[one-users] blacklist ports with openvswitch
Madko
madko77 at gmail.com
Fri Nov 21 00:33:07 PST 2014
Hi,
I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network
filtering.
I'm following the documentation found here:
http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch
Here is my VM network definition:
NIC=[
AR_ID="0",
BLACK_PORTS_TCP="80",
BRIDGE="br0",
ICMP="drop",
IP="192.168.2.50",
MAC="02:00:c0:a8:02:32",
NETWORK="LAN",
NETWORK_ID="0",
NETWORK_UNAME="oneadmin",
NIC_ID="0",
VLAN="YES",
VLAN_ID="2" ]
But on my hypervisor where this VM is running, here are the openflows rules:
[root at node02 ~]# ovs-ofctl dump-flows br0
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
 cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
 cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
 cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84, idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32 actions=drop
 cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462, idle_age=559, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50 actions=NORMAL
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
Is it correct? I can see the relevant rule here:
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
but packets never pass through this rule (n_packets=0), and port 80 is not
blocked.
➜ ~ curl -s http://192.168.2.50 -o /dev/null && echo success
success
If anyone can help :) What am I missing?
Best regards
--
Edouard Bourguignon
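An added check, not from this thread or from OpenNebula, that audits an ovs-ofctl dump-flows listing against the drop flows a NIC template with ICMP="drop" and BLACK_PORTS_TCP should have produced: for each one it reports whether the flow is installed, how many packets it has matched, and which higher-priority non-drop flows overlap it (OpenFlow hands a packet to the highest-priority entry that matches, so an overlapping entry above a drop rule is worth inspecting, though overlap alone proves nothing). It assumes the rule shapes shown in the 4.10 docs and in the dump above, and that each flow entry sits on one line as ovs-ofctl prints it; the sample dump is constructed from entries in the question.

```python
# Constructed sample: four entries taken from the dump in the question, each rejoined onto one line.
FLOW_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
 cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
"""
NIC = {"MAC": "02:00:c0:a8:02:32", "VLAN_ID": "2", "BLACK_PORTS_TCP": "80", "ICMP": "drop"}
COUNTERS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "priority", "actions"}

def parse_flows(dump):
    """Each 'cookie=...' line becomes a dict of match fields plus priority, actions and n_packets."""
    flows = []
    for line in (l.strip() for l in dump.splitlines()):
        if not line.startswith("cookie="):
            continue
        match_part, _, actions = line.rpartition(" actions=")
        f = {"actions": actions, "priority": 32768}  # ovs-ofctl omits the default priority 32768
        for tok in (t.strip() for t in match_part.split(",")):
            if tok in ("tcp", "udp", "icmp", "arp", "ip"):
                f["proto"] = tok  # bare protocol keyword
            elif "=" in tok:
                k, v = tok.split("=", 1)
                f[k] = int(v) if k in ("priority", "n_packets") else v
        flows.append(f)
    return flows

def expected_drops(nic):
    """Drop flows assumed to be installed for ICMP="drop" and each BLACK_PORTS_TCP port."""
    base = {"dl_vlan": nic["VLAN_ID"], "dl_dst": nic["MAC"].lower()}
    rules = [dict(base, proto="icmp")] if nic.get("ICMP", "").lower() == "drop" else []
    return rules + [dict(base, proto="tcp", tp_dst=p.strip())
                    for p in nic.get("BLACK_PORTS_TCP", "").split(",") if p.strip()]

def overlaps(a, b):
    """Two matches can hit the same packet iff every field they both specify agrees."""
    return all(a[k] == b[k] for k in (set(a) & set(b)) - COUNTERS)

def audit(nic, dump):
    """Per expected drop: (rule, 'missing'|'present', packets matched, higher-priority non-drop overlaps)."""
    flows, report = parse_flows(dump), []
    for want in expected_drops(nic):
        hits = [f for f in flows if f["actions"] == "drop" and all(f.get(k) == v for k, v in want.items())]
        if not hits:
            report.append((want, "missing", 0, []))
            continue
        f = hits[0]  # any overlapping entry with a higher priority wins over this drop rule
        shadows = [g for g in flows if g["actions"] != "drop" and g["priority"] > f["priority"] and overlaps(f, g)]
        report.append((want, "present", f["n_packets"], shadows))
    return report
```

Run audit(NIC, FLOW_DUMP) against the real output of ovs-ofctl dump-flows br0 on the hypervisor; the in_port=3 egress flow is reported as a formal overlap because it shares no match field with the drop rules, which is exactly the kind of candidate to confirm or rule out by hand.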