[ovs-discuss] Allow returning traffic in a filtered VM

Ben Pfaff blp at nicira.com
Mon Mar 18 14:58:45 UTC 2013


You could enable the same set of ports in the other direction, but as
source ports.

On Mon, Mar 18, 2013 at 02:51:50PM +0100, Oriol Martí wrote:
> Does anybody know?
> 
> On 03/14/2013 09:42 PM, Oriol Marti wrote:
> >Hello, I'm searching for a solution to allow the returning traffic for a VM when
> >all the ports, or most of them, are filtered.
> >I'm filtering with ovs-ofctl with masks. For example, for a given VM, if I want to
> >allow only ports 80 and 22 incoming, I execute:
> >
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1/0xffff,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2/0xfffe,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4/0xfffc,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8/0xfff8,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x10/0xfffc,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x14/0xfffe,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x17/0xffff,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x18/0xfff8,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x20/0xffe0,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x40/0xfff0,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x51/0xffff,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x52/0xfffe,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x54/0xfffc,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x58/0xfff8,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x60/0xffe0,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x80/0xff80,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x100/0xff00,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x200/0xfe00,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x400/0xfc00,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x800/0xf800,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1000/0xf000,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2000/0xe000,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4000/0xc000,actions=drop
> >ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8000/0x8000,actions=drop
> >
> >But with all the incoming ports filtered I've seen that the returning traffic
> >when I'm doing, for example, a wget from the VM is filtered too. This is caused
> >because the connection is made on a random port in the VM starting the
> >connection, and when it returns it is filtered. I don't know if there is something
> >like ESTABLISHED in iptables to detect the established traffic.
> >Maybe there is a flag in the returning packets that I can check with the rules
> >in ovs-ofctl?
> >Does anybody know a solution for this scenario?
> >
> >Cheers,
> >_______________________________________________
> >discuss mailing list
> >discuss at openvswitch.org
> >http://openvswitch.org/mailman/listinfo/discuss
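Added example (my own code, not from this thread or from the Open vSwitch project): a small Python generator for the masked drop rules quoted above, plus the return-direction rules Ben's reply suggests. It reads Ben's advice as "for packets headed to the VM (dl_dst=mac), exempt those whose TCP source port is in the allow-list", which is an assumption; the priority value 40000 is also my choice, picked only because it is higher than the default add-flow priority of 32768 so the exemptions win over the drop rules. `bridge` and `mac` are the same placeholders the original post uses. The mask decomposition is the same aligned-block trick as CIDR aggregation, and for the allow-list {22, 80} over ports 1-65535 it reproduces the 24 rules in the post exactly.

```python
"""Generate masked OVS flow matches that drop every TCP destination port
except an allow-list, plus stateless return-direction exemptions.
Hypothetical helper, written for this thread; not part of Open vSwitch."""

ALL_ONES = 0xffff  # tp_dst / tp_src are 16-bit fields


def blocked_ranges(allowed, lo=1, hi=65535):
    """Contiguous port ranges inside [lo, hi] that are NOT in the allow-list.
    The post starts at port 1, so lo defaults to 1 to match it."""
    ranges = []
    start = lo
    for port in sorted(p for p in set(allowed) if lo <= p <= hi):
        if port > start:
            ranges.append((start, port - 1))
        start = port + 1
    if start <= hi:
        ranges.append((start, hi))
    return ranges


def range_to_masks(start, end):
    """Split [start, end] into aligned power-of-two blocks, each one
    expressible as a single value/mask match (CIDR-style aggregation)."""
    out = []
    while start <= end:
        size = 1
        # Grow the block while it stays aligned and still fits in the range.
        while start % (size * 2) == 0 and start + size * 2 - 1 <= end:
            size *= 2
        out.append((start, ALL_ONES & ~(size - 1)))
        start += size
    return out


def port_masks(allowed, lo=1, hi=65535):
    """All (value, mask) pairs needed to drop every port not in `allowed`."""
    return [m for s, e in blocked_ranges(allowed, lo, hi)
            for m in range_to_masks(s, e)]


def covered_ports(masks, lo=0, hi=65535):
    """Self-check: the set of ports matched by at least one (value, mask)."""
    return {p for p in range(lo, hi + 1)
            if any(p & m == v & m for v, m in masks)}


def ovs_rules(bridge, mac, allowed, exempt_priority=40000):
    """Inbound drop rules in the post's format, followed by higher-priority
    exemptions for replies whose source port is in the allow-list
    (my reading of Ben's suggestion; exempt_priority is an assumed value
    chosen to exceed the default priority 32768)."""
    rules = []
    for value, mask in port_masks(allowed):
        rules.append(f"ovs-ofctl add-flow {bridge} "
                     f"tcp,dl_dst={mac},tp_dst={value:#x}/{mask:#x},actions=drop")
    for port in sorted(allowed):
        rules.append(f"ovs-ofctl add-flow {bridge} priority={exempt_priority},"
                     f"tcp,dl_dst={mac},tp_src={port},actions=normal")
    return rules


if __name__ == "__main__":
    for line in ovs_rules("bridge", "mac", {22, 80}):
        print(line)
```

The exemption rules are stateless: they let a reply in because its source port is 22 or 80, not because the VM opened the connection, so any remote host that sends from source port 22 or 80 reaches every port on the VM. That is the gap the original question is really about; later Open vSwitch releases added connection tracking, where a match such as ct_state=+est gives the ESTABLISHED semantics iptables has, and that is the direction to go where it is available.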
