[ovs-discuss] in_port=local never matches for flows

2017-11-17 Thread Jan De Landtsheer
Hello again,

I'm trying to define a conntrack flow that allows connections from linux
namespace1 to a test namespace, and block everything from the test
namespace to the host

for that I create a bridge, add a port, send the port into the namespace,
give it an IP. on the host I add an IP ont the local interface of the
bridge:

```
ovs-vsctl add-br test
ovs-vsctl add-port test tst -- set Interface tst type=internal

# namespace
ip netns add test
ip link set tst netns test   # move the internal port into the namespace
ip -n test l set lo up
ip -n test addr add 10.0.0.100/24 dev tst
ip -n test link set tst up

# host
ip addr add 10.0.0.1/24 dev test #bridge local port
ip l set test up


# ping -> works
[root@delandtj-XPS ~]# ping 10.0.0.1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.481 ms
64 bytes from 10.0.0.1: icmp_seq=2 ttl=64 time=0.052 ms

# ok
ovs-ofctl del-flows test
cat << EOF | ovs-ofctl add-flows test -
table=0,actions=normal
table=0,priority=100,in_port=local,actions=normal
EOF

# expected:
# ping should still work
# flow with in_port=local should have packet counters
```

in_port=local never seems to match, so the following rules won't work either.

```
table=0,priority=1,arp,actions=NORMAL
table=0,priority=1,ct_state=-trk,ip,actions=ct(table=1)
table=1,priority=100,ct_state=+new+trk,icmp,in_port=tst,actions=ct(commit),LOCAL
table=1,priority=100,ct_state=+est+trk,icmp,in_port=LOCAL,actions=output:tst
table=1,priority=100,ct_state=+est+trk,icmp,in_port=tst,actions=LOCAL
```

Given the extremely summary info or documentation I found on how to do flows, I
wonder if there's some magical page hidden in the interwebs that explains
it all. Are there more docs?
I mean, if one can write
https://docs.openstack.org/developer/neutron/devref/openvswitch_firewall.html ,
I suppose he/she got that knowledge from __somewhere__?

Thanks,

Jan
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss


[ovs-discuss] Openvswitch 2.5 stateful conntrack diode for a port

2017-11-15 Thread Jan De Landtsheer
Gents,
I'd like to get a filter for ovs (with conntracking) where IP sessions
only get through in one direction.

I have tested many things, but I never seem to get it right :-(

```
# drop network chatter (1)
table=0,priority=100,dl_src=01:00:00:00:00:00/01:00:00:00:00:00,actions=drop
# drop all UDP
table=0,priority=100,dl_type=0x0800,nw_proto=17,actions=drop
# drop all ipv6
table=0,in_port=131,priority=100,dl_src=52:54:00:de:ec:8d,dl_type=0x86dd,actions=drop
# send rest to table 1 (2)
table=0,priority=0,actions=resubmit(,1)
# Table 1: stateful packet filter (ovs >= 2.5)
# start dropping it all (fallthrough, lowest priority) (3)
table=1,priority=1,action=drop
# allow all arp (for now) (4)
table=1,priority=10,arp,nw_src=10.199.2.154,action=normal
table=1,priority=10,arp,nw_dst=10.199.2.154,action=normal
# when an ip packet arrives and is not tracked, send it to the conntracker and continue in table 2 (5)
table=1,priority=100,ip,ct_state=-trk,action=ct(table=2)
# a packet from 10... with dest MAC, that is IP, and is a NEW session packet: commit it in the conntracker
table=2,in_port=local,ip,ct_state=+trk+new,action=ct(commit),131
# and do normal packet forwarding processing on it
table=2,nw_src=10.199.0.0/22,dl_src=52:54:00:de:ec:8d,ip,ct_state=+trk+est,action=normal
table=2,nw_src=10.199.0.0/22,dl_dst=52:54:00:de:ec:8d,ip,ct_state=+trk+est,action=normal
# otherwise, all new IP sessions get dropped (6)
table=2,in_port=131,ip,ct_state=+trk+new,action=drop
# unless they are related to a committed session
table=2,in_port=131,ip,ct_state=+trk+est,action=normal
```

(1) -> never matches, which is odd, as I would suspect that all lldp would
fall in that category
(2) -> packets get matched, but…
(3) -> gets them all, instead of …. -> go to (5)
(4) -> here all ok, packets for arp are ok
(5) -> never matches -> and then there's of course no point in getting further.
OTOH from a vm on the specific port, (5) and (6) match, doing exactly what
I want.

What am I doing wrong?

Thanks

Jan
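The two posts above share one mechanism: an untracked IP packet is sent through `ct(table=N)`, recirculated with `ct_state` filled in, and the recirculated table decides per port whether a `+new` session is committed or dropped while `+est` packets pass in both directions. The following is an added illustration, written for this page and not code from Open vSwitch or from the poster: a toy Python model of that pipeline, using the second post's table 2 rules, so the one-way ("diode") property can be checked offline. Port 131 and the 10.199.0.0/22 range come from the post; the host address 10.199.2.1 and the three packets are constructed for the demonstration, and the MAC and subnet qualifiers on the `+est` rules are folded into a single rule. One reason `in_port=LOCAL` rules in the first post show no counters: the ping there is sent from the host to the host's own address 10.0.0.1, which Linux delivers over `lo`, so those packets never enter the bridge; traffic that does traverse the bridge (from the namespace, or from the host toward 10.0.0.100) is what this model feeds through `LOCAL`.

```python
"""Toy model of the OVS ct() pipeline behind the 'diode' flow set above.

Added illustration, not Open vSwitch code: it mimics how the post's rules are
evaluated so the one-way behaviour can be tested without a switch. The host
address 10.199.2.1 and the packets below are constructed sample data.
"""
from dataclasses import dataclass

LOCAL = "LOCAL"   # the bridge's local (internal) port, matched by in_port=LOCAL
VM_PORT = 131     # the VM's OpenFlow port number from the post


@dataclass(frozen=True)
class Packet:
    in_port: object          # LOCAL or an OpenFlow port number
    src: str
    dst: str
    proto: str = "tcp"
    sport: int = 0
    dport: int = 0


class ConnTracker:
    """Minimal conntrack: a flow is 'new' until one of its packets is committed;
    after that, packets in either direction are 'est' (established)."""

    def __init__(self):
        self.committed = set()

    @staticmethod
    def key(pkt):
        # Direction-independent 5-tuple so the reply maps onto the same entry
        ends = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
        return (pkt.proto, ends[0], ends[1])

    def state(self, pkt):
        return "+trk+est" if self.key(pkt) in self.committed else "+trk+new"

    def commit(self, pkt):
        self.committed.add(self.key(pkt))


def diode_pipeline(ct, pkt):
    """Evaluate one IP packet against the post's tables 1 and 2.

    table=1,priority=100,ip,ct_state=-trk,action=ct(table=2) sends every
    untracked packet through conntrack and recirculates it into table 2 with
    ct_state set; the branches below are table 2's rules in priority order.
    """
    state = ct.state(pkt)                      # what ct(table=2) fills in
    # table=2,in_port=LOCAL,ip,ct_state=+trk+new,action=ct(commit),131
    if pkt.in_port == LOCAL and state == "+trk+new":
        ct.commit(pkt)
        return "output:131"
    # table=2,nw_src=10.199.0.0/22,...,ip,ct_state=+trk+est,action=normal
    if state == "+trk+est":
        return "normal"
    # table=2,in_port=131,ip,ct_state=+trk+new,action=drop
    if pkt.in_port == VM_PORT and state == "+trk+new":
        return "drop"
    return "drop"                              # table miss: nothing matched


def run_scenarios():
    """Host opens a session to the VM (allowed), the VM replies (allowed),
    the VM opens its own session to the host (dropped)."""
    ct = ConnTracker()
    host_to_vm = Packet(LOCAL, "10.199.2.1", "10.199.2.154", "tcp", 40000, 22)
    vm_reply = Packet(VM_PORT, "10.199.2.154", "10.199.2.1", "tcp", 22, 40000)
    vm_to_host = Packet(VM_PORT, "10.199.2.154", "10.199.2.1", "tcp", 50000, 80)
    return [diode_pipeline(ct, p) for p in (host_to_vm, vm_reply, vm_to_host)]


if __name__ == "__main__":
    for verdict in run_scenarios():
        print(verdict)   # output:131, normal, drop
```

The model makes the ordering constraint visible: the `+new` commit rule must only exist for `in_port=LOCAL`, and the `+est` rules must not be restricted to the VM port alone, otherwise either the host's first packet is never committed or its replies are dropped. It also shows why the first post's `in_port=local` counters stay at zero when the only traffic is host-to-itself: nothing reaches `diode_pipeline` at all unless a packet actually crosses the bridge.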