Hi, I also have tested WHITE_PORTS_TCP but it seems worse since I don't have any specific openflow rules:
cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0, idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134, idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=NORMAL
cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168, idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=drop
cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323, idle_age=803, priority=0 actions=NORMAL
cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168, idle_age=803, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5 actions=NORMAL
cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0, idle_age=819, priority=39000,in_port=3 actions=drop

Only the icmp drop rule is added. Is it normal? Is there anyone here using OpenNebula with OpenVswitch?

2014-11-21 9:33 GMT+01:00 Madko <madk...@gmail.com>:
> Hi,
>
> I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network
> filtering.
> I'm following the documentation found here:
> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch
>
> Here is my VM network definition:
> NIC=[
> AR_ID="0",
> BLACK_PORTS_TCP="80",
> BRIDGE="br0",
> ICMP="drop",
> IP="192.168.2.50",
> MAC="02:00:c0:a8:02:32",
> NETWORK="LAN",
> NETWORK_ID="0",
> NETWORK_UNAME="oneadmin",
> NIC_ID="0",
> VLAN="YES",
> VLAN_ID="2" ]
>
> But on my hypervisor where this VM is running, here are the OpenFlow
> rules:
> [root@node02 ~]# ovs-ofctl dump-flows br0
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
> cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
> cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
> cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84, idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32 actions=drop
> cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462, idle_age=559, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50 actions=NORMAL
> cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
> cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
>
> Is it correct? I can see the relevant rule here:
> cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
> but packets never pass through this rule (n_packets=0), and port 80 is not
> blocked.
>
> ➜ ~ curl -s http://192.168.2.50 -o /dev/null && echo success
> success
>
> If anyone can help :)
> What am I missing?
>
> Best regards
>
> --
> Edouard Bourguignon

--
Edouard Bourguignon
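For anyone checking rule precedence by hand: the script below is an added example (not OpenNebula code and not from this thread) that parses the dump from the quoted message and picks the highest-priority matching flow the way an OpenFlow table lookup does, applying the default priority 32768 to the BLACK_PORTS/ICMP rules that carry no explicit priority. The uplink port number 1 and the sample packets are assumptions constructed for the demonstration.

```python
# Flow dump copied from the quoted message above (constructed test input).
FLOW_DUMP = """\
cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84, idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32 actions=drop
cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462, idle_age=559, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50 actions=NORMAL
cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
"""

PROTOCOLS = {"arp", "icmp", "tcp", "udp"}
DEFAULT_PRIORITY = 32768  # OpenFlow default when a flow has no priority= field

def parse_flows(dump):
    """Turn each `ovs-ofctl dump-flows` line into (priority, match dict, actions)."""
    flows = []
    for line in dump.splitlines():
        head, actions = line.rsplit(" actions=", 1)
        priority, match = DEFAULT_PRIORITY, {}
        for token in head.split(", ")[-1].split(","):  # last group holds the match
            if token.startswith("priority="):
                priority = int(token[9:])
            elif token in PROTOCOLS:
                match["proto"] = token
            else:
                key, value = token.split("=", 1)
                match[key] = value
        flows.append((priority, match, actions))
    return flows

def lookup(flows, packet):
    """Highest-priority flow whose every match field equals the packet's (OVS semantics)."""
    hits = [(p, a) for p, m, a in flows if all(packet.get(k) == v for k, v in m.items())]
    return max(hits, key=lambda h: h[0]) if hits else None

VM_MAC = "02:00:c0:a8:02:32"
FLOWS = parse_flows(FLOW_DUMP)
SAMPLE_PACKETS = {  # constructed; in_port 1 as the uplink is an assumption
    "inbound_http_vlan2": {"in_port": "1", "dl_dst": VM_MAC, "dl_vlan": "2", "proto": "tcp", "tp_dst": "80"},
    "inbound_http_untagged": {"in_port": "1", "dl_dst": VM_MAC, "proto": "tcp", "tp_dst": "80"},
    "vm_reply_http": {"in_port": "3", "dl_src": VM_MAC, "proto": "tcp", "tp_src": "80"},
    "spoofed_arp_from_vm": {"in_port": "3", "dl_src": VM_MAC, "proto": "arp", "arp_spa": "10.0.0.1"},
}

if __name__ == "__main__":
    for name, pkt in SAMPLE_PACKETS.items():
        print(f"{name:24} -> {lookup(FLOWS, pkt)}")
```

On the hypervisor itself `ovs-appctl ofproto/trace br0 <flow>` gives the authoritative answer; note that the tcp drop rule only matches a frame that still carries dl_vlan=2 when it reaches the table, otherwise only the priority=0 NORMAL rule applies.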
_______________________________________________
Users mailing list
Users@lists.opennebula.org
http://lists.opennebula.org/listinfo.cgi/users-opennebula.org