[ovs-discuss] 'DROP' functionality of ebtables using OpenVSwitch

Kaushal Shubhank kshubhank at gmail.com
Mon Apr 16 18:32:57 UTC 2012


Hello,

I was able to solve the problem mentioned in my last update. I modified the
actions for the port 80 traffic by changing the MAC address of the packets
to that of the bridge, and the packets started hitting the kernel and
subsequently the Squid proxy. Also I explicitly gave in_ports in the same
rules depending on where the packets were coming from.

sudo ovs-ofctl add-flow br0 "priority=1,in_port=1,action=output:2"
sudo ovs-ofctl add-flow br0 "priority=1,in_port=2,action=output:1"
sudo ovs-ofctl add-flow br0 "priority=2,in_port=2,tcp,tp_src=80,action=mod_dl_dst:<BRIDGE_MAC>,LOCAL"
sudo ovs-ofctl add-flow br0 "priority=2,in_port=1,tcp,tp_dst=80,action=mod_dl_dst:<BRIDGE_MAC>,LOCAL"

Port 1 is towards the internal network and port 2 towards the Internet.

Will come back if I have more doubts in using OpenVSwitch.

Regards,
Kaushal

On Fri, Apr 13, 2012 at 1:30 AM, Kaushal Shubhank <kshubhank at gmail.com> wrote:

> Thanks Ben for the suggestion. This is what I did.
>
> sudo ovs-ofctl add-flow br0 "priority=1,in_port=1,action=output:2"
> sudo ovs-ofctl add-flow br0 "priority=1,in_port=2,action=output:1"
> sudo ovs-ofctl add-flow br0 "priority=2,tcp,tp_src=80,action=LOCAL"
> sudo ovs-ofctl add-flow br0 "priority=2,tcp,tp_dst=80,action=LOCAL"
>
> br0 has the ports 1 (eth5) and 2 (eth6).
>
> I could see port 80 packets sent to br0 (via tcpdump), but they are not
> being picked up by iptables. I use iptables to send the packets to squid
> via TPROXY (iptables commands given below). What am I missing?
>
>     iptables -t mangle -N DIVERT
>     iptables -t mangle -A DIVERT -j MARK --set-mark 1
>     iptables -t mangle -A DIVERT -j ACCEPT
>     iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
>     iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3140 --tproxy-mark 1
>
> -Kaushal
>
>
>
> On Sun, Apr 8, 2012 at 8:56 PM, Ben Pfaff <blp at nicira.com> wrote:
>
>> If you want to route a packet through the Linux routing stack, then you
>> should deliver the packet to an "internal" network device with an output
>> action.
>>
>> On Sun, Apr 08, 2012 at 04:45:53PM +0530, Kaushal Shubhank wrote:
>> > Thanks Justin for the reply. I should have been more clear about the
>> > DROP action that I want to use.
>> >
>> > The action DROP in ebtables in the 'broute' table actually sends the
>> > packet to be routed while ACCEPT sends it to be bridged. The DROP in
>> > ovs-ofctl actually drops the packet.
>> >
>> > By sending the port 80 packets to routing process (by DROPping them
>> > via ebtables), I want to set the 'fwmark' which iptables later will
>> > read and decide the path of the packet.
>> >
>> > I figured action=NORMAL would send the packets to the routing process,
>> > but it seems I am missing something very basic here. Please advise.
>> >
>> > -Kaushal
>> >
>> > On 4/6/12, Justin Pettit <jpettit at nicira.com> wrote:
>> > > You can drop packets by using the "drop" action.  It's equivalent to not
>> > > listing any actions.  Keep in mind the rules you've specified overlap, so
>> > > you'll need priorities to disambiguate them.  (This was just discussed in
>> > > the "icmp paket matching ip packet rule" thread.)
>> > >
>> > > --Justin
>> > >
>> > >
>> > > On Apr 6, 2012, at 2:57 AM, Kaushal Shubhank wrote:
>> > >
>> > >> Hello,
>> > >>
>> > >> I was reading about OpenVSwitch and really appreciated the concept. I am a
>> > >> newbie and do not have a good understanding of OVS yet. I installed OVS
>> > >> and I was able to create a bridge reading the instructions.
>> > >>
>> > >> I read that ebtables is useless in case of OVS and ovs-ofctl can do things
>> > >> similar to ebtables.
>> > >>
>> > >> I want to filter packets for port 80 http traffic only. For this I
>> > >> was using ebtables operating on a Linux bridge. But with ovs I was able to
>> > >> add a flow but I am not sure on how to get the ebtables -j DROP type
>> > >> functionality using OVS.
>> > >>
>> > >> The commands which I used with ovs-ofctl were as follows:
>> > >>
>> > >> ovs-ofctl add-flow br0 "in_port=ANY out_port=ANY action=NORMAL" # for my bridge traffic
>> > >> ovs-ofctl add-flow br0 "in_port=1 tcp, tp_src=80 action=NORMAL"
>> > >> ovs-ofctl add-flow br0 "in_port=2 tcp, tp_dst=80 action=NORMAL"
>> > >>
>> > >> I also tried using action=LOCAL but then I was not able to use port 80
>> > >> traffic below the bridge.
>> > >>
>> > >> Any help on this will be appreciated. If there is some documentation out
>> > >> there with examples for a similar case kindly redirect me to it.
>> > >>
>> > >> PS: I have no VMs in my system and I was wondering whether I can use the
>> > >> capabilities of the OVS bridge, which is transparent to a VLAN trunk, so that I can
>> > >> filter port 80 traffic from different VLANs.
>> > >>
>> > >> {Router, Gateway}
>> > >>          | |
>> > >>          | |
>> > >>          | |{VLAN TRUNK}
>> > >>          {OVS- BRIDGE}
>> > >>          | |
>> > >>          | |
>> > >>          | |{Local Network}
>> > >> _______________________________________________
>> > >> discuss mailing list
>> > >> discuss at openvswitch.org
>> > >> http://openvswitch.org/mailman/listinfo/discuss
>> > >
>> > >
>>
>
>
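The thread turns on two OpenFlow details: overlapping rules need distinct priorities (Justin's point), and getting port 80 traffic into the Linux stack for TPROXY requires outputting to LOCAL with the destination MAC rewritten to the bridge's own address (Kaushal's final rules). The following is an added example, not code from the thread or from Open vSwitch: a small model of flow-table lookup that parses the ovs-ofctl rules posted above and shows which rule wins for a given packet and what it does to it. The parser only understands the handful of fields and actions used in the thread, the packets are plain dicts, and BRIDGE_MAC is a constructed stand-in for the <BRIDGE_MAC> placeholder.

```python
import re

BRIDGE_MAC = "02:00:00:00:00:01"  # constructed stand-in for <BRIDGE_MAC>

# The four rules from the final message, with the placeholder substituted.
FLOWS = [
    "priority=1,in_port=1,action=output:2",
    "priority=1,in_port=2,action=output:1",
    f"priority=2,in_port=2,tcp,tp_src=80,action=mod_dl_dst:{BRIDGE_MAC},LOCAL",
    f"priority=2,in_port=1,tcp,tp_dst=80,action=mod_dl_dst:{BRIDGE_MAC},LOCAL",
]

# The earlier attempt quoted in the thread, without priorities (assumed
# for illustration; ovs-ofctl gives omitted priorities the default 32768).
FLOWS_NO_PRIORITY = [
    "in_port=1,action=output:2",
    "in_port=1,tcp,tp_dst=80,action=LOCAL",
]


def parse_flow(spec):
    """Split an add-flow string into (priority, match dict, action list).
    Accepts both 'action=' (as used in the thread) and 'actions='."""
    parts = re.split(r",?\bactions?=", spec, maxsplit=1)
    match_part = parts[0]
    action_part = parts[1] if len(parts) > 1 else ""  # no actions == drop
    priority = 32768  # OpenFlow default when the rule omits priority
    match = {}
    for field in filter(None, match_part.split(",")):
        key, _, value = field.strip().partition("=")
        if key == "priority":
            priority = int(value)
        elif key == "tcp":
            match["proto"] = "tcp"
        else:
            match[key] = int(value) if value.isdigit() else value
    actions = [a for a in action_part.split(",") if a]
    return priority, match, actions


def lookup(table, pkt):
    """Return the single highest-priority flow matching pkt, or None.
    Several flows tying at the top priority is exactly the overlap the
    thread warns about: OpenFlow leaves the choice undefined, so raise."""
    hits = [f for f in table if all(pkt.get(k) == v for k, v in f[1].items())]
    if not hits:
        return None
    top = max(f[0] for f in hits)
    best = [f for f in hits if f[0] == top]
    if len(best) > 1:
        raise ValueError(f"{len(best)} overlapping flows tie at priority {top}")
    return best[0]


def is_ambiguous(table, pkt):
    """True when the table cannot pick a unique flow for pkt."""
    try:
        lookup(table, pkt)
    except ValueError:
        return True
    return False


def forward(table, pkt):
    """Apply the winning flow's actions; return (dl_dst after actions, outputs).
    An empty output list means the packet goes nowhere, i.e. it is dropped."""
    flow = lookup(table, pkt)
    dl_dst, outputs = pkt["dl_dst"], []
    if flow is None:
        return dl_dst, outputs  # no matching flow: nothing applied in this model
    for act in flow[2]:
        if act.startswith("mod_dl_dst:"):
            dl_dst = act[len("mod_dl_dst:"):]  # rewrite so the host stack accepts it
        elif act.startswith("output:"):
            outputs.append(act[len("output:"):])
        elif act == "LOCAL":
            outputs.append("LOCAL")  # the bridge's internal port -> kernel stack
        elif act != "drop":
            raise ValueError(f"unsupported action {act}")
    return dl_dst, outputs


TABLE = [parse_flow(f) for f in FLOWS]
TABLE_NO_PRIORITY = [parse_flow(f) for f in FLOWS_NO_PRIORITY]


def lan_http_request():
    """Constructed packet: LAN client on port 1 talking to a web server."""
    return {"in_port": 1, "proto": "tcp", "tp_src": 40000, "tp_dst": 80,
            "dl_dst": "00:11:22:33:44:55"}


def lan_ssh_request():
    """Constructed packet: LAN client on port 1, not HTTP."""
    return {"in_port": 1, "proto": "tcp", "tp_src": 40001, "tp_dst": 22,
            "dl_dst": "00:11:22:33:44:55"}


if __name__ == "__main__":
    print(forward(TABLE, lan_http_request()))   # rewritten MAC, sent to LOCAL
    print(forward(TABLE, lan_ssh_request()))    # untouched, bridged to port 2
    print(is_ambiguous(TABLE_NO_PRIORITY, lan_http_request()))  # True
```

Running it shows the HTTP request leaving for LOCAL with the bridge MAC as destination while other traffic is simply bridged, and that the same packet against the priority-less table cannot be resolved at all. A rule with `action=drop` and a rule with no actions both yield an empty output list, which is the equivalence Justin describes.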