[ovs-dev] [PATCH 2/2] FAQ: Mention packet filter incompatibility

YAMAMOTO Takashi yamamoto at valinux.co.jp
Tue May 6 00:02:06 UTC 2014


> On Mon, May 05, 2014 at 09:13:53AM +0900, YAMAMOTO Takashi wrote:
>> +Q: Open vSwitch does not seem to obey my packet filter rules.
>> +
>> +A: It's by design.  Open vSwitch interacts with packets at a lower layer
>> +   than typical packet-filter implementations like iptables.
>> +   For simple filtering rules, it might be possible to achieve similar
>> +   by installing appropriate OpenFlow flows instead.
>> +
>> +   If the use of a particular packet filter software is essential,
>> +   Open vSwitch might not be the best choice for you.  On Linux, you might
>> +   want to consider to use Linux Bridge, which works with iptables.
>> +   On NetBSD, you might want to consider to use bridge(4) with BRIDGE_IPF
>> +   option.
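Review bot: The answer overstates the incompatibility. As written, "Open vSwitch does not seem to obey my packet filter rules" plus "It's by design" reads as if iptables never applies on an OVS host, but iptables does see traffic that enters or leaves the host IP stack through a bridge "internal" port, as the reply below notes. The hunk should narrow the question to what it is really about: packets that Open vSwitch forwards at L2 between switch ports never traverse the host's IP layer, so iptables FORWARD rules (and bridge-only hooks such as ebtables) do not see them. Suggest rewording the first paragraph along the lines of "iptables works on the IP stack attached to internal ports, but packets forwarded at L2 between switch ports bypass it", and say explicitly that OpenFlow flows are the mechanism that does see those packets. Two smaller points in the same hunk: "achieve similar" is missing its noun (e.g. "achieve similar results"), and "consider to use" should be "consider using" in both the Linux and NetBSD sentences.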
> 
> Hmm.  Open vSwitch works OK with iptables on Linux.  You can use it, for
> example, to firewall or filter particular L4 ports on your bridge
> "internal" ports.  XenServer has used iptables with Open vSwitch this
> way from the very beginning, and it's always worked fine.
> 
> Open vSwitch doesn't work with Linux bridge-specific filtering
> mechanisms, like ebtables, but that makes perfect sense since Open
> vSwitch replaces the bridge instead of supplementing it.

Filtering on internal ports (and the associated IP stack) might work,
as they are ordinary interfaces from the POV of filters.

However, what people are often interested in is filtering on
interfaces which are used for L2 forwarding of packets.  That's
what I wanted to explain in this change.  IIRC, OpenStack folks
invented the infamous "hybrid interface" hack to work around this
incompatibility.  Are you referring to this sort of thing by
"Linux bridge-specific filtering"?

YAMAMOTO Takashi
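The FAQ text quoted above says that simple packet-filter rules can often be expressed as OpenFlow flows instead, since iptables does not see packets that Open vSwitch forwards at L2 between switch ports. The script below is an added example written for this page; it is not code from the Open vSwitch project or from either participant in the thread. It builds the OpenFlow equivalent of `iptables -A FORWARD -i <dev> -p tcp --dport <port> -j DROP` for a bridge port, keeps a catch-all `actions=NORMAL` flow so everything else still takes the bridge's normal L2 path, and only talks to a real switch through the standard `ovs-vsctl` / `ovs-ofctl` commands when they are present. The bridge name `br0`, the device `eth1` and the helper function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: express simple "drop L4 port on ingress" filter rules as
# OpenFlow flows for an Open vSwitch bridge. Not part of the OVS project.
# Assumed names: bridge br0, port device eth1 (used only in the usage note).

# Emit one OpenFlow rule that mimics
#   iptables -A FORWARD -i <dev> -p <proto> --dport <port> -j DROP
# for packets that OVS forwards at L2 (iptables FORWARD never sees those).
# $1 = OpenFlow port number of the ingress port, $2 = tcp|udp, $3 = L4 dst port
drop_l4_flow() {
    printf 'priority=100,in_port=%s,%s,tp_dst=%s,actions=drop\n' "$1" "$2" "$3"
}

# Emit the catch-all: anything not dropped takes the normal MAC-learning path.
# Without it, a bridge whose flow table is non-empty forwards nothing.
default_flow() {
    printf 'priority=0,actions=NORMAL\n'
}

# Build the complete flow list for one ingress port: one drop rule per
# "proto:port" argument (e.g. tcp:23 udp:69), then the default flow.
# The drop rules carry a higher priority than the default, so ordering in
# the file does not matter; priority decides which flow wins.
# $1 = OpenFlow port number, remaining args = proto:port entries
flow_table() {
    ft_ofport=$1; shift
    for entry in "$@"; do
        proto=${entry%%:*}
        port=${entry#*:}
        drop_l4_flow "$ft_ofport" "$proto" "$port"
    done
    default_flow
}

# Install the flows on a live bridge and show the resulting table.
# $1 = bridge, $2 = port device name, remaining args = proto:port entries
# Requires ovs-vsctl/ovs-ofctl; otherwise prints the flows it would install.
install_flows() {
    bridge=$1; dev=$2; shift 2
    if ! command -v ovs-ofctl >/dev/null 2>&1; then
        echo "ovs-ofctl not found; flows that would be installed on $bridge:" >&2
        flow_table '<ofport>' "$@" >&2
        return 1
    fi
    # Map the device to its OpenFlow port number; in_port matches on that.
    ofport=$(ovs-vsctl get Interface "$dev" ofport) || return 1
    # add-flows reads one flow per line; "-" means standard input.
    flow_table "$ofport" "$@" | ovs-ofctl add-flows "$bridge" - || return 1
    ovs-ofctl dump-flows "$bridge"
}

# Usage (on a host with OVS; assumed names):
#   install_flows br0 eth1 tcp:23 udp:69
```

Note what this does and does not give you: `in_port` plus `tp_dst` only filters traffic entering the bridge through that one port, and the `drop` flows are stateless, so there is no equivalent of conntrack-style "established" matching in this form. Check the installed table with `ovs-ofctl dump-flows br0` and confirm the drop flows' packet counters increase when a matching packet arrives.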
