You could enable the same set of ports in the other direction, but as source ports.
On Mon, Mar 18, 2013 at 02:51:50PM +0100, Oriol Martí wrote:
> Does anybody know?
>
> On 03/14/2013 09:42 PM, Oriol Marti wrote:
> > Hello, I'm searching for a solution to allow the returning traffic for a VM
> > when all the ports, or most of them, are filtered.
> > I'm filtering with ovs-ofctl with masks; for example, for a given VM, if I
> > want to allow only ports 80 and 22 incoming, I execute:
> >
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1/0xffff,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2/0xfffe,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4/0xfffc,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8/0xfff8,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x10/0xfffc,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x14/0xfffe,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x17/0xffff,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x18/0xfff8,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x20/0xffe0,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x40/0xfff0,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x51/0xffff,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x52/0xfffe,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x54/0xfffc,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x58/0xfff8,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x60/0xffe0,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x80/0xff80,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x100/0xff00,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x200/0xfe00,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x400/0xfc00,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x800/0xf800,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x1000/0xf000,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x2000/0xe000,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x4000/0xc000,actions=drop
> > ovs-ofctl add-flow bridge tcp,dl_dst=mac,tp_dst=0x8000/0x8000,actions=drop
> >
> > But with all the incoming ports filtered I've seen that the returning traffic,
> > when I'm doing for example a wget from the VM, is filtered too. This is caused
> > because the connection is made from a random port in the VM starting the
> > connection, and when it returns it is filtered. I don't know if there is
> > something like the ESTABLISHED in iptables to detect the established traffic.
> > Maybe there is a flag in the returning packets that I can check with the rules
> > in ovs-ofctl?
> > Does anybody know a solution for this scenario?
> >
> > Cheers,
> > _______________________________________________
> > discuss mailing list
> > [email protected]
> > http://openvswitch.org/mailman/listinfo/discuss
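As an added example (not code from the thread or from the Open vSwitch project), here is the general form of what the quoted message does by hand: given the set of ports to allow, walk the 16-bit TCP port space as a binary trie and emit the smallest list of value/mask matches that cover everything else, plus a checker that expands a rule list back into ports so a hand-written set can be audited for gaps or for an allowed port that got dropped. It also emits the reply's suggestion, read here as higher-priority allow rules on tp_src for packets heading to the VM, so the far end of a connection the VM opened (remote port 80 or 22) can reach the VM's ephemeral port. The bridge name br0, the MAC address and the priority values are placeholders, and actions=normal assumes the bridge otherwise forwards as a learning switch.

```python
"""Masked-port drop lists for stateless ovs-ofctl filtering (added example)."""

MAX_PORT = 0xFFFF


def masked_drop_rules(allowed, cover_port_zero=False):
    """Smallest list of (value, mask) TCP-port prefixes whose union is every port
    not in `allowed`.  Walks the 16-bit port space as a binary trie: a subtree
    with no allowed port becomes one masked match, otherwise it is split.
    Port 0 is left unmatched unless cover_port_zero=True, mirroring the posted
    list, which starts at 0x1; allowed={22, 80} then reproduces its 24 matches."""
    keep = set(allowed)
    if not cover_port_zero:
        keep.add(0)
    rules = []

    def walk(value, prefix_bits):
        width = 1 << (16 - prefix_bits)
        lo, hi = value, value + width - 1
        if not any(lo <= p <= hi for p in keep):
            rules.append((value, (MAX_PORT << (16 - prefix_bits)) & MAX_PORT))
        elif prefix_bits < 16:
            walk(value, prefix_bits + 1)              # lower half first: ascending output
            walk(value + width // 2, prefix_bits + 1)
        # prefix_bits == 16 and the port is in `keep`: nothing to drop here

    walk(0, 0)
    return rules


def expand(rules):
    """Set of ports matched by any (value, mask) pair; works for non-prefix masks too."""
    return {p for p in range(MAX_PORT + 1)
            if any(p & mask == value & mask for value, mask in rules)}


def check_drop_rules(rules, allowed, cover_port_zero=False):
    """Audit a rule list: returns (wrongly_dropped, not_dropped), i.e. allowed ports
    some rule matches, and ports outside `allowed` that no rule covers."""
    dropped = expand(rules)
    lowest = 0 if cover_port_zero else 1
    expected = set(range(lowest, MAX_PORT + 1)) - set(allowed)
    return sorted(dropped & set(allowed)), sorted(expected - dropped)


def ovs_ofctl_commands(bridge, mac, allowed, return_traffic=True):
    """ovs-ofctl lines for one VM.  Drop rules match tp_dst like the posted ones,
    with an explicit priority.  With return_traffic=True the reply's suggestion
    goes first: higher-priority rules letting packets whose *source* port is an
    allowed port reach the VM.  `normal` assumes the bridge otherwise forwards
    as a learning switch (placeholder bridge/MAC names are the caller's)."""
    cmds = []
    if return_traffic:
        for port in sorted(allowed):
            cmds.append(f"ovs-ofctl add-flow {bridge} "
                        f"priority=100,tcp,dl_dst={mac},tp_src={port},actions=normal")
    for value, mask in masked_drop_rules(allowed):
        cmds.append(f"ovs-ofctl add-flow {bridge} "
                    f"priority=50,tcp,dl_dst={mac},tp_dst={value:#x}/{mask:#x},actions=drop")
    return cmds


if __name__ == "__main__":
    ALLOWED = {22, 80}
    rules = masked_drop_rules(ALLOWED)
    print(check_drop_rules(rules, ALLOWED))        # ([], []): exact complement of ALLOWED
    for line in ovs_ofctl_commands("br0", "fa:16:3e:00:00:01", ALLOWED):  # placeholder names
        print(line)
```

The source-port allow rules are stateless, which is the caveat to keep in mind: any remote host that sends from source port 80 or 22 (a classic port-scanner trick) now reaches every port on the VM, so the drop list no longer restricts inbound connections at all. That is why the real equivalent of iptables' ESTABLISHED is connection tracking; Open vSwitch gained it later with the ct() action and ct_state match (OVS 2.5 onward).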
