[one-users] BLACK and WHITE_PORTS with open vswitch
Jaime Melis
jmelis at opennebula.org
Thu Mar 7 09:25:07 PST 2013
Hi Oriol,
thanks a lot for your patch! yes, when we created the openvswitch drivers,
we considered using the mask functionality, but like you said, that
requires a newer version of Open vSwitch which is not yet available in the
major distributions, so I think we should hold on for the moment.
However, I think it's definitely the way to go in the future, so I'm
bookmarking this patch!
cheers,
Jaime
On Tue, Mar 5, 2013 at 5:41 PM, Oriol Martí <omarti at cesca.cat> wrote:
> Hi Jaime,
>
> I have developed the driver to work with the openvswitch and black_ports
> and white_ports as you said, I tried to do filtering all the ports one by
> one, but it takes more than 4 or 5 hours to terminate with the net
> deployment. Then I saw that you can specify a port with a mask, but only
> Open vSwitch 1.6 and later supports masks, my nodes are Ubuntu 12.04 and I
> had to compile the last version of Open vSwitch
> http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities%2Fovs-ofctl.8
> Attached you can find my new OpenvSwitch.rb that does the filtering with
> the minimum rules possible applying masks.
> I don't know if this could be uploaded to the issue tracking system, but
> by now with this driver you must compile Open vSwitch ( Ubuntu 12.04 )
>
>
> On 02/19/2013 11:19 AM, Jaime Melis wrote:
>
> Hi Oriol
>
> I don't know if creating that many rules will impact Open vSwitch's
> performance, I guess it's something you could ask in the Open vSwitch
> mailing list, or give it a try yourself and see if it works fine.
>
> In any case I think that the approach you described above is the correct
> one.
>
> cheers,
> Jaime
>
>
> On Mon, Feb 18, 2013 at 1:24 PM, Oriol Martí <omarti at cesca.cat> wrote:
>
>> Hi Jaime,
>> looking at the file /var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb
>> My idea is to add that black_ports look for : and do the command
>> add_flow("tcp,dl_dst=#{@nic[:mac]},tp_dst=#{p}",:drop)
>> for every port in the range.
>> With the white_port, the normal behaviour is all closed but the indicated
>> ports? my idea is to do the drop for all the ports but the indicated ports.
>> Is this correct? I'm not sure if this big amount of rules can add extra
>> load to the node or it can derive to problems...
>>
>> Thanks,
>>
>>
>> On 02/18/2013 12:33 PM, Jaime Melis wrote:
>>
>> Hi Oriol,
>>
>> yes, WHITE_PORTS is not implement, and neither are port ranges with
>> semi-colon:
>> http://opennebula.org/documentation:rel3.8:openvswitch#network_filtering
>>
>> The reason is because iptables filters won't work with Open vSwitch, so
>> port filtering is implemented via OpenFlow. If you find a way to improve
>> the drivers it would be really nice. Let me know if I can help in any way.
>>
>> cheers,
>> Jaime
>>
>>
>> On Mon, Feb 18, 2013 at 11:52 AM, Oriol Martí <omarti at cesca.cat> wrote:
>>
>>> Hi,
>>> I'm deploying the Open vswitch driver and when I create one VM with the
>>> BLACK and WHITE_PORTS it doesn't work.
>>>
>>> I've seen the code and I'm not sure, but I think that white port is not
>>> implemented and the black ports only is doing a strip for "," not by ":",
>>> then if you want to configure a VM with all the ports closed and only
>>> opened the 80 is very difficult to do because you would have to write all
>>> the ports, one by one, and is impossible to indicate a range of ports like
>>> 80:65535
>>>
>>> I'm thinking to write the code necessary to do that, but I'm not sure,
>>> because I don't know the reason why is not finished.... Does anybody know
>>> something about that?
>>>
>>> Best regards,
>>>
>>> _______________________________________________
>>> Users mailing list
>>> Users at lists.opennebula.org
>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>
>>
>>
>>
>> --
>> Jaime Melis
>> Project Engineer
>> OpenNebula - The Open Source Toolkit for Cloud Computing
>> www.OpenNebula.org | jmelis at opennebula.org
>>
>>
>>
>
>
> --
> Jaime Melis
> Project Engineer
> OpenNebula - The Open Source Toolkit for Cloud Computing
> www.OpenNebula.org | jmelis at opennebula.org
>
>
>
> --
>
> ......................................................................
> __
> / / Oriol Martí Bonvehí
> C E / S / C A Administrador de Sistemes
> /_/ Centre de Supercomputació de Catalunya
>
> Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
> T. 93 551 6212 · F. 93 205 6979 · omarti at cesca.cat
> ......................................................................
>
>
--
Jaime Melis
Project Engineer
OpenNebula - The Open Source Toolkit for Cloud Computing
www.OpenNebula.org | jmelis at opennebula.org
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20130307/e85ad281/attachment-0002.htm>
More information about the Users
mailing list