[ovs-dev] [PATCH 2/2] FAQ: Mention packet filter incompatibility
blp at nicira.com
Tue May 6 16:35:11 UTC 2014
On Tue, May 06, 2014 at 09:02:06AM +0900, YAMAMOTO Takashi wrote:
> > On Mon, May 05, 2014 at 09:13:53AM +0900, YAMAMOTO Takashi wrote:
> >> +Q: Open vSwitch does not seem to obey my packet filter rules.
> >> +
> >> +A: It's by design. Open vSwitch interacts with packets at a lower layer
> >> + than typical packet-filter implementations like iptables.
> >> + For simple filtering rules, it might be possible to achieve similar
> >> + by installing appropriate OpenFlow flows instead.
> >> +
> >> + If the use of a particular packet filter software is essential,
> >> + Open vSwitch might not be the best choice for you. On Linux, you might
> >> + want to consider to use Linux Bridge, which works with iptables.
> >> + On NetBSD, you might want to consider to use bridge(4) with BRIDGE_IPF
> >> + option.
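Review bot: The opening line of the answer ("It's by design") states the incompatibility more broadly than the rest of this thread supports: iptables does work on a bridge's "internal" ports, so the entry should scope the claim to interfaces that Open vSwitch uses for L2 forwarding, which is the case the change is meant to describe. Two wording fixes in the same hunk: "achieve similar by installing" is missing its object (for example "achieve similar results by installing"), and "consider to use" should read "consider using" in both the Linux and NetBSD sentences.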
> > Hmm. Open vSwitch works OK with iptables on Linux. You can use it, for
> > example, to firewall or filter particular L4 ports on your bridge
> > "internal" ports. XenServer has used iptables with Open vSwitch this
> > way from the very beginning, and it's always worked fine.
> > Open vSwitch doesn't work with Linux bridge-specific filtering
> > mechanisms, like ebtables, but that makes perfect sense since Open
> > vSwitch replaces the bridge instead of supplementing it.
> filtering on internal ports (and its associated IP stack) might work
> as it's an ordinary interface in the POV of filters.
> However, what people are often interested in is filtering on
> interfaces which are used for l2 forwarding of packets. It's
> what I wanted to explain in this change. IIRC, OpenStack folks
> invented the infamous "hybrid interface" hack to work around this
> incompatibility. Are you referring to this sort of thing by
> "Linux bridge-specific filtering"?
I really was just talking about ebtables.
I agree that it is a good idea to cover this in the FAQ, as long as it's
clear. Do you have a suggested wording, that doesn't say that Open
vSwitch doesn't work at all with iptables? (I can't say to what extent
packet filtering works with Open vSwitch on NetBSD, since I have not
used it on NetBSD.)
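The two situations discussed above, as an added example that is not part of this thread or of the Open vSwitch project: iptables on a bridge's internal port (which netfilter does see) beside an OpenFlow drop flow for traffic that OVS only forwards at L2 (which netfilter never sees). The bridge and port names (br0, eth1) and TCP port 22 are assumed placeholders; commands are printed unless APPLY=1 is set.

```shell
#!/bin/sh
# Added example, not code from the ovs-dev thread or from Open vSwitch.
# Names br0 / eth1 and port 22 are placeholders chosen for illustration.

# 1) Filtering on the bridge's "internal" port. The internal port is an
#    ordinary netdev with its own IP stack, so traffic delivered to the host
#    through it passes netfilter and an iptables rule applies to it.
internal_port_rule() {
    br="$1"; dport="$2"
    printf 'iptables -A INPUT -i %s -p tcp --dport %s -j DROP\n' "$br" "$dport"
}

# 2) Filtering frames that OVS forwards between ports at L2. Those frames
#    never enter the host IP stack, so iptables does not see them; the
#    filter has to be expressed as OpenFlow flows: a high-priority drop for
#    the matched traffic plus a priority-0 NORMAL flow that keeps ordinary
#    learning-switch forwarding for everything else.
forwarded_traffic_flows() {
    br="$1"; in_port="$2"; dport="$3"
    printf 'ovs-ofctl add-flow %s "priority=100,in_port=%s,tcp,tp_dst=%s,actions=drop"\n' \
        "$br" "$in_port" "$dport"
    printf 'ovs-ofctl add-flow %s "priority=0,actions=NORMAL"\n' "$br"
}

# Print each command, or run it when APPLY=1 is set and the tools exist.
apply_or_show() {
    while IFS= read -r cmd; do
        if [ "${APPLY:-0}" = 1 ] && command -v ovs-ofctl >/dev/null 2>&1 \
           && command -v iptables >/dev/null 2>&1; then
            sh -c "$cmd"
        else
            printf 'DRY-RUN: %s\n' "$cmd"
        fi
    done
}

{ internal_port_rule br0 22; forwarded_traffic_flows br0 eth1 22; } | apply_or_show
```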