[ovs-dev] [PATCH 2/2] FAQ: Mention packet filter incompatibility

Ben Pfaff blp at nicira.com
Tue May 6 16:35:11 UTC 2014

On Tue, May 06, 2014 at 09:02:06AM +0900, YAMAMOTO Takashi wrote:
> > On Mon, May 05, 2014 at 09:13:53AM +0900, YAMAMOTO Takashi wrote:
> >> +Q: Open vSwitch does not seem to obey my packet filter rules.
> >> +
> >> +A: It's by design.  Open vSwitch interacts with packets at a lower layer
> >> +   than typical packet-filter implementations like iptables.
> >> +   For simple filtering rules, it might be possible to achieve similar
> >> +   by installing appropriate OpenFlow flows instead.
> >> +
> >> +   If the use of a particular packet filter software is essential,
> >> +   Open vSwitch might not be the best choice for you.  On Linux, you might
> >> +   want to consider to use Linux Bridge, which works with iptables.
> >> +   On NetBSD, you might want to consider to use bridge(4) with BRIDGE_IPF
> >> +   option.
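Review bot: the first paragraph of the answer overstates the incompatibility. "Open vSwitch interacts with packets at a lower layer than typical packet-filter implementations like iptables" reads as if iptables rules never apply, but that is only true of traffic Open vSwitch forwards at layer 2 between bridge ports; traffic delivered to the host stack through an OVS internal port goes through netfilter like any other interface, so INPUT/OUTPUT rules on that port work as usual. Suggest splitting the cases, e.g. "Packets that Open vSwitch forwards between ports at layer 2 never pass through iptables, so FORWARD rules on those interfaces have no effect. Rules on Open vSwitch internal ports, whose traffic goes through the host IP stack, work normally." Minor wording in the same hunk: "achieve similar" is missing its noun ("achieve similar results"), and "consider to use" (twice) should be "consider using". The NetBSD bridge(4)/BRIDGE_IPF sentence makes a behavioural claim that nobody in this thread has confirmed; keep it only if it has been verified on NetBSD.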
> > 
> > Hmm.  Open vSwitch works OK with iptables on Linux.  You can use it, for
> > example, to firewall or filter particular L4 ports on your bridge
> > "internal" ports.  XenServer has used iptables with Open vSwitch this
> > way from the very beginning, and it's always worked fine.
> > 
> > Open vSwitch doesn't work with Linux bridge-specific filtering
> > mechanisms, like ebtables, but that makes perfect sense since Open
> > vSwitch replaces the bridge instead of supplementing it.
> Filtering on internal ports (and their associated IP stack) might work,
> as they are ordinary interfaces from the point of view of filters.
> However, what people are often interested in is filtering on
> interfaces which are used for L2 forwarding of packets.  That's
> what I wanted to explain in this change.  IIRC, OpenStack folks
> invented the infamous "hybrid interface" hack to work around this
> incompatibility.  Are you referring to this sort of thing by
> "Linux bridge-specific filtering"?

I really was just talking about ebtables.

I agree that it is a good idea to cover this in the FAQ, as long as it's
clear.  Do you have a suggested wording, that doesn't say that Open
vSwitch doesn't work at all with iptables?  (I can't say to what extent
packet filtering works with Open vSwitch on NetBSD, since I have not
used it on NetBSD.)
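The distinction the thread settles on (iptables applies to traffic that reaches the host stack through an OVS internal port, but not to traffic Open vSwitch forwards at L2 between ports, where an OpenFlow flow is the equivalent control) is easiest to see side by side. The script below is an added example, not code from the patch, the thread or the Open vSwitch project. The bridge name br0, the internal port int0, the physical port eth1 and the OpenFlow port number 2 are all assumptions; with DRY_RUN=1 (the default) it prints the commands instead of executing them, so it can be read and checked without root or a running ovs-vswitchd.

```shell
#!/bin/sh
# Added example (not from the OVS patch or thread): filtering TCP port 22 on an
# Open vSwitch bridge two ways. Names and port numbers below are assumptions.
#
# 1. Traffic terminating on the host via an OVS *internal* port traverses the
#    host IP stack, so an ordinary iptables INPUT rule on that interface works.
# 2. Traffic OVS forwards at L2 between bridge ports never enters netfilter's
#    FORWARD chain, so the equivalent filter is an OpenFlow flow matched on the
#    ingress port, installed ahead of a lower-priority NORMAL (learning switch)
#    flow that handles everything else.

BRIDGE=${BRIDGE:-br0}
INTERNAL_PORT=${INTERNAL_PORT:-int0}   # assumed internal port name
L2_PORT=${L2_PORT:-eth1}               # assumed physical port used for L2 forwarding
DRY_RUN=${DRY_RUN:-1}                  # 1 = print commands, 0 = execute them

# Print the command in dry-run mode, otherwise execute it.
run_cmd() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$1"
    else
        eval "$1"
    fi
}

# iptables rule for the internal port. Effective only for packets delivered
# to the host stack on that interface, not for packets OVS forwards at L2.
iptables_drop_tcp_on_internal() {
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' \
        "$INTERNAL_PORT" "$1"
}

# OpenFlow equivalent for a port used for L2 forwarding: match the ingress
# OpenFlow port number and TCP destination port, then drop. Priority 100
# beats the priority-0 NORMAL flow, so this is consulted first.
openflow_drop_tcp_on_l2_port() {
    printf 'ovs-ofctl add-flow %s priority=100,in_port=%s,tcp,tp_dst=%s,actions=drop\n' \
        "$BRIDGE" "$1" "$2"
}

# Default flow: behave like a normal learning switch for unmatched traffic.
openflow_default_normal() {
    printf 'ovs-ofctl add-flow %s priority=0,actions=NORMAL\n' "$BRIDGE"
}

main() {
    # Bridge with one internal port (host-terminated) and one bridged NIC.
    run_cmd "ovs-vsctl --may-exist add-br $BRIDGE"
    run_cmd "ovs-vsctl --may-exist add-port $BRIDGE $INTERNAL_PORT -- set interface $INTERNAL_PORT type=internal"
    run_cmd "ovs-vsctl --may-exist add-port $BRIDGE $L2_PORT"

    # Host-terminated traffic: netfilter applies as on any interface.
    run_cmd "$(iptables_drop_tcp_on_internal 22)"

    # L2-forwarded traffic: look up the port's OpenFlow number, install flows.
    if [ "$DRY_RUN" = 1 ]; then
        ofport=2   # assumed value; the real lookup is the command printed next
        printf 'ovs-vsctl get Interface %s ofport\n' "$L2_PORT"
    else
        ofport=$(ovs-vsctl get Interface "$L2_PORT" ofport)
    fi
    run_cmd "$(openflow_default_normal)"
    run_cmd "$(openflow_drop_tcp_on_l2_port "$ofport" 22)"
    run_cmd "ovs-ofctl dump-flows $BRIDGE"
}

main "$@"
```

The OpenFlow drop matches only packets entering the bridge on that in_port with TCP destination port 22; the reverse direction needs its own flow if it must be blocked too, and anything steering traffic away from NORMAL (an OpenFlow controller, other high-priority flows) must be accounted for in the same table. Run with DRY_RUN=0 as root on a host with ovs-vswitchd to apply it for real.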
