[ovs-dev] [PATCH 2/2] FAQ: Mention packet filter incompatibility

Ben Pfaff blp at nicira.com
Tue May 6 23:46:54 UTC 2014


On Wed, May 07, 2014 at 08:32:35AM +0900, YAMAMOTO Takashi wrote:
> > On Wed, May 07, 2014 at 08:09:08AM +0900, YAMAMOTO Takashi wrote:
> >> > On Tue, May 06, 2014 at 09:02:06AM +0900, YAMAMOTO Takashi wrote:
> >> >> > On Mon, May 05, 2014 at 09:13:53AM +0900, YAMAMOTO Takashi wrote:
> >> >> >> +Q: Open vSwitch does not seem to obey my packet filter rules.
> >> >> >> +
> >> >> >> +A: It's by design.  Open vSwitch interacts with packets at a lower layer
> >> >> >> +   than typical packet-filter implementations like iptables.
> >> >> >> +   For simple filtering rules, it might be possible to achieve similar
> >> >> >> +   by installing appropriate OpenFlow flows instead.
> >> >> >> +
> >> >> >> +   If the use of a particular packet filter software is essential,
> >> >> >> +   Open vSwitch might not be the best choice for you.  On Linux, you might
> >> >> >> +   want to consider to use Linux Bridge, which works with iptables.
> >> >> >> +   On NetBSD, you might want to consider to use bridge(4) with BRIDGE_IPF
> >> >> >> +   option.
> >> >> > 
> >> >> > Hmm.  Open vSwitch works OK with iptables on Linux.  You can use it, for
> >> >> > example, to firewall or filter particular L4 ports on your bridge
> >> >> > "internal" ports.  XenServer has used iptables with Open vSwitch this
> >> >> > way from the very beginning, and it's always worked fine.
> >> >> > 
> >> >> > Open vSwitch doesn't work with Linux bridge-specific filtering
> >> >> > mechanisms, like ebtables, but that makes perfect sense since Open
> >> >> > vSwitch replaces the bridge instead of supplementing it.
> >> >> 
> >> >> filtering on internal ports (and their associated IP stack) might work
> >> >> as they are ordinary interfaces from the POV of filters.
> >> >> 
> >> >> however, what people are often interested in is filtering on
> >> >> interfaces which are used for l2 forwarding of packets.  It's
> >> >> what i wanted to explain in this change.  iirc, OpenStack folks
> >> >> invented the infamous "hybrid interface" hack to workaround this
> >> >> incompatibility.  are you referring to this sort of things by
> >> >> "Linux bridge-specific filtering"?
> >> > 
> >> > I really was just talking about ebtables.
> >> > 
> >> > I agree that it is a good idea to cover this in the FAQ, as long as it's
> >> > clear.  Do you have a suggested wording, that doesn't say that Open
> >> > vSwitch doesn't work at all with iptables?  (I can't say to what extent
> >> > packet filtering works with Open vSwitch on NetBSD, since I have not
> >> > used it on NetBSD.)
> >> 
> >> how about this?
> >> 
> >> From 5472bec967ecc4a858db23bd1e4f572ddc8a5cb3 Mon Sep 17 00:00:00 2001
> >> From: YAMAMOTO Takashi <yamamoto at valinux.co.jp>
> >> Date: Mon, 5 May 2014 09:11:07 +0900
> >> Subject: [PATCH] FAQ: Mention packet filter incompatibility
> >> 
> >> Signed-off-by: YAMAMOTO Takashi <yamamoto at valinux.co.jp>
> >> ---
> >>  FAQ | 25 +++++++++++++++++++++++++
> >>  1 file changed, 25 insertions(+)
> >> 
> >> diff --git a/FAQ b/FAQ
> >> index fc21af4..f225061 100644
> >> --- a/FAQ
> >> +++ b/FAQ
> >> @@ -676,6 +676,31 @@ A: On Linux kernels before 3.11, the OVS GRE module and Linux GRE module
> >>     can then reload the OVS module following the directions in INSTALL,
> >>     which will ensure that dependencies are satisfied.
> >>  
> >> +Q: Open vSwitch does not seem to obey my packet filter rules.
> >> +
> >> +A: It depends on mechanisms and configurations you want to use.
> >> +
> >> +   Typical packet filters like iptables do not work on interfaces attached
> >> +   to Open vSwitch in the sense of "ovs-vsctl add-port" with type=system
> >> +   because Open vSwitch forwards packets at a lower layer than typical
> >> +   packet-filter implementations install their hooks.
> >> +
> >> +   ebtables is a Linux Bridge specific mechansim and does not work with
> >> +   Open vSwitch.
> >> +
> >> +   You can use packet filters on the host OS side of local ports as they
> >> +   are mostly ordinary interfaces in the point of view of packet filters.
> >> +   XenServer uses iptables with Open vSwitch this way.
> >> +
> >> +   For simple filtering rules, it might be possible to achieve similar
> >> +   by installing appropriate OpenFlow flows instead.
> >> +
> >> +   If the use of a particular packet filter setup is essential,
> >> +   Open vSwitch might not be the best choice for you.  On Linux, you might
> >> +   want to consider to use Linux Bridge, which works with iptables and
> >> +   ebtables.  On NetBSD, you might want to consider to use bridge(4)
> >> +   with BRIDGE_IPF option.
> >> +
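Review bot: "mechansim" in the ebtables paragraph is misspelled ("mechanism"), and two more wording problems in the same hunk are worth fixing before it lands in a FAQ that aims to be unambiguous: "achieve similar" has no object (suggest "achieve a similar effect"), and "consider to use", which appears twice in the last paragraph, should be "consider using". The hunk also says "local ports" where the rest of this thread says "internal" ports; settling on one term keeps the reader from wondering whether a different port type is meant. Finally, the first paragraph states that iptables "do not work" on type=system ports without saying what that looks like in practice; one sentence noting that such rules are accepted but simply never see the traffic the switch forwards (they "won't do anything useful", as discussed further down the thread) would make the answer self-explanatory.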
> > 
> > How about this?
> 
> looks good to me.
> ("usefully use" sounds a little weird but I'm not an English speaker)

It is a little weird.  I like to use language that is as clear as
possible in the FAQ, because otherwise it tends to raise as many
questions as it answers.  The word "usefully" here, which is a little
grating on the ear and the eye right next to "use", tries to clarify
that you can add (use) as many iptables rules as you like to eth0,
they just won't do anything useful.

Will you push this, then?
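The FAQ text above suggests replacing simple iptables rules with OpenFlow flows. The script below is an added example written for this page, not code from the OVS project or from anyone in the thread. It turns a few stateless iptables-style rules (drop a TCP/UDP destination port, pin an ingress port to one source address) into flows for an OVS bridge, with a lowest-priority `actions=normal` entry so that everything not explicitly dropped still gets normal L2 forwarding. The bridge name `br0` and the OpenFlow port number `2` are assumptions; check the real port number with `ovs-ofctl show br0`. Only the `apply` mode needs `ovs-ofctl`; the default mode just prints the flow table so it can be reviewed first.

```shell
#!/bin/sh
# Added example, not part of the OVS FAQ or the patch under discussion.
# Expresses simple *stateless* packet-filter rules as OpenFlow flows.
# iptables rules added to a type=system port (e.g. eth0 or a VM tap)
# are bypassed by OVS forwarding; flows on the bridge are not.
#
# Assumed names: bridge "br0", VM attached as OpenFlow port 2 with
# address 10.0.0.5 (all hypothetical; adjust via ovs-ofctl show br0).

BRIDGE="${BRIDGE:-br0}"

# Equivalent of: iptables -A FORWARD -p tcp --dport $1 -j DROP
flow_drop_tcp_dport() {
    printf 'priority=100,tcp,tp_dst=%s,actions=drop\n' "$1"
}

# Equivalent of: iptables -A FORWARD -p udp --dport $1 -j DROP
flow_drop_udp_dport() {
    printf 'priority=100,udp,tp_dst=%s,actions=drop\n' "$1"
}

# Anti-spoofing for one ingress port, roughly:
#   iptables -A FORWARD -i tap0 ! -s $2 -j DROP
# $1 = OpenFlow port number, $2 = the only IPv4 source it may use.
# The higher-priority "allow" must precede the lower-priority "drop";
# OpenFlow matches the highest priority, not the first line added.
flow_only_src_ip() {
    printf 'priority=90,in_port=%s,ip,nw_src=%s,actions=normal\n' "$1" "$2"
    printf 'priority=80,in_port=%s,ip,actions=drop\n' "$1"
}

# Catch-all: behave like a learning switch for everything else.
# Without this, a freshly replaced table forwards nothing.
flow_default_normal() {
    printf 'priority=0,actions=normal\n'
}

# The complete table, one flow per line, in ovs-ofctl file syntax.
build_flows() {
    flow_drop_tcp_dport 23      # telnet
    flow_drop_udp_dport 69      # tftp
    flow_only_src_ip 2 10.0.0.5
    flow_default_normal
}

# Replace the bridge's whole flow table with the generated one.
# "-" makes ovs-ofctl read the flow list from stdin.
apply_flows() {
    build_flows | ovs-ofctl replace-flows "$BRIDGE" -
}

case "${1:-print}" in
    print) build_flows ;;
    apply) apply_flows ;;
    *) echo "usage: $0 [print|apply]" >&2; exit 2 ;;
esac
```

Note the limit of this approach, which is the reason the FAQ says "simple" rules: these flows match packet headers only, so anything iptables would do with connection tracking (`-m state --state ESTABLISHED`) has no counterpart here; the anti-spoofing pair above also leaves ARP untouched, which needs separate `arp,arp_spa=...` flows if spoofing at that layer matters.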