Re: [one-users] blacklist ports with openvswitch

2014-11-27 Thread Madko
Ok now I understand what you meant by out_port in openflow. Maybe we have to wait for conntrack support in OpenFlow. Because right now I don't see how I could drop traffic to all tcp ports except some specified in the WHITE_TCP_PORTS (that part works) without blocking all the outbound tcp traffic

Re: [one-users] blacklist ports with openvswitch

2014-11-26 Thread Madko
2014-11-26 17:12 GMT+01:00 Jaime Melis :
> It would be great if we could figure out a way to provide this
> functionality for Open vSwitch. It is a top priority in OpenNebula's
> roadmap, so any ideas are very welcome!
>
> What do you mean by adapting OpenvSwitch.rb? What changes do you need in
>

Re: [one-users] blacklist ports with openvswitch

2014-11-26 Thread Jaime Melis
It would be great if we could figure out a way to provide this functionality for Open vSwitch. It is a top priority in OpenNebula's roadmap, so any ideas are very welcome! What do you mean by adapting OpenvSwitch.rb? What changes do you need in the short-term? On Wed, Nov 26, 2014 at 4:59 PM, Mad

Re: [one-users] blacklist ports with openvswitch

2014-11-26 Thread Madko
Thanks Jaime for this explanation. Right now openflow is not really a top priority for us and OpenNebula 4.12 seems quite interesting. So we could wait for this release. We will certainly switch from OpenStack to OpenNebula because of all this mess they have done on the network stack (ovs => bridg

Re: [one-users] blacklist ports with openvswitch

2014-11-26 Thread Jaime Melis
Hi, Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch drivers (see here: http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering ) We'd like very much to be able to provide this feature, but as far as we know there's no way to do this satisfact

Re: [one-users] blacklist ports with openvswitch

2014-11-26 Thread Madko
Hi, I also have tested WHITE_PORTS_TCP but it seems worse since I don't have any specific openflow rules:
cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0, idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
cookie=0x0, duration=819.800s, table=0, n_packets=2, n_b