[ovs-discuss] Anti-spoof rules with vlans on XCP (XENSERVER)...
Tomohiro Kasugait
tokoro2k2 at gmail.com
Tue May 3 04:18:32 UTC 2011
Hi Kristoffer,
Are you receiving?
I checked my environment for your issue.
I think your ovs-ofctl flows don't receive the responses to their own traffic.
In your situation:
1. ARP function
ARP request; from a6:1e:29:3d:69:51 to FF:FF:FF:FF:FF:FF <= "Permit"
ARP reply; from MAC of target to a6:1e:29:3d:69:51 <= "Deny"
2. PING function
ICMP echo request; from a6:1e:29:3d:69:51 to ******* <= "Permit"
ICMP echo reply; from ******* to a6:1e:29:3d:69:51 <= "Deny"
And, I think your filter doesn't need an IP address for the PING filter,
because a MAC address has only one IP address, so there is one
related VIF.
Would you like to set the filter on your "vif[dom-id].[eth id]"?
#My test filter
#deny filter from 172.16.1.1
-------------------
ovs-ofctl del-flows xapi7
ovs-ofctl add-flow xapi7 "priority=30002 dl_type=0x0806 dl_dst=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=30000 dl_type=0x0806 dl_src=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=20001 ip dl_dst=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=20000 ip dl_src=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=10000 ip nw_src=192.168.0.0/16 nw_dst=192.168.0.0/16 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=0 idle_timeout=0 actions=drop"
ovs-ofctl dump-flows xapi7
-------------------
VIF-level flow filter
-------------------
ovs-ofctl del-flows xapi7
ovs-ofctl add-flow xapi7 "priority=20002 in_port=7 ip nw_src=172.16.1.0/24 nw_dst=172.16.1.0/24 idle_timeout=0 action=drop"
ovs-ofctl add-flow xapi7 "priority=0 idle_timeout=0 actions=NORMAL"
ovs-ofctl dump-flows xapi7
-------------------
##################################################################
Quotation from the Citrix Knowledge Base
-------------------
Note: VIF names are dynamically created on VM start. VIF names are
constructed with the following structure vifx.y, where x is the domain
ID of the VM and y is the device number. The dynamic part of the name
is the domain ID because it may change on VM start.
xe vm-list name-label=<name of vm> params=dom-id
Example: xe vm-list name-label=cps_att params=dom-id
dom-id ( RO) : 16
Identify the VIF device number.
xe vif-list vm-name-label=<name of vm>
Example: xe vif-list vm-name-label=cps_att params=device
device ( RO) : 0
-------------------
Citrix Knowledge Base
http://support.citrix.com/article/CTX120869
Citrix Knowledge Base (in Japanese)
http://support.citrix.com/article/CTX122455
vif"xx"."yy"
=> xx: dom id, yy: eth id
(e.g. vif14.0 <= dom id: 14, eth id: 0)
e.g. How to find the vif interface name for eth0 of 64-EN-Cent5-Pool5-1
check dom id
-------------------
[root@vmatsuno1 ~]# xe vm-list name-label=64-EN-Cent5-Pool5-1 params=dom-id
dom-id ( RO) : 14
-------------------
check vif list of VM
-------------------
[root@vmatsuno1 ~]# xe vif-list vm-name-label=64-EN-Cent5-Pool5-1 params=device
device ( RO) : 1
device ( RO) : 0
-------------------
Check the status of vif14.0 with the ifconfig command
-------------------
[root@vmatsuno1 ~]# ifconfig vif14.0
vif14.0 Link encap:Ethernet HWaddr FE:FF:FF:FF:FF:FF
UP BROADCAST RUNNING NOARP MTU:1500 Metric:1
RX packets:238667 errors:0 dropped:0 overruns:0 frame:0
TX packets:85413 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:32
RX bytes:19558756 (18.6 MiB) TX bytes:7912064 (7.5 MiB)
-------------------
##################################################################
Kind regards,
Kasugai
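The flow lookup this reply reasons about, as an added example that is not part of the post: a small Python model of how an OpenFlow table picks the highest-priority matching flow, loaded with the post's anti-spoof flows for 92:e0:5b:93:5f:50 and fed constructed ARP and IP frames. The matcher, the packet dicts and the spoofer MAC are assumptions for this illustration, not Open vSwitch code.

```python
import ipaddress

# Added example: a simplified model of OpenFlow table lookup (highest priority
# wins, table miss drops), supporting only the match fields the post's flows use.
def parse_flow(flow):
    """Turn one ovs-ofctl add-flow string into {'priority', 'match', 'action'}."""
    match = {}
    for tok in flow.split():
        if tok == "ip":                      # ovs-ofctl shorthand for dl_type=0x0800
            match["dl_type"] = "0x0800"
            continue
        key, val = tok.split("=", 1)
        match[key] = val
    prio = int(match.pop("priority", 32768))
    act = match.pop("actions", match.pop("action", "drop")).lower()  # post uses both spellings
    match.pop("idle_timeout", None)          # timeouts do not affect matching
    return {"priority": prio, "match": match, "action": act}

def _field_ok(key, want, pkt):
    if key not in pkt:                       # e.g. an ARP frame carries no nw_src here
        return False
    have = str(pkt[key])
    if key in ("nw_src", "nw_dst"):          # CIDR match on IPv4 addresses
        return ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    if key in ("dl_type", "in_port"):        # numeric compare, hex or decimal
        return int(have, 0) == int(want, 0)
    return have.lower() == want.lower()      # MAC addresses

def lookup(flows, pkt):
    # Highest-priority matching flow decides; the empty match (priority=0) catches the rest.
    for f in sorted(flows, key=lambda f: -f["priority"]):
        if all(_field_ok(k, v, pkt) for k, v in f["match"].items()):
            return f["action"]
    return "drop"

VM_MAC = "92:e0:5b:93:5f:50"                 # the VIF MAC from the post's test filter
ANTI_SPOOF = [parse_flow(f) for f in (
    f"priority=30002 dl_type=0x0806 dl_dst={VM_MAC} idle_timeout=0 action=normal",
    f"priority=30000 dl_type=0x0806 dl_src={VM_MAC} idle_timeout=0 action=normal",
    f"priority=20001 ip dl_dst={VM_MAC} idle_timeout=0 action=normal",
    f"priority=20000 ip dl_src={VM_MAC} idle_timeout=0 action=normal",
    "priority=10000 ip nw_src=192.168.0.0/16 nw_dst=192.168.0.0/16 idle_timeout=0 action=normal",
    "priority=0 idle_timeout=0 actions=drop",
)]

# Constructed frames (the spoofer MAC is made up; the peer MAC is the one from the
# post): the ARP reply a dl_src-only filter would deny, and an IP frame from a foreign MAC.
ARP_REPLY = {"dl_type": "0x0806", "dl_src": "a6:1e:29:3d:69:51", "dl_dst": VM_MAC}
SPOOFED = {"dl_type": "0x0800", "dl_src": "de:ad:be:ef:00:01", "dl_dst": "a6:1e:29:3d:69:51",
           "nw_src": "10.0.0.1", "nw_dst": "10.0.0.3"}
```

Running `lookup(ANTI_SPOOF, ARP_REPLY)` returns `normal` because the priority 30002 dl_dst rule matches the reply, while `lookup(ANTI_SPOOF, SPOOFED)` falls through to the priority 0 drop.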
2011/5/3 Ben Pfaff <blp at nicira.com>:
> On Mon, May 02, 2011 at 01:43:36PM +0200, Kristoffer Egefelt wrote:
>> I'm trying to add rules to ovs to prevent virtual machines stealing ip
>> addresses from each other.
>> Using XCP, based on XENSERVER 5.6fp1 with ovs version 1.0.2.
>
> Your setup looks OK to me. I see that none of your rules have any
> hits. That's odd--it seems likely that the switch has fallen into
> "fail open" mode. Do you have a controller configured?