[ovs-discuss] arp spoofing
Ben Pfaff
blp at nicira.com
Sat May 19 15:11:34 UTC 2012
On Sat, May 19, 2012 at 09:30:40PM +0800, faicker mo wrote:
> I have viewed the ovs-ofctl man page, and I found that the ARP match has
> only arp_sha and arp_dha. It can't match the source IP (SPA) and
> destination IP (DPA) in ARP. Without this, ARP spoofing can't be
> prevented.
Use nw_src or nw_dst. This is documented in ovs-ofctl(8).
> OVS replaces the default bridge in the kernel. Ebtables can't
> work. But now OVS doesn't have enough functionality to replace
> ebtables. For example, the arp_reply module in ebtables.
No, OVS doesn't replace anything, it provides a supplement.
> I have successfully realized the broute which is in ebtables by OVS.
I don't understand that sentence.
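
An added example, not part of the original thread: for ARP packets, ovs-ofctl(8) documents nw_src and nw_dst as matching the ARP sender and target protocol addresses, so a per-port allow rule can pin the Ethernet source, arp_sha and nw_src together and drop any other ARP from that port. The bridge name br0, the port numbers, MACs and IPs are constructed sample values; the function only prints the ovs-ofctl commands and does not run them.

```shell
#!/bin/sh
# Added example: emit (not execute) ovs-ofctl rules that pin each port's ARP
# sender fields to a known binding. Bridge name and bindings are constructed.

# arp_guard_flows BRIDGE  -- reads "ofport mac ipv4" lines on stdin.
arp_guard_flows() {
    bridge=$1
    while read -r port mac ip; do
        # Skip blank lines and comments.
        case $port in ''|'#'*) continue ;; esac
        # Reject anything that is not a plain port number, MAC or IPv4 address,
        # so a malformed binding cannot alter the flow string.
        printf '%s\n' "$port" | grep -Eq '^[0-9]+$' \
            || { echo "bad port: $port" >&2; return 1; }
        printf '%s\n' "$mac" | grep -Eiq '^([0-9a-f]{2}:){5}[0-9a-f]{2}$' \
            || { echo "bad mac: $mac" >&2; return 1; }
        printf '%s\n' "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' \
            || { echo "bad ip: $ip" >&2; return 1; }
        # Allow ARP only when the Ethernet source, ARP SHA and ARP SPA (nw_src)
        # all agree with the binding for this port.
        echo "ovs-ofctl add-flow $bridge \"priority=200,arp,in_port=$port,dl_src=$mac,arp_sha=$mac,nw_src=$ip,actions=NORMAL\""
        # Any other ARP arriving on the port is dropped.
        echo "ovs-ofctl add-flow $bridge \"priority=100,arp,in_port=$port,actions=drop\""
    done
}

# Constructed sample bindings: OpenFlow port, VM MAC, VM IPv4 address.
SAMPLE_BINDINGS='1 52:54:00:aa:bb:01 10.0.0.11
2 52:54:00:aa:bb:02 10.0.0.12'

printf '%s\n' "$SAMPLE_BINDINGS" | arp_guard_flows br0
```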