[ovs-discuss] A Drop rule with less priority is served before a normal rule with higher priority

Ben Pfaff blp at ovn.org
Tue Mar 10 22:36:31 UTC 2020


On Tue, Mar 10, 2020 at 09:49:02PM +0100, Oliver Dzombic wrote:
> Hi folks,
> 
> why is this drop rule, with lower priority, served before the
> normal rule?
> 
> 
>  cookie=0x0, duration=1309.733s, table=0, n_packets=792, n_bytes=34414,
> priority=1000,dl_src=16:ec:3d:6e:f4:b9 actions=drop
> 
> 
>  cookie=0x0, duration=1309.950s, table=0, n_packets=0, n_bytes=0,
> priority=2000,ip,dl_dst=16:ec:3d:6e:f4:b9,nw_dst=196.168.1.2 actions=NORMAL
> 
> 
> Is it as simple as that a rule that is less specific will be served
> before a rule that is more specific, even if it has a higher priority?
> 
> The goal is that a specific mac address shall only be allowed to
> communicate over a specific IP address. If the traffic to or from this
> mac is for/from another IP, it shall be dropped.

You don't show any rules for allowing ARP traffic.  Probably, that means
that the machine in question isn't able to map from IP to Ethernet
addresses, so it can't communicate.  I see that the average size of
dropped packets is 43 bytes, about the size of an ARP packet.
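As an added illustration (not from this thread and not OVS code): a small Python model of how an OpenFlow table picks a flow, run over the two flows quoted above plus one constructed ARP rule. It shows that lookup is decided by priority alone, never by specificity, and that an ARP frame from that MAC matches nothing but the drop rule until an ARP flow is added. The `priority=3000` ARP rule and the sample frames are constructed for the example.

```python
# Added example: a minimal model of OpenFlow flow selection for the flows
# quoted in the thread. It is not how Open vSwitch is implemented.

# Flows copied from the ovs-ofctl dump-flows output in the question.
FLOWS_FROM_THREAD = [
    "priority=1000,dl_src=16:ec:3d:6e:f4:b9 actions=drop",
    "priority=2000,ip,dl_dst=16:ec:3d:6e:f4:b9,nw_dst=196.168.1.2 actions=NORMAL",
]
# Constructed fix (not from the thread): let ARP from the MAC through.
ARP_FIX = "priority=3000,arp,dl_src=16:ec:3d:6e:f4:b9 actions=NORMAL"

# Keyword shorthands ovs-ofctl accepts for the Ethernet type.
ETH_TYPE_KEYWORDS = {"ip": 0x0800, "arp": 0x0806}

def parse_flow(text):
    """Parse one 'match actions=...' line into (priority, match dict, action)."""
    match_part, action = text.split(" actions=")
    priority = 32768  # OpenFlow default when priority is omitted
    match = {}
    for tok in match_part.split(","):
        if tok in ETH_TYPE_KEYWORDS:
            match["dl_type"] = ETH_TYPE_KEYWORDS[tok]
        elif tok.startswith("priority="):
            priority = int(tok.split("=", 1)[1])
        else:
            key, value = tok.split("=", 1)
            match[key] = value
    return priority, match, action

def lookup(flows, frame):
    """Return the action of the highest-priority flow whose every match field
    equals the frame's field. Field count (specificity) plays no role; among
    equal priorities OpenFlow leaves the choice undefined."""
    best = None
    for text in flows:
        priority, match, action = parse_flow(text)
        if all(frame.get(k) == v for k, v in match.items()):
            if best is None or priority > best[0]:
                best = (priority, action)
    return best[1] if best else "table-miss"

if __name__ == "__main__":
    mac = "16:ec:3d:6e:f4:b9"
    # Constructed ARP request from the restricted MAC (broadcast destination).
    arp = {"dl_src": mac, "dl_dst": "ff:ff:ff:ff:ff:ff", "dl_type": 0x0806}
    print("ARP, thread flows only:", lookup(FLOWS_FROM_THREAD, arp))
    print("ARP, with ARP rule:    ", lookup(FLOWS_FROM_THREAD + [ARP_FIX], arp))
```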