[ovs-dev] [PATCH] FAQ: Mention packet filter incompatibility

Pritesh Kothari (pritkoth) pritkoth at cisco.com
Wed May 7 16:58:44 UTC 2014


Acked-by: Pritesh Kothari <pritesh.kothari at cisco.com>

On May 6, 2014, at 5:02 PM, YAMAMOTO Takashi <yamamoto at valinux.co.jp> wrote:

> Co-authored-by: Ben Pfaff <blp at nicira.com>
> Signed-off-by: YAMAMOTO Takashi <yamamoto at valinux.co.jp>
> ---
> FAQ | 30 ++++++++++++++++++++++++++++++
> 1 file changed, 30 insertions(+)
> 
> diff --git a/FAQ b/FAQ
> index fc21af4..d3632f9 100644
> --- a/FAQ
> +++ b/FAQ
> @@ -676,6 +676,36 @@ A: On Linux kernels before 3.11, the OVS GRE module and Linux GRE module
>    can then reload the OVS module following the directions in INSTALL,
>    which will ensure that dependencies are satisfied.
> 
> +Q: Open vSwitch does not seem to obey my packet filter rules.
> +
> +A: It depends on mechanisms and configurations you want to use.
> +
> +   You cannot usefully use typical packet filters, like iptables, on
> +   physical Ethernet ports that you add to an Open vSwitch bridge.
> +   This is because Open vSwitch captures packets from the interface at
> +   a layer lower below where typical packet-filter implementations
> +   install their hooks.  (This actually applies to any interface of
> +   type "system" that you might add to an Open vSwitch bridge.)
> +
> +   You can usefully use typical packet filters on Open vSwitch
> +   internal ports as they are mostly ordinary interfaces from the point
> +   of view of packet filters.
> +
> +   For example, suppose you create a bridge br0 and add Ethernet port
> +   eth0 to it.  Then you can usefully add iptables rules to affect the
> +   internal interface br0, but not the physical interface eth0.  (br0
> +   is also where you would add an IP address, as discussed elsewhere
> +   in the FAQ.)
> +
> +   For simple filtering rules, it might be possible to achieve similar
> +   results by installing appropriate OpenFlow flows instead.
> +
> +   If the use of a particular packet filter setup is essential, Open
> +   vSwitch might not be the best choice for you.  On Linux, you might
> +   want to consider using the Linux Bridge.  (This is the only choice if
> +   you want to use ebtables rules.)  On NetBSD, you might want to
> +   consider using the bridge(4) with BRIDGE_IPF option.
> +
> 
> Quality of Service (QoS)
> ------------------------
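
Review bot: The second paragraph of the new answer has a doubled word in "at a layer lower below where typical packet-filter implementations install their hooks"; suggest "at a layer below where typical packet-filter implementations install their hooks". In the same paragraph, "cannot usefully use" is easy to misread as a performance caveat. Since the reason given is that Open vSwitch takes packets before the filter hooks run, say directly that rules placed on eth0 do not see that traffic, so an administrator does not assume an existing rule set on a bridged port is still being enforced. The opening line "It depends on mechanisms and configurations you want to use" does not answer the question and could be dropped or replaced by a one-line summary (filters work on internal ports such as br0, not on "system" ports added to the bridge). Minor: "the bridge(4) with BRIDGE_IPF option" reads better as "bridge(4) with the BRIDGE_IPF option".
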
> -- 
> 1.8.3.1