[ovs-discuss] Allow returning traffic in a filtered VM

Oriol Marti omarti at cesca.cat
Thu Mar 14 20:42:46 UTC 2013


Hello, I'm searching for a solution to allow the returning traffic for a VM when
all the ports, or most of them, are filtered.
I'm filtering with ovs-ofctl with masks; for example, for a given VM, if I want to
allow only ports 80 and 22 incoming I execute:

ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x10/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x14/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x17/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x18/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x20/0xffe0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x40/0xfff0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x51/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x52/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x54/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x58/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x60/0xffe0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x80/0xff80,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x100/0xff00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x200/0xfe00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x400/0xfc00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x800/0xf800,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1000/0xf000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2000/0xe000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4000/0xc000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8000/0x8000,actions=drop

But with all the incoming ports filtered I've seen that the returning traffic,
when I'm doing for example a wget from the VM, is filtered too. This is caused
because the connection is made on a random port in the VM starting the
connection, and when it returns it is filtered. I don't know if there is something
like ESTABLISHED in iptables to detect the established traffic.
Maybe there is a flag in the returning packets that I can check with the rules
in ovs-ofctl?
Does anybody know a solution for this scenario?

Cheers,
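The 24 drop rules in the post are a hand-written prefix decomposition of "every TCP port except 22 and 80" into the value/mask pairs that ovs-ofctl's masked tp_dst match can express. The script below is an added example (not code from the post and not Open vSwitch project code) that does the same decomposition for any allow-list, so the rule set can be regenerated without working out the masks by hand. It only prints ovs-ofctl commands; nothing is applied. "bridge" and "mac" are the post's own placeholders, and the starting port is a parameter because the post's list begins at port 1, which leaves port 0 unfiltered; starting at 0 closes that gap.

```shell
#!/bin/sh
# Added example, not code from the post or from Open vSwitch: generates
# "drop every TCP port except an allow-list" as ovs-ofctl masked tp_dst
# matches. "bridge" and "mac" are the post's placeholders, not real values.

# range_to_masks LO HI: print one 0xVALUE/0xMASK per line that together cover
# exactly the ports LO..HI (inclusive), using the largest aligned
# power-of-two blocks, which is the decomposition the post wrote by hand.
range_to_masks() {
    lo=$1
    hi=$2
    while [ "$lo" -le "$hi" ]; do
        size=1
        # Double the block while it stays aligned to lo and inside LO..HI.
        while [ $((lo % (size * 2))) -eq 0 ] && [ $((lo + size * 2 - 1)) -le "$hi" ]; do
            size=$((size * 2))
        done
        # A block of 'size' ports starting at lo matches value=lo with a
        # 16-bit mask whose low log2(size) bits are cleared.
        mask=$(( 65535 & ~(size - 1) ))
        printf '0x%x/0x%x\n' "$lo" "$mask"
        lo=$((lo + size))
    done
}

# deny_except BRIDGE MAC FIRST LAST PORT...: print an ovs-ofctl drop flow for
# every masked block in FIRST..LAST that is not one of the allowed PORTs
# (PORTs must be given in ascending order). Output is text only.
deny_except() {
    bridge=$1
    mac=$2
    start=$3
    last=$4
    shift 4
    for allowed in "$@" END; do
        if [ "$allowed" = END ]; then
            stop=$last
        else
            stop=$((allowed - 1))
        fi
        # range_to_masks runs in a subshell here, so its lo/hi stay local.
        for vm in $(range_to_masks "$start" "$stop"); do
            printf 'ovs-ofctl add-flow %s tcp,dl_dst=%s,tp_dst=%s,actions=drop\n' \
                "$bridge" "$mac" "$vm"
        done
        [ "$allowed" = END ] || start=$((allowed + 1))
    done
}

# Reproduces the 24 rules in the post: allow only 22 and 80, starting at
# port 1 as the post does (use 0 as FIRST to cover port 0 as well).
deny_except bridge mac 1 65535 22 80
```

Run as-is it prints exactly the post's 24 add-flow lines; change the allow-list or the FIRST/LAST bounds to get a different set. On the return-traffic question itself, none of these stateless matches can distinguish a reply from a new inbound connection; later Open vSwitch releases added a tcp_flags match (2.1) and connection tracking with ct() and ct_state (2.5), the latter being the equivalent of the iptables ESTABLISHED state the post asks about.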
