Hi Kristoffer,

Are you receive

I checked my environment for your issue. I think your ovs-ofctl flow doesn't receive a response from itself.

On your situation:

1. ARP function
   ARP request; from a6:1e:29:3d:69:51 to FF:FF:FF:FF:FF:FF  <= "Permit"
   ARP reply; from MAC of target to a6:1e:29:3d:69:51        <= "Deny"

2. PING function
   ICMP echo request; from a6:1e:29:3d:69:51 to *******      <= "Permit"
   ICMP echo reply; from ******* to a6:1e:29:3d:69:51        <= "Deny"

And, I think your filter doesn't need an IP address for the PING filter, because a MAC address only has one IP address, so there is one related VIF. Would you like to set the filter on your "vif[dom-id].[eth id]"?

#My test filter
#deny filter from 172.16.1.1
-------------------
ovs-ofctl del-flows xapi7
ovs-ofctl add-flow xapi7 "priority=30002 dl_type=0x0806 dl_dst=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=30000 dl_type=0x0806 dl_src=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=20001 ip dl_dst=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=20000 ip dl_src=92:e0:5b:93:5f:50 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=10000 ip nw_src=192.168.0.0/16 nw_dst=192.168.0.0/16 idle_timeout=0 action=normal"
ovs-ofctl add-flow xapi7 "priority=0 idle_timeout=0 actions=drop"
ovs-ofctl dump-flows xapi7
-------------------

Vif level flow filter
-------------------
ovs-ofctl del-flows xapi7
ovs-ofctl add-flow xapi7 "priority=20002 in_port=7 ip nw_src=172.16.1.0/24 nw_dst=172.16.1.0/24 idle_timeout=0 action=drop"
ovs-ofctl add-flow xapi7 "priority=0 idle_timeout=0 actions=NORMAL"
ovs-ofctl dump-flows xapi7
-------------------

##################################################################
quotation from Knowledge Base of Citrix
-------------------
Note: VIF names are dynamically created on VM start. VIF names are constructed with the following structure vifx.y, where x is the domain id of the VM and y is the device number.

The dynamic part of the name is the domain ID because it may change on VM start.

xe vm-list name-label=<name of vm> params=dom-id

Example:
xe vm-list name-label=cps_att params=dom-id
dom-id ( RO) : 16

Identify the VIF device number.

xe vif-list vm-name-label=<name of vm>

Example:
xe vif-list vm-name-label=cps_att params=device
device ( RO) : 0
-------------------
Knowledge Base of Citrix
http://support.citrix.com/article/CTX120869
Knowledge Base of Citrix (in Japanese)
http://support.citrix.com/article/CTX122455

vif"xx"."yy" => xx: dom id, yy: eth id (e.g. vif14.0 <= dom id: 4, eth id: 0)

e.g. How to find the vif interface name for eth0 of 64-EN-Cent5-Pool5-1

check dom id
-------------------
[root@vmatsuno1 ~]# xe vm-list name-label=64-EN-Cent5-Pool5-1 params=dom-id
dom-id ( RO) : 14
-------------------

check vif list of VM
-------------------
[root@vmatsuno1 ~]# xe vif-list vm-name-label=64-EN-Cent5-Pool5-1 params=device
device ( RO) : 1
device ( RO) : 0
-------------------

check status of vif14.0 with ifconfig command
-------------------
[root@vmatsuno1 ~]# ifconfig vif14.0
vif14.0   Link encap:Ethernet  HWaddr FE:FF:FF:FF:FF:FF
          UP BROADCAST RUNNING NOARP  MTU:1500  Metric:1
          RX packets:238667 errors:0 dropped:0 overruns:0 frame:0
          TX packets:85413 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:32
          RX bytes:19558756 (18.6 MiB)  TX bytes:7912064 (7.5 MiB)
-------------------
##################################################################

Kind regards,
Kasugai

2011/5/3 Ben Pfaff <[email protected]>:
> On Mon, May 02, 2011 at 01:43:36PM +0200, Kristoffer Egefelt wrote:
>> I'm trying to add rules to ovs to prevent virtual machines stealing ip
>> addresses from each other.
>> Using XCP, based on XENSERVER 5.6fp1 with ovs version 1.0.2.
>
> Your setup looks OK to me. I see that none of your rules have any
> hits. That's odd--it seems likely that the switch has fallen into
> "fail open" mode. Do you have a controller configured?

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
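The situation Kasugai diagnoses above (a one-directional filter that only permits frames from the VM's MAC, so the ARP and ICMP replies fall through to the drop rule, and the fix of adding permits keyed on dl_dst), worked through as an added example that is not part of this thread: a small Python model of ovs-ofctl flow matching run over the ARP and ICMP request/reply pairs. The MACs are the ones quoted in the thread; the IP addresses and the fifth, spoofed frame are constructed.

```python
import ipaddress
# Added example: minimal model of ovs-ofctl flow matching (highest priority wins,
# all match fields must agree). MACs are from the thread; IPs are constructed.
VM_MAC, PEER_MAC = "a6:1e:29:3d:69:51", "92:e0:5b:93:5f:50"
VM_IP, PEER_IP, BCAST = "192.168.1.10", "192.168.1.20", "ff:ff:ff:ff:ff:ff"

def parse_flow(spec):
    """Parse one ovs-ofctl flow string into (priority, match dict, action)."""
    prio, match, action = 0, {}, "normal"
    for tok in spec.replace(",", " ").split():
        key, _, val = tok.partition("=")
        if tok == "ip":                        # shorthand for dl_type=0x0800
            match["dl_type"] = 0x0800
        elif key == "priority":
            prio = int(val)
        elif key in ("action", "actions"):
            action = val.lower()
        elif key in ("nw_src", "nw_dst"):      # network fields match by prefix
            match[key] = ipaddress.ip_network(val, strict=False)
        elif key != "idle_timeout":            # timeouts do not affect matching
            match[key] = int(val, 0) if key in ("dl_type", "in_port") else val.lower()
    return prio, match, action

def lookup(flows, pkt):
    """Action of the highest-priority flow whose every field matches pkt."""
    for prio, match, action in sorted(flows, key=lambda f: -f[0]):
        if all(k in pkt and (pkt[k] in v if isinstance(v, ipaddress.IPv4Network)
                             else pkt[k] == v) for k, v in match.items()):
            return action
    return "miss"    # not reached below: both tables end in a priority=0 catch-all

ONE_WAY = [parse_flow(s) for s in (   # only frames *from* the VM pass; replies drop
    f"priority=30000 dl_type=0x0806 dl_src={VM_MAC} action=normal",
    f"priority=20000 ip dl_src={VM_MAC} nw_src={VM_IP} action=normal",
    "priority=0 idle_timeout=0 actions=drop")]
TWO_WAY = ONE_WAY + [parse_flow(s) for s in (   # Kasugai's shape: dl_dst permits
    f"priority=30002 dl_type=0x0806 dl_dst={VM_MAC} action=normal",
    f"priority=20001 ip dl_dst={VM_MAC} action=normal")]

def frame(dl_type, src, dst, **ip):
    return {"dl_type": dl_type, "dl_src": src, "dl_dst": dst,
            **{k: ipaddress.ip_address(v) for k, v in ip.items()}}

def ping_exchange(flows):
    """ARP request, ARP reply, ICMP request, ICMP reply, then a spoofed request."""
    return [lookup(flows, p) for p in (
        frame(0x0806, VM_MAC, BCAST), frame(0x0806, PEER_MAC, VM_MAC),
        frame(0x0800, VM_MAC, PEER_MAC, nw_src=VM_IP, nw_dst=PEER_IP),
        frame(0x0800, PEER_MAC, VM_MAC, nw_src=PEER_IP, nw_dst=VM_IP),
        frame(0x0800, VM_MAC, PEER_MAC, nw_src=PEER_IP, nw_dst=VM_IP))]
```

With ONE_WAY the two replies come back as "drop" while the requests pass, which is the symptom in the thread; with TWO_WAY all four pass and only the spoofed frame (VM sourcing the peer's IP) is dropped.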
