[ovs-discuss] filtering macs/ip

Jesse Gross jesse at nicira.com
Thu May 13 20:06:28 UTC 2010


On Thu, May 13, 2010 at 12:36 PM, Matthew Law <matt at webcontracts.co.uk> wrote:

> The post below is a question regarding xen cloud platform asked on the
> xen-users list.  As this is also of interest to me, I thought I would ask
> questions here and post any feedback to xen-users also.  I hope you don't
> mind.
>
> Is there any way currently (or planned for later) to persist flows
> indefinitely?
>

If you set idle_timeout to 0 the flows will not timeout.


>
> And the point about "They are not associated with vm migration process":
> is it not the case that the port being virtual could go with the vm to
> another physical host in the vswitch?
>

Each OVS instance knows only about the physical machine that it is running
on.  If you want to propagate flows during migration you will need a
controller.


>
> Sorry if my questions are dumb!
>
> Thanks,
>
> Matt.
>
> On Tue, May 11, 2010 9:47 am, George Shuklin wrote:
> > I looked deeper into openswitch... I found no way to have nice spoofing
> > protection without an openflow controller. And yes, spoofing is possible, I
> > checked it.
> >
> > The following lines to ovs-ofctl enable MAC security (drop any traffic from
> > a VM with an incorrect combination of MAC address and IP; the settings work
> > only for a certain MAC/IP):
> >
> > ovs-ofctl add-flow xenbr0 "dl_src=36:75:e2:35:d7:ea priority=39000
> > dl_type=0x0800 nw_src=18.93.16.25 idle_timeout=65000 action=normal"
> > ovs-ofctl add-flow xenbr0 "dl_src=36:75:e2:35:d7:ea priority=38000
> > dl_type=0x0800 nw_src=ANY idle_timeout=65000 action=drop"
> >
> >
> > And we can bind mac to interface (port security):
> >
> > ovs-ofctl add-flow xenbr0 "in_port=2 priority=39000 dl_type=0x0800
> > nw_src=188.93.16.253 idle_timeout=65000 action=normal"
> > ovs-ofctl add-flow xenbr0 "in_port=2 priority=38500 dl_type=0x0806
> > idle_timeout=65000 action=normal" # for now we let ARP through without control.
> > ovs-ofctl add-flow xenbr0 "in_port=2 priority=38000 idle_timeout=65000
> > action=drop"
> >
> > The main problems I see here are:
> > 1) Those lines are washed away after idle_timeout.
> > 2) They are not associated with the vm migration process.
> > 3) The port number is hard to obtain (about 3 greps from xe/ovs output).
> >
> >
> > I still have not tried to install/use an openflow controller (maybe this
> > will be the gold solution?), but direct control of openflow for OVS is very
> > tricky and may cause some unpleasant results in a production environment.
>
>
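One way to script the port-security rule set from George's post with the permanent flows Jesse describes (idle_timeout=0), as an added example that is not part of the thread. It assumes the OpenFlow port number can be read from the Interface table's ofport column with ovs-vsctl, that ovs-ofctl add-flows accepts "-" for stdin, and it tightens the ARP rule with the arp_spa/arp_sha match fields of current OVS releases; the MAC and IP values are the constructed ones from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): build a permanent port-security rule
# set for one VM port. Assumptions: the OpenFlow port number comes from the
# ovs-vsctl Interface "ofport" column, ARP is bound with arp_spa/arp_sha,
# and idle_timeout=0 keeps the flows from expiring.

# Resolve the OpenFlow port number for a vif name (replaces the "3 greps").
ofport_of() {
    ovs-vsctl get Interface "$1" ofport
}

# Print the flow specs, one per line: bound IPv4, bound ARP, drop the rest.
port_security_flows() {
    port="$1"; mac="$2"; ip="$3"
    # Only the registered MAC/IP pair may send IPv4 from this port.
    printf 'in_port=%s,dl_src=%s,dl_type=0x0800,nw_src=%s,priority=39000,idle_timeout=0,actions=normal\n' \
        "$port" "$mac" "$ip"
    # ARP only when sender hardware/protocol addresses match the binding.
    printf 'in_port=%s,dl_src=%s,dl_type=0x0806,arp_spa=%s,arp_sha=%s,priority=38500,idle_timeout=0,actions=normal\n' \
        "$port" "$mac" "$ip" "$mac"
    # Everything else from this port is dropped (lowest priority of the set).
    printf 'in_port=%s,priority=38000,idle_timeout=0,actions=drop\n' "$port"
}

# Count specs that would expire; 0 means every rule is permanent.
count_expiring() {
    port_security_flows "$@" | grep -c 'idle_timeout=[1-9]' || true
}

# Install the rule set on a bridge in one call (stdin form of add-flows).
apply_port_security() {
    bridge="$1"; vif="$2"; mac="$3"; ip="$4"
    port_security_flows "$(ofport_of "$vif")" "$mac" "$ip" \
        | ovs-ofctl add-flows "$bridge" -
}
```

The flows are keyed on in_port, so they still have to be re-applied on the destination host after a migration, as Jesse notes.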

