[ovs-discuss] OVS not filtering host traffic hitting the bridge

hatt droid hatt.droid at gmail.com
Wed Mar 23 13:19:04 UTC 2016


Hello,

I'm having a problem using the StrongSwan IPSec implementation with OVS
recently.
Here's my setup:

IPSec client
|
V
OVS bridge with normal flow only, priority 1.
|
V
Host networking stack with StrongSwan

IPSec is set up with 10.2.0.0/24 inner IPs, and the encrypted packets are
transferred through 192.168.2.0/24.

I can set up and do the key exchange process of IPSec without a problem.
If I tcpdump on the OVS bridge, I see both kinds of traffic: the encapsulated
and the decapsulated one.
Here's the output:

13:03:42.357602 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 154: 192.168.2.18 > 192.168.2.254: ESP(spi=0xc1361f48,seq=0x4), length 120
13:03:42.357605 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 154: 192.168.2.18 > 192.168.2.254: ESP(spi=0xc1361f48,seq=0x5), length 120
13:03:42.357602 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 83: 10.2.0.1.49624 > 15.203.240.10.53: 57379+ A? dns1.org.com. (41)
13:03:42.357605 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 83: 10.2.0.1.49624 > 15.203.240.10.53: 34411+ AAAA? dns1.org.com. (41)

So I see the encapsulated packet first (encrypted with ESP), then I see the
decapsulated one with 10.2.0.1.

Then, I apply on the bridge the following rule:
priority=25,ip,nw_src=10.2.0.0/24 actions=drop

which seems to match the 10.2.0.0 traffic that I see hitting the
bridge in tcpdump. Unfortunately, the rule is never matched, as the counters
(n_packets, n_bytes) never go up.

Please correct me if I'm wrong, but I was thinking that if it is hitting
the bridge (as can be seen on tcpdump output), I should be able to filter
the traffic on the bridge?

(For info, I have DHCP and ARP traffic hitting the bridge from the host, and I
can catch them without a problem.)

Thanks in advance for your help.
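The situation described above, as an added example that is not part of the original post: the script below takes the four tcpdump lines quoted in the message, extracts the header fields an OpenFlow match can test, evaluates the posted rule (priority=25,ip,nw_src=10.2.0.0/24 actions=drop) against each packet, and then compares the number of packets the rule should have hit with the n_packets delta read from ovs-ofctl dump-flows. The counter values passed to counter_verdict are constructed; the verdict names and the small match evaluator are my own (OVS itself supports many more match fields than the handful parsed here).

```python
"""Constructed example (not from the ovs-discuss post): predict which captured
packets an OpenFlow rule would match and reconcile that with the rule's counters."""
import ipaddress
import re

# The four capture lines quoted in the post, rejoined onto single lines.
TCPDUMP_LINES = [
    "13:03:42.357602 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 154: 192.168.2.18 > 192.168.2.254: ESP(spi=0xc1361f48,seq=0x4), length 120",
    "13:03:42.357605 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 154: 192.168.2.18 > 192.168.2.254: ESP(spi=0xc1361f48,seq=0x5), length 120",
    "13:03:42.357602 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 83: 10.2.0.1.49624 > 15.203.240.10.53: 57379+ A? dns1.org.com. (41)",
    "13:03:42.357605 00:16:3e:12:1a:11 > e6:22:29:91:2d:4e, ethertype IPv4 (0x0800), length 83: 10.2.0.1.49624 > 15.203.240.10.53: 34411+ AAAA? dns1.org.com. (41)",
]

# The rule from the post.
FLOW_RULE = "priority=25,ip,nw_src=10.2.0.0/24 actions=drop"

# Fields of a `tcpdump -e` summary line: ethertype, IPv4 src/dst with optional ports.
_PKT_RE = re.compile(
    r"ethertype \w+ \((?P<ethertype>0x[0-9a-fA-F]+)\), length \d+: "
    r"(?P<src>\d+\.\d+\.\d+\.\d+)(?:\.(?P<sport>\d+))? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.(?P<dport>\d+))?: (?P<payload>.*)"
)


def parse_packet(line):
    """Extract the header fields an OpenFlow match can test from one tcpdump line."""
    m = _PKT_RE.search(line)
    if not m:
        raise ValueError("unrecognised tcpdump line: " + line)
    # tcpdump names the payload protocol for ESP; for other packets the summary
    # line does not state the IP protocol number, so we leave it unknown.
    nw_proto = 50 if m.group("payload").startswith("ESP(") else None
    return {
        "dl_type": int(m.group("ethertype"), 16),
        "nw_src": ipaddress.ip_address(m.group("src")),
        "nw_dst": ipaddress.ip_address(m.group("dst")),
        "nw_proto": nw_proto,
        "tp_src": int(m.group("sport")) if m.group("sport") else None,
        "tp_dst": int(m.group("dport")) if m.group("dport") else None,
    }


def parse_flow(rule):
    """Split an ovs-ofctl style rule into match criteria and its action string."""
    match_part, _, action = rule.partition(" actions=")
    criteria = {}
    for token in match_part.split(","):
        key, _, value = token.partition("=")
        if key == "priority":
            criteria["priority"] = int(value)
        elif key == "ip":                       # shorthand for dl_type=0x0800
            criteria["dl_type"] = 0x0800
        elif key in ("nw_src", "nw_dst"):       # CIDR or single address
            criteria[key] = ipaddress.ip_network(value, strict=False)
        elif key in ("nw_proto", "tp_src", "tp_dst"):
            criteria[key] = int(value)
        else:
            raise ValueError("match field not handled by this example: " + key)
    return criteria, action


def flow_matches(criteria, pkt):
    """True if every match field in the rule agrees with the packet's headers."""
    for key, want in criteria.items():
        if key == "priority":                   # priority orders rules, it is not a match
            continue
        have = pkt.get(key)
        if isinstance(want, (ipaddress.IPv4Network, ipaddress.IPv6Network)):
            if have is None or have not in want:
                return False
        elif have != want:                      # an unknown field never matches
            return False
    return True


def expected_hits(lines, rule):
    """Captured packets the rule should account for if they traverse the pipeline."""
    criteria, _ = parse_flow(rule)
    return [line for line in lines if flow_matches(criteria, parse_packet(line))]


def counter_verdict(expected, n_packets_before, n_packets_after):
    """Reconcile predicted hits with the n_packets delta from ovs-ofctl dump-flows."""
    delta = n_packets_after - n_packets_before
    if expected == 0:
        return "no-packets-expected"
    if delta == 0:
        return "not-in-pipeline"   # capture shows them, but OVS never classified them
    if delta < expected:
        return "partial"
    return "ok"


if __name__ == "__main__":
    hits = expected_hits(TCPDUMP_LINES, FLOW_RULE)
    print(f"{len(hits)} of {len(TCPDUMP_LINES)} captured packets should match the rule")
    # Constructed counter readings: the post reports n_packets never moving.
    print("verdict:", counter_verdict(len(hits), 0, 0))
```

The point of the comparison is that a tcpdump on the bridge interface and the flow counters answer different questions: the capture proves the host saw a frame, while the counters prove the OpenFlow pipeline classified it. Only the two inner 10.2.0.1 DNS packets satisfy nw_src=10.2.0.0/24 (the ESP packets carry 192.168.2.18 as source), so a counter that stays at zero with those packets visible is the "not-in-pipeline" case the post describes, and the filter cannot be considered effective for that traffic until the counters move.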