[ovs-discuss] ovs + iptables + xcp

Jesse Gross jesse at nicira.com
Thu Jul 26 20:36:19 UTC 2012


On Thu, Jul 26, 2012 at 12:40 PM, Luiz Ozaki <luiz.ozaki at locaweb.com.br> wrote:
> On 7/25/12 8:07 PM, pf shineyear wrote:
>
>
> I just want to use ovs + iptables to limit all the input access, like drop
> all requests to ip 10.1.0.3, but only accept all requests sent from the VM, like
> wget www.google.com.
>
> I already use ovs-ofctl to drop all input access from outside, like
> dl_type=0x800,nw_dst=10.1.0.3,action=drop
>
> but iptables cannot work for the requests sent from inside.
>
> Could you please tell me the alternate way to write the rule?
>
>
> dl_type=0x800,nw_src=10.1.0.3,action=normal
>
> So, if the source is 10.1.0.3 (which I think is the VM IP), you do the
> normal action.
>
>
> Hmmm, actually I don't know if it's gonna create the flow to accept the
> response; the packet might go out but get dropped by the
> nw_dst=10.1.0.3,action=drop.

It won't create flows in response.  OVS (and the NORMAL action in
particular) is primarily a switch, not a stateful firewall.
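The point Jesse makes can be seen by walking the two flows from the thread through a stateless match. The following is an added example written for this page; it is not code from the thread or from Open vSwitch. It models OpenFlow-style lookup (highest-priority matching flow wins, nothing remembers earlier packets) and parses the thread's own `ovs-ofctl` rule strings. Assumptions, all labelled in the code: a table miss drops the packet (no controller), the external host `203.0.113.10` stands in for www.google.com, and the wget is TCP to port 80. The third flow (`priority=40000,tcp,...,tp_src=80`) is a constructed "allow replies" rule, included to show why a purely static rule is not a substitute for connection tracking; stateful matching arrived later in OVS (the `ct()` action, OVS 2.5 and newer), long after this 2012 thread.

```python
"""Stateless flow-table walk-through (added example, not from the thread or OVS)."""
from dataclasses import dataclass
from typing import Dict, List

# OVS default priority for flows added without an explicit priority=.
DEFAULT_PRIORITY = 32768
INT_FIELDS = {"dl_type", "nw_proto", "tp_src", "tp_dst"}


@dataclass(frozen=True)
class Packet:
    dl_type: int
    nw_src: str
    nw_dst: str
    nw_proto: int = 6      # TCP unless stated otherwise
    tp_src: int = 0
    tp_dst: int = 0


@dataclass
class Flow:
    match: Dict[str, object]
    action: str
    priority: int = DEFAULT_PRIORITY

    def matches(self, pkt: Packet) -> bool:
        # Every field named in the match must equal the packet's field;
        # fields not named are wildcarded, as in OpenFlow.
        return all(getattr(pkt, k) == v for k, v in self.match.items())


def parse_ovs_flow(spec: str) -> Flow:
    """Parse the ovs-ofctl style 'k=v,k=v,actions=x' strings used in the thread.

    Accepts both 'action=' (as written in the thread) and 'actions=' (ovs-ofctl),
    and the 'tcp' shorthand for dl_type=0x800,nw_proto=6.
    """
    match: Dict[str, object] = {}
    action, priority = "drop", DEFAULT_PRIORITY
    for part in spec.split(","):
        key, _, value = part.strip().partition("=")
        if key in ("action", "actions"):
            action = value
        elif key == "priority":
            priority = int(value)
        elif key == "tcp":
            match.update(dl_type=0x800, nw_proto=6)
        elif key in INT_FIELDS:
            match[key] = int(value, 0)       # base 0 accepts 0x800 and decimal
        elif key in ("nw_src", "nw_dst"):
            match[key] = value
        else:
            raise ValueError(f"unsupported match field: {key}")
    return Flow(match, action, priority)


def lookup(table: List[Flow], pkt: Packet) -> str:
    """Return the action of the highest-priority matching flow.

    Assumption: a table miss drops the packet (no controller attached).
    Overlapping matches at equal priority are undefined in OVS, so the
    model refuses them instead of guessing.
    """
    hits = [f for f in table if f.matches(pkt)]
    if not hits:
        return "drop"
    best = max(f.priority for f in hits)
    winners = [f for f in hits if f.priority == best]
    if len(winners) > 1:
        raise ValueError("overlapping flows at equal priority: result undefined")
    return winners[0].action


# The two flows exactly as they appear in the thread.
THREAD_TABLE = [
    parse_ovs_flow("dl_type=0x800,nw_dst=10.1.0.3,action=drop"),
    parse_ovs_flow("dl_type=0x800,nw_src=10.1.0.3,action=normal"),
]

VM, EXT = "10.1.0.3", "203.0.113.10"          # EXT is a constructed external host
REQUEST = Packet(0x800, VM, EXT, tp_src=40000, tp_dst=80)   # the VM's wget (assumed TCP/80)
REPLY = Packet(0x800, EXT, VM, tp_src=80, tp_dst=40000)     # the HTTP response


def thread_outcome() -> tuple:
    """Request leaves via NORMAL; the reply hits the nw_dst drop rule.

    Nothing in the table recorded that 10.1.0.3 asked for this traffic.
    """
    return lookup(THREAD_TABLE, REQUEST), lookup(THREAD_TABLE, REPLY)


# Constructed static "allow replies" flow: the only stateless option is to
# match on fixed header fields such as the server's source port.
STATIC_REPLY_TABLE = THREAD_TABLE + [
    parse_ovs_flow("priority=40000,tcp,nw_dst=10.1.0.3,tp_src=80,action=normal"),
]


def static_reply_outcome() -> tuple:
    """The static rule admits the reply, but equally any inbound packet that
    merely carries source port 80, because no request is being tracked."""
    unsolicited = Packet(0x800, EXT, VM, tp_src=80, tp_dst=22)
    return lookup(STATIC_REPLY_TABLE, REPLY), lookup(STATIC_REPLY_TABLE, unsolicited)


if __name__ == "__main__":
    print("thread flows (request, reply):", thread_outcome())
    print("static reply flow (reply, unsolicited):", static_reply_outcome())
```

Running it prints `('normal', 'drop')` for the thread's table, which is the behaviour Luiz suspected and Jesse confirms, and `('normal', 'normal')` for the static variant, which is why a reply-allowing flow written without connection tracking widens the inbound policy rather than implementing it.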


