[one-users] blacklist ports with openvswitch

Madko madko77 at gmail.com
Thu Nov 27 01:02:54 PST 2014


Ok now I understand what you meant by out_port in openflow. Maybe we have
to wait for conntrack support in OpenFlow. Because right now I don't see
how I could drop traffic to all tcp ports except some specified in the
WHITE_TCP_PORTS (that part works) without blocking all the outbound tcp
traffic from my VM or any tcp responses.

By the way I have found why the opennebula openflow rules are not working
here, that's because of the dl_vlan indicated in the drop rule. I guess
it's never matched because I'm using an access port and therefore my ethernet
frames are not tagged. I will check that to be sure.


2014-11-26 17:32 GMT+01:00 Madko <madko77 at gmail.com>:

> 2014-11-26 17:12 GMT+01:00 Jaime Melis <jmelis at opennebula.org>:
>
>> It would be great if we could figure out a way to provide this
>> functionality for Open vSwitch. It is a top priority in OpenNebula's
>> roadmap, so any ideas are very welcome!
>>
>> What do you mean by adapting OpenvSwitch.rb? What changes do you need in
>> the short-term?
>>
>
> Right now I'm trying to add white_ports support to block incoming traffic
> on the VM except for a few ports. I will certainly face the same conclusion
> as you. However it's just a good way for me to learn ruby (and OpenNebula).
>
> Thanks for your help
>
>
>> On Wed, Nov 26, 2014 at 4:59 PM, Madko <madko77 at gmail.com> wrote:
>>
>>> Thanks Jaime for this explanation. Right now openflow is not really a
>>> top priority for us and OpenNebula 4.12 seems quite interesting. So we
>>> could wait for this release. We will certainly switch from OpenStack to
>>> OpenNebula because of all this mess they have done on the network stack
>>> (ovs => bridge => iptables + network namespace etc). Your "Keep It Simple"
>>> approach is very comforting. But we really need openvswitch support, so I
>>> will try to adapt OpenvSwitch.rb.
>>>
>>> 2014-11-26 16:04 GMT+01:00 Jaime Melis <jmelis at opennebula.org>:
>>>
>>>> Hi,
>>>>
>>>> Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch
>>>> drivers (see here:
>>>> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering
>>>> )
>>>>
>>>> We'd like very much to be able to provide this feature, but as far as
>>>> we know there's no way to do this satisfactorily. There is nothing similar
>>>> to 'in_port' but that matches the outgoing switch port, i.e. there's no
>>>> 'out_port'.
>>>>
>>>> We are currently re-evaluating this, because in OpenNebula 4.12 we're
>>>> going to provide a new resource type: Security Groups, and you can define a
>>>> lot of things: INBOUND, or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC)
>>>> ICMP_TYPE, Port ranges, and best of all, specific networks, so for example
>>>> you can block out all the traffic to port 22 except if they're on the same
>>>> network. And we can't do this for Open vSwitch. AFAIK OpenStack does this
>>>> by sending the traffic to an ad-hoc linux bridge, running iptables rules on
>>>> it, and sending it back to Open vSwitch. Which is something we would like
>>>> to avoid at all costs!
>>>>
>>>> With regard to your first message, it's very strange, the rules look
>>>> perfectly fine, not sure why it's not working...
>>>>
>>>> On Wed, Nov 26, 2014 at 3:53 PM, Madko <madko77 at gmail.com> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I also have tested WHITE_PORTS_TCP but it seems worse since I don't
>>>>> have any specific openflow rules:
>>>>>
>>>>>  cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0, idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop
>>>>>  cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134, idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=NORMAL
>>>>>  cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168, idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=drop
>>>>>  cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323, idle_age=803, priority=0 actions=NORMAL
>>>>>  cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168, idle_age=803, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5 actions=NORMAL
>>>>>  cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0, idle_age=819, priority=39000,in_port=3 actions=drop
>>>>>
>>>>> Only the icmp drop rule is added. Is it normal?
>>>>>
>>>>> Is there anyone here using OpenNebula with OpenVswitch?
>>>>>
>>>>> 2014-11-21 9:33 GMT+01:00 Madko <madko77 at gmail.com>:
>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some
>>>>>> network filtering.
>>>>>> I'm following the documentation found here:
>>>>>> http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch
>>>>>>
>>>>>> Here is my VM network definition:
>>>>>> NIC=[
>>>>>>   AR_ID="0",
>>>>>>   BLACK_PORTS_TCP="80",
>>>>>>   BRIDGE="br0",
>>>>>>   ICMP="drop",
>>>>>>   IP="192.168.2.50",
>>>>>>   MAC="02:00:c0:a8:02:32",
>>>>>>   NETWORK="LAN",
>>>>>>   NETWORK_ID="0",
>>>>>>   NETWORK_UNAME="oneadmin",
>>>>>>   NIC_ID="0",
>>>>>>   VLAN="YES",
>>>>>>   VLAN_ID="2" ]
>>>>>>
>>>>>> But on my hypervisor where this VM is running, here are the openflows
>>>>>> rules:
>>>>>> [root at node02 ~]# ovs-ofctl dump-flows br0
>>>>>> NXST_FLOW reply (xid=0x4):
>>>>>>  cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
>>>>>>  cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
>>>>>>  cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
>>>>>>  cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84, idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32 actions=drop
>>>>>>  cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462, idle_age=559, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50 actions=NORMAL
>>>>>>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>>>>>  cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
>>>>>>
>>>>>> is it correct? I can see the relevant rule here:
>>>>>>  cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
>>>>>> but packets never pass thru this rule (n_packets=0), and port 80 is
>>>>>> not blocked.
>>>>>>
>>>>>> ➜  ~  curl -s http://192.168.2.50 -o /dev/null && echo success
>>>>>> success
>>>>>>
>>>>>> If anyone can help :)
>>>>>> what am I missing?
>>>>>>
>>>>>> Best regards
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Edouard Bourguignon
>>>>>>
>>>>>
>>>>>
>>>>>
>>>>> --
>>>>> Edouard Bourguignon
>>>>>
>>>>> _______________________________________________
>>>>> Users mailing list
>>>>> Users at lists.opennebula.org
>>>>> http://lists.opennebula.org/listinfo.cgi/users-opennebula.org
>>>>>
>>>>>
>>>>
>>>>
>>>> --
>>>> Jaime Melis
>>>> Project Engineer
>>>> OpenNebula - Flexible Enterprise Cloud Made Simple
>>>> www.OpenNebula.org | jmelis at opennebula.org
>>>>
>>>
>>>
>>>
>>> --
>>> Edouard Bourguignon
>>>
>>>
>>>
>>
>>
>> --
>> Jaime Melis
>> Project Engineer
>> OpenNebula - Flexible Enterprise Cloud Made Simple
>> www.OpenNebula.org | jmelis at opennebula.org
>>
>
>
>
> --
> Edouard Bourguignon
>



-- 
Edouard Bourguignon
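As an added example that is not part of this thread or of OpenNebula's OpenvSwitch.rb, the Ruby script below parses the `ovs-ofctl dump-flows br0` output quoted above and reports drop rules for a VM MAC that have never matched a packet, flagging those that carry a dl_vlan match (the thread's hypothesis for why the port-80 drop rule shows n_packets=0). The sample dump is constructed from the flows quoted in the thread with the e-mail line wrapping undone; the function names are assumptions.

```ruby
# Audit `ovs-ofctl dump-flows` output: find filter (drop) rules installed for a
# VM that never matched, so a rule that silently blocks nothing is noticed
# instead of trusted. Added example, not OpenNebula driver code.

# Constructed sample, taken from the flows quoted in the thread (rejoined lines).
SAMPLE_DUMP = <<~FLOWS
  NXST_FLOW reply (xid=0x4):
   cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
   cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
   cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
   cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
   cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
FLOWS

# Parse one flow line into a hash: counters as integers, match fields in :match
# (a bare protocol keyword such as tcp/icmp/arp is stored with a nil value).
# Returns nil for lines that are not flows (e.g. the NXST_FLOW header).
def parse_flow(line)
  fields, actions = line.strip.split(' actions=', 2)
  return nil unless actions
  flow = { match: {}, actions: actions }
  fields.split(',').map(&:strip).reject(&:empty?).each do |tok|
    key, val = tok.split('=', 2)
    case key
    when 'n_packets', 'n_bytes', 'priority', 'idle_age', 'table' then flow[key.to_sym] = val.to_i
    when 'cookie', 'duration' then flow[key.to_sym] = val
    else flow[:match][key] = val
    end
  end
  flow[:priority] ||= 32768 # OpenFlow default when ovs-ofctl prints no priority
  flow
end

def parse_dump(text)
  text.lines.map { |l| parse_flow(l) }.compact
end

# Drop rules aimed at traffic towards the VM (dl_dst == its MAC) with zero hits.
def idle_drop_rules(flows, mac)
  flows.select { |f| f[:actions] == 'drop' && f[:match]['dl_dst'] == mac && f[:n_packets] == 0 }
end

# Of those, the ones that also match on dl_vlan: per the thread's hypothesis, a
# VLAN tag match cannot hit untagged frames on an access port, so these are the
# first candidates to re-check. Returns the match keys of each such rule.
def suspicious_vlan_matches(flows, mac)
  idle_drop_rules(flows, mac).select { |f| f[:match].key?('dl_vlan') }
                             .map { |f| f[:match].keys.join(',') }
end
```

Run it against a live `ovs-ofctl dump-flows br0` after generating some traffic to the VM; a BLACK_PORTS or ICMP drop rule that still shows zero hits is not filtering anything.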