OK, now I understand what you meant by out_port in OpenFlow. Maybe we have to wait for conntrack support in OpenFlow, because right now I don't see how I could drop traffic to all TCP ports except some specified in the WHITE_TCP_PORTS (that part works) without blocking all the outbound TCP traffic from my VM or any TCP responses.
By the way, I have found why the OpenNebula OpenFlow rules are not working here: it's because of the dl_vlan indicated in the drop rule. I guess it's never matched because I'm using an access port and therefore my Ethernet frames are not tagged. I will check that to be sure.

2014-11-26 17:32 GMT+01:00 Madko <[email protected]>:

> 2014-11-26 17:12 GMT+01:00 Jaime Melis <[email protected]>:
>
>> It would be great if we could figure out a way to provide this
>> functionality for Open vSwitch. It is a top priority in OpenNebula's
>> roadmap, so any ideas are very welcome!
>>
>> What do you mean by adapting OpenvSwitch.rb? What changes do you need in
>> the short term?
>
> Right now I'm trying to add white_ports support to block incoming traffic
> on the VM except for a few ports. I will certainly come to the same
> conclusion as you. However, it's just a good way for me to learn Ruby (and
> OpenNebula).
>
> Thanks for your help
>
>> On Wed, Nov 26, 2014 at 4:59 PM, Madko <[email protected]> wrote:
>>
>>> Thanks Jaime for this explanation. Right now OpenFlow is not really a
>>> top priority for us and OpenNebula 4.12 seems quite interesting, so we
>>> could wait for this release. We will certainly switch from OpenStack to
>>> OpenNebula because of all the mess they have made of the network stack
>>> (ovs => bridge => iptables + network namespace etc). Your "Keep It Simple"
>>> approach is very comforting. But we really need Open vSwitch support, so I
>>> will try to adapt OpenvSwitch.rb.
>>>
>>> 2014-11-26 16:04 GMT+01:00 Jaime Melis <[email protected]>:
>>>
>>>> Hi,
>>>>
>>>> Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch
>>>> drivers (see here:
>>>> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering
>>>> )
>>>>
>>>> We'd like very much to be able to provide this feature, but as far as
>>>> we know there's no way to do this satisfactorily. There is nothing similar
>>>> to 'in_port' that matches the outgoing switch port, i.e. there's no
>>>> 'out_port'.
>>>>
>>>> We are currently re-evaluating this, because in OpenNebula 4.12 we're
>>>> going to provide a new resource type: Security Groups, and you can define a
>>>> lot of things: INBOUND or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC),
>>>> ICMP_TYPE, port ranges, and best of all, specific networks, so for example
>>>> you can block out all the traffic to port 22 except if they're on the same
>>>> network. And we can't do this for Open vSwitch. AFAIK OpenStack does this
>>>> by sending the traffic to an ad-hoc Linux bridge, running iptables rules on
>>>> it, and sending it back to Open vSwitch. Which is something we would like
>>>> to avoid at all costs!
>>>>
>>>> With regard to your first message, it's very strange, the rules look
>>>> perfectly fine, not sure why it's not working...
>>>>
>>>> On Wed, Nov 26, 2014 at 3:53 PM, Madko <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I also have tested WHITE_PORTS_TCP but it seems worse since I don't
>>>>> have any specific OpenFlow rules:
>>>>>
>>>>> cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0, idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
>>>>> cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134, idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=NORMAL
>>>>> cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168, idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=drop
>>>>> cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323, idle_age=803, priority=0 actions=NORMAL
>>>>> cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168, idle_age=803, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5 actions=NORMAL
>>>>> cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0, idle_age=819, priority=39000,in_port=3 actions=drop
>>>>>
>>>>> Only the icmp drop rule is added. Is it normal?
>>>>>
>>>>> Is there anyone here using OpenNebula with Open vSwitch?
>>>>>
>>>>> 2014-11-21 9:33 GMT+01:00 Madko <[email protected]>:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some
>>>>>> network filtering.
>>>>>> I'm following the documentation found here:
>>>>>> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch
>>>>>>
>>>>>> Here is my VM network definition:
>>>>>> NIC=[
>>>>>>   AR_ID="0",
>>>>>>   BLACK_PORTS_TCP="80",
>>>>>>   BRIDGE="br0",
>>>>>>   ICMP="drop",
>>>>>>   IP="192.168.2.50",
>>>>>>   MAC="02:00:c0:a8:02:32",
>>>>>>   NETWORK="LAN",
>>>>>>   NETWORK_ID="0",
>>>>>>   NETWORK_UNAME="oneadmin",
>>>>>>   NIC_ID="0",
>>>>>>   VLAN="YES",
>>>>>>   VLAN_ID="2" ]
>>>>>>
>>>>>> But on the hypervisor where this VM is running, here are the OpenFlow
>>>>>> rules:
>>>>>> [root@node02 ~]# ovs-ofctl dump-flows br0
>>>>>> NXST_FLOW reply (xid=0x4):
>>>>>> cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
>>>>>> cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
>>>>>> cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
>>>>>> cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84, idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32 actions=drop
>>>>>> cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462, idle_age=559, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50 actions=NORMAL
>>>>>> cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>>>>> cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
>>>>>>
>>>>>> Is it correct? I can see the relevant rule here:
>>>>>> cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>>>>> but packets never pass through this rule (n_packets=0), and port 80 is
>>>>>> not blocked.
>>>>>>
>>>>>> ➜ ~ curl -s http://192.168.2.50 -o /dev/null && echo success
>>>>>> success
>>>>>>
>>>>>> If anyone can help :)
>>>>>> What am I missing?
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>> --
>>>>>> Edouard Bourguignon
>>>>>
>>>>> --
>>>>> Edouard Bourguignon
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> [email protected]
>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>
>>>> --
>>>> Jaime Melis
>>>> Project Engineer
>>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>>> www.OpenNebula.org | [email protected]
>>>
>>> --
>>> Edouard Bourguignon
>>
>> --
>> Jaime Melis
>> Project Engineer
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | [email protected]
>
> --
> Edouard Bourguignon

--
Edouard Bourguignon
_______________________________________________ Users mailing list [email protected] http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
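Added example, not part of the thread above and not OpenNebula's OpenvSwitch.rb: a small Ruby generator for the inbound TCP whitelist the thread is after, plus an audit of an `ovs-ofctl dump-flows` listing of the kind quoted in the thread. Without conntrack the whitelist is approximated statelessly with the tcp_flags match: a SYN without ACK addressed to the VM is a new connection and is dropped unless its destination port is whitelisted, while anything carrying ACK (the SYN+ACK and data replies to connections the VM opened) is not matched by the drop rule and falls through to the priority=0 NORMAL rule, so outbound TCP keeps working. Assumptions that are mine, not the thread's: Open vSwitch 2.1 or later (where the tcp_flags match appeared), priorities 33000/32500 chosen to sit between OpenNebula's default-priority (32768) drop rules and its 39000/40000 in_port rules, and SAMPLE_DUMP, a constructed listing modelled on the dumps above. The `vlan:` parameter exists so the dl_vlan match the thread suspects can be generated with or without and the audit can show which version's counters move.

```ruby
#!/usr/bin/env ruby
# Added example (not OpenNebula's OpenvSwitch.rb): generate an inbound TCP
# whitelist for one VM NIC as ovs-ofctl flow rules, and audit an
# `ovs-ofctl dump-flows` listing for missing rules and for drop rules that
# have never matched (the n_packets=0 symptom seen in the thread).
#
# Assumptions (mine, not from the thread): Open vSwitch >= 2.1 for the
# tcp_flags match; priorities 33000/32500 chosen to sit between OpenNebula's
# default-priority (32768) drop rules and its 39000/40000 in_port rules.
require 'set'

class InboundTcpWhitelist
  PRIO_ALLOW   = 33000 # SYNs to whitelisted ports
  PRIO_DROP    = 32500 # every other new inbound connection
  DEFAULT_PRIO = 32768 # what ovs-ofctl assumes when a rule has no priority

  # mac: the NIC's MAC (inbound frames carry it as dl_dst).
  # vlan: VLAN id to add as a dl_vlan match, or nil to leave it out.
  def initialize(mac, white_ports, vlan: nil)
    @mac = mac.downcase
    raise ArgumentError, "bad MAC #{@mac}" unless @mac =~ /\A(?:[0-9a-f]{2}:){5}[0-9a-f]{2}\z/
    @ports = white_ports.map(&:to_i).uniq.sort
    @ports.each { |p| raise ArgumentError, "bad port #{p}" unless (1..65_535).cover?(p) }
    @vlan = vlan
  end

  # Match for "TCP addressed to this VM", in ovs-ofctl syntax.
  def inbound_match
    ['tcp', @vlan && "dl_vlan=#{@vlan}", "dl_dst=#{@mac}"].compact.join(',')
  end

  # Stateless approximation of WHITE_PORTS_TCP. A SYN without ACK is a new
  # connection, so it is allowed only to the whitelisted ports and dropped
  # otherwise. Segments with ACK set (replies to connections the VM opened)
  # do not match the drop rule and fall through to the priority=0 NORMAL rule.
  def flows
    rules = @ports.map do |port|
      "priority=#{PRIO_ALLOW},#{inbound_match},tp_dst=#{port},actions=NORMAL"
    end
    rules << "priority=#{PRIO_DROP},#{inbound_match},tcp_flags=+syn-ack,actions=drop"
  end

  def ovs_ofctl_commands(bridge)
    flows.map { |f| "ovs-ofctl add-flow #{bridge} '#{f}'" }
  end

  # Parse one dump-flows line (or one generated rule) into
  # { match: Set of match tokens, actions: String, n_packets: Integer }.
  # A rule printed without a priority gets the default one, so rules we
  # generated and rules OVS printed compare equal. Returns nil for non-flow
  # lines such as the "NXST_FLOW reply" header.
  def self.parse_flow(line)
    return nil unless line =~ /\bactions=(\S+)\s*\z/
    actions = Regexp.last_match(1)
    head = line.sub(/,?\s*actions=\S+\s*\z/, '')
    fields = head.split(', ')
    match = fields.pop # the stats (cookie, duration, n_packets...) precede it
    stats = fields.map { |f| f.split('=', 2) }.to_h
    tokens = match.split(',').to_set
    tokens << "priority=#{DEFAULT_PRIO}" unless tokens.any? { |t| t.start_with?('priority=') }
    { match: tokens, actions: actions, n_packets: stats['n_packets'].to_i }
  end

  # Which of our rules are absent from the dump, and which installed drop
  # rules have never matched a packet.
  def audit(dump_text)
    installed = dump_text.lines.map { |l| self.class.parse_flow(l.strip) }.compact
    expected  = flows.map { |f| self.class.parse_flow(f) }
    missing = expected.reject do |e|
      installed.any? { |i| i[:match] == e[:match] && i[:actions] == e[:actions] }
    end
    idle = installed.select { |i| i[:actions] == 'drop' && i[:n_packets].zero? }
    key = ->(f) { f[:match].to_a.sort.join(',') }
    { missing: missing.map(&key), idle_drops: idle.map(&key) }
  end
end

# Constructed dump-flows output modelled on the listings in the thread:
# the port-22 allow rule and the SYN drop rule are installed, port 443 is not.
SAMPLE_DUMP = <<~DUMP
  NXST_FLOW reply (xid=0x4):
   cookie=0x0, duration=120.001s, table=0, n_packets=17, n_bytes=1326, idle_age=3, priority=33000,tcp,dl_dst=02:00:c0:a8:02:32,tp_dst=22 actions=NORMAL
   cookie=0x0, duration=120.002s, table=0, n_packets=0, n_bytes=0, idle_age=120, priority=32500,tcp,dl_dst=02:00:c0:a8:02:32,tcp_flags=+syn-ack actions=drop
   cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
   cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
   cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
   cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
DUMP

if __FILE__ == $PROGRAM_NAME
  wl = InboundTcpWhitelist.new('02:00:c0:a8:02:32', [22, 443])
  puts wl.ovs_ofctl_commands('br0')
  p wl.audit(SAMPLE_DUMP)
end
```

Two caveats a practitioner should keep in mind. First, this is stateless: bare ACK, FIN or RST segments to any port still reach the guest, so an ACK scan still gets RSTs back and the drop rule only prevents new connections from being completed; Open vSwitch 2.5 later added connection tracking (the ct() action and ct_state match), which is the stateful answer the first message is waiting for. Second, the audit's idle_drops list is exactly the check made by hand in the thread: a drop rule whose n_packets stays at 0 while the traffic it should block is getting through is matching nothing, and comparing the `vlan:` and no-vlan variants of the same rule is a quick way to see whether the dl_vlan token is the reason.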
