Hello, I'm searching for a solution to allow the returning traffic for a VM when all the ports, or most of them, are filtered. I'm filtering with ovs-ofctl with masks; for example, for a given VM, if I want to allow only ports 80 and 22 incoming, I execute:

ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x10/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x14/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x17/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x18/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x20/0xffe0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x40/0xfff0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x51/0xffff,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x52/0xfffe,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x54/0xfffc,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x58/0xfff8,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x60/0xffe0,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x80/0xff80,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x100/0xff00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x200/0xfe00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x400/0xfc00,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x800/0xf800,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1000/0xf000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2000/0xe000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4000/0xc000,actions=drop
ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8000/0x8000,actions=drop

But with all the incoming ports filtered, I've seen that the returning traffic, when I'm doing for example a wget from the VM, is filtered too. This is caused because the connection is made from a random port in the VM that starts the connection, and when it returns it is filtered. I don't know if there is something like ESTABLISHED in iptables to detect the established traffic. Maybe there is a flag in the returning packets that I can check with the rules in ovs-ofctl? Does anybody know a solution for this scenario?

Cheers,

_______________________________________________
discuss mailing list
http://openvswitch.org/mailman/listinfo/discuss
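
The following is an added example, not part of the original post and not Open vSwitch project code. It generalizes the hand-built mask table above (every destination port outside an allow-list, covered with the fewest value/mask pairs) and then emits two rule sets that answer the question in the post: a stateless one that only drops connection-opening SYNs (so replies to connections the VM started pass), and a conntrack one that uses ct_state as the actual equivalent of iptables ESTABLISHED. It assumes masked tp_dst, tcp_flags matching (OVS 2.1 and later) and ct()/ct_state (OVS 2.5 and later, with kernel conntrack) are available on the installed version; the MAC address is a made-up placeholder standing in for "mac" in the post. The script talks to no switch; it only prints flow text.

```python
#!/usr/bin/env python3
"""Added example (not from the original post or the OVS project): build
ovs-ofctl flow lines that drop inbound TCP to every destination port except
an allow-list, plus two ways to let the VM's own outbound connections get
their replies back.

Assumed OVS features: masked tp_dst, tcp_flags=+syn-ack (OVS >= 2.1) and
ct_state / ct() (OVS >= 2.5 with kernel conntrack).  Output is meant for
`ovs-ofctl add-flows BRIDGE -` (one flow per line on stdin)."""

ALL_PORTS = range(0, 65536)


def range_to_prefixes(lo, hi):
    """Cover the closed port range [lo, hi] with the fewest value/mask pairs.
    Each pair is a power-of-two aligned block, the same shape as the masks in
    the post (0x2/0xfffe covers 2-3, 0x4/0xfffc covers 4-7, ...)."""
    pairs = []
    while lo <= hi:
        size = 1
        # Grow the block while it stays aligned to its size and inside [lo, hi].
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        pairs.append((lo, 0xFFFF & ~(size - 1)))
        lo += size
    return pairs


def deny_prefixes(allowed, first=0):
    """Value/mask pairs covering every port in [first, 65535] not in `allowed`.
    first=1 reproduces the post's table exactly (it never covers port 0)."""
    pairs = []
    lo = first
    for port in sorted(p for p in allowed if p >= first):
        if port > lo:
            pairs.extend(range_to_prefixes(lo, port - 1))
        lo = port + 1
    if lo <= 65535:
        pairs.extend(range_to_prefixes(lo, 65535))
    return pairs


def ports_matched(pairs):
    """Expand value/mask pairs into the set of ports they match (for checking)."""
    return {p for p in ALL_PORTS if any(p & mask == value for value, mask in pairs)}


def stateless_rules(mac, allowed):
    """No conntrack: drop only connection-opening segments (SYN set, ACK clear)
    to denied ports.  Replies to connections the VM opened are SYN+ACK, ACK or
    data segments, so they pass.  Caveat: this is not ESTABLISHED; a bare ACK
    or data segment aimed at a closed port still reaches the VM (ACK scans)."""
    rules = [f"priority=20,tcp,dl_dst={mac},tcp_flags=+syn-ack,"
             f"tp_dst={v:#x}/{m:#x},actions=drop" for v, m in deny_prefixes(allowed)]
    rules.append(f"priority=10,tcp,dl_dst={mac},actions=normal")
    return rules


def conntrack_rules(mac, allowed):
    """With conntrack: the real equivalent of iptables ESTABLISHED.  Untracked
    packets are run through ct() and recirculated to table 0; only *new*
    inbound connections to denied ports are dropped, and connections the VM
    opens are committed so their replies come back as +est."""
    rules = [
        # First pass: send every TCP packet to or from the VM through conntrack.
        f"table=0,priority=30,tcp,dl_dst={mac},ct_state=-trk,actions=ct(table=0)",
        f"table=0,priority=30,tcp,dl_src={mac},ct_state=-trk,actions=ct(table=0)",
    ]
    # New inbound connections to denied ports: drop.
    rules += [f"table=0,priority=20,tcp,dl_dst={mac},ct_state=+trk+new,"
              f"tp_dst={v:#x}/{m:#x},actions=drop" for v, m in deny_prefixes(allowed)]
    rules += [
        # New inbound connection to an allowed port: remember it and forward.
        f"table=0,priority=10,tcp,dl_dst={mac},ct_state=+trk+new,actions=ct(commit),normal",
        # New outbound connection from the VM: remember it so the reply is +est.
        f"table=0,priority=10,tcp,dl_src={mac},ct_state=+trk+new,actions=ct(commit),normal",
        # Packets of an already committed connection, either direction.
        f"table=0,priority=10,tcp,dl_src={mac},ct_state=+trk+est,actions=normal",
        f"table=0,priority=10,tcp,dl_dst={mac},ct_state=+trk+est,actions=normal",
    ]
    return rules


if __name__ == "__main__":
    # Placeholder MAC (made up for the example) and the post's allow-list.
    for line in conntrack_rules("52:54:00:12:34:56", {22, 80}):
        print(line)
```

Run it and feed the output to `ovs-ofctl add-flows bridge -`. The drop rules in the conntrack variant keep the post's mask trick, but carry `ct_state=+trk+new`, so a SYN+ACK coming back to the VM's ephemeral port is matched by the `+trk+est` rule instead and is never dropped.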
