[one-users] BLACK and WHITE_PORTS with open vswitch

Oriol Martí omarti at cesca.cat
Tue Mar 5 08:41:49 PST 2013 

Hi Jaime,

I have developed the driver to work with the openvswitch and black_ports 
and white_ports as you said, I tried to do filtering all the ports one 
by one, but it takes more than 4 or 5 hours to terminate with the net 
deployment. Then I saw that you can specify a port with a mask, but only 
Open vSwitch 1.6 and later supports masks, my nodes are Ubuntu 12.04 and 
I had to compile the last version of Open vSwitch
http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities%2Fovs-ofctl.8
Attached you can find my new OpenvSwitch.rb that does the filtering with 
the minimum rules possible applying masks.
I don't know if this could be uploaded to the issue tracking system, but 
by now with this driver you must compile Open vSwitch ( Ubuntu 12.04 )

On 02/19/2013 11:19 AM, Jaime Melis wrote:
> Hi Oriol
>
> I don't know if creating that many rules will impact Open vSwitch's 
> performance, I guess it's something you could ask in the Open vSwitch 
> mailing list, or give it a try yourself and see if it works fine.
>
> In any case I think that the approach you described above is the 
> correct one.
>
> cheers,
> Jaime
>
>
> On Mon, Feb 18, 2013 at 1:24 PM, Oriol Martí <omarti at cesca.cat 
> <mailto:omarti at cesca.cat>> wrote:
>
>     Hi Jaime,
>     looking at the file /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb
>     My idea is to add that black_ports look for : and do the command
>     add_flow("tcp,dl_dst=#{@nic[:mac]},tp_dst=#{p}",:drop)
>     for every port in the range.
>     With the white_port, the normal behaviour is all closed but the
>     indicated ports? my idea is to do the drop for all the ports but
>     the indicated ports.
>     Is this correct? I'm not sure if this big amount of rules can add
>     extra load to the node or it can derive to problems...
>
>     Thanks,
>
>
>     On 02/18/2013 12:33 PM, Jaime Melis wrote:
>>     Hi Oriol,
>>
>>     yes, WHITE_PORTS is not implement, and neither are port ranges
>>     with semi-colon:
>>     http://opennebula.org/documentation:rel3.8:openvswitch#network_filtering
>>
>>     The reason is because iptables filters won't work with Open
>>     vSwitch, so port filtering is implemented via OpenFlow. If you
>>     find a way to improve the drivers it would be really nice. Let me
>>     know if I can help in any way.
>>
>>     cheers,
>>     Jaime
>>
>>
>>     On Mon, Feb 18, 2013 at 11:52 AM, Oriol Martí <omarti at cesca.cat
>>     <mailto:omarti at cesca.cat>> wrote:
>>
>>         Hi,
>>         I'm deploying the Open vswitch driver and when I create one
>>         VM with the BLACK and WHITE_PORTS it doesn't work.
>>
>>         I've seen the code and I'm not sure, but I think that white
>>         port is not implemented and the black ports only is doing a
>>         strip for "," not by ":", then if you want to configure a VM
>>         with all the ports closed and only opened the 80 is very
>>         difficult to do because you would have to write all the
>>         ports, one by one, and is impossible to indicate a range of
>>         ports like 80:65535
>>
>>         I'm thinking to write the code necessary to do that, but I'm
>>         not sure, because I don't know the reason why is not
>>         finished.... Does anybody know something about that?
>>
>>         Best regards,
>>
>>         _______________________________________________
>>         Users mailing list
>>         Users at lists.opennebula.org <mailto:Users at lists.opennebula.org>
>>         http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>>
>>
>>     -- 
>>     Jaime Melis
>>     Project Engineer
>>     OpenNebula - The Open Source Toolkit for Cloud Computing
>>     www.OpenNebula.org <http://www.OpenNebula.org> |
>>     jmelis at opennebula.org <mailto:jmelis at opennebula.org> 
>
>
>
>
> -- 
> Jaime Melis
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org <http://www.OpenNebula.org> | jmelis at opennebula.org 
> <mailto:jmelis at opennebula.org>


-- 

......................................................................
          __
         / /          Oriol Martí Bonvehí
   C E / S / C A      Administrador de Sistemes
       /_/            Centre de Supercomputació de Catalunya

   Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
   T. 93 551 6212  · F.  93 205 6979 ·omarti at cesca.cat
......................................................................

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20130305/23c1c2fc/attachment-0001.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenvSwitch.rb
Type: application/x-ruby
Size: 8452 bytes
Desc: not available
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20130305/23c1c2fc/attachment-0001.rb>

More information about the Users mailing list