a physical interface in bridge br-ext; the br-ext interface holds the IP
> address configuration. All VM ports are in the br-int bridge. br-ext and br-int
> are connected through a patch.
>
> I would like to filter unrelated ARP requests on each VM, so I'm not only
> interested in filtering outside traffic, but also traffic of other VMs in the
> same bridge. I.e. "for port vmnet4 drop ARP requests where arp_tpa is not the IP
> address of vmnet4". This configuration could be easily attained with ebtables
> on native Linux bridges in nat's POSTROUTING chain, however I couldn't solve
> this with OpenFlow. There is an "in_port" filtering option, but no "out_port",
> and I couldn't find anything that would act in a similar way. As far as I am
> aware netfilter does not work with OVS traffic, thus I couldn't apply my
> ebtables experience either.
In general, you need to encode your forwarding logic using OpenFlow. If you
don't, you rely on the default "actions=NORMAL" flow. Typically, controllers
don't rely on this action, which is a convenient default but unfit for anything
but super-simple cases. Instead, controllers typically build the pipeline stage
by stage using different OpenFlow tables, and the result does not look like a
traditional switch (which the NORMAL action tries to mimic). For example, OVN
implements an ARP responder in OpenFlow to avoid broadcasting ARP packets
altogether.

If you _really_ want to use the NORMAL action on br-int, then you could add an
intermediate bridge, e.g. "br-patch", that acts as a patch between br-int and
your VM ifaces. There, a very simple set of OpenFlow flows can be configured to
forward traffic from patchX <-> vmX, and you could easily implement your egress
rules there.

Hope it helps.

Adrián

>
> I've seen some RedHat paper suggesting to configure a veth pair to connect the VM
> and the OVS bridge. While it may work, it would require huge effort to change the
> current configuration, thus I would prefer to avoid it if possible. Can this
> task be solved in the current configuration? If not, what would you change?
>
> Thanks in advance!
>
> Best regards,
> Pavel
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
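The intermediate-bridge approach Adrián describes, written out as an added example (this is not code from the thread or from the Open vSwitch project). It assumes a bridge named br-patch, one patch-port pair per VM named patch-vm-<tap> / patch-int-<tap>, and constructed VM addresses 10.0.0.3 and 10.0.0.4; br-int keeps its NORMAL flow, while br-patch carries only the explicit flows below, so an ARP request can only reach a tap when its arp_tpa is that VM's own address. The ovs-vsctl and ovs-ofctl invocations are the standard ones; the flow text is generated by a function so it can be inspected before anything is applied.

```shell
#!/bin/sh
# Added example: filter ARP requests towards each VM tap on an intermediate
# bridge "br-patch" (assumed name) that sits between br-int and the taps.
# Each VM gets its own patch-port pair; br-patch is programmed only with
# explicit OpenFlow flows, never with the NORMAL fallback.
set -eu

BR_PATCH="br-patch"   # assumed bridge name

# Emit the flows for one tap. Inputs: tap name and the VM's IP (constructed
# values below). The patch-port name on the br-patch side is derived from the tap.
#   prio 20: ARP request whose target is this VM's IP  -> forward to the tap
#   prio 15: any other ARP request heading to the tap   -> drop
#   prio 10: everything else towards the tap            -> forward
#   prio 10: traffic coming out of the VM               -> hand to br-int
vm_flows() {
    vm_port=$1; vm_ip=$2
    patch_port="patch-vm-${vm_port}"
    cat <<EOF
table=0,priority=20,in_port=${patch_port},arp,arp_op=1,arp_tpa=${vm_ip},actions=output:${vm_port}
table=0,priority=15,in_port=${patch_port},arp,arp_op=1,actions=drop
table=0,priority=10,in_port=${patch_port},actions=output:${vm_port}
table=0,priority=10,in_port=${vm_port},actions=output:${patch_port}
EOF
}

# Move a tap from br-int to br-patch, create its patch-port pair towards
# br-int and install the flows. Needs root and the OVS binaries.
attach_vm() {
    vm_port=$1; vm_ip=$2
    patch_vm="patch-vm-${vm_port}"; patch_int="patch-int-${vm_port}"
    ovs-vsctl --if-exists del-port br-int "$vm_port"
    ovs-vsctl --may-exist add-port "$BR_PATCH" "$vm_port"
    ovs-vsctl --may-exist add-port "$BR_PATCH" "$patch_vm" \
        -- set interface "$patch_vm" type=patch options:peer="$patch_int"
    ovs-vsctl --may-exist add-port br-int "$patch_int" \
        -- set interface "$patch_int" type=patch options:peer="$patch_vm"
    vm_flows "$vm_port" "$vm_ip" | ovs-ofctl add-flows "$BR_PATCH" -
}

# Only touch the running switch when explicitly asked (OVS_APPLY=1).
if [ "${OVS_APPLY:-0}" = 1 ]; then
    ovs-vsctl --may-exist add-br "$BR_PATCH"
    # "secure" keeps br-patch from falling back to NORMAL behaviour, and
    # del-flows removes the NORMAL flow that add-br installs by default.
    ovs-vsctl set-fail-mode "$BR_PATCH" secure
    ovs-ofctl del-flows "$BR_PATCH"
    attach_vm vmnet3 10.0.0.3   # constructed address
    attach_vm vmnet4 10.0.0.4   # constructed address
fi
```

Run `sh br-patch.sh` to print nothing and `OVS_APPLY=1 sh br-patch.sh` (as root) to reconfigure; `vm_flows vmnet4 10.0.0.4` on its own shows exactly what will be pushed. Because br-patch has no table-miss flow, a tap that has not been attached through attach_vm receives nothing at all, which is the safe failure direction for a filtering bridge; `ovs-ofctl dump-flows br-patch` shows the per-flow packet counters, so the priority-15 drop rule doubles as a counter of filtered ARP requests.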