[ovs-discuss] Behaving differently with same flow but in different methods.

ananthan ananthannair935 at gmail.com
Tue May 14 14:26:09 UTC 2013


Hi,
  Running OVS 1.0.99 on xenserver 6.0.2.

Tried IP stealing prevention and port filtering using two methods:
Both worked when using the first method, but with the second method tcp_port
filtering didn't work. The difference was an in_port-based drop policy versus a
global drop policy.

Method 1:
# Dropped all regardless of in_port:
ovs-ofctl add-flow xenbr0 "priority=0 action=drop"

# Excluded host packets.
ovs-ofctl add-flow xenbr0 "dl_src=84:2B:2B:0A:78:67 priority=1 action=normal"
ovs-ofctl add-flow xenbr0 "dl_dst=84:2B:2B:0A:78:67 priority=1 action=normal"

# For VM1:
ovs-ofctl add-flow xenbr0 "priority=301 dl_type=0x0800 nw_src=115.x.x.121 dl_src=ea:7a:55:f2:66:ef idle_timeout=0 action=normal"
ovs-ofctl add-flow xenbr0 "priority=302 dl_type=0x0806 nw_src=115.x.x.121 dl_src=ea:7a:55:f2:66:ef idle_timeout=0 action=normal"

# Allowed tcp:80 only
ovs-ofctl add-flow xenbr0 "priority=304 dl_type=0x0800 nw_dst=115.x.x.121 dl_dst=ea:7a:55:f2:66:ef nw_proto=6 tp_dst=80 idle_timeout=0 action=normal"
ovs-ofctl add-flow xenbr0 "priority=303 dl_type=0x0806 dl_dst=ea:7a:55:f2:66:ef nw_dst=115.x.x.121 idle_timeout=0 action=normal"

Everything is working as expected. Since there is a global drop rule, I thought
of using in_port.

Method 2:
ovs-ofctl add-flow xenbr0 "in_port=3 priority=301 dl_type=0x0800 nw_src=115.x.x.121 dl_src=ea:7a:55:f2:66:ef idle_timeout=0 action=normal"
ovs-ofctl add-flow xenbr0 "in_port=3 priority=302 dl_type=0x0806 nw_src=115.x.x.121 dl_src=ea:7a:55:f2:66:ef idle_timeout=0 action=normal"

# Allowed tcp:80 only
ovs-ofctl add-flow xenbr0 "in_port=3 priority=304 dl_type=0x0800 nw_dst=115.x.x.121 nw_proto=6 tp_dst=80 idle_timeout=0 action=normal"
ovs-ofctl add-flow xenbr0 "in_port=3 priority=303 dl_type=0x0806 dl_dst=ea:7a:55:f2:66:ef nw_dst=115.x.x.121 idle_timeout=0 action=normal"

# Drop for that port only
ovs-ofctl add-flow xenbr0 "in_port=3 priority=299 idle_timeout=0 action=drop"


With this, IP stealing prevention is working but tcp_port filtering is not.

Troubleshooting:

   - Tried commenting out priority 304 and 303, and still every packet reached
   the VM, which was against my concept of OVS.


From Method 1:
I thought that since there is a global drop rule, for a packet to go out I need
to allow IP and ARP, which I did by using nw_src=vm-ip, dl_src=vm-mac so that
packets can go out; without this nothing worked. And for incoming traffic I
enabled nw_dst=vm-ip dl_dst=vm-mac. tcpdump showed that my concept is right.

But in case of Method 2:
My understanding became completely wrong; even though IP stealing prevention
worked, no other things worked. And to make the situation worse, traffic to the
VM worked without the rules at priority 304 and 303. How can an additional
in_port make this much difference? Can someone please explain the problem.

Also, when I added "priority=299,in_port=3 actions=drop" I was able to see
ping echo requests in the tcpdump output. Is it normal, as tcpdump captures
that before this flow?

Regards,
Ananthan
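Added example (not part of the original post): a minimal OpenFlow-style flow-table lookup that replays the two rule sets above against constructed packets, to show which rule, if any, each packet hits. The VM IP is kept as the post's redacted string; the uplink port number (in_port=1), the remote MAC/IP and the packets are constructed assumptions.

```python
# Added example, not from the original post: a minimal OpenFlow-style table
# lookup replaying the two rule sets against constructed packets. The VM IP is
# kept as the post's redacted string; in_port=1 for the uplink, the remote
# MAC/IP and the packets themselves are constructed for illustration.
VM_IP, VM_MAC = "115.x.x.121", "ea:7a:55:f2:66:ef"
HOST_MAC = "84:2B:2B:0A:78:67"

def flow(priority, action, **match):
    return {"priority": priority, "action": action, "match": match}

# Method 1: catch-all drop at priority 0; allow rules are not scoped to a port.
METHOD1 = [
    flow(0, "drop"),
    flow(1, "normal", dl_src=HOST_MAC),
    flow(1, "normal", dl_dst=HOST_MAC),
    flow(301, "normal", dl_type=0x0800, nw_src=VM_IP, dl_src=VM_MAC),
    flow(302, "normal", dl_type=0x0806, nw_src=VM_IP, dl_src=VM_MAC),
    flow(304, "normal", dl_type=0x0800, nw_dst=VM_IP, dl_dst=VM_MAC,
         nw_proto=6, tp_dst=80),
    flow(303, "normal", dl_type=0x0806, dl_dst=VM_MAC, nw_dst=VM_IP),
]
# Method 2: every rule, the drop included, only matches packets entering on port 3.
METHOD2 = [
    flow(301, "normal", in_port=3, dl_type=0x0800, nw_src=VM_IP, dl_src=VM_MAC),
    flow(302, "normal", in_port=3, dl_type=0x0806, nw_src=VM_IP, dl_src=VM_MAC),
    flow(304, "normal", in_port=3, dl_type=0x0800, nw_dst=VM_IP, nw_proto=6, tp_dst=80),
    flow(303, "normal", in_port=3, dl_type=0x0806, dl_dst=VM_MAC, nw_dst=VM_IP),
    flow(299, "drop", in_port=3),
]

def lookup(table, pkt):
    """Action of the highest-priority matching flow, or 'table-miss' if no flow
    matches (what the switch then does depends on controller/fail-mode, not on
    these rules)."""
    hits = [f for f in table if all(pkt.get(k) == v for k, v in f["match"].items())]
    return max(hits, key=lambda f: f["priority"])["action"] if hits else "table-miss"

# Constructed packets. Traffic *to* the VM enters on the uplink (in_port=1), so
# none of Method 2's in_port=3 rules, allow or drop, can ever apply to it.
REMOTE_MAC, REMOTE_IP = "00:11:22:33:44:55", "203.0.113.9"
SSH_TO_VM = dict(in_port=1, dl_type=0x0800, dl_src=REMOTE_MAC, dl_dst=VM_MAC,
                 nw_src=REMOTE_IP, nw_dst=VM_IP, nw_proto=6, tp_dst=22)
HTTP_TO_VM = dict(SSH_TO_VM, tp_dst=80)
SPOOF_FROM_VM = dict(in_port=3, dl_type=0x0800, dl_src=VM_MAC, dl_dst=REMOTE_MAC,
                     nw_src="10.0.0.5", nw_dst=REMOTE_IP, nw_proto=6, tp_dst=443)

if __name__ == "__main__":
    for name, pkt in [("ssh->vm", SSH_TO_VM), ("http->vm", HTTP_TO_VM), ("spoof", SPOOF_FROM_VM)]:
        print(f"{name:9} method1={lookup(METHOD1, pkt):10} method2={lookup(METHOD2, pkt)}")
```

Both tables drop the spoofed packet from the VM's port, but only Method 1 ever evaluates inbound traffic: under Method 2 both the tcp:80 allow and the port-scoped drop are skipped for packets arriving on any other port, so the outcome falls to table-miss handling rather than to the filter.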