[ovs-discuss] Anti-spoof rules with vlans on XCP (XENSERVER)...

Tomohiro Kasugait tokoro2k2 at gmail.com
Tue May 3 04:18:32 UTC 2011


Hi Kristoffer,

Are you receive

I checked my environment for your issue.
I think your ovs-ofctl flows don't receive the responses to their own traffic.

In your situation:
1. ARP function
   ARP request; from a6:1e:29:3d:69:51 to FF:FF:FF:FF:FF:FF <= "Permit"
   ARP reply; from MAC of target to a6:1e:29:3d:69:51 <= "Deny"
2. PING function
   ICMP echo request; from a6:1e:29:3d:69:51 to ******* <= "Permit"
   ICMP echo reply; from ******* to a6:1e:29:3d:69:51 <= "Deny"

And I think your filter doesn't need an IP address for the PING filter,
because a MAC address only has one IP address, and so is related to
one VIF.
Would you like to set a filter on your "vif[dom-id].[eth id]"?

#My test filter
#deny filter from 172.16.1.1
-------------------
ovs-ofctl del-flows xapi7
ovs-ofctl add-flow xapi7 "priority=30002 dl_type=0x0806
dl_dst=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=30000 dl_type=0x0806
dl_src=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=20001 ip dl_dst=92:e0:5b:93:5f:50
idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=20000 ip dl_src=92:e0:5b:93:5f:50
idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=10000 ip nw_src=192.168.0.0/16
nw_dst=192.168.0.0/16 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=0 idle_timeout=0 actions=drop"

ovs-ofctl dump-flows xapi7
-------------------

Vif level flow filter
-------------------
ovs-ofctl del-flows xapi7
ovs-ofctl add-flow xapi7 "priority=20002 in_port=7 ip
nw_src=172.16.1.0/24 nw_dst=172.16.1.0/24 idle_timeout=0 action=drop"
ovs-ofctl add-flow xapi7 "priority=0 idle_timeout=0 actions=NORMAL"

ovs-ofctl dump-flows xapi7
-------------------

##################################################################
quotation from Knowledge Base of Citrix
-------------------
Note: VIF names are dynamically created on VM start. Vif names are
constructed with the following structure vifx.y, where x is the domain
id of the VM and y is the device number. The dynamic part of the name
is the domain ID because it may change on VM start.

xe vm-list name-label=<name of vm> params=dom-id
Example: xe vm-list name-label=cps_att params=dom-id
dom-id ( RO)    : 16

Identify the VIF device number.

xe vif-list vm-name-label=<name of vm>
Example: xe vif-list vm-name-label=cps_att params=device
device ( RO)    : 0
-------------------

Knowledge Base of Citrix
http://support.citrix.com/article/CTX120869
Knowledge Base of Citrix (in Japanese)
http://support.citrix.com/article/CTX122455


vif"xx"."yy"
=> xx: dom id, yy: eth id
(e.g. vif14.0 <= dom id: 14, eth id: 0)

e.g. How to find the vif interface name for eth0 of 64-EN-Cent5-Pool5-1

check dom id
-------------------
[root at vmatsuno1 ~]# xe vm-list name-label=64-EN-Cent5-Pool5-1 params=dom-id
dom-id ( RO)    : 14
-------------------

check vif list of VM
-------------------
[root at vmatsuno1 ~]# xe vif-list vm-name-label=64-EN-Cent5-Pool5-1 params=device
device ( RO)    : 1


device ( RO)    : 0
-------------------

check status of vif14.0 with ifconfig command
-------------------
[root at vmatsuno1 ~]# ifconfig vif14.0
vif14.0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:238667 errors:0 dropped:0 overruns:0 frame:0
          TX packets:85413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:19558756 (18.6 MiB)  TX bytes:7912064 (7.5 MiB)
-------------------
##################################################################

Kind regards,
Kasugai

2011/5/3 Ben Pfaff <blp at nicira.com>:
> On Mon, May 02, 2011 at 01:43:36PM +0200, Kristoffer Egefelt wrote:
>> I'm trying to add rules to ovs to prevent virtual machines stealing ip
>> addresses from each other.
>> Using XCP, based on XENSERVER 5.6fp1 with ovs version 1.0.2.
>
> Your setup looks OK to me.  I see that none of your rules have any
> hits.  That's odd--it seems likely that the switch has fallen into
> "fail open" mode.  Do you have a controller configured?
>
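The vif-level filter in the reply above pins one VIF to its own addresses with an in_port match. The script below is an added example (not code from the post or from the Open vSwitch project) that generalises it into per-VIF anti-spoofing flows: traffic entering the VIF's port is permitted only when it carries the VIF's own MAC and IP, for both ARP (dl_src, arp_sha, arp_spa) and IPv4 (dl_src, nw_src), and everything else from that port is dropped. A priority-0 NORMAL rule is kept so that ARP replies and ICMP echo replies, which arrive on other ports, still reach the VIF, which is the symptom diagnosed in the reply. The bridge name xapi7, the port number 7 and the MAC a6:1e:29:3d:69:51 come from the thread; the IP 172.16.1.10 and the VM name are constructed sample values.

```shell
#!/bin/sh
# Added example: per-VIF anti-spoofing flows for an Open vSwitch bridge.
# Bridge "xapi7", in_port 7 and the MAC below match the thread; the IP
# 172.16.1.10 and the VM name are constructed sample values.

OVS_OFCTL="${OVS_OFCTL:-ovs-ofctl}"

# vif_ofport VM_NAME ETH_ID
# Resolves a VM's ethN to its OpenFlow port number on a XenServer host:
# the vifX.Y name is built from the VM's dom-id, the port comes from ovs-vsctl.
# Needs xe and ovs-vsctl; only used by apply_antispoof.
vif_ofport() {
    domid=$(xe vm-list name-label="$1" params=dom-id --minimal) || return 1
    ovs-vsctl get Interface "vif${domid}.$2" ofport
}

# antispoof_flows IN_PORT MAC IP
# Prints the flow specs (one per line) that pin IN_PORT to MAC/IP:
#  - ARP from the VIF must carry its own MAC and IP (dl_src, arp_sha, arp_spa)
#  - IPv4 from the VIF must carry its own MAC and IP (dl_src, nw_src)
#  - anything else entering from the VIF's port is dropped
# Frames entering from other ports are not matched here, so replies to the
# VIF are left to the catch-all NORMAL rule installed by apply_antispoof.
antispoof_flows() {
    port=$1; mac=$2; ip=$3
    printf 'priority=30000,in_port=%s,arp,dl_src=%s,arp_sha=%s,arp_spa=%s,actions=NORMAL\n' \
        "$port" "$mac" "$mac" "$ip"
    printf 'priority=30000,in_port=%s,ip,dl_src=%s,nw_src=%s,actions=NORMAL\n' \
        "$port" "$mac" "$ip"
    printf 'priority=20000,in_port=%s,actions=drop\n' "$port"
}

# apply_antispoof BRIDGE IN_PORT MAC IP
# Installs the per-VIF flows plus a priority-0 NORMAL catch-all so that
# ARP replies and ICMP echo replies arriving from other ports still reach
# the VIF.  "ovs-ofctl add-flows BRIDGE -" reads the flow list from stdin.
apply_antispoof() {
    bridge=$1
    {
        antispoof_flows "$2" "$3" "$4"
        printf 'priority=0,actions=NORMAL\n'
    } | "$OVS_OFCTL" add-flows "$bridge" -
}

# Stand-alone run: print the flow specs for the sample VIF without touching
# OVS.  On a host you would instead run, for example:
#   port=$(vif_ofport sample-vm 0) && apply_antispoof xapi7 "$port" \
#       a6:1e:29:3d:69:51 172.16.1.10
antispoof_flows 7 a6:1e:29:3d:69:51 172.16.1.10
```

Because the drop rule matches only on in_port, it cannot interfere with traffic coming from other VIFs or from the physical uplink; each VIF gets its own three-rule set and the catch-all is shared. Checking `ovs-ofctl dump-flows xapi7` after installation should show n_packets rising on the permit rules as the guest sends ARP and IP traffic, and on the drop rule only if the guest tries a foreign MAC or IP.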
