[ovs-discuss] arp spoofing

faicker mo faicker.mo at gmail.com
Sat May 19 16:02:18 UTC 2012


On 2012-5-19, at 11:11 PM, Ben Pfaff wrote:

> On Sat, May 19, 2012 at 09:30:40PM +0800, faicker mo wrote:
>> I have viewed the ovs-ofctl man page, I found that the arp match has
>> only arp_sha and arp_dha. It can't match the source ip in arp(SPA) and
>> destination ip(DPA) in arp. Without this, the arp spoofing can't be
>> prevented.
> 
> Use nw_src or nw_dst.  This is documented in ovs-ofctl(8).

Sorry for my oversight.

> 
>> 	OVS replaces the bridge default in kernel. Ebtables can't
>> 	work. But now OVS doesn't have enough function to replace
>> 	ebtables. For example, arp_reply module in ebtables.
> 
> No, OVS doesn't replace anything, it provides a supplement.

But when I use OVS, I can't use ebtables. (need bridge module)
> 
>> 	I have successfully realized the broute which is in ebtables by OVS.
> 
> I don't understand that sentence.

For this, OVS replaces ebtables somehow like broute function.
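
The nw_src match on ARP packets mentioned in this thread, used for per-port anti-spoofing; this is an added example, not code from either poster or from the Open vSwitch project. The binding-table format, the priorities, the use of actions=NORMAL and the bridge name br0 are assumptions.

```shell
#!/bin/sh
# Added example: turn "<ofport> <mac> <ipv4>" bindings into ovs-ofctl flows
# that accept ARP from a port only when the Ethernet source, ARP SHA and
# ARP SPA (matched with nw_src) all agree with the binding.
# Constructed sample data, not taken from the thread:
SAMPLE_BINDINGS='1 52:54:00:aa:00:01 10.0.0.11
2 52:54:00:aa:00:02 10.0.0.12'

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    set -- $1                      # split the address into octets
    IFS=$old_ifs
    for o in "$@"; do [ "$o" -le 255 ] || return 1; done
}

# Reads bindings on stdin, writes flows on stdout. Returns non-zero if any
# line was rejected, so the caller can refuse to load a partial rule set.
arp_guard_flows() {
    rc=0
    while read -r port mac ip; do
        [ -n "$port" ] || continue
        if ! printf '%s\n' "$port" | grep -Eq '^[0-9]+$' ||
           ! valid_mac "$mac" || ! valid_ipv4 "$ip"; then
            echo "rejected binding: $port $mac $ip" >&2
            rc=1
            continue
        fi
        # Allow ARP whose sender fields match the binding for this port.
        echo "priority=200,in_port=$port,arp,dl_src=$mac,arp_sha=$mac,nw_src=$ip,actions=NORMAL"
        # Drop every other ARP packet arriving on the same port.
        echo "priority=100,in_port=$port,arp,actions=drop"
    done
    return $rc
}

# Print the flows for the sample bindings. To load them (assumed bridge br0):
#   arp_guard_flows < bindings.txt > flows.txt && ovs-ofctl add-flows br0 flows.txt
printf '%s\n' "$SAMPLE_BINDINGS" | arp_guard_flows
```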
