[ovs-discuss] Anti-spoof rules with vlans on XCP (XENSERVER)...

Kristoffer Egefelt dr.fersken at gmail.com
Mon May 2 11:43:36 UTC 2011


Hi list,

I'm trying to add rules to ovs to prevent virtual machines from stealing IP
addresses from each other.
Using XCP, based on XENSERVER 5.6fp1 with ovs version 1.0.2.

xapi5 is the switch.
port 5 (xapi13) is vlan8
port 8 (vif53.0) is the virtual machine I'm trying to lock down, with
ip: 10.10.8.73 and mac: a6:1e:29:3d:69:51

Trying:
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=5 priority=39000 dl_type=0x0800 nw_src=10.10.8.73 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=5 priority=38500 dl_type=0x0806 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=normal"
/usr/bin/ovs-ofctl add-flow xapi5 "in_port=5 priority=38000 idle_timeout=0 action=drop"

I would think traffic to IP addresses other than 10.10.8.73 would stop, but
it keeps on pinging if I add e.g. 10.10.8.74 to the VM.

Using the dl_vlan=8 does not help.

Output from ovs-ofctl dump xapi5:

cookie=0x0, duration_sec=1141s, duration_nsec=816000000ns, table_id=1, priority=39000, n_packets=0, n_bytes=0, ip,in_port=5,dl_vlan=8,dl_src=a6:1e:29:3d:69:51,nw_src=10.10.8.73,actions=NORMAL
cookie=0x0, duration_sec=1165s, duration_nsec=593000000ns, table_id=1, priority=38500, n_packets=0, n_bytes=0, arp,in_port=5,dl_vlan=8,dl_src=a6:1e:29:3d:69:51,actions=NORMAL
cookie=0x0, duration_sec=1132s, duration_nsec=273000000ns, table_id=1, priority=38000, n_packets=0, n_bytes=0, in_port=5,dl_vlan=8,actions=drop

Others have used these rules without vlans with success - but I can't figure
out why they don't work on my setup.

[root at node0106 ~]# ovs-ofctl show xapi5
May 02 13:37:07|00001|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
features_reply (xid=0x6980b): ver:0x1, dpid:00005a976383e68c
n_tables:2, n_buffers:256
features: capabilities:0x87, actions:0xfff
 1(bond0): addr:00:23:20:b7:47:73, config: 0, state:0
 2(eth1): addr:00:26:b9:f9:cd:e2, config: 0, state:0
     current:    1GB-FD FIBER AUTO_NEG
     advertised: 1GB-FD AUTO_NEG
     supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER AUTO_NEG
 3(eth0): addr:00:26:b9:f9:cd:e0, config: 0, state:0
     current:    1GB-FD FIBER AUTO_NEG
     advertised: 1GB-FD AUTO_NEG
     supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER AUTO_NEG
 4(xapi6): addr:00:26:b9:f9:cd:e0, config: 0, state:0
 5(xapi13): addr:00:26:b9:f9:cd:e0, config: 0, state:0
 6(xapi8): addr:00:26:b9:f9:cd:e0, config: 0, state:0
 7(xapi2): addr:00:26:b9:f9:cd:e0, config: 0, state:0
 8(vif53.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
 9(vif17.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
 10(vif43.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
 11(vif54.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
 LOCAL(xapi5): addr:00:26:b9:f9:cd:e0, config: 0, state:0

Any ideas are greatly appreciated.

Thanks

Regards
Kristoffer
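An added example, not part of the original post and not Open vSwitch's own tooling: a POSIX sh script that builds a per-VIF anti-spoof flow set keyed on the VIF's own OpenFlow port (in the `ovs-ofctl show xapi5` output above, vif53.0 is port 8, while port 5 is the xapi13 VLAN port), reads that port number out of `ovs-ofctl show` text, and has an `apply` mode that installs the flows and then dumps them so the `n_packets` counters can be read as the check that packets are actually hitting the rules. The function names, the priorities and the DHCP allow rule are assumptions; the flow syntax is the 1.0-era `dl_type`/`nw_proto`/`tp_*` form used in the post, and with `dl_type=0x0806` the `nw_src` field matches the ARP sender protocol address, so the ARP rule pins the advertised IP as well as the MAC.

```shell
#!/bin/sh
# Added example (not from the original post): per-VIF anti-spoof flows for
# Open vSwitch, keyed on the VIF's own OpenFlow port number.
# Assumptions (labelled): function names and priorities are hypothetical;
# flow syntax is the ovs-ofctl 1.0-era form (dl_type/nw_proto/tp_* rather
# than the later arp_spa/udp keywords); the 'apply' mode needs a real ovs-ofctl.

# Constructed fixture in the format of `ovs-ofctl show <bridge>` (port lines
# copied from the show output in the post).
SHOW_OUTPUT=' 5(xapi13): addr:00:26:b9:f9:cd:e0, config: 0, state:0
 8(vif53.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
 9(vif17.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
 LOCAL(xapi5): addr:00:26:b9:f9:cd:e0, config: 0, state:0'

# port_no_for_iface IFACE SHOW_TEXT
# Prints the OpenFlow port number of IFACE from `ovs-ofctl show` text, or
# nothing if IFACE is absent. Regex metacharacters in IFACE are escaped so
# that "vif53.0" cannot match "vif53x0".
port_no_for_iface() {
    _esc=$(printf '%s' "$1" | sed 's/[][\.*^$]/\\&/g')
    printf '%s\n' "$2" | sed -n "s/^ *\([0-9][0-9]*\)(${_esc}):.*/\1/p"
}

# antispoof_flows PORT MAC IP
# Prints one ovs-ofctl flow spec per line for traffic arriving *from* PORT:
#   1. IPv4 only from the assigned MAC and source IP
#   2. DHCP client traffic from the assigned MAC (source IP is 0.0.0.0 before a lease)
#   3. ARP only from the assigned MAC and with the assigned IP as sender address
#      (with dl_type=0x0806, nw_src matches the ARP sender protocol address)
#   4. everything else from that port is dropped
antispoof_flows() {
    _port=$1; _mac=$2; _ip=$3
    printf '%s\n' \
        "in_port=${_port},priority=39000,dl_type=0x0800,dl_src=${_mac},nw_src=${_ip},idle_timeout=0,actions=normal" \
        "in_port=${_port},priority=38900,dl_type=0x0800,nw_proto=17,dl_src=${_mac},tp_src=68,tp_dst=67,idle_timeout=0,actions=normal" \
        "in_port=${_port},priority=38500,dl_type=0x0806,dl_src=${_mac},nw_src=${_ip},idle_timeout=0,actions=normal" \
        "in_port=${_port},priority=38000,idle_timeout=0,actions=drop"
}

# apply_antispoof BRIDGE IFACE MAC IP
# Resolves IFACE to its port on BRIDGE, installs the flows, then dumps the
# flows for that port so the n_packets counters can be read: a rule that
# stays at n_packets=0 while the VM is sending is not on the packet's path.
apply_antispoof() {
    _bridge=$1; _iface=$2
    _show=$(ovs-ofctl show "$_bridge") || return 1
    _p=$(port_no_for_iface "$_iface" "$_show")
    [ -n "$_p" ] || { echo "no port named $_iface on $_bridge" >&2; return 1; }
    antispoof_flows "$_p" "$3" "$4" | while IFS= read -r _flow; do
        ovs-ofctl add-flow "$_bridge" "$_flow"
    done
    ovs-ofctl dump-flows "$_bridge" | grep -E "in_port=${_p}(,|$)"
}

# With no arguments the script only defines the functions above.
case "${1:-}" in
    apply) shift; apply_antispoof "$@" ;;
esac
```

On the host it would be run as `sh antispoof.sh apply xapi5 vif53.0 a6:1e:29:3d:69:51 10.10.8.73`. The drop rule is deliberately the lowest priority of the set and carries no `dl_type`, so it catches IPv6, stray VLAN-tagged frames and anything else the allow rules do not name; the counters printed at the end are the first thing to read after adding rules, before reasoning about what the match fields mean.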