[ovs-discuss] Allow returning traffic in a filtered VM

Oriol Martí omarti at cesca.cat
Mon Mar 18 13:51:50 UTC 2013


Does anybody know?

On 03/14/2013 09:42 PM, Oriol Marti wrote:
> Hello, I'm searching for a solution to allow the returning traffic for a VM when
> all the ports, or most of them, are filtered.
> I'm filtering with ovs-ofctl with masks; for example, for a given VM, if I want to
> allow only ports 80 and 22 incoming, I execute:
>
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1/0xffff,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2/0xfffe,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4/0xfffc,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8/0xfff8,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x10/0xfffc,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x14/0xfffe,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x17/0xffff,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x18/0xfff8,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x20/0xffe0,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x40/0xfff0,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x51/0xffff,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x52/0xfffe,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x54/0xfffc,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x58/0xfff8,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x60/0xffe0,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x80/0xff80,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x100/0xff00,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x200/0xfe00,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x400/0xfc00,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x800/0xf800,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1000/0xf000,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2000/0xe000,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4000/0xc000,actions=drop
> ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8000/0x8000,actions=drop
>
> But with all the incoming ports filtered I've seen that the returning traffic,
> when I'm doing for example a wget from the VM, is filtered too. This is caused
> because the connection is made from a random port in the VM starting the
> connection, and when it returns it is filtered. I don't know if there is something
> like ESTABLISHED in iptables to detect the established traffic.
> Maybe there is a flag in the returning packets that I can check with the rules
> in ovs-ofctl?
> Does anybody know a solution for this scenario?
>
> Cheers,
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> http://openvswitch.org/mailman/listinfo/discuss
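An added example, not code from the quoted post or from the Open vSwitch project: the Python below reproduces the value/mask trick behind the 24 quoted rules (a port range is split into aligned power-of-two blocks, exactly like CIDR prefixes, and each block becomes one tp_dst=value/mask match), checks which destination ports a given rule set actually leaves open, and generates the ovs-ofctl commands for any allowlist. The 24 (value, mask) pairs are transcribed from the post for checking; the bridge name, MAC address and the priority value in the generated commands are placeholder assumptions.

```python
# Added example (not from the original post): build and verify ovs-ofctl
# value/mask rules that drop every TCP destination port except an allowlist.

ALLOWED = {22, 80}  # the post allows only SSH and HTTP inbound

# The 24 value/mask pairs from the post, transcribed here so they can be checked.
POSTED_RULES = [
    (0x1, 0xffff), (0x2, 0xfffe), (0x4, 0xfffc), (0x8, 0xfff8),
    (0x10, 0xfffc), (0x14, 0xfffe), (0x17, 0xffff), (0x18, 0xfff8),
    (0x20, 0xffe0), (0x40, 0xfff0), (0x51, 0xffff), (0x52, 0xfffe),
    (0x54, 0xfffc), (0x58, 0xfff8), (0x60, 0xffe0), (0x80, 0xff80),
    (0x100, 0xff00), (0x200, 0xfe00), (0x400, 0xfc00), (0x800, 0xf800),
    (0x1000, 0xf000), (0x2000, 0xe000), (0x4000, 0xc000), (0x8000, 0x8000),
]


def matches(port, value, mask):
    """OpenFlow masked match: the port hits the rule when its masked bits equal value."""
    return (port & mask) == (value & mask)


def covered_ports(rules):
    """Set of all 16-bit ports matched by at least one (value, mask) rule."""
    return {p for p in range(65536) if any(matches(p, v, m) for v, m in rules)}


def uncovered_ports(rules):
    """Ports that no rule in the set matches, i.e. what the drop rules leave open."""
    return set(range(65536)) - covered_ports(rules)


def blocked_ranges(allowed, lo=0, hi=65535):
    """Contiguous [start, end] ranges inside [lo, hi] containing no allowed port."""
    ranges, start = [], None
    for p in range(lo, hi + 2):
        if p <= hi and p not in allowed:
            start = p if start is None else start
        elif start is not None:
            ranges.append((start, p - 1))
            start = None
    return ranges


def range_to_masks(lo, hi):
    """Split [lo, hi] into aligned power-of-two blocks, each one (value, mask) pair.

    Same idea as CIDR prefixes, applied to the 16-bit port field: a block of size
    2**k starting at a multiple of 2**k is matched by value=start, mask=~(2**k-1).
    """
    out = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned at lo and still fits in [lo, hi].
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, 0xffff & ~(size - 1)))
        lo += size
    return out


def drop_rules(allowed, lo=0, hi=65535):
    """Minimal (value, mask) list covering every port in [lo, hi] not in allowed."""
    rules = []
    for start, end in blocked_ranges(allowed, lo, hi):
        rules.extend(range_to_masks(start, end))
    return rules


def ovs_ofctl_commands(rules, bridge="br0", mac="00:11:22:33:44:55", priority=100):
    """Render the rules as ovs-ofctl add-flow commands in the post's format.

    bridge, mac and priority are placeholder assumptions; an explicit priority
    keeps the drops above a lower-priority catch-all forwarding rule.
    """
    return [
        f"ovs-ofctl add-flow {bridge} priority={priority},tcp,dl_dst={mac},"
        f"tp_dst={v:#x}/{m:#x},actions=drop"
        for v, m in rules
    ]


if __name__ == "__main__":
    # The posted rules start at port 1, so they leave 0, 22 and 80 open.
    print("ports the posted rules leave open:", sorted(uncovered_ports(POSTED_RULES)))
    for cmd in ovs_ofctl_commands(drop_rules(ALLOWED)):
        print(cmd)
```

Starting the generator at port 1 reproduces the 24 quoted rules exactly; starting at port 0 (the default above) covers port 0 as well and needs only 21 rules, because 0-15 and 16-19 collapse into larger aligned blocks. The check is purely about which destination ports are open: matches like these are stateless, so they cannot tell a reply to a VM-initiated connection apart from a new inbound connection, which is the problem the post raises.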




