[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [libvirt-users] network filter and openvswitch bridge

On 10/01/2013 10:27 AM, Pavel Tokarev wrote:
> Hello all!
> I try to use network filters for openvswitch interfaces.  This is the
> xml configuration of my bridge interface
> <interface type='bridge'>
>    <mac address='00:11:22:33:44:55'/>
>    <source bridge='virbr1'/>
>    <virtualport type='openvswitch'>
>         <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>
>    </virtualport>
>    <model type='virtio'/>
>    <filterref filter='myfilter'>
>       <parameter name='IP' value=''/>
>    </filterref>
>    <address type='pci' domain='0x0000' bus='0x00' slot='0x06'
> function='0x0'/>
>  </interface>
> The filter 'myfilter' is defined. If I start a domain with this
> interface all ports are correctly added to the 'virbr1' bridge, plus
> libvirt creates firewall rules using ebtables tool. BUT ebtables
> controls linux bridges, not openvswich bridges. As far as I know OVS
> has its own tool to create firewall rules for its bridges - ovs-ofctl.
> How to make libvirt to use the right tool for creating firewall rules
> for OVS bridges?

If Open vSwitch bridges ignore iptables/ebtables, then I guess you would
need to write a separate nwfilter driver for libvirt that dealt with
whatever ovs-ofctl uses. From the point of view of integrating Open
vSwitch with the rest of the host system that seems "really bad" though.
Is this really the case? If so, this would make a painful time for
pretty much everyone and every package who wants to adopt Open vSwitch
usage into their ecosystem. (think about what would be required for any
general purpose firewall management application - it would need to speak
two different languages)

> If I remove ebtables tool and try to start the domain, libvirt
> complains "cannot create rule since ebtables tool is missing.

Because you have nwfilter rules defined, and nwfilter is going to
interpret those as requests to add ebtables/iptables rules in the
kernel, but you've removed its method of doing that.

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]