Adding tcp and udp made the port numbers show up, which is helpful and allowed me to debug some more. I had to allow dns over 5353, as those flows were being deleted.

I found the cause of the second NIC getting an IP on the external network: that happens when the arp rules are enabled. I will have to find a way to restrict those. I can still connect out on SSH and ping, so I don't think enough is being blocked and/or I am still allowing too much through, but I can try to pin down the problem and debug some more tomorrow.

Here is my current ovs-ofctl dump-flows externalbr:

duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, arp,dl_dst=52:54:00:aa:bb:cc,tp_src=0,tp_dst=0,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, arp,dl_src=52:54:00:aa:bb:cc,tp_src=0,tp_dst=0,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_dst=52:54:00:aa:bb:cc,tp_dst=68,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_src=52:54:00:aa:bb:cc,tp_dst=67,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_dst=52:54:00:aa:bb:cc,tp_src=5353,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_src=52:54:00:aa:bb:cc,tp_dst=5353,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_dst=52:54:00:aa:bb:cc,tp_src=53,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_src=52:54:00:aa:bb:cc,tp_dst=53,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, tcp,dl_dst=52:54:00:aa:bb:cc,tp_src=80,actions=NORMAL
duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, tcp,dl_src=52:54:00:aa:bb:cc,tp_dst=80,actions=NORMAL

I will go through tomorrow and see if I can find my problem. Any suggestions or hints are always welcome.

Thanks!
Todd

On Thu, Feb 11, 2010 at 10:15 PM, Justin Pettit <[email protected]> wrote:
> The first thing to check is that you're specifying the protocols all the way
> up in your flow-add command. For TCP/IP/Ethernet you can use the shortcut
> "tcp". Similarly, there's "udp" for UDP, etc. It should be in the ovs-ofctl
> man page, but it's easy to miss.
>
> Try that and let us know how the other things work out.
>
> --Justin
>
> (Sent from my phone. Sorry for any typos.)
>
>
> On Feb 11, 2010, at 6:42 PM, Todd Deshane <[email protected]> wrote:
>
>> Hi All,
>>
>> I almost have open vSwitch working the way I want it to, but I am
>> running across some unexpected problems. I've set up 2 switches, an
>> internal and an external, with the initial configuration of:
>>
>> bridge.internalbr.port=internalbr
>> bridge.externalbr.port=externalbr
>> bridge.internalbr.mac=00:11:22:aa:cc:ee
>> bridge.externalbr.mac=00:11:22:bb:aa:dd
>> bridge.externalbr.port=eth0
>>
>> I have a script that starts a VM with two nics, and connects one nic
>> to the internal switch and one to the external switch by automatically
>> appending to the ovs-switchd.conf and then sending a HUP signal to the
>> ovs-switchd process (as was suggested in a previous thread).
>>
>> As the guest boots the following lines are added (before sending the HUP):
>> bridge.internalbr.port=tap0
>> bridge.externalbr.port=tap1
>>
>> I then remove the default flow from the externalbr flow table with:
>> ovs-ofctl del-flows externalbr priority=0
>>
>> And add a series of flows from a file (with the ovs-ofctl add-flows
>> command):
>> dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
>> dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
>> dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
>> dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
>> dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
>> dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal
>>
>> My intention is to default deny all and only allow what is absolutely
>> necessary for this particular VM to get an IP (dhcp outgoing to server
>> port 67 and dhcp incoming to port 68), connect to web servers
>> (over port 80) and do dns lookups (port 53).
>>
>> There are a couple of things that I can't figure out yet. One is how to
>> get a dump-flows that includes the port numbers (tp_dst and tp_src).
>> Is there a command that will show them?
>>
>> The VM can connect on port 22 and can be contacted over port 22, both
>> of which should be disallowed.
>>
>> The relevant output of:
>> ovs-ofctl dump-flows externalbr (which doesn't show the tp_dst or tp_src
>> ports)
>>
>> Feb 11 20:33:03|00001|ofctl|INFO|connecting to unix:/usr/local/var/run/externalbr.mgmt
>> stats_reply (xid=0x80bb7ffe): flags=none type=1(flow)
>> duration=1955s, table_id=1, priority=32768, n_packets=46, n_bytes=8753, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
>> duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
>> duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
>> duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
>> duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
>> duration=1955s, table_id=1, priority=0, n_packets=16, n_bytes=3092, actions=NORMAL
>>
>> The output of other commands, such as ovs-dpctl show, seems to make
>> sense, but I can post other things if that helps, just let me know.
>>
>> Other things that don't make sense to me are that the base system
>> can't connect to the guest via SSH (even though it can be connected to
>> from external hosts), that the guest NIC connected to the internalbr
>> gets an external IP address over DHCP on the eth0 (external) network,
>> and finally that the network for the host doesn't work correctly
>> (without it being restarted), which probably has something to do with
>> how the switch does its learning.
>>
>> Any thoughts, suggestions, or things to try would be greatly appreciated.
>>
>> Thanks,
>> Todd
>>
>>
>> --
>> Todd Deshane
>> http://todddeshane.net
>> http://runningxen.com
>>
>> _______________________________________________
>> discuss mailing list
>> [email protected]
>> http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
>

--
Todd Deshane
http://todddeshane.net
http://runningxen.com
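The failure mode in this thread is a fail-open one: the original flow file named tp_src/tp_dst without a transport protocol, the dump-flows output shows those rules were installed as bare dl_src/dl_dst matches (hence SSH on port 22 still worked), and Justin's fix is to prefix each rule with tcp or udp. The following Python linter is an added example, not code from the thread or from the Open vSwitch project; it parses flow lines of the kind passed to ovs-ofctl add-flows or printed by dump-flows, reports rules whose port match will be dropped for lack of a protocol, rules mixing ARP with transport ports, and the priority=0 catch-all that a default-deny policy must delete. The sample inputs are the flow lines quoted in the thread; the "corrected" set is an assumption of what the flows look like after applying Justin's advice, and the field-dropping behaviour is taken from what the dump in the thread shows rather than from any newer OVS version.

```python
"""Lint ovs-ofctl flow specifications for silently widened matches.

Added example; the flow strings below are copied from the mailing-list thread
as constructed test input. Findings modelled on the thread:
  * tp_src/tp_dst without tcp/udp (or dl_type+nw_proto) is dropped by the
    switch, so the rule collapses to a MAC-only allow;
  * transport ports have no meaning on an arp rule;
  * a match-nothing rule with actions=NORMAL is the catch-all allow that a
    default-deny policy removes (the priority=0 flow deleted in the thread).
"""

L4_KEYWORDS = {"tcp", "udp", "icmp", "sctp"}
PORT_FIELDS = {"tp_src", "tp_dst"}
# Fields that appear in add-flows input or dump-flows output but do not
# narrow the match.
NON_MATCH_FIELDS = {"duration", "table_id", "table", "priority", "n_packets",
                    "n_bytes", "idle_timeout", "hard_timeout", "cookie",
                    "idle_age"}


def parse_flow(line):
    """Split one flow line into (keywords, fields, actions).

    Partitioning on 'actions=' first keeps comma-separated action lists intact.
    """
    match_part, _, actions = line.strip().partition("actions=")
    keywords, fields = set(), {}
    for tok in match_part.split(","):
        tok = tok.strip()
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            fields[key.strip()] = value.strip()
        else:
            keywords.add(tok)
    return keywords, fields, actions.strip() or None


def has_l4_protocol(keywords, fields):
    """True when the transport protocol is pinned, so tp_* fields apply."""
    if keywords & L4_KEYWORDS:
        return True
    ipv4 = "ip" in keywords or fields.get("dl_type", "").lower() in ("0x0800", "0x800")
    return ipv4 and "nw_proto" in fields


def effective_match(keywords, fields):
    """The match as the switch will apply it: tp_* dropped without an L4 protocol."""
    parts = sorted(keywords)
    for key, value in fields.items():
        if key in NON_MATCH_FIELDS:
            continue
        if key in PORT_FIELDS and not has_l4_protocol(keywords, fields):
            continue
        parts.append("%s=%s" % (key, value))
    return ",".join(parts) or "<any>"


def lint_flow(line):
    """Return a list of findings for one flow line; an empty list means clean."""
    keywords, fields, actions = parse_flow(line)
    findings = []
    ports = PORT_FIELDS & set(fields)
    effective = effective_match(keywords, fields)
    if ports and not has_l4_protocol(keywords, fields):
        findings.append("port match without transport protocol; effective match is %r"
                        % effective)
    if "arp" in keywords and ports:
        findings.append("arp rule carries transport port fields, which have no meaning for ARP")
    if effective == "<any>" and actions and actions.lower() == "normal":
        findings.append("catch-all allow; delete it for default-deny")
    return findings


def lint_flows(text):
    """Lint every non-empty line; return {line: findings} for flagged lines only."""
    report = {}
    for line in text.splitlines():
        if line.strip():
            findings = lint_flow(line)
            if findings:
                report[line.strip()] = findings
    return report


# Constructed inputs copied from the thread.
ORIGINAL_FLOWS = """
dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal
"""
# Assumed corrected set: the same rules with the protocol named, as Justin advises.
CORRECTED_FLOWS = """
tcp,dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
tcp,dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
udp,dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
udp,dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
udp,dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
udp,dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal
"""
DEFAULT_FLOW = "duration=1955s, table_id=1, priority=0, n_packets=16, n_bytes=3092, actions=NORMAL"
ARP_FLOW = "duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, arp,dl_dst=52:54:00:aa:bb:cc,tp_src=0,tp_dst=0,actions=NORMAL"

if __name__ == "__main__":
    for line, findings in lint_flows(ORIGINAL_FLOWS).items():
        print(line, "->", "; ".join(findings))
    print("corrected set:", lint_flows(CORRECTED_FLOWS) or "clean")
    print("default flow:", lint_flow(DEFAULT_FLOW))
    print("arp flow:", lint_flow(ARP_FLOW))
```

Run it against a flow file before handing it to ovs-ofctl add-flows, or pipe dump-flows output through lint_flows to confirm that what the switch installed still carries the port match you intended; the effective-match string is the quickest way to see that a rule meant to allow only port 80 has become "dl_src=52:54:00:aa:bb:cc".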
