[one-users] blacklist ports with openvswitch

Madko madko77 at gmail.com
Wed Nov 26 08:32:08 PST 2014


2014-11-26 17:12 GMT+01:00 Jaime Melis <jmelis at opennebula.org>:

> It would be great if we could figure out a way to provide this
> functionality for Open vSwitch. It is a top priority in OpenNebula's
> roadmap, so any ideas are very welcome!
>
> What do you mean by adapting OpenvSwitch.rb? What changes do you need in
> the short-term?
>

Right now I'm trying to add white_ports support to block incomming traffic
on the VM except for a few ports. I will certainly face the same conclusion
as you. However it's just a good way for me to learn ruby (and OpenNebula).

Thanks for your help


> On Wed, Nov 26, 2014 at 4:59 PM, Madko <madko77 at gmail.com> wrote:
>
>> Thanks Jaime for this explaination. Right now openflow is not really a
>> top priority for us and OpenNebula 4.12 seems quite interesting. So we
>> could wait for this release. We will certainly switch from OpenStack to
>> OpenNebula because of all this mess they have done on the network stack
>> (ovs => bridge => iptables + network namespace etc). Your "Keep It Simple"
>> approach is very reconforting. But we really need openvswitch support, so I
>> will try to adapt OpenvSwitch.rb.
>>
>> 2014-11-26 16:04 GMT+01:00 Jaime Melis <jmelis at opennebula.org>:
>>
>>> Hi,
>>>
>>> Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch
>>> drivers (see here:
>>> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering
>>> )
>>>
>>> We'd like very much to be able to provide this feature, but as far as we
>>> know there's no way to do this satisfactorily. There is nothing similar to
>>> 'in_port' but that matches the outgoing switch port, i.e. there's no
>>> 'out_port'.
>>>
>>> We are currently re-evaluating this, because in OpenNebula 4.12 we're
>>> going to provide a new resource type: Security Groups, and you can define a
>>> lot of things: INBOUND, or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC)
>>> ICMP_TYPE, Port ranges,  and best of all, specific networks, so for example
>>> you can block out all the traffic to port 22 except if they're on the same
>>> network. And we can't do this for Open vSwitch. AFAIK OpenStack does this
>>> by sending the traffic to an ad-hoc linux bridge, running iptables rules on
>>> it, and sending it back to Open vSwitch. Which is something we would like
>>> to avoid at all costs!
>>>
>>> With regard to your first message, it's very strange, the rules look
>>> perfectly fine, not sure why it's not working...
>>>
>>> On Wed, Nov 26, 2014 at 3:53 PM, Madko <madko77 at gmail.com> wrote:
>>>
>>>> Hi,
>>>>
>>>> I also have tested WHITE_PORTS_TCP but it seems worse since I don't
>>>> have any specific openflow rules:
>>>>
>>>>  cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0,
>>>> idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
>>>>  cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134,
>>>> idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05
>>>> actions=NORMAL
>>>>  cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168,
>>>> idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05
>>>> actions=drop
>>>>  cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323,
>>>> idle_age=803, priority=0 actions=NORMAL
>>>>  cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168,
>>>> idle_age=803,
>>>> priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5
>>>> actions=NORMAL
>>>>  cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0,
>>>> idle_age=819, priority=39000,in_port=3 actions=drop
>>>>
>>>> Only the icmp drop rule is added. Is it normal?
>>>>
>>>> Is there anyone here using OpenNebula with OpenVswitch?
>>>>
>>>> 2014-11-21 9:33 GMT+01:00 Madko <madko77 at gmail.com>:
>>>>
>>>>> Hi,
>>>>>
>>>>> I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some
>>>>> network filtering.
>>>>> I'm following the documentation found here:
>>>>> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch
>>>>>
>>>>> Here is my VM network definition:
>>>>> NIC=[
>>>>>   AR_ID="0",
>>>>>   BLACK_PORTS_TCP="80",
>>>>>   BRIDGE="br0",
>>>>>   ICMP="drop",
>>>>>   IP="192.168.2.50",
>>>>>   MAC="02:00:c0:a8:02:32",
>>>>>   NETWORK="LAN",
>>>>>   NETWORK_ID="0",
>>>>>   NETWORK_UNAME="oneadmin",
>>>>>   NIC_ID="0",
>>>>>   VLAN="YES",
>>>>>   VLAN_ID="2" ]
>>>>>
>>>>> But on my hypervisor where this VM is running, here are the openflows
>>>>> rules:
>>>>> [root at node02 ~]# ovs-ofctl dump-flows br0
>>>>> NXST_FLOW reply (xid=0x4):
>>>>>  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0,
>>>>> idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
>>>>>  cookie=0x0, duration=1893.173s, table=0, n_packets=6360,
>>>>> n_bytes=649693, idle_age=4,
>>>>> priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
>>>>>  cookie=0x0, duration=4295.078s, table=0, n_packets=1444549,
>>>>> n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
>>>>>  cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84,
>>>>> idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32
>>>>> actions=drop
>>>>>  cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462,
>>>>> idle_age=559,
>>>>> priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50
>>>>> actions=NORMAL
>>>>>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
>>>>> idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>>>>  cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0,
>>>>> idle_age=1893, priority=39000,in_port=3 actions=drop
>>>>>
>>>>> is it correct? I can see the relevant rule here:
>>>>>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
>>>>> idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>>>> but packets never pass thru this rule (n_packets=0), and port 80 is
>>>>> not blocked.
>>>>>
>>>>> ➜  ~  curl -s http://192.168.2.50 -o /dev/null && echo success
>>>>> success
>>>>>
>>>>> If anyone can help :)
>>>>> what am I missing?
>>>>>
>>>>> Best regards
>>>>>
>>>>>
>>>>> --
>>>>> Edouard Bourguignon
>>>>>
>>>>
>>>>
>>>>
>>>> --
>>>> Edouard Bourguignon
>>>>
>>>> _______________________________________________
>>>> Users mailing list
>>>> Users at lists.opennebula.org
>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>
>>>>
>>>
>>>
>>> --
>>> Jaime Melis
>>> Project Engineer
>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>> www.OpenNebula.org | jmelis at opennebula.org
>>>
>>
>>
>>
>> --
>> Edouard Bourguignon
>>
>> _______________________________________________
>> Users mailing list
>> Users at lists.opennebula.org
>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>
>>
>
>
> --
> Jaime Melis
> Project Engineer
> OpenNebula - Flexible Enterprise Cloud Made Simple
> www.OpenNebula.org | jmelis at opennebula.org
>



-- 
Edouard Bourguignon
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opennebula.org/pipermail/users-opennebula.org/attachments/20141126/9b1e8993/attachment-0001.htm>


More information about the Users mailing list