Hello again, I'm trying to define a conntrack flow that allows connections from Linux namespace1 to a test namespace, and blocks everything from the test namespace to the host.

For that I create a bridge, add a port, send the port into the namespace, and give it an IP. On the host I add an IP on the local interface of the bridge:

```
ovs-vsctl add-br test
# tst (not the bridge itself) is the internal port that will be moved into the namespace
ovs-vsctl add-port test tst -- set Interface tst type=internal

# namespace
ip netns add test
ip link set tst netns test               # send the port into the namespace
ip -n test l set lo up
ip -n test addr add 10.0.0.100/24 dev tst
ip -n test link set tst up

# host
ip addr add 10.0.0.1/24 dev test         # bridge local port
ip l set test up

# ping -> works
[root@delandtj-XPS ~]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.481 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.052 ms

# ok
ovs-ofctl del-flows test
cat << EOF | ovs-ofctl add-flows test -
table=0,actions=normal
table=0,priority=100,in_port=local,actions=normal
EOF

# expected:
# ping should still work
# flow with in_port=local should have packet counters
```

in_port=local never seems to match, so the following rules won't work either:

```
table=0, priority=1,arp actions=NORMAL
table=0, priority=1,ct_state=-trk,ip actions=ct(table=1)
table=1, priority=100,ct_state=+new+trk,icmp,in_port=tst actions=ct(commit),LOCAL
table=1, priority=100,ct_state=+est+trk,icmp,in_port=LOCAL actions=output:tst
table=1, priority=100,ct_state=+est+trk,icmp,in_port=tst actions=LOCAL
```

Given the extremely summary info or documentation I found on doing flows, I wonder if there's some magical page hidden in the interwebs that explains it all. Are there more docs? I mean, if one can write https://docs.openstack.org/developer/neutron/devref/openvswitch_firewall.html, I suppose he/she got that knowledge from __somewhere__?

Thanks,
Jan
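A small diagnostic for the symptom described above (the in_port=local rule apparently never matching), added here and not part of the original post or of Open vSwitch: it sums the `n_packets` counters over the flows in `ovs-ofctl dump-flows` output whose match contains a given field. `SAMPLE_DUMP` is constructed to mirror the two flows installed in the post, and `flow_packets` is a hypothetical helper name.

```shell
#!/bin/sh
# Constructed sample of `ovs-ofctl dump-flows test` output (not real captured output).
# dump-flows prints the bridge-local port in upper case as in_port=LOCAL.
SAMPLE_DUMP=' cookie=0x0, duration=12.3s, table=0, n_packets=42, n_bytes=4116, priority=0 actions=NORMAL
 cookie=0x0, duration=12.3s, table=0, n_packets=0, n_bytes=0, priority=100,in_port=LOCAL actions=NORMAL'

# flow_packets DUMP_TEXT MATCH_SUBSTRING
# Prints the total n_packets over all flows whose match part contains MATCH_SUBSTRING.
# Only the text before " actions=" is searched, so an output:LOCAL action does not count
# as an in_port=LOCAL match.
flow_packets() {
    printf '%s\n' "$1" | awk -v pat="$2" '
        {
            mp = $0
            sub(/ actions=.*/, "", mp)          # keep only the counters and match fields
            if (index(mp, pat) == 0) next       # flow does not carry the requested field
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^n_packets=/) {
                    v = $i
                    sub(/^n_packets=/, "", v)
                    sub(/,$/, "", v)
                    total += v
                }
            }
        }
        END { printf "%d\n", total + 0 }'
}

# Against a live bridge (needs OVS): flow_packets "$(ovs-ofctl dump-flows test)" in_port=LOCAL
flow_packets "$SAMPLE_DUMP" in_port=LOCAL   # 0: the LOCAL rule never matched
flow_packets "$SAMPLE_DUMP" priority=0      # 42: everything hit the catch-all rule
```

A zero counter on the in_port=LOCAL rule while the catch-all keeps counting is exactly the condition the post describes, and this check makes it visible without reading the whole flow table by eye.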
_______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss