Hi All,

I almost have Open vSwitch working the way I want it to, but I am running across some unexpected problems. I've set up two switches, an internal and an external, with the initial configuration of:

bridge.internalbr.port=internalbr
bridge.externalbr.port=externalbr
bridge.internalbr.mac=00:11:22:aa:cc:ee
bridge.externalbr.mac=00:11:22:bb:aa:dd
bridge.externalbr.port=eth0

I have a script that starts a VM with two NICs, and connects one NIC to the internal switch and one to the external switch by automatically appending to the ovs-switchd.conf and then sending a HUP signal to the ovs-switchd process (as was suggested in a previous thread). As the guest boots, the following lines are added (before sending the HUP):

bridge.internalbr.port=tap0
bridge.externalbr.port=tap1

I then remove the default flow from the externalbr flow table with:

ovs-ofctl del-flows externalbr priority=0

and add a series of flows from a file (with the ovs-ofctl add-flows command):

dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal

My intention is to default deny all and only allow what is absolutely necessary for this particular VM to get an IP (DHCP outgoing to server port 67 and DHCP incoming to port 68), connect to web servers (over port 80) and do DNS lookups (port 53).

There are a couple of things that I can't figure out yet. One is how to get a dump-flows that includes the port numbers (tp_dst and tp_src). Is there a command that will show them? The VM can connect on port 22 and can be contacted over port 22, both of which should be disallowed.

The relevant output of: ovs-ofctl dump-flows externalbr (which doesn't show the tp_dst or tp_src ports)

Feb 11 20:33:03|00001|ofctl|INFO|connecting to unix:/usr/local/var/run/externalbr.mgmt
stats_reply (xid=0x80bb7ffe): flags=none type=1(flow)
 duration=1955s, table_id=1, priority=32768, n_packets=46, n_bytes=8753, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
 duration=1955s, table_id=1, priority=0, n_packets=16, n_bytes=3092, actions=NORMAL

The output of other commands, such as ovs-dpctl show, seems to make sense, but I can post other things if that helps, just let me know.

Other things that don't make sense to me are that the base system can't connect to the guest via SSH (even though it can be connected to from external hosts), that the guest NIC connected to the internalbr gets an external IP address over DHCP on the eth0 (external) network, and finally that the network for the host doesn't work correctly (without it being restarted), which probably has something to do with how the switch does its learning.

Any thoughts, suggestions, or things to try would be greatly appreciated.

Thanks,
Todd
--
Todd Deshane
http://todddeshane.net
http://runningxen.com
_______________________________________________
discuss mailing list
http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
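Added example (editor's code, not from the post above or from the Open vSwitch project). In ovs-ofctl flow syntax, tp_src and tp_dst only take effect when nw_proto is also given (6 for TCP, 17 for UDP), and nw_proto in turn requires dl_type=0x0800 (IPv4); a rule written as "dl_src=...,tp_dst=80" therefore matches on dl_src alone, which is consistent with the dump-flows output in the post showing nothing but dl_src/dl_dst. The script below regenerates the posted default-deny rule set with those prerequisites spelled out, adds the ARP and broadcast-DHCP rules a default-deny table needs, and runs a small checker over both the posted rules and the corrected ones. The MAC 52:54:00:aa:bb:cc and the bridge name externalbr are taken from the post; the APPLY environment variable is an assumption of this example, and the --strict behaviour of del-flows (priority is otherwise ignored) is documented ovs-ofctl behaviour.

```shell
#!/bin/sh
# Added example, not code from the post or from Open vSwitch.
# Builds a default-deny flow file for the VM described above and checks each
# rule for missing match prerequisites: tp_src/tp_dst need nw_proto, and
# nw_proto/nw_src/nw_dst need dl_type=0x0800.

VM_MAC=52:54:00:aa:bb:cc        # guest MAC from the post
BRIDGE=${BRIDGE:-externalbr}    # bridge name from the post
BCAST=ff:ff:ff:ff:ff:ff

# The rules exactly as posted (copied from the message above), used as checker input.
POSTED_FLOWS='dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal'

# Emit the corrected flow file in ovs-ofctl add-flows syntax. Every L4 rule
# carries dl_type and nw_proto; ARP is allowed because nothing at L3 works
# without it; DHCP replies may arrive as Ethernet broadcast, so that case is
# allowed too. The priority-0 drop makes the default deny explicit (it also
# covers every other port on the bridge, e.g. the host's own).
gen_flows() {
    cat <<EOF
priority=10,dl_src=$VM_MAC,dl_type=0x0800,nw_proto=6,tp_dst=80,actions=normal
priority=10,dl_dst=$VM_MAC,dl_type=0x0800,nw_proto=6,tp_src=80,actions=normal
priority=10,dl_src=$VM_MAC,dl_type=0x0800,nw_proto=17,tp_dst=53,actions=normal
priority=10,dl_dst=$VM_MAC,dl_type=0x0800,nw_proto=17,tp_src=53,actions=normal
priority=10,dl_src=$VM_MAC,dl_type=0x0800,nw_proto=17,tp_src=68,tp_dst=67,actions=normal
priority=10,dl_dst=$VM_MAC,dl_type=0x0800,nw_proto=17,tp_src=67,tp_dst=68,actions=normal
priority=10,dl_dst=$BCAST,dl_type=0x0800,nw_proto=17,tp_src=67,tp_dst=68,actions=normal
priority=10,dl_src=$VM_MAC,dl_type=0x0806,actions=normal
priority=10,dl_dst=$VM_MAC,dl_type=0x0806,actions=normal
priority=10,dl_dst=$BCAST,dl_type=0x0806,actions=normal
priority=0,actions=drop
EOF
}

# Read flow rules on stdin and report any L4 port match without nw_proto, or
# any IP-layer match without dl_type=0x0800. The tcp/udp/icmp keywords imply
# both prerequisites and are accepted. Returns 1 if anything was flagged.
check_prereqs() {
    bad=0
    while IFS= read -r rule; do
        case "$rule" in ''|'#'*) continue ;; esac
        case "$rule" in
            *tp_src=*|*tp_dst=*)
                case "$rule" in
                    *nw_proto=*|*tcp*|*udp*) ;;
                    *) echo "missing nw_proto for L4 port match: $rule"; bad=1 ;;
                esac ;;
        esac
        case "$rule" in
            *nw_proto=*|*nw_src=*|*nw_dst=*)
                case "$rule" in
                    *dl_type=0x0800*|*tcp*|*udp*|*icmp*) ;;
                    *) echo "missing dl_type=0x0800 for IP match: $rule"; bad=1 ;;
                esac ;;
        esac
    done
    return $bad
}

echo "== rules as posted =="
printf '%s\n' "$POSTED_FLOWS" | check_prereqs || true
echo "== corrected rules =="
gen_flows | check_prereqs && gen_flows

# Apply only when asked for (APPLY=1 is this example's own convention) and
# ovs-ofctl is present. del-flows ignores priority unless --strict is given,
# so the default flow is removed strictly instead of wiping the whole table.
if [ "${APPLY:-0}" = 1 ] && command -v ovs-ofctl >/dev/null 2>&1; then
    tmp=$(mktemp)
    gen_flows > "$tmp"
    ovs-ofctl --strict del-flows "$BRIDGE" priority=0
    ovs-ofctl add-flows "$BRIDGE" "$tmp"
    ovs-ofctl dump-flows "$BRIDGE"
    rm -f "$tmp"
fi
```

Run without arguments to see the checker flag all six posted rules and print the corrected set; run with APPLY=1 on a host with ovs-ofctl to install it. After installing, dump-flows lists the dl_type, nw_proto and tp_* fields on each rule, which is the quickest way to confirm the port matches actually made it into the table.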
