[ovs-discuss] priority of iptables and flows

Jesse Gross jesse at nicira.com
Mon May 3 21:07:34 UTC 2010

On Mon, May 3, 2010 at 12:13 AM, <mandar284 at aim.com> wrote:

>  Hi,
> I have a rule in iptables (with source ip address) to allow https traffic
> for Xen server as well as on the bridge there is a flow to deny all IP
> protocol traffic coming on the Xen bridge.
> Now, when I try to open the Xen Center from the IP matching iptables rule,
> it does not succeed in connecting the Xen server, but then, if I update the
> flows with the https allow rule with my IP, the Xen center is successfully
> connected.
> why is the traffic to access Xen server is blocked even when the iptables
> had the allow rule?
> Does iptables hold the same control of traffic, meant for the Xen sever
> host (excluding internal VMs) )in presence of open vswitch flows ?
> Can anyone explain the behavior of flows with iptables ?

Traffic to dom0 flows first through OVS and then the IP stack (and by
extension iptables).  If either has a rule to deny traffic the packet will
be dropped.  There is no shared configuration between the two so adding a
rule to iptables does not update the OVS flow table.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20100503/8b75760d/attachment-0001.html>

More information about the discuss mailing list