[ovs-discuss] filtering macs/ip
jesse at nicira.com
Thu May 13 20:06:28 UTC 2010
On Thu, May 13, 2010 at 12:36 PM, Matthew Law <matt at webcontracts.co.uk> wrote:
> The post below is a question regarding xen cloud platform asked on the
> xen-users list. As this is also of interest to me, I thought I would ask
> questions here and post any feedback to xen-users also. I hope you don't
> Is there any way currently (or planned for later) to persist flows
If you set idle_timeout to 0 the flows will not time out.
> And the point about "They are not associated with vm migration process":
> is it not the case that the port being virtual could go with the vm to
> another physical host in the vswitch?
Each OVS instance knows only about the physical machine that it is running
on. If you want to propagate flows during migration you will need a
> Sorry if my questions are dumb!
> On Tue, May 11, 2010 9:47 am, George Shuklin wrote:
> > I looked deeper into openvswitch... I found no way to have nice spoofing
> > protection without an openflow controller. And yes, spoofing is possible, I
> > checked it.
> > The following lines to ovs-ofctl enable MAC security (drop any traffic from a
> > VM with an incorrect combination of MAC address and IP; the settings work only
> > for a certain MAC/IP):
> > ovs-ofctl add-flow xenbr0 "dl_src=36:75:e2:35:d7:ea priority=39000
> > dl_type=0x0800 nw_src=188.8.131.52 idle_timeout=65000 action=normal"
> > ovs-ofctl add-flow xenbr0 "dl_src=36:75:e2:35:d7:ea priority=38000
> > dl_type=0x0800 nw_src=ANY idle_timeout=65000 action=drop"
> > And we can bind a MAC to an interface (port security):
> > ovs-ofctl add-flow xenbr0 "in_port=2 priority=39000 dl_type=0x0800
> > nw_src=184.108.40.206 idle_timeout=65000 action=normal"
> > ovs-ofctl add-flow xenbr0 "in_port=2 priority=38500 dl_type=0x0806
> > idle_timeout=65000 action=normal" # for now we let ARP through without control.
> > ovs-ofctl add-flow xenbr0 "in_port=2 priority=38000 idle_timeout=65000
> > action=drop"
> > The main problems I see here are:
> > 1) Those lines are washed away after idle_timeout.
> > 2) They are not associated with the vm migration process
> > 3) The port number is hard to obtain (about 3 greps from xe/ovs output).
> > I still have not tried to install/use an openflow controller (maybe this
> > is the gold solution?), but direct control of openflow for OVS is very tricky
> > and may cause some unpleasant results in a production environment.
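As an added example that is not part of this thread, here is a small POSIX shell helper that turns the three rules quoted above into persistent flows (idle_timeout=0, as the reply notes), looks the OpenFlow port number up with ovs-vsctl instead of grepping, and tightens the ARP rule so the sender MAC/IP must also match. Bridge, vif name, MAC and IP values are placeholders, and the arp_sha/arp_spa match fields assume a current ovs-ofctl rather than the 2010 build discussed here.

```sh
#!/bin/sh
# Added example (not from the thread): builds the anti-spoofing flow set from
# the post above with idle_timeout=0 so the flows persist across idle periods.
# Assumes a current ovs-ofctl that understands arp_sha/arp_spa matches
# (the 2010 post let ARP through unchecked); all values are placeholders.

# Reject anything that is not a lowercase colon-separated MAC / dotted IPv4
# before it reaches the flow table.
valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$'
}
valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# Print the flow specs for one VM port, one per line, highest priority first.
# $1 OpenFlow port number, $2 bound MAC, $3 bound IPv4 address
port_security_flows() {
    port=$1 mac=$2 ip=$3
    valid_mac "$mac" && valid_ipv4 "$ip" || return 1
    # IPv4 is allowed only when both the source MAC and source IP match.
    printf '%s\n' "in_port=$port,priority=39000,dl_src=$mac,dl_type=0x0800,nw_src=$ip,idle_timeout=0,actions=normal"
    # ARP is allowed only if the ARP sender fields also carry the bound pair.
    printf '%s\n' "in_port=$port,priority=38500,dl_src=$mac,dl_type=0x0806,arp_sha=$mac,arp_spa=$ip,idle_timeout=0,actions=normal"
    # Anything else the port emits is dropped.
    printf '%s\n' "in_port=$port,priority=38000,idle_timeout=0,actions=drop"
}

# Look up the OpenFlow port number of a vif by name (replaces the greps).
vif_ofport() {
    ovs-vsctl get Interface "$1" ofport
}

# Install the flow set on a bridge for one vif.
# $1 bridge, $2 interface name, $3 bound MAC, $4 bound IPv4 address
apply_port_security() {
    br=$1 iface=$2
    port=$(vif_ofport "$iface") || return 1
    port_security_flows "$port" "$3" "$4" | while IFS= read -r flow; do
        ovs-ofctl add-flow "$br" "$flow" || exit 1
    done
}
```

Call it as `apply_port_security xenbr0 vif1.0 36:75:e2:35:d7:ea 188.8.131.52` on the host; the flows still need to be re-applied on the destination host after a migration, since each OVS instance only knows its own machine.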