[libvirt] Libvirt, nwfilter, openvswitch

Jan De Landtsheer jan.delandtsheer at gmail.com
Thu Nov 7 20:40:30 UTC 2013


Not very hard? Please enlighten me ;-)
I'm _really_ struggling, mainly because I'm a neophyte in OpenVSwitch and
Flow.

The only thing I want is to block outgoing dhcp{4,6} and routing
advertisements coming out of VMs.

On Thu, Nov 7, 2013 at 9:05 PM, Vasiliy Tolstov <v.tolstov at selfip.ru> wrote:

> Why not use ovs-ofctl add-flow for this? Translating iptables rules to
> openflow flows is not very hard....
>
> 2013/11/7 Laine Stump <laine at laine.org>:
> > On 11/07/2013 06:04 AM, Daniel P. Berrange wrote:
> >> On Wed, Nov 06, 2013 at 02:44:57PM +0100, Jan De Landtsheer wrote:
> >>> Hello,
> >>> I _was_ trying to set up an nwfilter for our networking set-up with VXLAN
> >>> and openvswitch, where we use VXLAN as carrier for separate networks
> >>> (unlike OpenStack gre-tunnels).
> >>>
> >>> But with OVS, ebtables do not work, and the basic setup of nwfilter rules
> >>> is based on this premise... or so I understand...
> >>>
> >>> Now..
> >>> Is there a way to define nwfilter rules _without_ ebtables ?
> >>>
> >>> What I would like to do is quite simple (block out dhcp{4,6} services from
> >>> VMs, and ipv6 router advertisements)
> >> There's no support for nwfilter at all when using openvswitch, due to
> >> the kernel limitations you mention. The (disgusting) way openstack deals
> >> with this is to create a traditional bridge per vm so you have
> >>
> >>
> >>    phys nic <-> openvswitch
> >>                           \--->  vm bridge <-> vm tap dev
> >>                           \--->  vm bridge <-> vm tap dev
> >>                           \--->  vm bridge <-> vm tap dev
> >
> > It would be an "interesting exercise" to see if it was possible to write
> > a backend for nwfilter that used OVS flows or whatever it is they have.
> > My suspicion is that the configuration model used by nwfilter may be too
> > low level and (ip|eb)tables-specific to be mapped into a different
> > backend implementation, so it could require some new higher level
> > elements that would then need to be implemented for the (ip|eb)tables
> > backend as well (and the original config elements deprecated).
> >
> > --
> > libvir-list mailing list
> > libvir-list at redhat.com
> > https://www.redhat.com/mailman/listinfo/libvir-list
>
>
>
> --
> Vasiliy Tolstov,
> e-mail: v.tolstov at selfip.ru
> jabber: vase at selfip.ru
>
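As an added example, not code from this thread, from libvirt or from Open vSwitch, here is what Vasiliy's suggestion looks like in practice: the three things Jan wants to stop (DHCPv4 server traffic, DHCPv6 server traffic and IPv6 Router Advertisements leaving a VM) expressed as `ovs-ofctl add-flow` rules keyed on the VM's OVS port. The bridge name `br-int`, the port name `vnet0` and the priority value are assumptions; the flow syntax (`udp`, `udp6`, `icmp6`, `tp_src`, `tp_dst`, `icmp_type`, `in_port`) is standard ovs-ofctl match syntax, and ovs-ofctl resolves port names given to `in_port`.

```shell
#!/bin/sh
# Added example (not from the thread): drop rogue DHCP server traffic and
# IPv6 Router Advertisements coming OUT of a VM's Open vSwitch port.
# Assumed names: bridge "br-int", VM port "vnet0"; both are placeholders.

# Print the flow specs for one VM port, one per line. Keeping this separate
# from the apply step lets you review (or unit test) the rules before they
# touch a live switch.
vm_egress_drop_flows() {
    port="$1"
    prio="${2:-1000}"   # must be higher than the bridge's default NORMAL flow
    # DHCPv4 server replies originate from UDP 67 and go to UDP 68.
    printf 'priority=%s,in_port=%s,udp,tp_src=67,actions=drop\n' "$prio" "$port"
    printf 'priority=%s,in_port=%s,udp,tp_dst=68,actions=drop\n' "$prio" "$port"
    # DHCPv6 server replies originate from UDP 547 and go to UDP 546.
    printf 'priority=%s,in_port=%s,udp6,tp_src=547,actions=drop\n' "$prio" "$port"
    printf 'priority=%s,in_port=%s,udp6,tp_dst=546,actions=drop\n' "$prio" "$port"
    # IPv6 Router Advertisement is ICMPv6 type 134.
    printf 'priority=%s,in_port=%s,icmp6,icmp_type=134,actions=drop\n' "$prio" "$port"
}

# Install the flows on a bridge. Needs root and a running ovs-vswitchd;
# nothing here is executed at test time.
apply_vm_egress_drop_flows() {
    bridge="$1"
    port="$2"
    vm_egress_drop_flows "$port" | while IFS= read -r flow; do
        ovs-ofctl add-flow "$bridge" "$flow"
    done
}

# Remove them again (e.g. when the VM is torn down). The match part of each
# flow is everything before ",actions=", which is what del-flows expects.
remove_vm_egress_drop_flows() {
    bridge="$1"
    port="$2"
    vm_egress_drop_flows "$port" | sed 's/,actions=drop$//' | while IFS= read -r match; do
        ovs-ofctl --strict del-flows "$bridge" "$match"
    done
}

# Usage (as root):
#   apply_vm_egress_drop_flows br-int vnet0
#   ovs-ofctl dump-flows br-int | grep 'in_port="vnet0"'   # verify
#   remove_vm_egress_drop_flows br-int vnet0
```

The bridge still needs its usual lower-priority `actions=normal` flow (or whatever forwarding logic it already has) so that everything not matched above keeps flowing; these rules only add drops. Because the matches are on `in_port`, they apply only to frames the VM itself sends, so DHCP replies and RAs from the real infrastructure still reach the guest.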