Gents, I’d like to get a filter for ovs (with conntracking) in where ip-sessions only get through in one direction.
I have tested many things, but I never seem to get it right :-(

    # drop network chatter (1)
    table=0,priority=100,dl_src=01:00:00:00:00:00/01:00:00:00:00:00, actions=drop
    # drop all UDP
    table=0,priority=100,dl_type=0x0800,nw_proto=17,actions=drop
    # drop all ipv6
    table=0,in_port=131,priority=100,dl_src=52:54:00:de:ec:8d,dl_type=0x86dd,actions=drop
    # send rest in table 1 (2)
    table=0, priority=0, actions=resubmit(,1)

    # Table 1 ; stateful packet filter ( ovs >= 2.5 )
    # start dropping it all (fallthrough (lowest priority)) (3)
    table=1,priority=1,action=drop
    # allow all arp (for now) (4)
    table=1,priority=10,arp,nw_src=10.199.2.154,action=normal
    table=1,priority=10,arp,nw_dst=10.199.2.154,action=normal
    # when an ip packet arrives and is not tracked, send it to the conntracker and continue table2 (5)
    table=1,priority=100,ip,ct_state=-trk,action=ct(table=2)

    # a packet from 10... with dest MAC, that is IP, and is a NEW session packet, commit it in conntracker
    table=2,in_port=local,ip,ct_state=+trk+new,action=ct(commit),131
    # and do normal packet forwarding processing on it
    table=2,nw_src=10.199.0.0/22,dl_src=52:54:00:de:ec:8d,ip,ct_state=+trk+est,action=normal
    table=2,nw_src=10.199.0.0/22,dl_dst=52:54:00:de:ec:8d,ip,ct_state=+trk+est,action=normal
    # otherwise, all new IP sessions get dropped (6)
    table=2,in_port=131,ip,ct_state=+trk+new,action=drop
    # unless they are related to a committed session
    table=2,in_port=131,ip,ct_state=+trk+est,action=normal

(1) -> never matches, which is odd, as I would suspect that all lldp would fall in the category
(2) -> packets get matched, but…
(3) -> gets them all, instead of …. -> go to (5)
(4) -> here all ok, packets for arp are ok
(5) -> never matches -> and then it's of course no point to get further.

OTOH from a vm on the specific port, (5) and (6) match, doing exactly what I want.

What am I doing wrong?

Thanks
Jan
_______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
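As an added check, not from the post or from Open vSwitch itself: a small offline model of table 0 above, with OVS-style masked MAC matching, run against constructed frame headers (not captured traffic). It shows which rule a frame with a multicast destination and a unicast source, as LLDP frames have, actually reaches; the function names and the sample frames are assumptions of this example.

```python
# Added example: minimal model of the post's table 0 rules.
# Not OVS code; it only models masked dl_src/dl_dst, dl_type, nw_proto, in_port.

def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", ""), 16)

def mac_matches(value: str, spec: str) -> bool:
    """OVS dl_src/dl_dst match: 'addr' or 'addr/mask', compared bitwise."""
    addr, _, mask = spec.partition("/")
    m = mac_to_int(mask) if mask else 0xFFFFFFFFFFFF
    return (mac_to_int(value) & m) == (mac_to_int(addr) & m)

# Table 0 from the post as (priority, match fields, action); highest priority wins.
TABLE0 = [
    (100, {"dl_src": "01:00:00:00:00:00/01:00:00:00:00:00"}, "drop"),
    (100, {"dl_type": 0x0800, "nw_proto": 17}, "drop"),
    (100, {"in_port": 131, "dl_src": "52:54:00:de:ec:8d", "dl_type": 0x86dd}, "drop"),
    (0, {}, "resubmit(,1)"),
]

def rule_matches(match: dict, pkt: dict) -> bool:
    for field, want in match.items():
        have = pkt.get(field)
        if field in ("dl_src", "dl_dst"):
            if have is None or not mac_matches(have, want):
                return False
        elif have != want:
            return False
    return True

def lookup(table, pkt) -> str:
    """Return the action of the highest-priority matching rule, or 'miss'."""
    for _prio, match, action in sorted(table, key=lambda r: -r[0]):
        if rule_matches(match, pkt):
            return action
    return "miss"

# Constructed headers: an LLDP frame (multicast dst 01:80:c2:00:00:0e, unicast
# src) and a UDP-over-IPv4 packet, both arriving on port 131.
LLDP_FRAME = {"in_port": 131, "dl_src": "52:54:00:de:ec:8d",
              "dl_dst": "01:80:c2:00:00:0e", "dl_type": 0x88cc}
UDP_PKT = {"in_port": 131, "dl_src": "52:54:00:de:ec:8d",
           "dl_dst": "52:54:00:aa:bb:cc", "dl_type": 0x0800, "nw_proto": 17}

if __name__ == "__main__":
    # The multicast bit (lowest bit of the first octet) is set in the LLDP
    # frame's dl_dst, not its dl_src, so rule (1) is skipped and it resubmits.
    print(lookup(TABLE0, LLDP_FRAME))
    print(lookup(TABLE0, UDP_PKT))
    print(mac_matches(LLDP_FRAME["dl_dst"], "01:00:00:00:00:00/01:00:00:00:00:00"))
```

The same mask applied to dl_dst instead of dl_src does match the frame, which is the check worth making before trusting a "drop chatter" rule.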
