Sent from my iPhone

On May 19, 2012, at 19:02, faicker mo <[email protected]> wrote:

> 
> On 2012-5-19, at 11:11 PM, Ben Pfaff wrote:
> 
>> On Sat, May 19, 2012 at 09:30:40PM +0800, faicker mo wrote:
>>> I have viewed the ovs-ofctl man page, I found that the arp match has
>>> only arp_sha and arp_dha. It can't match the source ip in arp(SPA) and
>>> destination ip(DPA) in arp. Without this, the arp spoofing can't be
>>> prevented.
>> 
>> Use nw_src or nw_dst.  This is documented in ovs-ofctl(8).
> 
> Sorry for my oversight.
> 
>> 
>>>    OVS replaces the bridge default in kernel. Ebtables can't
>>>    work. But now OVS doesn't have enough function to replace
>>>    ebtables. For example, arp_reply module in ebtables.
>> 
>> No, OVS doesn't replace anything, it provides a supplement.
> 
> But when I use OVS, I can't use ebtables (need bridge module).

Why do you need ebtables? You can construct rules to block ARP and IP spoofing
using ovs-ofctl, for example.

>> 
>>>    I have successfully realized the broute which is in ebtables by OVS.
>> 
>> I don't understand that sentence.
> 
> For this, OVS replaces ebtables 
_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
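
Added example, not part of the original thread: a shell example of the kind of ovs-ofctl rules the reply refers to, binding one port to one MAC and IPv4 address, with `nw_src` matching the ARP sender IP as noted in the thread. The bridge name `br0`, the port number, MAC and IP are constructed sample values, the function names are hypothetical, and static IPv4 addressing is assumed (DHCP requests and ARP probes sent from 0.0.0.0 would be dropped).

```shell
#!/bin/sh
# Added example: anti-spoofing flows for one port binding, in
# ovs-ofctl add-flow syntax. All values are constructed samples.

# Strict input checks: the values are pasted into a comma-separated flow
# string, so a stray "," or "=" could smuggle in extra match fields.
is_mac() {
    case $1 in *[!0-9A-Fa-f:]*) return 1;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}
is_ipv4() {
    case $1 in *[!0-9.]*) return 1;; esac
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# antispoof_flows PORT MAC IP -> prints one flow per line, returns 1 on bad input
antispoof_flows() {
    port=$1 mac=$2 ip=$3
    case $port in ''|*[!0-9]*) return 1;; esac
    is_mac "$mac" || return 1
    is_ipv4 "$ip" || return 1
    # ARP is accepted only when the Ethernet source, the ARP sender MAC
    # (arp_sha) and the ARP sender IP (nw_src on an arp flow) all match.
    echo "priority=100,in_port=$port,arp,dl_src=$mac,arp_sha=$mac,nw_src=$ip,actions=normal"
    # IPv4 is accepted only from the bound MAC and source address.
    echo "priority=100,in_port=$port,ip,dl_src=$mac,nw_src=$ip,actions=normal"
    # Any other ARP or IPv4 frame arriving on this port is dropped.
    echo "priority=90,in_port=$port,arp,actions=drop"
    echo "priority=90,in_port=$port,ip,actions=drop"
}

# install_flows BRIDGE PORT MAC IP -> pushes the flows with ovs-ofctl
install_flows() {
    bridge=$1; shift
    flows=$(antispoof_flows "$@") || return 1
    printf '%s\n' "$flows" | while IFS= read -r flow; do
        ovs-ofctl add-flow "$bridge" "$flow" || exit 1
    done
}

# Dry run: print the flows for a sample binding without touching a switch.
# To apply them: install_flows br0 1 52:54:00:12:34:56 10.0.0.5
antispoof_flows 1 52:54:00:12:34:56 10.0.0.5
```

IPv6 traffic is not covered by these four flows and needs its own rules.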