On 2012-5-20, at 12:27 AM, Sergio Kviato wrote:

> On May 19, 2012, at 19:02, faicker mo <[email protected]> wrote:
>
>> On 2012-5-19, at 11:11 PM, Ben Pfaff wrote:
>>
>>> On Sat, May 19, 2012 at 09:30:40PM +0800, faicker mo wrote:
>>>> I have viewed the ovs-ofctl man page, I found that the arp match has
>>>> only arp_sha and arp_dha. It can't match the source ip in arp(SPA) and
>>>> destination ip(DPA) in arp. Without this, the arp spoofing can't be
>>>> prevented.
>>>
>>> Use nw_src or nw_dst. This is documented in ovs-ofctl(8).
>>
>> Sorry for my overlook.
>>
>>>> OVS replaces the bridge default in kernel. Ebtables can't
>>>> work. But now OVS doesn't have enough function to replace
>>>> ebtables. For example, arp_reply module in ebtables.
>>>
>>> No, OVS doesn't replace anything, it provides a supplement.
>>
>> But when I use OVS, I can't use ebtables. (need bridge module)
>
> Why do you need ebtables? You can construct rules to block ARP and IP spoofing
> using ovs-ofctl for example.
>
>>>> I have successfully realized the broute which is in ebtables by OVS.
>>>
>>> I don't understand that sentence.
>>
>> For this, OVS replaces ebtables

I need the arp_reply module like in ebtables. ARP and IP spoofing are realized already by ovs-ofctl.

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
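
The approach suggested in the thread (matching the ARP sender IP with nw_src and building the anti-spoofing rules with ovs-ofctl), as an added example that is not part of the original messages: a shell helper that emits allow/drop flows binding one port to one MAC/IP pair. The bridge name br0, port 5, the MAC and the IP are constructed sample values, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: per-port anti-spoofing flow specs for ovs-ofctl.
# Bridge, port, MAC and IP used below are constructed sample values.

valid_mac() {
    printf '%s\n' "$1" | grep -Eq '^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$'
}

valid_ipv4() {
    printf '%s\n' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' || return 1
    old_ifs=$IFS; IFS=.
    for octet in $1; do
        [ "$octet" -le 255 ] || { IFS=$old_ifs; return 1; }
    done
    IFS=$old_ifs
}

# Print the flow specs that bind one OpenFlow port to one MAC/IP pair.
# On an "arp" flow, nw_src matches the ARP sender protocol address (SPA),
# so a forged SPA or sender MAC falls through to the lower-priority drop.
# Caveat: the ip drop also blocks DHCP requests sent from 0.0.0.0; add an
# explicit allow for those if the attached host uses DHCP.
guard_flows() {
    port=$1 mac=$2 ip=$3
    case $port in ''|*[!0-9]*) echo "bad port: $port" >&2; return 1 ;; esac
    valid_mac "$mac" || { echo "bad MAC: $mac" >&2; return 1; }
    valid_ipv4 "$ip" || { echo "bad IPv4: $ip" >&2; return 1; }
    cat <<EOF
priority=200,in_port=$port,arp,dl_src=$mac,arp_sha=$mac,nw_src=$ip,actions=NORMAL
priority=200,in_port=$port,ip,dl_src=$mac,nw_src=$ip,actions=NORMAL
priority=100,in_port=$port,arp,actions=drop
priority=100,in_port=$port,ip,actions=drop
EOF
}

# Install the flows on a bridge. Dry run by default: the commands are only
# printed. Set DRY_RUN=0 to call ovs-ofctl for real.
apply_guard() {
    bridge=$1; shift
    flows=$(guard_flows "$@") || return 1
    printf '%s\n' "$flows" | while IFS= read -r flow; do
        if [ "${DRY_RUN:-1}" = 1 ]; then
            echo "ovs-ofctl add-flow $bridge \"$flow\""
        else
            ovs-ofctl add-flow "$bridge" "$flow"
        fi
    done
}

apply_guard br0 5 52:54:00:12:34:56 192.0.2.10
```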
