[ovs-discuss] OVS & iptables

Jesse Gross jesse at nicira.com
Mon Feb 6 21:33:45 UTC 2012

On Mon, Feb 6, 2012 at 7:21 AM, Mike Bursell <mike.bursell at citrix.com> wrote:
> Given that there are a number of hooks provided by netfilter, when using OVS, at which point do the OVS rules get applied with respect to the netfilter hooks for things like iptables, please?
> Also, does the use of OVS disable any of the netfilter hooks, or are they completely independent of each other?
> I guess the underlying question is: what interactions might be expected between OVS and netfilter hook-using components?  What's considered safe, and what isn't?  I could see some pretty confusing behaviours if they start interacting in unexpected ways.  Are there any differences in behaviour between ebtables, iptables and arptables in this context?
> Given that there's some overlap in the capabilities of iptables and OVS, is it expected that people would/should use both iptables and OVS at the same time, or would we expect OVS to be used to replace iptables in all cases?

It doesn't disable any hooks per se but those that reside in the
bridge module won't get called because traffic doesn't flow through
the bridge.  Specifically, ebtables won't have any effect.  For
things like filtering or anti-spoofing where you might use ebtables or
arptables it makes sense to use the equivalent OVS mechanisms (and for
complex rule sets OVS will be faster).  If the packet passes through
the IP stack for routing or NAT then iptables will have an effect and
it makes sense to use it for those types of stateful or ALG-based
mechanisms since OVS isn't really set up to handle that.

In other words, it replaces the link-layer section of your diagram.
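An added example, not part of Jesse's message or the OVS project's own code, of the "equivalent OVS mechanisms" he points to for anti-spoofing: per-port OpenFlow flows that pin a VM port to one MAC and one IPv4 address, in place of an ebtables/arptables rule set. Bridge br0, OpenFlow port 1, and the MAC/IP values are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Assumed values: bridge br0, a VM on
# OpenFlow port 1 with MAC 52:54:00:aa:bb:01 and IP 10.0.0.11.

# Print the OpenFlow entries that allow only the expected MAC/IP pair from
# one port. High-priority entries admit exactly the expected addresses; a
# low-priority catch-all drops everything else from that port, which is
# what ebtables/arptables would have done on a Linux bridge.
antispoof_flows() {
    port=$1; mac=$2; ip=$3
    # ARP: only frames whose sender hardware/protocol address is the VM's own
    printf 'table=0,priority=100,in_port=%s,dl_src=%s,arp,arp_sha=%s,arp_spa=%s,actions=normal\n' \
        "$port" "$mac" "$mac" "$ip"
    # IPv4: only packets sourced from the VM's own MAC and IP
    printf 'table=0,priority=100,in_port=%s,dl_src=%s,ip,nw_src=%s,actions=normal\n' \
        "$port" "$mac" "$ip"
    # Everything else arriving on this port is dropped in the switch, so it
    # never reaches the IP stack (and therefore never reaches iptables)
    printf 'table=0,priority=10,in_port=%s,actions=drop\n' "$port"
}

# Load the generated flows into the bridge with ovs-ofctl. The real command
# only runs when ovs-ofctl is installed, so the script is safe to dry-run.
install_antispoof() {
    bridge=$1; shift
    flows=$(mktemp)
    antispoof_flows "$@" > "$flows"
    if command -v ovs-ofctl >/dev/null 2>&1; then
        ovs-ofctl add-flows "$bridge" "$flows"
    fi
    rm -f "$flows"
}

install_antispoof br0 1 52:54:00:aa:bb:01 10.0.0.11
```

Verify with `ovs-ofctl dump-flows br0`; the default priority-0 NORMAL flow remains for other ports, and spoofed frames on port 1 show up as hits on the priority-10 drop entry.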

