Hello!
I'm trying to filter incoming traffic on OVS ports, but I'm struggling to find a
proper configuration that would allow me to do so. I was hoping someone could point
me in the right direction or share personal experience with a similar task.
I'm using OVS with QEMU virtual machines, which are configured to use an OVS
virtual port. An example of my configuration:
=============================================
# ovs-vsctl show
0bd2487c-0bf0-4c39-a620-4caf5fd8e8ca
    Bridge br-int
        Port vmnet3
            Interface vmnet3
        Port vmnet4
            Interface vmnet4
        Port br-int
            Interface br-int
                type: internal
        Port patch-br-int
            Interface patch-br-int
                type: patch
                options: {peer=patch-br-ext}
    Bridge br-ext
        Port ens3
            Interface ens3
        Port br-ext
            Interface br-ext
                type: internal
        Port patch-br-ext
            Interface patch-br-ext
                type: patch
                options: {peer=patch-br-int}
    ovs_version: "3.1.0"
=============================================
<interface type='bridge'>
  <mac address='52:54:00:bb:54:3f'/>
  <source bridge='br-int'/>
  <virtualport type='openvswitch'>
    <parameters interfaceid='5bbf7316-8e6d-4003-89e3-d281b3935649'/>
  </virtualport>
  <target dev='vmnet4'/>
  <model type='virtio'/>
  <alias name='net0'/>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x03' function='0x0'/>
</interface>
=============================================
ens3 is a physical interface in bridge br-ext, and the br-ext interface holds the IP
address configuration. All VM ports are in the br-int bridge. br-ext and br-int
are connected through a patch.
I would like to filter unrelated ARP requests on each VM, so I'm not only
interested in filtering outside traffic, but also traffic of other VMs in the
same bridge. I.e. "for port vmnet4 drop ARP requests where arp_tpa is not the IP
address of vmnet4". This configuration could be easily attained with ebtables
on native Linux bridges in the nat table's POSTROUTING chain, however I couldn't solve
this with OpenFlow. There is an "in_port" filtering option, but no "out_port", and
I couldn't find anything that would act in a similar way. As far as I am aware
netfilter does not work with OVS traffic, thus I couldn't apply my ebtables
experience either.
I've seen a Red Hat paper suggesting configuring a veth pair to connect the VM and the
OVS bridge. While it may work, it would require a huge effort to change the current
configuration, thus I would prefer to avoid it if possible. Can this task be
solved in the current configuration? If not, what would you change?
Thanks in advance!
Best regards,
Pavel
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
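One way to get the "deliver an ARP request only to the port that owns arp_tpa" behaviour with plain OpenFlow on br-int, as an added example that is not part of the original post: instead of letting the NORMAL action flood ARP requests, table 0 hands them to a dedicated table that outputs each request to a single port. The VM addresses (vmnet3 = 10.0.0.3, vmnet4 = 10.0.0.4) are constructed assumptions; port names are used in output: because ovs-ofctl resolves them to ofport numbers.

```shell
#!/bin/sh
# Added example, not from the original post. Generates ovs-ofctl flow text
# for br-int so that an ARP request reaches only the port whose IP is arp_tpa.
# Assumed (constructed) addresses: vmnet3 = 10.0.0.3, vmnet4 = 10.0.0.4.

# gen_arp_scope_flows UPLINK PORT=IP [PORT=IP ...]  -> flow lines on stdout
gen_arp_scope_flows() {
    uplink=$1
    shift
    # Table 0: ARP requests (arp_op=1) are diverted to table 10; replies and
    # all IP traffic keep the normal learning-switch behaviour.
    echo "table=0,priority=100,arp,arp_op=1,actions=resubmit(,10)"
    echo "table=0,priority=0,actions=NORMAL"
    # Table 10: a request for a VM address is output to that VM only.
    # OVS never outputs a packet back to its in_port, so a VM asking for its
    # own address (or the uplink asking for a non-VM address) is simply dropped.
    for entry in "$@"; do
        port=${entry%%=*}
        ip=${entry#*=}
        echo "table=10,priority=50,arp,arp_op=1,arp_tpa=$ip,actions=output:$port"
    done
    # Requests for any other address leave only through the uplink (the patch
    # port here), so no VM ever sees a request that is not for its own IP.
    echo "table=10,priority=10,arp,arp_op=1,actions=output:$uplink"
}

# count_flows_for IP -> number of generated flows that match arp_tpa=IP
count_flows_for() {
    gen_arp_scope_flows patch-br-int vmnet3=10.0.0.3 vmnet4=10.0.0.4 \
        | grep -c "arp_tpa=$1,"
}

# On the hypervisor, install the rules with (uncomment to run):
# gen_arp_scope_flows patch-br-int vmnet3=10.0.0.3 vmnet4=10.0.0.4 \
#     | ovs-ofctl add-flows br-int -
```

Note the side effect: gratuitous ARP requests sent by a VM are delivered to nobody (the only matching output is its own in_port), so hosts on the bridge learn VM MACs from replies and IP traffic through NORMAL rather than from announcements.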