[one-users] blacklist ports with openvswitch

Madko madko77 at gmail.com
Wed Nov 26 07:59:38 PST 2014 

Thanks Jaime for this explaination. Right now openflow is not really a top
priority for us and OpenNebula 4.12 seems quite interesting. So we could
wait for this release. We will certainly switch from OpenStack to
OpenNebula because of all this mess they have done on the network stack
(ovs => bridge => iptables + network namespace etc). Your "Keep It Simple"
approach is very reconforting. But we really need openvswitch support, so I
will try to adapt OpenvSwitch.rb.

2014-11-26 16:04 GMT+01:00 Jaime Melis <jmelis at opennebula.org>:

> Hi,
>
> Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch drivers
> (see here:
> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering
> )
>
> We'd like very much to be able to provide this feature, but as far as we
> know there's no way to do this satisfactorily. There is nothing similar to
> 'in_port' but that matches the outgoing switch port, i.e. there's no
> 'out_port'.
>
> We are currently re-evaluating this, because in OpenNebula 4.12 we're
> going to provide a new resource type: Security Groups, and you can define a
> lot of things: INBOUND, or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC)
> ICMP_TYPE, Port ranges,  and best of all, specific networks, so for example
> you can block out all the traffic to port 22 except if they're on the same
> network. And we can't do this for Open vSwitch. AFAIK OpenStack does this
> by sending the traffic to an ad-hoc linux bridge, running iptables rules on
> it, and sending it back to Open vSwitch. Which is something we would like
> to avoid at all costs!
>
> With regard to your first message, it's very strange, the rules look
> perfectly fine, not sure why it's not working...
>
> On Wed, Nov 26, 2014 at 3:53 PM, Madko <madko77 at gmail.com> wrote:
>
>> Hi,
>>
>> I also have tested WHITE_PORTS_TCP but it seems worse since I don't have
>> any specific openflow rules:
>>
>>  cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0,
>> idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
>>  cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134,
>> idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05
>> actions=NORMAL
>>  cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168,
>> idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05
>> actions=drop
>>  cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323,
>> idle_age=803, priority=0 actions=NORMAL
>>  cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168,
>> idle_age=803,
>> priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5
>> actions=NORMAL
>>  cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0,
>> idle_age=819, priority=39000,in_port=3 actions=drop
>>
>> Only the icmp drop rule is added. Is it normal?
>>
>> Is there anyone here using OpenNebula with OpenVswitch?
>>
>> 2014-11-21 9:33 GMT+01:00 Madko <madko77 at gmail.com>:
>>
>>> Hi,
>>>
>>> I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network
>>> filtering.
>>> I'm following the documentation found here:
>>> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch
>>>
>>> Here is my VM network definition:
>>> NIC=[
>>>   AR_ID="0",
>>>   BLACK_PORTS_TCP="80",
>>>   BRIDGE="br0",
>>>   ICMP="drop",
>>>   IP="192.168.2.50",
>>>   MAC="02:00:c0:a8:02:32",
>>>   NETWORK="LAN",
>>>   NETWORK_ID="0",
>>>   NETWORK_UNAME="oneadmin",
>>>   NIC_ID="0",
>>>   VLAN="YES",
>>>   VLAN_ID="2" ]
>>>
>>> But on my hypervisor where this VM is running, here are the openflows
>>> rules:
>>> [root at node02 ~]# ovs-ofctl dump-flows br0
>>> NXST_FLOW reply (xid=0x4):
>>>  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
>>> idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
>>>  cookie=0x0, duration=1893.173s, table=0, n_packets=6360,
>>> n_bytes=649693, idle_age=4,
>>> priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
>>>  cookie=0x0, duration=4295.078s, table=0, n_packets=1444549,
>>> n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
>>>  cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84,
>>> idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32
>>> actions=drop
>>>  cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462,
>>> idle_age=559,
>>> priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50
>>> actions=NORMAL
>>>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
>>> idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>>  cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0,
>>> idle_age=1893, priority=39000,in_port=3 actions=drop
>>>
>>> is it correct? I can see the relevant rule here:
>>>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
>>> idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>> but packets never pass thru this rule (n_packets=0), and port 80 is not
>>> blocked.
>>>
>>> ➜  ~  curl -s http://192.168.2.50 -o /dev/null && echo success
>>> success
>>>
>>> If anyone can help :)
>>> what am I missing?
>>>
>>> Best regards
>>>
>>>
>>> --
>>> Edouard Bourguignon
>>>
>>
>>
>>
>> --
>> Edouard Bourguignon
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
>
> --
> Jaime Melis
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | jmelis at opennebula.org
>



-- 
Edouard Bourguignon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20141126/257a28ac/attachment-0001.htm>

More information about the Users mailing list