Re: [ovs-discuss] filtering macs/ip

2010-04-30 Thread Jesse Gross
(moving back on list)

2010/4/30 George Shuklin n...@narod.ru

 27.04.10, 18:20, Jesse Gross je...@nicira.com:

 On Tue, Apr 27, 2010 at 7:37 AM, George Shuklin n...@narod.ru wrote:

 Good day.

 Is there any way to filter VM traffic with ovs (like mac spoofing or ip
 usurpation)?

 I tried to find one, but found none.

 There isn't currently a specific MAC/IP anti-spoofing feature.  You can,
 however, add flow entries that allow traffic from a given port, MAC, and IP
 and drop everything else.  The ovs-ofctl man page describes how to add
 flows.

 Thank you very much. I start to see a light at the end of the tunnel.

 But I do not really understand the syntax of flows.

 F.e. I add:

 ovs-ofctl add-flow xenbr0 dl_src=11:11:11:11:11:11,nw_dst=192.168.1.0/24,priority=10 actions=normal
 ovs-ofctl add-flow xenbr0 dl_src=11:11:11:11:11:11,nw_dst=192.168.2.0/24,priority=20 actions=drop

 I expect it to pass traffic from MAC=11:11:11:11:11:11 on net
 192.168.1.0/24 (all other values are '*') as it must be, and to drop all traffic
 to 192.168.2.0/24...

 But really it drops ALL traffic from mac=11:11:11:11:11:11 to any
 destination. And I do not understand what happens...


The reason why this is happening is that you didn't specify IP as the
protocol.  The nw_dst field gets dropped because it is meaningless without a
L3 protocol.

If you do ovs-ofctl dump-flows xenbr0 you can see the current set of flows
after they have been parsed.


 Is there anywhere more complete documentation about flow syntax, or some samples
 with commentary?


I think the ovs-ofctl man page is currently our best documentation of the
flow syntax.
___
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
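The prerequisite rule Jesse describes, modelled as an added example (this is not code from the list or from Open vSwitch): a small Python flow-table simulator that parses add-flow style specs, discards nw_* fields when no L3 protocol is given, and resolves a packet against the flows by priority. The L3_FIELDS set, the packet dictionaries and the "normal on table miss" assumption are constructed for illustration.

```python
import ipaddress

# Match fields that only have meaning once dl_type says IPv4. Hypothetical
# model of the ovs-ofctl rule from the reply: without an L3 protocol, nw_* is dropped.
L3_FIELDS = {"nw_src", "nw_dst", "nw_proto"}

def parse_flow(spec):
    """Parse an add-flow style spec into (priority, match, actions)."""
    match, actions, priority = {}, None, 32768  # 32768: OpenFlow default priority
    for token in spec.replace(" ", ",").split(","):
        if token == "ip":                      # shorthand for dl_type=0x0800
            match["dl_type"] = 0x0800
        elif token:
            key, _, value = token.partition("=")
            if key == "actions":
                actions = value
            elif key == "priority":
                priority = int(value)
            elif key == "dl_type":
                match[key] = int(value, 0)
            else:
                match[key] = value
    if match.get("dl_type") != 0x0800:         # prerequisite not met ...
        for field in L3_FIELDS.intersection(match):  # ... so nw_* silently vanish
            del match[field]
    return priority, match, actions

def render(flow):
    """Show a parsed flow roughly the way dump-flows would print it."""
    priority, match, actions = flow
    fields = ",".join("ip" if k == "dl_type" else f"{k}={v}" for k, v in match.items())
    return f"priority={priority},{fields} actions={actions}"

def matches(match, pkt):
    """True if every match field agrees with the packet's headers."""
    for key, want in match.items():
        if key in ("nw_src", "nw_dst"):
            net = ipaddress.ip_network(want, strict=False)
            if ipaddress.ip_address(pkt[key]) not in net:
                return False
        elif pkt.get(key) != want:
            return False
    return True

def lookup(flows, pkt):
    """Highest-priority matching flow wins; assume a normal-switch table miss."""
    for flow in sorted(flows, key=lambda f: -f[0]):
        if matches(flow[1], pkt):
            return flow[2]
    return "normal"
```

Calling render() on the parsed form of the two flows from the question shows the nw_dst match gone, which is exactly what dump-flows would reveal; prefixing each spec with "ip" restores the intended behaviour.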


Re: [ovs-discuss] bridge renaming issue with Xen

2010-04-30 Thread Lee, Jeongkeun
Hi, 

I'm coming back to this problem.

To handle the renaming issue of the Xen networking scripts, I tried 'ovs-vsctl set' 
commands as follows: renaming interface, port and then bridge, as the order 
seems to matter.

Where the bridge name is renamed,
 ip link set ${tdev} name ${bridge}
 # usually tdev=tmpbridge, bridge=eth0
 /usr/local/bin/ovs-vsctl set Interface ${tdev} name=${bridge}
 /usr/local/bin/ovs-vsctl set Port ${tdev} name=${bridge}
 /usr/local/bin/ovs-vsctl set Bridge ${tdev} name=${bridge}

Similarly, I put 
`ovs-vsctl set Interface'
`ovs-vsctl set Port'
in the places where interfaces are renamed in the xen scripts. 

Then, after rebooting, all the networking at dom0 works fine and IP-based 
communications from/to domU work fine too. For example, 'ping x.x.x.x' and 
'wget x.x.x.x' from domU are okay.

However, any action involving DNS (e.g., ping www.google.com) from domU causes 
the entire system (dom0) to crash and reboot. 

Did you see any similar phenomena with OVS before? Or do you have any other 
suggestions to deal with the renaming issue?

With the previous version of OVS, which used a text-based configuration file, 
just using 'sed' on the ovs conf file for renaming worked fine. 

Thank you.
-- JK

 -Original Message-
 From: discuss-boun...@openvswitch.org [mailto:discuss-
 boun...@openvswitch.org] On Behalf Of Lee, Jeongkeun
 Sent: Wednesday, March 24, 2010 9:36 PM
 To: discuss@openvswitch.org
 Subject: [ovs-discuss] bridge renaming issue with Xen
 
 Hi Ben and Jesse,
 
 I'm trying to use ovs 0.99.2 with Xen on Lenny.
 As you know, Xen calls 'ip link set' commands to rename a bridge but ovs-
 brcompatd does not proxy 'ip link set name' command.
 
  From: Jesse Gross je...@nicira.com
 
  Earlier versions of Xen networking (which apparently the Lenny port is
  based
  on) used some interesting tricks with renaming. In this case eth0 is
  renamed to peth0 and a bridge named tmpbridge is created then renamed
  to eth0.
 
 With the previous version of ovs that doesn't use OVSDB, I simply changed
 the bridge name directly on the ovs/brcompatd config file by modifying
 Xen networking scripts as follows:
 
 ...
 ip link set ${tdev} name ${bridge}
 # ovs-brcompatd does not proxy 'ip link set name' command
 # need to manually change the bridge name in the ovs config file
 # usually tdev=tmpbridge, bridge=eth0
 sed -i s/${tdev}/${bridge}/g /etc/ovs-vswitchd-xen.conf  <- added line
 ...
 
 So, the same renaming should be done on the config DB with ovs 0.99.2 and
 I tried the following 'ovs-vsctl set' commands:
 
 ip link set ${tdev} name ${bridge}
 # sed -i s/${tdev}/${bridge}/g ${cfg}
 # usually tdev=tmpbridge, bridge=eth0
 /usr/local/bin/ovs-vsctl set Bridge ${tdev} name=${bridge}
 /usr/local/bin/ovs-vsctl set Port ${tdev} name=${bridge}
 /usr/local/bin/ovs-vsctl set Interface ${tdev} name=${bridge}
 
 Then, after finishing booting, 'brctl show' and 'ovs-dpctl show' look
 fine in dom0, but generating any packets from domU crashes the system and
 dom0 automatically reboots. Syslog caught the warning and error messages
 shown below. It seems like 'ovs-vsctl set' does more than just renaming
 DB entries. Can you help me to find the right use of this command? Maybe
 the order between Bridge, Port, and Interface renaming matters..?
 
 
 
 ~~~ SYSLOG dump ~
 Mar 24 20:14:52 majuan ovs-vsctl: 1|vsctl|INFO|Called as
 /usr/local/bin/ovs-vsctl set Bridge tmpbridge name=eth0
 Mar 24 20:14:52 majuan ovsdb-server:
 9|reconnect|INFO|unix:/tmp/stream-unix.4694.0: connecting...
 Mar 24 20:14:52 majuan ovsdb-server:
 00010|reconnect|INFO|unix:/tmp/stream-unix.4694.0: connected
 Mar 24 20:14:52 majuan ovs-brcompatd: 3|brcompatd|INFO|kernel
 reported network device eth0 removed but a device by that name exists (XS
 Tools 5.0.0?)
 Mar 24 20:14:52 majuan ovs-vswitchd: 00010|dpif|WARN|sys...@dp0:
 flow_flush failed (No such device)
 Mar 24 20:14:52 majuan ovs-vswitchd: 00011|ofproto|INFO|using datapath ID
 00232099dc82
 Mar 24 20:14:52 majuan ovs-vswitchd: 00012|bridge|INFO|created bridge
 eth0 on sys...@dp0
 Mar 24 20:14:52 majuan ovs-vswitchd: 00013|bridge|INFO|created port
 tmpbridge on bridge eth0
 Mar 24 20:14:52 majuan ovs-vswitchd: 00014|netdev|WARN|failed to get
 flags for network device tmpbridge: No such device
 Mar 24 20:14:52 majuan ovs-vswitchd: 00015|bridge|WARN|could not create
 iface tmpbridge: No such device
 Mar 24 20:14:52 majuan ovs-vswitchd: 00016|dpif|WARN|sys...@dp0: failed
 to add tmpbridge as port: No such device
 Mar 24 20:14:52 majuan ovs-vswitchd: 00017|bridge|ERR|failed to add
 tmpbridge interface to sys...@dp0: No such device
 Mar 24 20:14:52 majuan ovs-vswitchd: 00018|netdev|WARN|failed to get
 flags for network device tmpbridge: No such device
 Mar 24 20:14:52 majuan ovs-vswitchd: 00019|bridge|WARN|could not open
 netdev on tmpbridge, dropping: No