[ovs-discuss] 'DROP' functionality of ebtables using OpenVSwitch

Kaushal Shubhank kshubhank at gmail.com
Thu Apr 12 13:00:11 PDT 2012


Thanks Ben for the suggestion. This is what I did.

sudo ovs-ofctl add-flow br0 "priority=1,in_port=1,action=output:2"
sudo ovs-ofctl add-flow br0 "priority=1,in_port=2,action=output:1"
sudo ovs-ofctl add-flow br0 "priority=2,tcp,tp_src=80,action=LOCAL"
sudo ovs-ofctl add-flow br0 "priority=2,tcp,tp_dst=80,action=LOCAL"

br0 has the ports 1 (eth5) and 2 (eth6).

I could see port 80 packets sent to br0 (via tcpdump), but they are not
being picked up by iptables. I use iptables to send the packets to squid
via TPROXY (iptables commands given below). What am I missing?

    iptables -t mangle -N DIVERT
    iptables -t mangle -A DIVERT -j MARK --set-mark 1
    iptables -t mangle -A DIVERT -j ACCEPT
    iptables -t mangle -A PREROUTING -p tcp -m socket -j DIVERT
    iptables -t mangle -A PREROUTING -p tcp --dport 80 -j TPROXY --on-port 3140 --tproxy-mark 1

-Kaushal


On Sun, Apr 8, 2012 at 8:56 PM, Ben Pfaff <blp at nicira.com> wrote:

> If you want to route a packet through the Linux routing stack, then you
> should deliver the packet to an "internal" network device with an output
> action.
>
> On Sun, Apr 08, 2012 at 04:45:53PM +0530, Kaushal Shubhank wrote:
> > Thanks Justin for the reply. I should have been more clear about the
> > DROP action that I want to use.
> >
> > The action DROP in ebtables in the 'broute' table actually sends the
> > packet to be routed while ACCEPT sends it to be bridged. The DROP in
> > ovs-ofctl actually drops the packet.
> >
> > By sending the port 80 packets to routing process (by DROPping them
> > via ebtables), I want to set the 'fwmark' which iptables later will
> > read and decide the path of the packet.
> >
> > I figured action=NORMAL would send the packets to the routing process,
> > but it seems I am missing something very basic here. Please advise.
> >
> > -Kaushal
> >
> > On 4/6/12, Justin Pettit <jpettit at nicira.com> wrote:
> > > You can drop packets by using the "drop" action.  It's equivalent to not
> > > listing any actions.  Keep in mind the rules you've specified overlap, so
> > > you'll need priorities to disambiguate them.  (This was just discussed in
> > > the "icmp paket matching ip packet rule" thread.)
> > >
> > > --Justin
> > >
> > >
> > > On Apr 6, 2012, at 2:57 AM, Kaushal Shubhank wrote:
> > >
> > >> Hello,
> > >>
> > >> I was reading about OpenVSwitch and really appreciated the concept. I am a
> > >> newbie and do not have a good understanding of OVS yet. I installed OVS
> > >> and I was able to create a bridge reading the instructions.
> > >>
> > >> I read that ebtables is useless in case of OVS and ovs-ofctl can do things
> > >> similar to ebtables.
> > >>
> > >> I want to filter packets for port 80 http traffic only. For this I was
> > >> using ebtables operating on a Linux bridge. But with ovs I was able to
> > >> add a flow but I am not sure how to get the ebtables -j DROP type
> > >> functionality using OVS.
> > >>
> > >> The commands which I used with ovs-ofctl were as follows:
> > >>
> > >> ovs-ofctl add-flow br0 "in_port=ANY out_port=ANY action=NORMAL" # for my bridge traffic
> > >> ovs-ofctl add-flow br0 "in_port=1 tcp, tp_src=80 action=NORMAL"
> > >> ovs-ofctl add-flow br0 "in_port=2 tcp, tp_dst=80 action=NORMAL"
> > >>
> > >> I also tried using action=LOCAL but then I was not able to use port 80
> > >> traffic below the bridge.
> > >>
> > >> Any help on this will be appreciated. If there is some documentation out
> > >> there with examples for a similar case kindly redirect me to it.
> > >>
> > >> PS: I have no VMs in my system and I was wondering whether I can use the
> > >> capabilities of OVS bridge which is transparent to VLAN trunk where I can
> > >> filter port 80 traffic from different VLAN.
> > >>
> > >> {Router, Gateway}
> > >>          | |
> > >>          | |
> > >>          | |{VLAN TRUNK}
> > >>          {OVS- BRIDGE}
> > >>          | |
> > >>          | |
> > >>          | |{Local Network}
> > >> _______________________________________________
> > >> discuss mailing list
> > >> discuss at openvswitch.org
> > >> http://openvswitch.org/mailman/listinfo/discuss
> > >
> > >
>
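An added example, not code from the thread or from Open vSwitch: a toy Python model of OpenFlow table lookup, just enough to check the two flow tables posted in this thread. It shows that with explicit priorities the port-80 flows beat the port-forwarding flows, and that the first attempt (a catch-all flow next to a port-80 flow, both at the default priority) leaves the winner ambiguous, which is the overlap Justin pointed out. The "proto" field, the 32768 default priority and the single-action parsing are simplifications assumed here; the real OVS matcher is far richer.

```python
# Toy OpenFlow lookup model (added example, not OVS code). "tcp" is modelled
# as a simplified "proto" match; real OVS expands it to dl_type and nw_proto.

PROTOCOL_KEYWORDS = {"tcp", "udp", "icmp"}
DEFAULT_PRIORITY = 32768  # OpenFlow default when priority= is omitted


def parse_flow(spec):
    """Parse an ovs-ofctl add-flow string into (priority, match, action).
    Only single actions are handled; action lists would need more parsing."""
    priority, match, action = DEFAULT_PRIORITY, {}, "drop"
    for field in (f.strip() for f in spec.split(",")):
        key, _, value = field.partition("=")
        if key in ("action", "actions"):
            action = value or "drop"  # no actions at all means drop
        elif key == "priority":
            priority = int(value)
        elif field in PROTOCOL_KEYWORDS:
            match["proto"] = field
        elif value:
            match[key] = int(value) if value.isdigit() else value
        else:
            raise ValueError("unsupported match keyword: %r" % field)
    return priority, match, action


def lookup(flows, packet):
    """Return (action, ambiguous) for packet: the action of the highest-priority
    matching flow, and whether other flows tie at that priority (on a real
    switch the winner is then unspecified). A table miss returns "drop"."""
    best_prio, winners = None, []
    for prio, match, action in flows:
        if all(packet.get(k) == v for k, v in match.items()):
            if best_prio is None or prio > best_prio:
                best_prio, winners = prio, [action]
            elif prio == best_prio:
                winners.append(action)
    return (winners[0], len(winners) > 1) if winners else ("drop", False)


# The four flows from the message above: port 80 wins by priority.
TABLE = [parse_flow(s) for s in (
    "priority=1,in_port=1,action=output:2",
    "priority=1,in_port=2,action=output:1",
    "priority=2,tcp,tp_src=80,action=LOCAL",
    "priority=2,tcp,tp_dst=80,action=LOCAL",
)]

# A catch-all beside a port-80 flow with no priorities: a port-80 packet from
# port 1 matches both at the same priority, so the outcome is ambiguous.
OVERLAPPING = [parse_flow(s) for s in (
    "in_port=1,action=NORMAL",
    "in_port=1,tcp,tp_dst=80,action=LOCAL",
)]
```

Running `lookup(TABLE, {"in_port": 1, "proto": "tcp", "tp_dst": 80})` returns `("LOCAL", False)`, while the same packet against `OVERLAPPING` reports the tie.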