[ovs-discuss] arp spoofing

faicker mo faicker.mo at gmail.com
Mon May 21 02:11:56 UTC 2012


On 2012-5-20, at 12:27 AM, Sergio Kviato wrote:

> 
> 
> Sent from my iPhone
> 
> On May 19, 2012, at 19:02, faicker mo <faicker.mo at gmail.com> wrote:
> 
>> 
>> On 2012-5-19, at 11:11 PM, Ben Pfaff wrote:
>> 
>>> On Sat, May 19, 2012 at 09:30:40PM +0800, faicker mo wrote:
>>>> I have viewed the ovs-ofctl man page, I found that the arp match has
>>>> only arp_sha and arp_dha. It can't match the source ip in arp(SPA) and
>>>> destination ip(DPA) in arp. Without this, the arp spoofing can't be
>>>> prevented.
>>> 
>>> Use nw_src or nw_dst.  This is documented in ovs-ofctl(8).
>> 
>> Sorry for my oversight.
>> 
>>> 
>>>>   OVS replaces the bridge default in kernel. Ebtables can't
>>>>   work. But now OVS doesn't have enough function to replace
>>>>   ebtables. For example, arp_reply module in ebtables.
>>> 
>>> No, OVS doesn't replace anything, it provides a supplement.
>> 
>> But when I use OVS, I can't use ebtables (need bridge module).
> 
> Why do you need ebtables? You can construct rules to block ARP and IP spoofing using ovs-ofctl, for example.
> 
>>> 
>>>>   I have successfully realized the broute which is in ebtables by OVS.
>>> 
>>> I don't understand that sentence.
>> 
>> For this, OVS replaces ebtables 

I need the arp_reply module like in ebtables.
ARP and IP spoofing are realized already by ovs-ofctl.
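
The kind of rule set discussed in this thread (matching the ARP sender IP with nw_src, alongside arp_sha), shown as an added example that is not part of the original messages. The bridge name br0 and the port/MAC/IP bindings are constructed sample values, and static addressing is assumed (frames sourced from 0.0.0.0, such as DHCP requests, would need their own rule).

```shell
#!/bin/sh
# Added example: generate per-port anti-spoofing flows in ovs-ofctl syntax.
# Save the output to a file and load it with: ovs-ofctl add-flows br0 FILE
# (br0 is an assumed bridge name).

# antispoof_flows PORT MAC IP
# Lets PORT send ARP and IPv4 only with its own MAC and IP as source;
# every other ARP/IPv4 frame arriving on that port is dropped.
antispoof_flows() {
    port=$1 mac=$2 ip=$3
    # ARP: Ethernet source, ARP SHA and ARP SPA (nw_src on ARP) must all match.
    echo "priority=200,in_port=$port,arp,dl_src=$mac,arp_sha=$mac,nw_src=$ip,actions=NORMAL"
    # IPv4: Ethernet source and IP source must match the binding.
    echo "priority=200,in_port=$port,ip,dl_src=$mac,nw_src=$ip,actions=NORMAL"
    # Lower priority catch-all for spoofed ARP or IPv4 from this port.
    echo "priority=100,in_port=$port,arp,actions=drop"
    echo "priority=100,in_port=$port,ip,actions=drop"
}

# build_flow_table: reads "PORT MAC IP" lines on stdin and prints the flows.
# A malformed binding aborts with status 1 so a bad table is never loaded.
build_flow_table() {
    while read -r port mac ip; do
        case $port in ''|'#'*) continue ;; esac      # skip blanks and comments
        case $port in *[!0-9]*)
            echo "bad port: $port" >&2; return 1 ;;
        esac
        echo "$mac" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$' ||
            { echo "bad MAC: $mac" >&2; return 1; }
        echo "$ip" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' ||
            { echo "bad IP: $ip" >&2; return 1; }
        antispoof_flows "$port" "$mac" "$ip"
    done
}

# Constructed sample bindings: two VM ports on the bridge.
build_flow_table <<'EOF'
# port  mac                ip
1       52:54:00:aa:bb:01  10.0.0.11
2       52:54:00:aa:bb:02  10.0.0.12
EOF
```
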



