Hi Oriol,

I don't know if creating that many rules will impact Open vSwitch's performance, I guess it's something you could ask in the Open vSwitch mailing list, or give it a try yourself and see if it works fine.

In any case I think that the approach you described above is the correct one.

cheers,
Jaime

On Mon, Feb 18, 2013 at 1:24 PM, Oriol Martí <[email protected]> wrote:

> Hi Jaime,
> looking at the file /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb
> My idea is to add that black_ports look for : and do the command
> add_flow("tcp,dl_dst=#{@nic[:mac]},tp_dst=#{p}",:drop)
> for every port in the range.
> With the white_port, the normal behaviour is all closed but the indicated
> ports? My idea is to do the drop for all the ports but the indicated ports.
> Is this correct? I'm not sure if this big amount of rules can add extra
> load to the node or it can derive to problems...
>
> Thanks,
>
>
> On 02/18/2013 12:33 PM, Jaime Melis wrote:
>
> Hi Oriol,
>
> yes, WHITE_PORTS is not implemented, and neither are port ranges with
> semi-colon:
> http://opennebula.org/documentation:rel3.8:openvswitch#network_filtering
>
> The reason is because iptables filters won't work with Open vSwitch, so
> port filtering is implemented via OpenFlow. If you find a way to improve
> the drivers it would be really nice. Let me know if I can help in any way.
>
> cheers,
> Jaime
>
>
> On Mon, Feb 18, 2013 at 11:52 AM, Oriol Martí <[email protected]> wrote:
>
>> Hi,
>> I'm deploying the Open vSwitch driver and when I create one VM with the
>> BLACK and WHITE_PORTS it doesn't work.
>>
>> I've seen the code and I'm not sure, but I think that white port is not
>> implemented and the black ports only is doing a strip for "," not by ":",
>> then if you want to configure a VM with all the ports closed and only
>> opened the 80 is very difficult to do because you would have to write all
>> the ports, one by one, and is impossible to indicate a range of ports like
>> 80:65535
>>
>> I'm thinking to write the code necessary to do that, but I'm not sure,
>> because I don't know the reason why is not finished.... Does anybody know
>> something about that?
>>
>> Best regards,
>>
>> _______________________________________________
>> Users mailing list
>> [email protected]
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>
>
>
> --
> Jaime Melis
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org | [email protected]
>
>
>

--
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | [email protected]
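On the rule-count concern raised in this thread, the following is an added example, not code from the OpenNebula driver or from either poster. It goes beyond the one-rule-per-port approach discussed above: it parses a port spec with "," and ":" and covers each range with value/mask matches, so a whitelist of port 80 needs 16 drop rules instead of 65535. It assumes an Open vSwitch version that accepts bitwise `tp_dst=value/mask` matches; the function names and the MAC address are hypothetical.

```ruby
MAX_PORT = 65_535

# Parse "22,80,8000:8080" into sorted, merged [lo, hi] ranges.
def parse_ports(spec)
  ranges = spec.split(",").map(&:strip).reject(&:empty?).map do |item|
    lo, hi = item.split(":", 2)
    hi ||= lo
    ok = [lo, hi].all? { |s| s =~ /\A\d+\z/ }
    raise ArgumentError, "bad port spec: #{item.inspect}" unless ok
    lo, hi = lo.to_i, hi.to_i
    raise ArgumentError, "bad range: #{item}" unless lo <= hi && hi <= MAX_PORT
    [lo, hi]
  end
  ranges.sort.each_with_object([]) do |(lo, hi), out|
    if out.any? && lo <= out.last[1] + 1
      out.last[1] = [out.last[1], hi].max   # overlapping or adjacent: merge
    else
      out << [lo, hi]
    end
  end
end

# Ranges of ports NOT listed (whitelist: drop everything else).
def complement(ranges)
  out = []
  nxt = 0
  ranges.each do |lo, hi|
    out << [nxt, lo - 1] if lo > nxt
    nxt = hi + 1
  end
  out << [nxt, MAX_PORT] if nxt <= MAX_PORT
  out
end

# Cover [lo, hi] with aligned power-of-two blocks, as [value, mask] pairs.
def range_to_masks(lo, hi)
  out = []
  while lo <= hi
    size = 1
    size <<= 1 while (lo % (size << 1)).zero? && lo + (size << 1) - 1 <= hi
    out << [lo, 0xffff & ~(size - 1)]
    lo += size
  end
  out
end

# Match strings for drop flows, in the filter format used in the thread.
def drop_matches(mac, spec, whitelist: false)
  ranges = parse_ports(spec)
  ranges = complement(ranges) if whitelist
  ranges.flat_map { |lo, hi| range_to_masks(lo, hi) }.map do |val, mask|
    format("tcp,dl_dst=%s,tp_dst=0x%04x/0x%04x", mac, val, mask)
  end
end
```

Each returned string has the shape of the filter argument shown in the quoted `add_flow(..., :drop)` call; a range of n ports never needs more than 30 masked matches on a 16-bit port field.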
