[ovs-discuss] How to forward packets in a single bridge?

Jason Koh bk7749 at gmail.com
Wed Nov 21 06:01:49 UTC 2018


I am new to OVS and trying to emulate an L3 switch with multiple machines.
Basically I want to emulate a man-in-the-loop attack. I posted this
question to StackOverflow (
but found this email list afterwards.

I copy-paste the question here:

I am trying to emulate an L3-switch where multiple machines are connected
(in no VLANs or a single VLAN.) Then I would like to configure the switch
to forward packets as I want, which I have had no luck with.

### My system configuration:
- Host machine OS: Ubuntu 18.04.
- Open vSwitch 2.9.0
- Client machines: Ubuntu 18.04 clients in VirtualBox 5.2.20

### What I want to do:
(basically emulating a man-in-the-middle attack.)

1. VM1, VM2 and VM3 are connected to a virtual switch or bridge (BR0).
2. VM1 sends a packet (e.g., HTTP GET request) to VM3.
3. BR0 intercepts it and forwards it to VM2.
4. VM2 sends the response to VM1.
5. BR0 forwards it to VM1 as if VM3 were responding.

### What I did:
1. ``ovs-vsctl add-br br0``: Create a bridge (BR0)
2. Create VM1,2,3 that use br0 as a network bridge.
3. Run different webservers inside VM2 and VM3 (e.g., VM2 returns "hello"
at the root whereas VM3 returns "HELLO".)
4. Configure IP addresses inside each machine to, say,
    - VM1:
    - VM2:
    - VM3:
5. ``ovs-ofctl --strict add-flow br0
priority=1,tcp,nw_dst=,actions=mod_nw_dst=``: Add a
flow modifying the destination IP. Catching packets going to VM3 and
forwarding them to VM2 (I hope.)
6. ``ovs-ofctl --strict add-flow br0
priority=1,tcp,nw_src=,actions=mod_nw_src=``: Add a
flow modifying the source IP. To make the response come from VM3.

### What I saw:
However, obviously, it was not successful.

- I can ``ping`` from one to another.
- I can ``cURL`` from one to another.
- However, the ``mod_nw_dst`` command was not effective. From VM1, I can
only see the original response from VM3, which I wanted to forward to VM2.

I googled this a lot and found many articles about forwarding across VLANs,
but not like this in a single bridge. Is my implementation incorrect?
Otherwise, is it not an intended feature? In that case, what would be the
best approach to emulate such things?

I'd much appreciate any hints/suggestions. Thank you!

With regards,
Jason Koh
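Added example (not part of Jason's message and not Open vSwitch code): a small audit script for the flow table of a bridge like br0. It parses the text printed by ``ovs-ofctl dump-flows <bridge>`` and reports two things a defender reviewing an OVS host would want flagged: flows whose actions rewrite L2/L3 addresses (``mod_nw_dst``, ``mod_nw_src``, ``mod_dl_dst`` and friends, i.e. rules that steer packets somewhere other than where the sender addressed them), and flows whose action list never emits the packet, which OpenFlow treats as a drop. The sample dump-flows output and the 10.0.0.x addresses are constructed for the example; the thread itself does not give the real addresses.

```python
"""Audit Open vSwitch flow tables for header-rewrite (redirect) rules.

Input is the text printed by `ovs-ofctl dump-flows <bridge>`. Example code
written for this thread; not part of Open vSwitch.
"""
import re
from dataclasses import dataclass

# Actions that rewrite addresses. Any of these on a bridge means matching
# packets are steered somewhere other than where the sender addressed them.
REWRITE_ACTIONS = {"mod_nw_dst", "mod_nw_src", "mod_dl_dst", "mod_dl_src",
                   "set_field", "load"}
# Actions that hand the packet onward. Without one of these (or an explicit
# drop) a flow silently discards everything it matches.
FORWARD_ACTIONS = {"output", "normal", "flood", "all", "in_port", "local",
                   "controller", "resubmit", "goto_table", "group", "bundle"}
# Bookkeeping fields ovs-ofctl prints before the real match fields.
BOOKKEEPING = {"cookie", "duration", "table", "n_packets", "n_bytes",
               "idle_age", "hard_age", "idle_timeout", "hard_timeout"}

# Constructed sample: roughly what `ovs-ofctl dump-flows br0` prints after two
# add-flow commands of the kind discussed in the thread plus the default
# NORMAL flow. The 10.0.0.x addresses are placeholders.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=12.345s, table=0, n_packets=0, n_bytes=0, priority=1,tcp,nw_dst=10.0.0.3 actions=mod_nw_dst:10.0.0.2
 cookie=0x0, duration=12.345s, table=0, n_packets=0, n_bytes=0, priority=1,tcp,nw_src=10.0.0.2 actions=mod_nw_src:10.0.0.3
 cookie=0x0, duration=99.000s, table=0, n_packets=42, n_bytes=4200, priority=0 actions=NORMAL
"""


@dataclass
class Flow:
    priority: int
    match: str      # match fields only, e.g. "tcp,nw_dst=10.0.0.3"
    actions: list   # action names in order, lower-cased
    raw: str        # the original dump-flows line


def split_actions(text):
    """Split an action list on top-level commas, leaving nested
    parentheses such as resubmit(,1) or enqueue(1,2) intact."""
    parts, depth, cur = [], 0, []
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [p.strip() for p in parts if p.strip()]


def parse_dump_flows(text):
    """Parse dump-flows output into Flow records (header lines are skipped)."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        head, sep, acts = line.partition(" actions=")
        if not sep:
            continue                      # reply header or blank line
        priority, match = 32768, []       # 32768 is the OpenFlow default
        for field in (f.strip() for f in head.split(",")):
            key = field.split("=", 1)[0]
            if key == "priority":
                priority = int(field.split("=", 1)[1])
            elif not field or key in BOOKKEEPING:
                continue
            else:
                match.append(field)
        # Action names are terminated by ':', '=' or '(' (ovs-ofctl accepts all).
        names = [re.split(r"[:=(]", a, maxsplit=1)[0].lower()
                 for a in split_actions(acts)]
        flows.append(Flow(priority, ",".join(match), names, line))
    return flows


def audit(flows):
    """Return (kind, priority, match, detail) tuples for suspicious flows."""
    findings = []
    for fl in flows:
        rewrites = [a for a in fl.actions if a in REWRITE_ACTIONS]
        if rewrites:
            findings.append(("REWRITE", fl.priority, fl.match, rewrites))
        forwards = any(a in FORWARD_ACTIONS for a in fl.actions)
        if not forwards and fl.actions != ["drop"]:
            # Rewriting headers without an output action drops the packet.
            findings.append(("NO_OUTPUT", fl.priority, fl.match, fl.actions))
    return findings


if __name__ == "__main__":
    for kind, prio, match, detail in audit(parse_dump_flows(SAMPLE_DUMP)):
        print(f"{kind:9} priority={prio} match=[{match or 'any'}] {detail}")
```

To run it against a live bridge, pipe the real output in: ``ovs-ofctl dump-flows br0 | python3 audit_flows.py`` with the sample replaced by ``sys.stdin.read()``. The NO_OUTPUT check is the one worth keeping in a lab: a rule that only rewrites an address and never outputs the packet drops it, so the traffic you expect to see redirected simply disappears.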