On 10/01/2013 10:27 AM, Pavel Tokarev wrote:
Hello all!
I am trying to use network filters for openvswitch interfaces. This is the
XML configuration of my bridge interface:
<interface type='bridge'>
  <mac address='00:11:22:33:44:55'/>
  <source bridge='virbr1'/>
  <virtualport type='openvswitch'>
    <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>
  </virtualport>
  <model type='virtio'/>
  <filterref filter='myfilter'>
    <parameter name='IP' value='10.10.10.99'/>
  </filterref>
  <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
</interface>
The filter 'myfilter' is defined. If I start a domain with this
interface, all ports are correctly added to the 'virbr1' bridge, plus
libvirt creates firewall rules using the ebtables tool. BUT ebtables
controls Linux bridges, not Open vSwitch bridges. As far as I know, OVS
has its own tool to create firewall rules for its bridges: ovs-ofctl.
How can I make libvirt use the right tool for creating firewall rules
for OVS bridges?
If Open vSwitch bridges ignore iptables/ebtables, then I guess you would
need to write a separate nwfilter driver for libvirt that dealt with
whatever ovs-ofctl uses. From the point of view of integrating Open
vSwitch with the rest of the host system that seems "really bad" though.
Is this really the case? If so, this would make a painful time for
pretty much everyone and every package that wants to adopt Open vSwitch
usage into their ecosystem. (Think about what would be required for any
general purpose firewall management application: it would need to speak
two different languages.)
If I remove the ebtables tool and try to start the domain, libvirt
complains "cannot create rule since ebtables tool is missing".
Because you have nwfilter rules defined, and nwfilter is going to
interpret those as requests to add ebtables/iptables rules in the
kernel, but you've removed its method of doing that.
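A small audit a host administrator can run over domain XML to catch the situation this thread describes: an interface that carries a <filterref> and also sits on an Open vSwitch <virtualport>, so the ebtables/iptables rules nwfilter generates will not be enforced by the bridge. This is an added example, not code from the thread or from libvirt; the SAMPLE_DOMAIN_XML document is constructed for the demonstration (it reuses the interface from the original message plus two made-up ones), and the function and file names are the example's own.

```python
import sys
import xml.etree.ElementTree as ET

# Constructed sample domain XML (not captured from a real host). The first
# interface is the one from the original message; the other two are made up.
SAMPLE_DOMAIN_XML = """<domain type='kvm'>
  <name>example</name>
  <devices>
    <interface type='bridge'>
      <mac address='00:11:22:33:44:55'/>
      <source bridge='virbr1'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>
      </virtualport>
      <model type='virtio'/>
      <filterref filter='myfilter'>
        <parameter name='IP' value='10.10.10.99'/>
      </filterref>
    </interface>
    <interface type='bridge'>
      <mac address='00:11:22:33:44:66'/>
      <source bridge='br0'/>
      <model type='virtio'/>
      <filterref filter='clean-traffic'/>
    </interface>
    <interface type='network'>
      <mac address='00:11:22:33:44:77'/>
      <source network='default'/>
      <model type='virtio'/>
    </interface>
  </devices>
</domain>
"""


def audit_nwfilter_on_ovs(domain_xml):
    """Return one finding per interface that combines a <filterref> with an
    Open vSwitch <virtualport>.  Interfaces on plain Linux bridges, or without
    a filter, are the expected case and produce no finding."""
    root = ET.fromstring(domain_xml)
    findings = []
    for iface in root.iter("interface"):
        filterref = iface.find("filterref")
        vport = iface.find("virtualport")
        if filterref is None or vport is None:
            continue
        if vport.get("type") != "openvswitch":
            continue
        mac = iface.find("mac")
        source = iface.find("source")
        findings.append({
            "mac": mac.get("address") if mac is not None else None,
            "bridge": source.get("bridge") if source is not None else None,
            "filter": filterref.get("filter"),
            # Filter parameters as the domain supplies them, e.g. {'IP': '10.10.10.99'}
            "params": {p.get("name"): p.get("value")
                       for p in filterref.findall("parameter")},
        })
    return findings


def format_report(findings):
    """Render findings as one line each for a log or console."""
    if not findings:
        return "OK: no nwfilter references on Open vSwitch interfaces"
    lines = []
    for f in findings:
        lines.append(
            "WARN: interface %s on OVS bridge %s references nwfilter '%s' %s; "
            "ebtables/iptables rules generated for it are not applied by OVS"
            % (f["mac"], f["bridge"], f["filter"], f["params"])
        )
    return "\n".join(lines)


if __name__ == "__main__":
    # Usage: audit_ovs_nwfilter.py [domain.xml]; with no argument the
    # constructed sample above is audited.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            xml_text = fh.read()
    else:
        xml_text = SAMPLE_DOMAIN_XML
    print(format_report(audit_nwfilter_on_ovs(xml_text)))
```

On a real host the input would be the output of `virsh dumpxml <domain>` saved to a file; the check is purely static, so it flags the configuration rather than inspecting the ebtables or OVS flow tables themselves.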