Hi,
first of all: I have things up and running, but it does not scale at the
end of the day.
Tasks:
- prevent a user from making trouble if he fakes the MAC address inside the VM
- prevent a user from making trouble if he fakes the IP address inside the VM
- continue with valid packets and the "normal" firewall rules.
Solved in iptables via:
# per-interface chain that holds the "normal" rules of this VM
iptables -N tap822i0d0
# anti-spoofing: drop frames from this tap whose source MAC is not the VM's
iptables -A FORWARD -m physdev --physdev-in tap822i0d0 -m mac ! --mac-source 00:00:AA:BB:CC:DD -j DROP
# no local-network-control multicast from the VM
iptables -A FORWARD -m physdev --physdev-in tap822i0d0 -d 224.0.0.0/24 -j DROP
# only the VM's own IP may continue to the individual rules
iptables -A FORWARD -s 192.168.1.35/32 -m physdev --physdev-in tap822i0d0 -j tap822i0d0
# everything else from this tap: log, then drop (prefix quoted so the shell
# does not treat the brackets as a glob)
iptables -A FORWARD -m physdev --physdev-in tap822i0d0 -j LOG --log-prefix '[IF=tap822i0d0]:'
iptables -A FORWARD -m physdev --physdev-in tap822i0d0 -j DROP
# individual rules:
iptables -A tap822i0d0 -m physdev --physdev-in tap822i0d0 -s 192.168.1.35/32 -d 0.0.0.0/0 -p tcp --sport 80 -j ACCEPT
.
.
The biggest difficulty is the exclamation mark to negate a MAC:
"If MAC != <MAC-applied> DROP"
Is this not available in the OpenFlow syntax? I could have been too
blind, though.
First try was then:
# table 0: only the VM's own MAC/IP pair may continue to table 1 ...
ovs-ofctl add-flow vmbr0 'table=0,priority=40000,in_port=504,ip,dl_src=00:00:AA:BB:CC:DD,nw_src=192.168.1.35,idle_timeout=0,actions=resubmit(504,1)'
# ... all other IP traffic arriving on port 504 is dropped
ovs-ofctl add-flow vmbr0 'table=0,priority=30000,in_port=504,ip,idle_timeout=0,actions=drop'
# individual rules: clear only this port's table-1 entries; without table=1
# del-flows would also remove the anti-spoof flows above
ovs-ofctl del-flows vmbr0 'table=1,in_port=504'
ovs-ofctl add-flow vmbr0 'table=1,priority=1000,in_port=504,tcp,nw_src=192.168.1.35,tp_src=80,actions=normal'
.
.
Well, it works this way.
But we only have 255 table entries, and up to 150 VMs per node with
perhaps more than one network card (private backnet, backup network,
etc.) will break this setup.
Any other ideas? What did I miss at this point? How "expensive" will it
be if every VM has at least some rules to prevent MAC/IP faking?
Sorry for this longish mail and thanks for any hints ;)
Regards,
Oliver.
--
Oliver Francke
filoo GmbH
Moltkestraße 25a
33330 Gütersloh
HRB4355 AG Gütersloh
Managing directors: S.Grewing | J.Rehpöhler | C.Kunz
Follow us on Twitter: http://twitter.com/filoogmbh
_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
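As an added example, not part of Oliver's mail or of Open vSwitch itself, the following sh script generates the two-stage flows described above for a whole list of VM NICs so that every VM shares table 0 and table 1 (both keyed on in_port), which keeps the table count at two regardless of the number of VMs; it goes beyond the mail's flows by also pinning ARP to the VM's MAC/IP. The bridge name vmbr0 is from the mail; the port numbers, MACs and addresses are constructed.

```shell
#!/bin/sh
# Added example, not code from the original mail: emit the anti-spoof flows
# for every VM NIC on one bridge so that all VMs share table 0 and table 1
# (both keyed on in_port) instead of needing a table per VM.
# The bridge name vmbr0 comes from the mail; the port numbers, MACs and
# IPs below are constructed sample data.
BR=vmbr0

# gen_vm_flows PORT MAC IP : flows for one VM NIC.
# Table 0 lets only the exact (port, MAC, IP) triple continue to table 1,
# for IP and for ARP (so the guest cannot claim another host's address
# in ARP either); anything else entering on that port is dropped.
# Table 1 holds the "normal" per-VM firewall rules matched on in_port
# only, since table 0 has already checked the source MAC and IP.
gen_vm_flows() {
    port=$1 mac=$2 ip=$3
    printf 'table=0,priority=40000,in_port=%s,ip,dl_src=%s,nw_src=%s,actions=resubmit(%s,1)\n' \
        "$port" "$mac" "$ip" "$port"
    printf 'table=0,priority=40000,in_port=%s,arp,dl_src=%s,arp_sha=%s,arp_spa=%s,actions=resubmit(%s,1)\n' \
        "$port" "$mac" "$mac" "$ip" "$port"
    printf 'table=0,priority=30000,in_port=%s,actions=drop\n' "$port"
    printf 'table=1,priority=1000,in_port=%s,tcp,tp_src=80,actions=normal\n' "$port"
    printf 'table=1,priority=1000,in_port=%s,arp,actions=normal\n' "$port"
    # explicit default deny per port, the counterpart of the iptables LOG/DROP
    printf 'table=1,priority=0,in_port=%s,actions=drop\n' "$port"
}

# gen_all_flows : flows for the whole (constructed) inventory, one NIC per
# line as "port mac ip"; on a real node this list comes from the VM configs.
gen_all_flows() {
    while read -r port mac ip; do
        gen_vm_flows "$port" "$mac" "$ip"
    done <<EOF
504 00:00:AA:BB:CC:DD 192.168.1.35
505 00:00:AA:BB:CC:DE 192.168.1.36
506 00:00:AA:BB:CC:DF 192.168.1.37
EOF
}

# tables_used : number of distinct flow tables the generated flows occupy
# (stays at 2 however many VMs are listed).
tables_used() {
    sed -n 's/^table=\([0-9]*\),.*/\1/p' | sort -u | wc -l | tr -d ' '
}

# Load all flows in one call; "-" makes add-flows read them from stdin.
# Run this on the node that hosts the bridge:
# gen_all_flows | ovs-ofctl add-flows "$BR" -
```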