[ovs-discuss] 'DROP' functionality of ebtables using OpenVSwitch

Kaushal Shubhank kshubhank at gmail.com
Sun Apr 8 11:15:53 UTC 2012


Thanks Justin for the reply. I should have been more clear about the
DROP action that I want to use.

The action DROP in ebtables in the 'broute' table actually sends the
packet to be routed while ACCEPT sends it to be bridged. The DROP in
ovs-ofctl actually drops the packet.

By sending the port 80 packets to the routing process (by DROPping them
via ebtables), I want to set the 'fwmark' which iptables later will
read and decide the path of the packet.

I figured action=NORMAL would send the packets to the routing process,
but it seems I am missing something very basic here. Please advise.

-Kaushal

On 4/6/12, Justin Pettit <jpettit at nicira.com> wrote:
> You can drop packets by using the "drop" action.  It's equivalent to not
> listing any actions.  Keep in mind the rules you've specified overlap, so
> you'll need priorities to disambiguate them.  (This was just discussed in
> the "icmp paket matching ip packet rule" thread.)
>
> --Justin
>
>
> On Apr 6, 2012, at 2:57 AM, Kaushal Shubhank wrote:
>
>> Hello,
>>
>> I was reading about OpenVSwitch and really appreciated the concept. I am a
>> newbie and do not have a good understanding of OVS yet. I installed OVS
>> and I was able to create a bridge reading the instructions.
>>
>> I read that ebtables is useless in case of OVS and ovs-ofctl can do things
>> similar to ebtables.
>>
>> I want to filter packets for port 80 http traffic only. For this I
>> was using ebtables operating on a Linux bridge. But with ovs I was able to
>> add flows but I am not sure how to get the ebtables -j DROP type
>> functionality using OVS.
>>
>> The commands which I used with ovs-ofctl were as follows:
>>
>> ovs-ofctl add-flow br0 "in_port=ANY out_port=ANY action=NORMAL" # for my bridge traffic
>> ovs-ofctl add-flow br0 "in_port=1 tcp, tp_src=80 action=NORMAL"
>> ovs-ofctl add-flow br0 "in_port=2 tcp, tp_dst=80 action=NORMAL"
>>
>> I also tried using action=LOCAL but then I was not able to use port 80
>> traffic below the bridge.
>>
>> Any help on this will be appreciated. If there is some documentation out
>> there with examples for a similar case kindly redirect me to it.
>>
>> PS: I have no VMs in my system and I was wondering whether I can use the
>> capabilities of OVS bridge which is transparent to VLAN trunk where I can
>> filter port 80 traffic from different VLANs.
>>
>> {Router, Gateway}
>>          | |
>>          | |
>>          | |{VLAN TRUNK}
>>          {OVS- BRIDGE}
>>          | |
>>          | |
>>          | |{Local Network}