Hello! I'm trying to use OVS as a stateful firewall for all the VMs connected to an OVS bridge. I'm trying to use the conntrack feature to achieve this based off examples I've put together, but have yet to make it work fully.

My end goal is to be able to block or allow a port for a VM for egress or ingress. In the below example I'm trying to block all ports to a VM except for 80 while also allowing all outbound connections from the VM.

Setup (00:16:3e:5a:ff:c2 is the MAC address of the VM's eth0):

1) ovs-ofctl del-flows br0 && sudo ovs-ofctl add-flow br0 action=normal
2) ovs-ofctl add-flow br0 "table=10 action=normal"
3) ovs-ofctl add-flow br0 "table=0, tcp, dl_dst=00:16:3e:5a:ff:c2 priority=38000 actions=ct(table=1)"
4) ovs-ofctl add-flow br0 "table=1, ip, dl_dst=00:16:3e:5a:ff:c2 priority=202,ct_state=+est+rpl+trk actions=normal"
5) ovs-ofctl add-flow br0 "table=1, tcp, priority=200,dl_dst=00:16:3e:5a:ff:c2 actions=resubmit(,2)"
6) ovs-ofctl add-flow br0 "table=2, tcp, priority=1000,ct_state=+new+trk,dl_dst=00:16:3e:5a:ff:c2,tcp_dst=80 actions=ct(commit,table=10)"
7) ovs-ofctl add-flow br0 "table=2, tcp, priority=100,dl_dst=00:16:3e:5a:ff:c2 actions=drop"

Here's the dump from ovs-ofctl:

 cookie=0x0, duration=27.099s, table=0, n_packets=316, n_bytes=103582, priority=38000,tcp,dl_dst=00:16:3e:5a:ff:c2 actions=ct(table=1)
 cookie=0x0, duration=27.486s, table=0, n_packets=581, n_bytes=127617, actions=NORMAL
 cookie=0x0, duration=27.090s, table=1, n_packets=0, n_bytes=0, priority=202,ct_state=+est+rpl+trk,ip,dl_dst=00:16:3e:5a:ff:c2 actions=NORMAL
 cookie=0x0, duration=27.081s, table=1, n_packets=316, n_bytes=103582, priority=200,tcp,dl_dst=00:16:3e:5a:ff:c2 actions=resubmit(,2)
 cookie=0x0, duration=27.072s, table=2, n_packets=205, n_bytes=65022, priority=1000,ct_state=+new+trk,tcp,dl_dst=00:16:3e:5a:ff:c2,tp_dst=80 actions=ct(commit,table=10)
 cookie=0x0, duration=26.830s, table=2, n_packets=111, n_bytes=38560, priority=100,tcp,dl_dst=00:16:3e:5a:ff:c2 actions=drop
 cookie=0x0, duration=27.107s, table=10, n_packets=205, n_bytes=65022, actions=NORMAL

Odd thing is rule #4 looks to never get hit (based off ovs-ofctl dump-flows br0). If I change the rule to +inv+trk, it gets hits.
Does that mean invalid packets are coming through? I checked and the host OS has nf_conntrack_ipv4 loaded. It kind of works if I change command #6 to ovs-ofctl add-flow br0 "table=1, ip, dl_dst=00:16:3e:5a:ff:c2 priority=202,ct_state=+est+rpl+trk actions=normal" However all outbound traffic is still blocked and entry #4 still never gets hit either. I'm fairly new to OVS and have been googling / stackoverflowing for the last few days with no luck. I apologize for my newbie-ness and thank you in advance for any help or direction!
_______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
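As an added example (not code from the post above or from the OVS project), here is the same policy written as a flow file for `ovs-ofctl add-flows`: every IP packet is sent through ct() once on the untracked pass, and table 1 then decides on the tracked state, so the VM's own outbound connections get committed and their replies come back as +est. The bridge name, the VM MAC and the function names are assumptions; it does not reuse the post's tables 2 and 10.

```shell
#!/bin/sh
# Added example, not the original poster's rules. Stateful allow-list for one
# VM on an OVS bridge: inbound connections only on TCP/80, any outbound
# connection from the VM, replies allowed in both directions.
# Assumed inputs: bridge name and VM MAC address are passed as arguments.

# Print the flow rules for one VM. $1 = VM MAC address.
vm_firewall_flows() {
  mac="$1"
  cat <<EOF
table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1)
table=0,priority=0,actions=NORMAL
table=1,priority=200,ip,ct_state=+trk+est,actions=NORMAL
table=1,priority=200,ip,ct_state=+trk+rel,actions=NORMAL
table=1,priority=150,ip,ct_state=+trk+inv,actions=drop
table=1,priority=100,ip,ct_state=+trk+new,dl_src=$mac,actions=ct(commit),NORMAL
table=1,priority=100,tcp,ct_state=+trk+new,dl_dst=$mac,tp_dst=80,actions=ct(commit),NORMAL
table=1,priority=50,ip,ct_state=+trk+new,dl_dst=$mac,actions=drop
table=1,priority=0,actions=NORMAL
EOF
}
# Table 0: untracked IP goes through conntrack and recirculates to table 1;
# non-IP (ARP etc.) is switched normally. Table 1: established/related
# traffic passes in either direction, invalid is dropped, new connections are
# committed only if the VM started them or they target TCP/80 on the VM, and
# any other new connection toward the VM is dropped.

# Replace the bridge's flow table with the rules above. $1 = bridge, $2 = VM MAC.
apply_vm_firewall() {
  ovs-ofctl del-flows "$1"
  vm_firewall_flows "$2" | ovs-ofctl add-flows "$1" -
}

# Sanity check helper: number of drop rules in the generated set.
count_drop_rules() {
  vm_firewall_flows "$1" | grep -cF 'actions=drop'
}
```

Run `apply_vm_firewall br0 00:16:3e:5a:ff:c2` as root and watch the per-rule counters with `ovs-ofctl dump-flows br0` to confirm which state each packet lands in.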
