<div dir="ltr"><div>Ok now I understand what you meant by out_port in openflow. Maybe we have to wait for conntrack support in OpenFlow. Because right now I don't see how I could drop traffic to all tcp ports except some specified in the WHITE_TCP_PORTS (that part works) without blocking all the outbound tcp traffic from my VM or any tcp responses.<br><br></div>By the way I have found why the opennebula openflow rules are not working here, that's because of the dl_vlan indicated in the drop rule. I guess it's never matched because I'm using an access port and therefore my ethernet frames are not tagged. I will check that to be sure.<br> <br><div><div><div class="gmail_extra"><br><div class="gmail_quote">2014-11-26 17:32 GMT+01:00 Madko <span dir="ltr"><<a href="mailto:madko77@gmail.com" target="_blank">madko77@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div class="gmail_extra"><div class="gmail_quote"><span class="">2014-11-26 17:12 GMT+01:00 Jaime Melis <span dir="ltr"><<a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>It would be great if we could figure out a way to provide this functionality for Open vSwitch. It is a top priority in OpenNebula's roadmap, so any ideas are very welcome!<br><br></div>What do you mean by adapting OpenvSwitch.rb? What changes do you need in the short-term?<br></div></blockquote><div><br></div></span><div>Right now I'm trying to add white_ports support to block incoming traffic on the VM except for a few ports. I will certainly face the same conclusion as you. However it's just a good way for me to learn ruby (and OpenNebula). 
<br><br></div><div>Thanks for your help<br><br></div><div><div class="h5"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"></div><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Wed, Nov 26, 2014 at 4:59 PM, Madko <span dir="ltr"><<a href="mailto:madko77@gmail.com" target="_blank">madko77@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Thanks Jaime for this explanation. Right now openflow is not really a top priority for us and OpenNebula 4.12 seems quite interesting. So we could wait for this release. We will certainly switch from OpenStack to OpenNebula because of all this mess they have done on the network stack (ovs => bridge => iptables + network namespace etc). Your "Keep It Simple" approach is very comforting. But we really need openvswitch support, so I will try to adapt OpenvSwitch.rb.<br></div><div><div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2014-11-26 16:04 GMT+01:00 Jaime Melis <span dir="ltr"><<a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a>></span>:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div><div><div>Hi,<br><br></div>Unfortunately WHITE_PORTS_* is not supported for the Open vSwitch drivers (see here: <a href="http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering" target="_blank">http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#network-filtering</a>)<br><br></div>We'd like very much to be able to provide this feature, but as far as we know there's no way to do this satisfactorily. There is nothing similar to 'in_port' but that matches the outgoing switch port, i.e. 
there's no 'out_port'.<br><br></div>We are currently re-evaluating this, because in OpenNebula 4.12 we're going to provide a new resource type: Security Groups, and you can define a lot of things: INBOUND, or OUTBOUND, protocol (TCP, UDP, ICMP, IPSEC) ICMP_TYPE, Port ranges, and best of all, specific networks, so for example you can block out all the traffic to port 22 except if they're on the same network. And we can't do this for Open vSwitch. AFAIK OpenStack does this by sending the traffic to an ad-hoc linux bridge, running iptables rules on it, and sending it back to Open vSwitch. Which is something we would like to avoid at all costs!<br><br></div>With regard to your first message, it's very strange, the rules look perfectly fine, not sure why it's not working...<br></div><div class="gmail_extra"><br><div class="gmail_quote"><div><div>On Wed, Nov 26, 2014 at 3:53 PM, Madko <span dir="ltr"><<a href="mailto:madko77@gmail.com" target="_blank">madko77@gmail.com</a>></span> wrote:<br></div></div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div><div><div dir="ltr"><div><div><div>Hi,<br><br></div>I also have tested WHITE_PORTS_TCP but it seems worse since I don't have any specific openflow rules:<br><br> cookie=0x0, duration=819.774s, table=0, n_packets=0, n_bytes=0, idle_age=819, icmp,dl_vlan=199,dl_dst=02:00:c0:a8:c7:05 actions=drop<br> cookie=0x0, duration=819.800s, table=0, n_packets=2, n_bytes=134, idle_age=798, priority=40000,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=NORMAL<br> cookie=0x0, duration=819.825s, table=0, n_packets=4, n_bytes=168, idle_age=806, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05 actions=drop<br> cookie=0x0, duration=2952.547s, table=0, n_packets=41, n_bytes=5323, idle_age=803, priority=0 actions=NORMAL<br> cookie=0x0, duration=819.813s, table=0, n_packets=4, n_bytes=168, idle_age=803, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:c7:05,arp_spa=192.168.199.5 
actions=NORMAL<br> cookie=0x0, duration=819.786s, table=0, n_packets=0, n_bytes=0, idle_age=819, priority=39000,in_port=3 actions=drop<br></div><br>Only the icmp drop rule is added. Is it normal?<br><br></div>Is there anyone here using OpenNebula with OpenVswitch?<br><div><div><div><div><div><div class="gmail_extra"><div><div><br><div class="gmail_quote">2014-11-21 9:33 GMT+01:00 Madko <span dir="ltr"><<a href="mailto:madko77@gmail.com" target="_blank">madko77@gmail.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div><div><div><div><div><div><div>Hi,<br><br></div>I'm using OpenNebula 4.10 on CentOS 7 and I'm trying to use some network filtering.<br></div>I'm following the documentation found here: <a href="http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch" target="_blank">http://docs.opennebula.org/4.10/administration/networking/openvswitch.html#openvswitch</a><br><br></div>Here is my VM network definition:<br>NIC=[<br> AR_ID="0",<br> BLACK_PORTS_TCP="80",<br> BRIDGE="br0",<br> ICMP="drop",<br> IP="192.168.2.50",<br> MAC="02:00:c0:a8:02:32",<br> NETWORK="LAN",<br> NETWORK_ID="0",<br> NETWORK_UNAME="oneadmin",<br> NIC_ID="0",<br> VLAN="YES",<br> VLAN_ID="2" ]<br><br></div>But on my hypervisor where this VM is running, here are the openflow rules:<br>[root@node02 ~]# ovs-ofctl dump-flows br0<br>NXST_FLOW reply (xid=0x4):<br> cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop<br> cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL<br> cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL<br> cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84, idle_age=1870, 
priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32 actions=drop<br> cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462, idle_age=559, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50 actions=NORMAL<br> cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop<br> cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop<br><br></div>Is it correct? I can see the relevant rule here:<br> cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0,
idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80
actions=drop<br></div>but packets never pass through this rule (n_packets=0), and port 80 is not blocked.<br><br>➜ ~ curl -s <a href="http://192.168.2.50" target="_blank">http://192.168.2.50</a> -o /dev/null && echo success<br>success<br><br></div>If anyone can help :)<br></div>What am I missing?<br><br></div>Best regards<span><font color="#888888"><br><div><div><div><div><div><br clear="all"><div><div><div><div><div><br>-- <br><div>Edouard Bourguignon</div>
</div></div></div></div></div></div></div></div></div></div></font></span></div>
</blockquote></div><br><br clear="all"><br></div></div><span><font color="#888888">-- <br><div>Edouard Bourguignon</div>
</font></span></div></div></div></div></div></div></div>
<br></div></div>_______________________________________________<br>
Users mailing list<br>
<a href="mailto:Users@lists.opennebula.org" target="_blank">Users@lists.opennebula.org</a><br>
<a href="http://lists.opennebula.org/listinfo.cgi/users-opennebula.org" target="_blank">http://lists.opennebula.org/listinfo.cgi/users-opennebula.org</a><br>
<br></blockquote></div><span><font color="#888888"><br></font></span></div><span><font color="#888888"><br clear="all"><br>-- <br><div><div dir="ltr"><div>Jaime Melis<br>Project Engineer<br>OpenNebula - Flexible Enterprise Cloud Made Simple<br><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a></div></div></div>
</font></span></blockquote></div><br><br clear="all"><br></div></div><span><font color="#888888">-- <br><div>Edouard Bourguignon</div>
</font></span></div></div></div></div>
<br></blockquote></div><br><br clear="all"><br>-- <br><div><div dir="ltr"><div>Jaime Melis<br>Project Engineer<br>OpenNebula - Flexible Enterprise Cloud Made Simple<br><a href="http://www.OpenNebula.org" target="_blank">www.OpenNebula.org</a> | <a href="mailto:jmelis@opennebula.org" target="_blank">jmelis@opennebula.org</a></div></div></div>
</div>
</div></div></blockquote></div></div></div><span class="HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br><div>Edouard Bourguignon</div>
</font></span></div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature">Edouard Bourguignon</div>
</div></div></div></div>
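The following is an added example, not code from the thread and not part of OpenNebula or Open vSwitch: a small Python audit that parses the `ovs-ofctl dump-flows` output posted above and, for a given VM MAC, lists the inbound drop rules OpenNebula installed (they match on dl_dst, because OpenFlow offers no out_port match) and flags any that match on dl_vlan yet have counted no packets while the VM's own egress rules are busy, the symptom Edouard attributes to untagged frames on an access port. The sample dump is the one from the thread, embedded as a constant so the script runs offline; the function names, the `Flow` class and the `SUSPECT` heuristic are the example's own, and the default-priority value is the one Open vSwitch uses for flows that specify none.

```python
"""Audit the per-VM OpenFlow filter rules that OpenNebula installs on an Open vSwitch bridge."""
from dataclasses import dataclass

# Constructed sample input: the `ovs-ofctl dump-flows br0` output posted in the
# thread for the VM with MAC 02:00:c0:a8:02:32, embedded so the script runs offline.
SAMPLE_DUMP = """NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=1893.122s, table=0, n_packets=0, n_bytes=0, idle_age=1893, icmp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32 actions=drop
 cookie=0x0, duration=1893.173s, table=0, n_packets=6360, n_bytes=649693, idle_age=4, priority=40000,in_port=3,dl_src=02:00:c0:a8:02:32 actions=NORMAL
 cookie=0x0, duration=4295.078s, table=0, n_packets=1444549, n_bytes=3534959110, idle_age=0, priority=0 actions=NORMAL
 cookie=0x0, duration=1893.208s, table=0, n_packets=2, n_bytes=84, idle_age=1870, priority=45000,arp,in_port=3,dl_src=02:00:c0:a8:02:32 actions=drop
 cookie=0x0, duration=1893.189s, table=0, n_packets=11, n_bytes=462, idle_age=559, priority=46000,arp,in_port=3,dl_src=02:00:c0:a8:02:32,arp_spa=192.168.2.50 actions=NORMAL
 cookie=0x0, duration=1893.139s, table=0, n_packets=0, n_bytes=0, idle_age=1893, tcp,dl_vlan=2,dl_dst=02:00:c0:a8:02:32,tp_dst=80 actions=drop
 cookie=0x0, duration=1893.156s, table=0, n_packets=0, n_bytes=0, idle_age=1893, priority=39000,in_port=3 actions=drop
"""

OVS_DEFAULT_PRIORITY = 32768   # priority Open vSwitch assigns when a flow gives none
STAT_KEYS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age"}


@dataclass
class Flow:
    stats: dict      # cookie, duration, table, n_packets, n_bytes, idle_age
    match: dict      # match fields; bare protocol keywords (icmp, tcp, arp) map to True
    actions: str
    priority: int

    @property
    def n_packets(self) -> int:
        return int(self.stats.get("n_packets", 0))

    def describe(self) -> str:
        fields = ",".join(k if v is True else f"{k}={v}" for k, v in self.match.items())
        return f"priority={self.priority} {fields or '<any>'} -> {self.actions} ({self.n_packets} pkts)"


def parse_flow_line(line: str):
    """Parse one `ovs-ofctl dump-flows` line; returns None for header or blank lines."""
    line = line.strip()
    if "actions=" not in line:
        return None
    head, actions = line.split("actions=", 1)
    stats, match, priority = {}, {}, OVS_DEFAULT_PRIORITY
    for token in (t.strip() for t in head.split(",")):
        if not token:
            continue
        key, value = token.split("=", 1) if "=" in token else (token, True)
        if key in STAT_KEYS:
            stats[key] = value
        elif key == "priority":
            priority = int(value)
        else:
            match[key] = value
    return Flow(stats, match, actions.strip(), priority)


def parse_dump(text: str) -> list:
    return [f for f in map(parse_flow_line, text.splitlines()) if f is not None]


def audit_vm_filters(flows: list, vm_mac: str) -> dict:
    """Collect the inbound drop rules for a VM and flag those that look dead.

    A rule is reported as suspect when it matches on dl_vlan, has counted no
    packets, and the VM's own egress rules (dl_src == vm_mac, actions NORMAL)
    show the port is carrying traffic. That pattern is consistent with the
    explanation offered in the thread: frames arriving on an access port are
    untagged, so a dl_vlan match is never satisfied and the drop never fires.
    """
    egress_packets = sum(f.n_packets for f in flows
                         if f.match.get("dl_src") == vm_mac and f.actions == "NORMAL")
    inbound_drops = [f for f in flows
                     if f.match.get("dl_dst") == vm_mac and f.actions == "drop"]
    suspect = [f for f in inbound_drops
               if "dl_vlan" in f.match and f.n_packets == 0 and egress_packets > 0]
    return {"egress_packets": egress_packets,
            "inbound_drops": inbound_drops,
            "suspect": suspect}


if __name__ == "__main__":
    import sys
    vm_mac = sys.argv[1] if len(sys.argv) > 1 else "02:00:c0:a8:02:32"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_DUMP
    report = audit_vm_filters(parse_dump(text), vm_mac)
    print(f"egress packets seen from {vm_mac}: {report['egress_packets']}")
    for flow in report["inbound_drops"]:
        tag = "SUSPECT" if flow in report["suspect"] else "ok"
        print(f"[{tag}] {flow.describe()}")
```

Run with no arguments to audit the embedded sample, or pass a VM MAC and the path of a saved `ovs-ofctl dump-flows` output as the two arguments. On the sample, both inbound drop rules (icmp and tcp/80) come out as SUSPECT: each carries dl_vlan=2 and n_packets=0 while the VM's egress rules have forwarded thousands of packets. The script only reads flow tables and changes nothing on the bridge; a zero counter on a filter rule is the quickest check that a policy is actually being enforced rather than merely installed.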