<div dir="ltr">Hi Oriol,<div><br></div><div>Thanks a lot for your patch! Yes, when we created the openvswitch drivers we considered using the mask functionality, but, as you said, that requires a newer version of Open vSwitch which is not yet available in the major distributions, so I think we should hold on for the moment.</div>
<div><br></div><div style>However, I think it's definitely the way to go in the future, so I'm bookmarking this patch!</div><div style><br></div><div style>cheers,<br>Jaime</div></div><div class="gmail_extra"><br>
<br><div class="gmail_quote">On Tue, Mar 5, 2013 at 5:41 PM, Oriol Martí <span dir="ltr"><<a href="mailto:omarti@cesca.cat" target="_blank">omarti@cesca.cat</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi Jaime,<br>
<br>
I have developed the driver to work with the openvswitch and
black_ports and white_ports as you said. I tried to do the filtering
of all the ports one by one, but it takes more than 4 or 5 hours to
finish the network deployment. Then I saw that you can specify
a port with a mask, but only Open vSwitch 1.6 and later supports
masks; my nodes are Ubuntu 12.04 and I had to compile the latest
version of Open vSwitch<br>
<a href="http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities%2Fovs-ofctl.8" target="_blank">http://openvswitch.org/cgi-bin/ovsman.cgi?page=utilities%2Fovs-ofctl.8</a><br>
Attached you can find my new OpenvSwitch.rb that does the
filtering with the minimum rules possible by applying masks.<br>
I don't know if this could be uploaded to the issue tracking
system, but for now with this driver you must compile Open vSwitch
(Ubuntu 12.04)<div class="im"><br>
<br>
On 02/19/2013 11:19 AM, Jaime Melis wrote:<br>
</div></div><div><div class="h5">
<blockquote type="cite">
<div dir="ltr">Hi Oriol
<div><br>
</div>
<div>I don't know if creating that many rules will
impact Open vSwitch's performance, I guess it's something you
could ask in the Open vSwitch mailing list, or give it a try
yourself and see if it works fine.</div>
<div><br>
</div>
<div>In any case I think that the approach you
described above is the correct one.</div>
<div><br>
</div>
<div>cheers,<br>
Jaime</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote"> On Mon, Feb 18, 2013 at 1:24 PM, Oriol
Martí <span dir="ltr"><<a href="mailto:omarti@cesca.cat" target="_blank">omarti@cesca.cat</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Hi Jaime, <br>
looking at the file
/var/lib/one/remotes/vnm/ovswitch/OpenvSwitch.rb<br>
My idea is to add that black_ports look for ":" and run the
command<br>
add_flow("tcp,dl_dst=#{@nic[:mac]},tp_dst=#{p}",:drop)<br>
for every port in the range.<br>
With the white_port, is the normal behaviour all closed
except the indicated ports? My idea is to do the drop for
all the ports except the indicated ones.<br>
Is this correct? I'm not sure whether this large number of
rules could add extra load to the node or lead to
problems...<br>
<br>
Thanks,
<div>
<div><br>
<br>
On 02/18/2013 12:33 PM, Jaime Melis wrote:<br>
</div>
</div>
</div>
<div>
<div>
<blockquote type="cite">
<div dir="ltr">Hi Oriol,
<div><br>
</div>
<div>yes, WHITE_PORTS is not implemented, and
neither are port ranges with semi-colon:</div>
<div><a href="http://opennebula.org/documentation:rel3.8:openvswitch#network_filtering" target="_blank">http://opennebula.org/documentation:rel3.8:openvswitch#network_filtering</a><br>
</div>
<div><br>
</div>
<div>The reason is because iptables filters won't
work with Open vSwitch, so port filtering is
implemented via OpenFlow. If you find a way to
improve the drivers it would be really nice. Let
me know if I can help in any way.</div>
<div><br>
</div>
<div>cheers,<br>
Jaime</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Mon, Feb 18, 2013 at
11:52 AM, Oriol Martí <span dir="ltr"><<a href="mailto:omarti@cesca.cat" target="_blank">omarti@cesca.cat</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Hi,<br>
I'm deploying the Open vSwitch driver and when
I create one VM with the BLACK and WHITE_PORTS
it doesn't work.<br>
<br>
I've seen the code and I'm not sure, but I
think that white port is not implemented and
the black ports only do a strip for ","
and not by ":", so if you want to configure a VM
with all the ports closed and only port
80 open it is very difficult to do because you would
have to write all the ports, one by one, and
it is impossible to indicate a range of ports
like 80:65535<br>
<br>
I'm thinking of writing the code necessary to do
that, but I'm not sure, because I don't know
the reason why it is not finished.... Does
anybody know something about that?<br>
<br>
Best regards,<br>
<br>
_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
</blockquote>
</div>
<br>
</div>
<br clear="all">
<div><br>
</div>
-- <br>
Jaime Melis<br>
Project Engineer<br>
OpenNebula - The Open Source Toolkit for Cloud
Computing<br>
<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a>
| <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a> </blockquote>
<br>
</div>
</div>
</div>
</blockquote>
</div>
<br>
<br clear="all">
<div><br>
</div>
-- <br>
Jaime Melis<br>
Project Engineer<br>
OpenNebula - The Open Source Toolkit for Cloud Computing<br>
<a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a> </div>
</blockquote>
<br>
<br>
</div></div><span class="HOEnZb"><font color="#888888"><pre cols="72">--
......................................................................
__
/ / Oriol Martí Bonvehí
C E / S / C A Systems Administrator
/_/ Centre de Supercomputació de Catalunya
Gran Capità, 2-4 (Edifici Nexus) · 08034 Barcelona
T. 93 551 6212 · F. 93 205 6979 · <a href="mailto:omarti@cesca.cat" target="_blank">omarti@cesca.cat</a>
......................................................................
</pre>
</font></span></div>
</blockquote></div><br><br clear="all"><div><br></div>-- <br>Jaime Melis<br>Project Engineer<br>OpenNebula - The Open Source Toolkit for Cloud Computing<br><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a>
</div>
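The mask-based range filtering Oriol describes above (a minimal set of masked tp_dst matches instead of one drop rule per port, which he reports took 4 or 5 hours to deploy) can be reproduced with the following Ruby, added here as an illustration; it is not the OpenvSwitch.rb driver attached to his mail nor OpenNebula's own code. It assumes the ovs-ofctl `tp_dst=value/mask` match syntax that Open vSwitch 1.6 and later accept and keeps the `tcp,dl_dst=...,tp_dst=...` match shape from the thread; the sample MAC address and the `parse_port_spec`, `complement_ranges`, `drop_matches` and `ports_matched` helpers are names chosen for this example, not the driver's. It also goes one step beyond the thread by handling the WHITE_PORTS case (drop the complement of the listed ports) that Jaime says is unimplemented.

```ruby
# Added example (not the OpenNebula driver's own code): build the minimal set
# of masked tp_dst matches that covers a port range, in the ovs-ofctl
# "value/mask" syntax that needs Open vSwitch 1.6 or later.

PORT_MAX = 0xffff

# Split [lo, hi] into the fewest aligned power-of-two blocks, each expressed
# as [value, mask] such that (port & mask) == value exactly for the ports in
# the block. Same idea as aggregating an address range into CIDR prefixes.
def port_range_to_masks(lo, hi)
  unless (0..PORT_MAX).cover?(lo) && (0..PORT_MAX).cover?(hi) && lo <= hi
    raise ArgumentError, "invalid port range #{lo}:#{hi}"
  end
  rules = []
  while lo <= hi
    # Grow the block while lo stays aligned to it and it does not run past hi.
    bits = 0
    while bits < 16 && (lo & ((1 << (bits + 1)) - 1)).zero? && lo + (1 << (bits + 1)) - 1 <= hi
      bits += 1
    end
    size = 1 << bits
    rules << [lo, PORT_MAX & ~(size - 1)]
    lo += size
  end
  rules
end

# Parse a BLACK_PORTS/WHITE_PORTS style spec such as "22,80:65535" into
# [lo, hi] pairs ("80" on its own is the single-port range [80, 80]).
def parse_port_spec(spec)
  spec.split(",").map do |item|
    lo, hi = item.strip.split(":").map { |s| Integer(s, 10) }
    [lo, hi || lo]
  end
end

# Ranges of the 16-bit port space NOT covered by the given ranges; this is
# what a WHITE_PORTS policy ("drop everything except these") has to drop.
def complement_ranges(ranges)
  gaps = []
  cursor = 0
  ranges.sort.each do |lo, hi|
    gaps << [cursor, lo - 1] if lo > cursor
    cursor = [cursor, hi + 1].max
  end
  gaps << [cursor, PORT_MAX] if cursor <= PORT_MAX
  gaps
end

# Render the match strings the driver's add_flow helper would receive
# (add_flow("tcp,dl_dst=...,tp_dst=...", :drop) in the thread). A single
# unmasked port keeps the plain decimal form; masked blocks use hex value/mask.
def drop_matches(mac, ranges)
  ranges.flat_map do |lo, hi|
    port_range_to_masks(lo, hi).map do |value, mask|
      if mask == PORT_MAX
        "tcp,dl_dst=#{mac},tp_dst=#{value}"
      else
        format("tcp,dl_dst=%s,tp_dst=0x%04x/0x%04x", mac, value, mask)
      end
    end
  end
end

def black_port_matches(mac, spec)
  drop_matches(mac, parse_port_spec(spec))
end

def white_port_matches(mac, spec)
  drop_matches(mac, complement_ranges(parse_port_spec(spec)))
end

# Brute-force check: the set of ports matched by [value, mask] rules. Used to
# confirm that the masks cover exactly the intended range and nothing else.
def ports_matched(rules)
  (0..PORT_MAX).select { |p| rules.any? { |value, mask| (p & mask) == value } }
end

if __FILE__ == $0
  mac = "02:00:0a:00:00:01" # constructed sample MAC, not from the thread
  puts "BLACK_PORTS=80:65535 -> #{black_port_matches(mac, '80:65535').size} rules instead of 65456"
  black_port_matches(mac, "80:65535").each { |m| puts "  #{m}" }
  puts "WHITE_PORTS=22,80 -> #{white_port_matches(mac, '22,80').size} drop rules"
end
```

`ports_matched` is the check worth keeping around: it enumerates the whole 16-bit port space and confirms that the masked rules match exactly the intended ports, so a wrong mask cannot silently leave a port open or close one that should be reachable. Note that, exactly as in the thread's `add_flow` call, these matches are limited to `tcp`; UDP traffic to the same ports is not dropped by them.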