On Mon, Feb 6, 2012 at 7:21 AM, Mike Bursell <[email protected]> wrote:
> Given that there are a number of hooks provided by netfilter, when using OVS, at which point do the OVS rules get applied with respect to the netfilter hooks for things like iptables, please?
>
> Also, does the use of OVS disable any of the netfilter hooks, or are they completely independent of each other?
>
> I guess the underlying question is: what interactions might be expected between OVS and netfilter hook-using components? What's considered safe, and what isn't? I could see some pretty confusing behaviours if they start interacting in unexpected ways. Are there any differences in behaviour between ebtables, iptables and arptables in this context?
>
> Given that there's some overlap in the capabilities of iptables and OVS, is it expected that people would/should use both iptables and OVS at the same time, or would we expect OVS to be used to replace iptables in all cases?
It doesn't disable any hooks per se, but those that reside in the bridge module won't get called because traffic doesn't flow through the bridge. Specifically, ebtables won't have any effect. For things like filtering or anti-spoofing where you might use ebtables or arptables, it makes sense to use the equivalent OVS mechanisms (and for complex rule sets OVS will be faster).

If the packet passes through the IP stack for routing or NAT, then iptables will have an effect, and it makes sense to use it for those types of stateful or ALG-based mechanisms since OVS isn't really set up to handle that.

In other words, it replaces the link-layer section of your diagram.

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
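The "equivalent OVS mechanisms" the reply points to, as an added example that is not part of the thread: a shell script that generates the ovs-ofctl flows doing the anti-spoofing job ebtables/arptables would otherwise do on a Linux bridge. Bridge name `br0`, OpenFlow port 3, and the MAC/IP pair are assumed sample values.

```shell
#!/bin/sh
# Added example, not from the original thread. OVS flows that pin one VM port to a
# single MAC/IP pair, replacing an ebtables/arptables anti-spoofing rule set.
# Bridge name, port number, MAC and IP are assumed values.
BRIDGE="${BRIDGE:-br0}"

# antispoof_flows PORT MAC IP
# Print OpenFlow rules in ovs-ofctl add-flows syntax:
#  - ARP is allowed only with the expected sender MAC (arp_sha) and IP (arp_spa)
#  - IPv4 is allowed only with the expected source MAC and IP
#  - DHCP from 0.0.0.0 (client port 68 -> server port 67) stays allowed so a fresh
#    VM can still obtain its lease before it has the expected address
#  - anything else arriving on PORT (including IPv6, which would need its own
#    rules) is dropped by a lower-priority catch-all for that port
antispoof_flows() {
    port="$1"; mac="$2"; ip="$3"
    cat <<EOF
priority=100,in_port=${port},arp,arp_sha=${mac},arp_spa=${ip},actions=normal
priority=100,in_port=${port},ip,dl_src=${mac},nw_src=${ip},actions=normal
priority=100,in_port=${port},udp,dl_src=${mac},nw_src=0.0.0.0,tp_src=68,tp_dst=67,actions=normal
priority=90,in_port=${port},actions=drop
EOF
}

# default_flow: every other port keeps ordinary L2 learning/forwarding ("normal"),
# so packets the host routes still traverse the IP stack and hit iptables as usual.
default_flow() {
    echo "priority=0,actions=normal"
}

# apply_antispoof PORT MAC IP: load the whole rule set in one ovs-ofctl call
apply_antispoof() {
    { antispoof_flows "$@"; default_flow; } | ovs-ofctl add-flows "$BRIDGE" -
}

# Guarded usage: sh antispoof.sh apply 3 52:54:00:aa:bb:cc 10.0.0.5
if [ "${1-}" = "apply" ]; then
    shift
    apply_antispoof "$@"
fi
```

Verify the result with `ovs-ofctl dump-flows br0` and `ovs-appctl ofproto/trace br0 in_port=3,arp,arp_sha=<other-mac>`, which should end in the drop rule.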
