[ovs-discuss] Newbie and q. about implementing firewall-rules ala iptables with openflow for qemu-VMs
Oliver Francke
Oliver.Francke at filoo.de
Fri May 4 11:42:25 PDT 2012
Hi Ben,
thanks for the quick response, I think I was too much affiliated with the iptables-chains, which improves readability.
But, yes, each one table for all interfaces should do it.
Does one have any experience with the workload for ca. 150 VMs? What does ovs-vswitchd say to this, with at least one rule for every VM?
Thnx again,
Oliver.
On 04.05.2012 at 19:11, Ben Pfaff wrote:
> On Fri, May 04, 2012 at 06:32:11PM +0200, Oliver Francke wrote:
>> First try was then:
>>
>> ovs-ofctl add-flow vmbr0 'in_port=504 ip idle_timeout=0
>> dl_src=00:00:AA:BB:CC:DD nw_src=192.168.1.35 priority=40000
>> action=resubmit(504,1)'
>> ovs-ofctl add-flow vmbr0 'in_port=504 ip idle_timeout=0
>> priority=30000 action=drop'
>>
>> # individual rules:
>> ovs-ofctl del-flows vmbr0 'in_port=504'
>> ovs-ofctl add-flow vmbr0 'in_port=504 table=1 tcp
>> nw_src=192.168.1.35 tp_src=80 priority=1000 action=normal'
>> .
>> .
>>
>> Well, it works this way.
>> But we only have 255 table-entries, and up to 150 VMs per node with
>> perhaps more than one network-card ( private-backnet,
>> backup-network, etc...) will break this setup.
>> Any other ideas? What did I miss at this point? How "expensive" will
>> it be, if every VM has at least some rules to prevent
>> MAC-/IP-faking?
>
> You don't need a table per VM. Use table 0 to check your ingress
> rules and resubmit to table 1 if they pass. Use table 1 to check
> egress rules and forward to the destination if they pass.
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> http://openvswitch.org/mailman/listinfo/discuss
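As an added example (not from the thread or the Open vSwitch project), here is the two-table layout Ben describes, generated for a whole inventory of VMs so that one `ovs-ofctl add-flows` batch replaces 150 separate `add-flow` calls. Bridge vmbr0 and port 504 are taken from the mail; the other ports, MACs and IPs and the "uplink ports are switched normally" default are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the two-table layout Ben Pfaff describes
# (table 0 = per-port ingress anti-spoofing, table 1 = shared egress policy),
# generated for many VMs and loaded with one 'ovs-ofctl add-flows BRIDGE -'.
# Bridge vmbr0 and port 504 come from the mail; the other ports, MACs, IPs and
# the "uplink is switched normally" default are assumptions.

BRIDGE=${BRIDGE:-vmbr0}

# Constructed inventory: OpenFlow port, VM MAC, VM IPv4 address.
VMS='504 00:00:AA:BB:CC:DD 192.168.1.35
505 00:00:AA:BB:CC:DE 192.168.1.36
506 00:00:AA:BB:CC:DF 192.168.1.37'

# Constructed egress policy: port, IP, protocol, source port the VM may serve.
EGRESS='504 192.168.1.35 tcp 80
505 192.168.1.36 tcp 22'

# Table 0 for one VM port: only frames with the VM's own MAC/IP (IPv4 header
# and ARP sender fields) go on to table 1; all else from that port is dropped,
# so a guest cannot claim a neighbour's address.
ingress_rules() {  # $1=port $2=mac $3=ip
    printf 'table=0,priority=40000,in_port=%s,ip,dl_src=%s,nw_src=%s,actions=resubmit(,1)\n' "$1" "$2" "$3"
    printf 'table=0,priority=40000,in_port=%s,arp,dl_src=%s,arp_sha=%s,arp_spa=%s,actions=resubmit(,1)\n' "$1" "$2" "$2" "$3"
    printf 'table=0,priority=30000,in_port=%s,actions=drop\n' "$1"
}

# Table 1 for one allowed service: the per-VM rule from the mail, but every
# VM shares table 1 instead of getting a table of its own.
egress_rule() {  # $1=port $2=ip $3=proto $4=source port
    printf 'table=1,priority=1000,in_port=%s,%s,nw_src=%s,tp_src=%s,actions=normal\n' "$1" "$3" "$2" "$4"
}

# Whole ruleset: per-VM rules plus defaults (ports without an inventory entry
# are switched normally; table 1 drops whatever has no explicit allow).
ruleset() {
    echo "$VMS" | while read -r port mac ip; do ingress_rules "$port" "$mac" "$ip"; done
    echo "$EGRESS" | while read -r port ip proto sport; do egress_rule "$port" "$ip" "$proto" "$sport"; done
    printf 'table=0,priority=0,actions=normal\n'
    printf 'table=1,priority=0,actions=drop\n'
}

rule_count() { ruleset | awk 'END { print NR }'; }

# Load the whole set in one batch when APPLY=1 (needs root and a running OVS).
if [ "${APPLY:-0}" = 1 ]; then
    ruleset | ovs-ofctl add-flows "$BRIDGE" -
fi
```

Run with `APPLY=1` to push the rules; without it the script only prints what `ruleset` would load, which is handy for reviewing the generated policy before it touches the bridge.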