[ovs-discuss] Using OVS as a stateful firewall
Noah Everett
asknoah at gmail.com
Sat Jan 4 20:40:32 UTC 2020
Hello!
I'm trying to use OVS as a stateful firewall for all the VMs connected to a
OVS bridge. I'm trying to use the conntrack feature to achieve this based
off examples I've put together, but have yet to make it work fully.
My end goal is to be able to block or allow a port for a VM for egress or
ingress.
In the below example I'm trying to block all ports to a VM except for 80
while also allowing all outbound connections from the VM.
Setup: (00:16:3e:5a:ff:c2 is the mac address of the VMs eth0)
1) ovs-ofctl del-flows br0 && sudo ovs-ofctl add-flow br0 action=normal
2) ovs-ofctl add-flow br0 "table=10 action=normal"
3) ovs-ofctl add-flow br0 "table=0, tcp, dl_dst=00:16:3e:5a:ff:c2
priority=38000 actions=ct(table=1)"
4) ovs-ofctl add-flow br0 "table=1, ip, dl_dst=00:16:3e:5a:ff:c2
priority=202,ct_state=+est+rpl+trk actions=normal"
5) ovs-ofctl add-flow br0 "table=1, tcp,
priority=200,dl_dst=00:16:3e:5a:ff:c2 actions=resubmit(,2)"
6) ovs-ofctl add-flow br0 "table=2, tcp,
priority=1000,ct_state=+new+trk,dl_dst=00:16:3e:5a:ff:c2,tcp_dst=80
actions=ct(commit,table=10)"
7) ovs-ofctl add-flow br0 "table=2, tcp,
priority=100,dl_dst=00:16:3e:5a:ff:c2 actions=drop"
Here's the dump from ovs-ofctl:
cookie=0x0, duration=27.099s, table=0, n_packets=316, n_bytes=103582,
priority=38000,tcp,dl_dst=00:16:3e:5a:ff:c2 actions=ct(table=1)
cookie=0x0, duration=27.486s, table=0, n_packets=581, n_bytes=127617,
actions=NORMAL
cookie=0x0, duration=27.090s, table=1, n_packets=0, n_bytes=0,
priority=202,ct_state=+est+rpl+trk,ip,dl_dst=00:16:3e:5a:ff:c2
actions=NORMAL
cookie=0x0, duration=27.081s, table=1, n_packets=316, n_bytes=103582,
priority=200,tcp,dl_dst=00:16:3e:5a:ff:c2 actions=resubmit(,2)
cookie=0x0, duration=27.072s, table=2, n_packets=205, n_bytes=65022,
priority=1000,ct_state=+new+trk,tcp,dl_dst=00:16:3e:5a:ff:c2,tp_dst=80
actions=ct(commit,table=10)
cookie=0x0, duration=26.830s, table=2, n_packets=111, n_bytes=38560,
priority=100,tcp,dl_dst=00:16:3e:5a:ff:c2 actions=drop
cookie=0x0, duration=27.107s, table=10, n_packets=205, n_bytes=65022,
actions=NORMAL
Odd thing is #4 rule looks to never get hit (based off ovs-ofctl dump-flows
br0). If I change the rule to +inv+trk, it gets hits. Does that mean
invalid packets are coming through? I checked and the host OS has
nf_conntrack_ipv4 loaded.
It kind of works if I change command #6 to ovs-ofctl add-flow br0 "table=1,
ip, dl_dst=00:16:3e:5a:ff:c2 priority=202,ct_state=+est+rpl+trk
actions=normal"
However all outbound traffic is still blocked and entry #4 never gets hit
still either.
I'm fairly new to OVS and have been google'ing / stackoverflow'ing for the
last few days with no luck.
I apologize for my newbie'ness and thank you in advance for any help or
direction!
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20200104/608a1410/attachment.html>
More information about the discuss
mailing list