On Fri, May 04, 2012 at 06:32:11PM +0200, Oliver Francke wrote:
> First try was then:
>
> ovs-ofctl add-flow vmbr0 'in_port=504 ip idle_timeout=0
> dl_src=00:00:AA:BB:CC:DD nw_src=192.168.1.35 priority=40000
> action=resubmit(504,1)'
> ovs-ofctl add-flow vmbr0 'in_port=504 ip idle_timeout=0
> priority=30000 action=drop'
>
> # individual rules:
> ovs-ofctl del-flows vmbr0 'in_port=504'
> ovs-ofctl add-flow vmbr0 'in_port=504 table=1 tcp
> nw_src=192.168.1.35 tp_src=80 priority=1000 action=normal'
> .
> .
>
> Well, it works this way.
> But we only have 255 table entries, and up to 150 VMs per node with
> perhaps more than one network card (private backnet,
> backup network, etc.) will break this setup.
> Any other ideas? What did I miss at this point? How "expensive" will
> it be, if every VM has at least some rules to prevent
> MAC-/IP-faking?
You don't need a table per VM. Use table 0 to check your ingress rules and resubmit to table 1 if they pass. Use table 1 to check egress rules and forward to the destination if they pass.

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
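The two-table layout from the reply above, written out as an added example (not code from either poster and not part of the original thread): a POSIX shell generator that emits a flow file for `ovs-ofctl add-flows vmbr0 -`. Table 0 holds the per-port ingress check (packets from a VM port must carry the assigned MAC and IP, or the assigned MAC and ARP sender IP, or they are dropped) and resubmits survivors to table 1; table 1 holds the per-port egress policy and hands allowed traffic to NORMAL forwarding. The VM inventory (OpenFlow ports 504/505, the MACs, addresses and allowed services) is constructed sample data, and the priorities are arbitrary choices; only tables 0 and 1 are used no matter how many VMs there are, so the 255-table ceiling never comes into play.

```shell
#!/bin/sh
# Flow generator for the two-table layout: table 0 = per-port ingress
# anti-spoofing, table 1 = per-port egress policy, then NORMAL forwarding.
# Pipe the output into: ovs-ofctl add-flows vmbr0 -
set -eu

# Constructed inventory, one VM port per line (made-up sample values):
#   ofport  dl_src             nw_src         allowed egress matches ...
VMS='504 00:00:aa:bb:cc:dd 192.168.1.35 tcp,tp_src=80 tcp,tp_dst=53 udp,tp_dst=53
505 00:00:aa:bb:cc:ee 192.168.1.36 tcp,tp_dst=22'

# vm_flows OFPORT MAC IP [MATCH ...]
# Emits the flows for one VM port. Every packet from the port must carry the
# assigned MAC and IP (or, for ARP, the assigned sender IP) to reach table 1;
# anything else from that port is dropped in table 0. in_port is still valid
# after resubmit, so the table 1 rules are scoped to this VM's port.
vm_flows() {
    port=$1 mac=$2 ip=$3
    shift 3
    # table 0: ingress checks (MAC+IP, MAC+ARP sender IP), else drop
    printf 'table=0,priority=100,in_port=%s,dl_src=%s,ip,nw_src=%s,actions=resubmit(,1)\n' "$port" "$mac" "$ip"
    printf 'table=0,priority=100,in_port=%s,dl_src=%s,arp,nw_src=%s,actions=resubmit(,1)\n' "$port" "$mac" "$ip"
    printf 'table=0,priority=50,in_port=%s,actions=drop\n' "$port"
    # table 1: egress policy; ARP always passes, then the allowed services,
    # everything else from this port is dropped
    printf 'table=1,priority=100,in_port=%s,arp,actions=normal\n' "$port"
    for m in "$@"; do
        printf 'table=1,priority=100,in_port=%s,%s,actions=normal\n' "$port" "$m"
    done
    printf 'table=1,priority=50,in_port=%s,actions=drop\n' "$port"
}

# all_flows: flows for every VM plus the defaults for non-VM ports
# (uplink, host port), which skip the ingress check and are forwarded
# normally. Only VM ports have a table 1 drop, so host traffic is unaffected.
all_flows() {
    printf '%s\n' "$VMS" | while read -r port mac ip rest; do
        [ -n "$port" ] || continue
        # $rest is intentionally unquoted: each word is one egress match
        vm_flows "$port" "$mac" "$ip" $rest
    done
    printf 'table=0,priority=0,actions=resubmit(,1)\n'
    printf 'table=1,priority=0,actions=normal\n'
}

# flow_count: number of flows generated, i.e. 5 + allowed services per VM
# port, plus the 2 defaults. This is the real cost of the scheme: a handful
# of flows per port, not a table per VM.
flow_count() {
    all_flows | wc -l | tr -d ' '
}

# Usage: ovs-ofctl del-flows vmbr0 && all_flows | ovs-ofctl add-flows vmbr0 -
```

Run `ovs-ofctl del-flows vmbr0` first so stale per-VM rules from earlier attempts do not linger; the ofport for a tap interface comes from `ovs-vsctl get Interface tapNAME ofport`. Two caveats: a VM that legitimately uses several addresses needs one IP and one ARP line per address in table 0, and `nw_src` on an `arp` match only constrains the sender address, so ARP replies that a VM answers on behalf of another host are still blocked, which is the intended anti-spoofing behaviour here.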
