[one-users] blacklist ports with openvswitch

Jaime Melis jmelis at opennebula.org
Wed Nov 26 07:04:25 PST 2014


Hi,

Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch drivers
(see here:
http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering
)

We'd like very much to be able to provide this feature, but as far as we
know there's no way to do this satisfactorily. There is nothing similar to
'in_port' but that matches the outgoing switch port, i.e. there's no
'out_port'.

We are currently re-evaluating this, because in OpenNebula 4.12 we're going
to provide a new resource type: Security Groups, and you can define a lot
of things: INBOUND, or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC)
ICMP_TYPE, Port ranges, and best of all, specific networks, so for example
you can block out all the traffic to port 22 except if they're on the same
network. And we can't do this for Open vSwitch. AFAIK OpenStack does this
by sending the traffic to an ad-hoc linux bridge, running iptables rules on
it, and sending it back to Open vSwitch. Which is something we would like
to avoid at all costs!

With regard to your first message, it's very strange, the rules look
perfectly fine, not sure why it's not working...

On Wed, Nov 26, 2014 at 3:53 PM, Madko <madko77 at gmail.com> wrote:

> Hi,
>
> I also have tested WHITE_PORTS_TCP but it seems worse since I don't have
> any specific openflow rules:
>
>  cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0,
> idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
>  cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134,
> idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05
> actions=NORMAL
>  cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168,
> idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05
> actions=drop
>  cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323,
> idle_age=803, priority=0 actions=NORMAL
>  cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168,
> idle_age=803,
> priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5
> actions=NORMAL
>  cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0,
> idle_age=819, priority=39000,in_port=3 actions=drop
>
> Only the icmp drop rule is added. Is it normal?
>
> Is there anyone here using OpenNebula with OpenVswitch?
>
> 2014-11-21 9:33 GMT+01:00 Madko <madko77 at gmail.com>:
>
>> Hi,
>>
>> I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network
>> filtering.
>> I'm following the documentation found here:
>> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch
>>
>> Here is my VM network definition:
>> NIC=[
>>   AR_ID="0",
>>   BLACK_PORTS_TCP="80",
>>   BRIDGE="br0",
>>   ICMP="drop",
>>   IP="192.168.2.50",
>>   MAC="02:00:c0:a8:02:32",
>>   NETWORK="LAN",
>>   NETWORK_ID="0",
>>   NETWORK_UNAME="oneadmin",
>>   NIC_ID="0",
>>   VLAN="YES",
>>   VLAN_ID="2" ]
>>
>> But on my hypervisor where this VM is running, here are the openflows
>> rules:
>> [root at node02 ~]# ovs-ofctl dump-flows br0
>> NXST_FLOW reply (xid=0x4):
>>  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
>> idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
>>  cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693,
>> idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
>>  cookie=0x0, duration=4295.078s, table=0, n_packets=1444549,
>> n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
>>  cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84,
>> idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32
>> actions=drop
>>  cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462,
>> idle_age=559,
>> priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50
>> actions=NORMAL
>>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
>> idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>  cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0,
>> idle_age=1893, priority=39000,in_port=3 actions=drop
>>
>> Is it correct? I can see the relevant rule here:
>>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
>> idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>> but packets never pass through this rule (n_packets=0), and port 80 is not
>> blocked.
>>
>> ➜  ~  curl -s http://192.168.2.50 -o /dev/null && echo success
>> success
>>
>> If anyone can help :)
>> What am I missing?
>>
>> Best regards
>>
>>
>> --
>> Edouard Bourguignon
>>
>
>
>
> --
> Edouard Bourguignon
>


-- 
Jaime Melis
Project Engineer
OpenNebula - Flexible Enterprise Cloud Made Simple
www.OpenNebula.org | jmelis at opennebula.org
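The thread above compares a NIC's BLACK_PORTS_TCP / ICMP settings against what `ovs-ofctl dump-flows` shows. The following script is an added example (not code from the thread or from OpenNebula): it parses a dump-flows listing, checks that the drop flows the OVS driver should install for a given MAC and VLAN are present, reports their hit counters, and lists any higher-priority flow whose match is a subset of the drop rule (such a flow would take precedence). The sample dump is constructed from the flows quoted in the thread, re-joined to one line per flow.

```python
import re

# Constructed sample: flows quoted in the thread for VM MAC 02:00:c0:a8:02:32 on VLAN 2,
# re-joined to one line per flow (the mail client had wrapped them). Not every flow is repeated.
SAMPLE_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
 cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
 cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
"""

SKIP = {"cookie", "duration", "table", "n_bytes", "idle_age"}  # statistics, not match fields

def parse_flows(dump):
    """Parse `ovs-ofctl dump-flows` text into dicts: match fields, actions, priority, n_packets."""
    flows = []
    for line in dump.splitlines():
        line = line.strip()
        if not line.startswith("cookie="):
            continue
        fields, actions = line.split(" actions=", 1)
        flow = {"match": {}, "actions": actions, "priority": 32768, "n_packets": 0}  # 32768 = OpenFlow default
        for tok in filter(None, re.split(r"[, ]+", fields)):
            key, _, val = tok.partition("=")
            if key in ("priority", "n_packets"):
                flow[key] = int(val)
            elif key not in SKIP:
                flow["match"][key] = val or True  # bare protocol keywords (tcp, icmp, arp) carry no value
        flows.append(flow)
    return flows

def audit_nic(flows, mac, vlan_id, black_ports_tcp=(), icmp="drop"):
    """For one NIC, check each expected drop flow: present?, how many packets it matched,
    and which higher-priority flows have a match that is a subset of it (those win)."""
    expected = {}
    if icmp == "drop":
        expected["icmp"] = {"icmp": True, "dl_vlan": str(vlan_id), "dl_dst": mac}
    for port in black_ports_tcp:
        expected["tcp/%s" % port] = {"tcp": True, "dl_vlan": str(vlan_id), "dl_dst": mac, "tp_dst": str(port)}
    report = {}
    for name, want in expected.items():
        found = [f for f in flows if f["match"] == want and f["actions"] == "drop"]
        shadowing = [f for f in flows if found and f["priority"] > found[0]["priority"]
                     and f["match"].items() <= want.items()]
        report[name] = {"present": bool(found),
                        "n_packets": sum(f["n_packets"] for f in found),
                        "shadowed_by": [f["match"] for f in shadowing]}
    return report

if __name__ == "__main__":
    for rule, result in audit_nic(parse_flows(SAMPLE_DUMP), "02:00:c0:a8:02:32", 2, [80]).items():
        print(rule, result)
```

Feed it the real output of `ovs-ofctl dump-flows br0` instead of the sample to check a live hypervisor; a rule that is present, unshadowed and still at n_packets=0 after test traffic means the traffic is not reaching the flow table in the form the match expects.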