[one-users] blacklist ports with openvswitch

Madko madko77 at gmail.com
Wed Nov 26 06:53:38 PST 2014


Hi,

I also have tested WHITE_PORTS_TCP but it seems worse since I don't have
any specific openflow rules:

 cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0,
idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
 cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134,
idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05
actions=NORMAL
 cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168,
idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05
actions=drop
 cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323,
idle_age=803, priority=0 actions=NORMAL
 cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168,
idle_age=803,
priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5
actions=NORMAL
 cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0,
idle_age=819, priority=39000,in_port=3 actions=drop

Only the icmp drop rule is added. Is it normal?

Is there anyone here using OpenNebula with OpenVswitch?

2014-11-21 9:33 GMT+01:00 Madko <madko77 at gmail.com>:

> Hi,
>
> I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network
> filtering.
> I'm following the documentation found here:
> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch
>
> Here is my VM network definition:
> NIC=[
>   AR_ID="0",
>   BLACK_PORTS_TCP="80",
>   BRIDGE="br0",
>   ICMP="drop",
>   IP="192.168.2.50",
>   MAC="02:00:c0:a8:02:32",
>   NETWORK="LAN",
>   NETWORK_ID="0",
>   NETWORK_UNAME="oneadmin",
>   NIC_ID="0",
>   VLAN="YES",
>   VLAN_ID="2" ]
>
> But on my hypervisor where this VM is running, here are the openflows
> rules:
> [root at node02 ~]# ovs-ofctl dump-flows br0
> NXST_FLOW reply (xid=0x4):
>  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
> idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
>  cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693,
> idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
>  cookie=0x0, duration=4295.078s, table=0, n_packets=1444549,
> n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
>  cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84,
> idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32
> actions=drop
>  cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462,
> idle_age=559,
> priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50
> actions=NORMAL
>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
> idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>  cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0,
> idle_age=1893, priority=39000,in_port=3 actions=drop
>
> is it correct? I can see the relevant rule here:
>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
> idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
> but packets never pass through this rule (n_packets=0), and port 80 is not
> blocked.
>
> ➜  ~  curl -s http://192.168.2.50 -o /dev/null && echo success
> success
>
> If anyone can help :)
> what am I missing?
>
> Best regards
>
>
> --
> Edouard Bourguignon
>



-- 
Edouard Bourguignon
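An added diagnostic, not code from this thread or from OpenNebula, that parses the `ovs-ofctl dump-flows` output quoted above, fills in the OpenFlow default priority of 32768 for entries that show no `priority=` field, and lists the drop rules that have never matched a packet. The sample dump is a constructed copy of the rules from the thread with the line wrapping rejoined.

```python
DEFAULT_PRIORITY = 32768  # OpenFlow default when a flow is added without priority=

# Constructed sample: the rules from the original post, one flow entry per line
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
 cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
 cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
"""


def parse_flows(dump):
    """Parse `ovs-ofctl dump-flows` text into a list of flow dicts."""
    flows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("cookie="):
            continue  # skip the NXST_FLOW reply header
        head, actions = line.rsplit(" actions=", 1)
        # Stats are ", "-separated; the final part is the comma-joined match
        parts = head.split(", ")
        stats = dict(p.split("=", 1) for p in parts[:-1])
        priority, match = DEFAULT_PRIORITY, []
        for tok in parts[-1].split(","):
            if tok.startswith("priority="):
                priority = int(tok[len("priority="):])
            else:
                match.append(tok)
        flows.append({"priority": priority, "match": match,
                      "actions": actions, "n_packets": int(stats["n_packets"])})
    return flows


def evaluation_order(flows):
    """Flows in the order the switch consults them: highest priority first."""
    return sorted(flows, key=lambda f: f["priority"], reverse=True)


def idle_drop_rules(flows):
    """Drop rules with zero hits: filters that may never see the traffic they target."""
    return [f for f in evaluation_order(flows)
            if f["actions"] == "drop" and f["n_packets"] == 0]


if __name__ == "__main__":
    for f in idle_drop_rules(parse_flows(SAMPLE_DUMP)):
        print(f["priority"], ",".join(f["match"]) or "(any)", "-> drop, 0 packets")
```

Running it against a live `ovs-ofctl dump-flows br0` shows which of the OpenNebula-generated filters sit below the `priority=40000`/`39000` port rules and which have never matched.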