<div dir="ltr">Hi Oriol<div><br></div><div style>I don't know if creating that many rules will impact Open vSwitch's performance, I guess it's something you could ask in the Open vSwitch mailing list, or give it a try yourself and see if it works fine.</div>
<div style><br></div><div style>In any case I think that the approach you described above is the correct one.</div><div style><br></div><div style>cheers,<br>Jaime</div></div><div class="gmail_extra"><br><br><div class="gmail_quote">
On Mon, Feb 18, 2013 at 1:24 PM, Oriol Martí <span dir="ltr"><<a href="mailto:omarti@cesca.cat" target="_blank">omarti@cesca.cat</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi Jaime, <br>
looking at the file
/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb<br>
My idea is to add that black_ports look for : and do the command<br>
add_flow("tcp,dl_dst=#{@nic[:mac]},tp_dst=#{p}",:drop)<br>
for every port in the range.<br>
With the white_port, the normal behaviour is all closed but the
indicated ports? my idea is to do the drop for all the ports but
the indicated ports.<br>
Is this correct? I'm not sure if this big amount of rules can add
extra load to the node or it can derive to problems...<br>
<br>
Thanks,<div><div class="h5"><br>
<br>
On 02/18/2013 12:33 PM, Jaime Melis wrote:<br>
</div></div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Hi Oriol,
<div><br>
</div>
<div>yes, WHITE_PORTS is not implement, and neither are
port ranges with semi-colon:</div>
<div><a href="http://opennebula.org/documentation:rel3.8:openvswitch#network_filtering" target="_blank">http://opennebula.org/documentation:rel3.8:openvswitch#network_filtering</a><br>
</div>
<div><br>
</div>
<div>The reason is because iptables filters won't work
with Open vSwitch, so port filtering is implemented via
OpenFlow. If you find a way to improve the drivers it would be
really nice. Let me know if I can help in any way.</div>
<div><br>
</div>
<div>cheers,<br>
Jaime</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Feb 18, 2013 at 11:52 AM, Oriol
Martí <span dir="ltr"><<a href="mailto:omarti@cesca.cat" target="_blank">omarti@cesca.cat</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
I'm deploying the Open vswitch driver and when I create one
VM with the BLACK and WHITE_PORTS it doesn't work.<br>
<br>
I've seen the code and I'm not sure, but I think that white
port is not implemented and the black ports only is doing a
strip for "," not by ":", then if you want to configure a VM
with all the ports closed and only opened the 80 is very
difficult to do because you would have to write all the
ports, one by one, and is impossible to indicate a range of
ports like 80:65535<br>
<br>
I'm thinking to write the code necessary to do that, but I'm
not sure, because I don't know the reason why is not
finished.... Does anybody know something about that?<br>
<br>
Best regards,<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</blockquote>
</div>
<br>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
Jaime Melis<br>
Project Engineer<br>
OpenNebula - The Open Source Toolkit for Cloud Computing<br>
<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a>
</blockquote>
<br>
</div></div></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Jaime Melis<br>Project Engineer<br>OpenNebula - The Open Source Toolkit for Cloud Computing<br><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a>
</div>