<div dir="ltr"><div><div><div>Hi,<br><br></div>I have also tested WHITE_PORTS_TCP, but it seems worse since I don't have any specific OpenFlow rules:<br><br> cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0, idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop<br> cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134, idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=NORMAL<br> cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168, idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=drop<br> cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323, idle_age=803, priority=0 actions=NORMAL<br> cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168, idle_age=803, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5 actions=NORMAL<br> cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0, idle_age=819, priority=39000,in_port=3 actions=drop<br></div><br>Only the ICMP drop rule is added. 
Is it normal?<br><br></div>Is there anyone here using OpenNebula with Open vSwitch?<br><div><div><div><div><div><div class="gmail_extra"><br><div class="gmail_quote">2014-11-21 9:33 GMT+01:00 Madko <span dir="ltr"><<a href="mailto:madko77@gmail.com" target="_blank">madko77@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div><div>Hi,<br><br></div>I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network filtering.<br></div>I'm following the documentation found here: <a href="http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch" target="_blank">http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch</a><br><br></div>Here is my VM network definition:<br>NIC=[<br> AR_ID="0",<br> BLACK_PORTS_TCP="80",<br> BRIDGE="br0",<br> ICMP="drop",<br> IP="192.168.2.50",<br> MAC="02:00:c0:a8:02:32",<br> NETWORK="LAN",<br> NETWORK_ID="0",<br> NETWORK_UNAME="oneadmin",<br> NIC_ID="0",<br> VLAN="YES",<br> VLAN_ID="2" ]<br><br></div>But on my hypervisor where this VM is running, here are the OpenFlow rules:<br>[root@node02 ~]# ovs-ofctl dump-flows br0<br>NXST_FLOW reply (xid=0x4):<br> cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop<br> cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL<br> cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL<br> cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84, idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32 actions=drop<br> cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462, idle_age=559, 
priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50 actions=NORMAL<br> cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop<br> cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop<br><br></div>Is it correct? I can see the relevant rule here:<br> cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80
actions=drop<br></div>but packets never pass through this rule (n_packets=0), and port 80 is not blocked.<br><br>➜ ~ curl -s <a href="http://192.168.2.50" target="_blank">http://192.168.2.50</a> -o /dev/null && echo success<br>success<br><br></div>If anyone can help :)<br></div>What am I missing?<br><br></div>Best regards<span><font color="#888888"><br><div><div><div><div><div><br clear="all"><div><div><div><div><div><br>-- <br><div>Edouard Bourguignon</div>
</div></div></div></div></div></div></div></div></div></div></font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br><div>Edouard Bourguignon</div>
</div></div></div></div></div></div></div>
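An added example, not part of the original messages or of OpenNebula's own code: a small parser for the `ovs-ofctl dump-flows` output shown above that orders the flows by effective priority and lists drop rules that have never matched a packet. It assumes flows printed without `priority=` carry the OpenFlow default of 32768; the function names are hypothetical and the sample is a constructed subset of the dump in the thread.

```python
import re

# Assumption: ovs-ofctl omits priority= when a flow has the default priority.
DEFAULT_PRIORITY = 32768
STAT_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes",
             "idle_age", "hard_age", "idle_timeout", "hard_timeout"}

# Constructed sample: four flows taken from the dump quoted in the thread.
SAMPLE = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
 cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
"""

def parse_flows(dump):
    """Turn dump-flows text into dicts: priority, n_packets, match, actions."""
    flows = []
    for line in dump.splitlines():
        if " actions=" not in line:
            continue  # skip the "NXST_FLOW reply" header and blank lines
        left, actions = line.strip().rsplit(" actions=", 1)
        stats, match = {}, ""
        for field in left.split(", "):
            key, _, value = field.partition("=")
            if key in STAT_KEYS:
                stats[key] = value
            else:
                match = field  # comma-joined match, e.g. "tcp,dl_vlan=2,..."
        prio = re.search(r"(?:^|,)priority=(\d+)", match)
        flows.append({
            "priority": int(prio.group(1)) if prio else DEFAULT_PRIORITY,
            "n_packets": int(stats.get("n_packets", 0)),
            "match": re.sub(r"(?:^|,)priority=\d+", "", match).lstrip(","),
            "actions": actions,
        })
    return flows

def lookup_order(flows):
    """Highest priority first: among matching flows the switch picks this one."""
    return sorted(flows, key=lambda f: f["priority"], reverse=True)

def unhit_drops(flows):
    """Drop rules whose packet counter is still zero, in lookup order."""
    return [f for f in lookup_order(flows)
            if f["actions"] == "drop" and f["n_packets"] == 0]

if __name__ == "__main__":
    for f in lookup_order(parse_flows(SAMPLE)):
        print(f["priority"], f["n_packets"], f["match"] or "(any)", f["actions"])
    print("never hit:", [f["match"] for f in unhit_drops(parse_flows(SAMPLE))])
```

On a hypervisor, the same functions can be fed the live output of `ovs-ofctl dump-flows br0` instead of `SAMPLE`.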