[Xen-users] Re: XCP - openvswitch network isolation / antispoofing

[Kristoffer Egefelt <dr.fersken@xxxxxxxxx>]

Hi George,

I tried your patch on XCP 1.0 but the rules does not seem to work.
The vm is on a vlan, that maybe part of the problem?

Do you have an idea why its not working in my case?

The vswitch/bridge is xapi5
The vlan/bridge is on xapi13 (however theres no xapi13 switch, only a port on xapi5...)

From the messages log when the vm is booting:
Mar 30 15:40:19 node0106 scripts-vif: VIF uuid=b2f59aca-69c0-6ab8-d450-7e68943a206a device=vif31.0 ovs_port=8 bridge=xapi5 restricted to use IPv4 10.10.8.73 only with mac a6:1e:29:3d:69:51 address.
Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5 in_port=8 priority=39000 dl_type=0x0800 nw_src=10.10.8.73 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action="">Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5 in_port=8 priority=38500 dl_type=0x0806 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action=""> Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5 in_port=8 priority=38000 idle_timeout=0 action="">

ovs-ofctl dump-flows xapi5 in_port=8:
Mar 30 15:40:39|00001|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
stats_reply (xid=0x7cfc2): flags=none type=1(flow)
 cookie=0x0, duration_sec=20s, duration_nsec=251000000ns, table_id=1, priority=39000, n_packets=0, n_bytes=0, ip,in_port=8,dl_src=a6:1e:29:3d:69:51,nw_src=10.10.8.73,actions=NORMAL
 cookie=0x0, duration_sec=20s, duration_nsec=244000000ns, table_id=1, priority=38500, n_packets=0, n_bytes=0, arp,in_port=8,dl_src=a6:1e:29:3d:69:51,actions=NORMAL
 cookie=0x0, duration_sec=20s, duration_nsec=237000000ns, table_id=1, priority=38000, n_packets=0, n_bytes=0, in_port=8,actions=drop


ovs-ofctl show xapi5:
Mar 30 16:23:33|00001|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
features_reply (xid=0x54910): ver:0x1, dpid:00005a976383e68c
n_tables:2, n_buffers:256
features: capabilities:0x87, actions:0xfff
1(bond0): addr:00:23:20:b7:47:73, config: 0, state:0
2(eth1): addr:00:26:b9:f9:cd:e2, config: 0, state:0
    current:    1GB-FD FIBER AUTO_NEG
    advertised: 1GB-FD AUTO_NEG
    supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER AUTO_NEG
3(eth0): addr:00:26:b9:f9:cd:e0, config: 0, state:0
    current:    1GB-FD FIBER AUTO_NEG
    advertised: 1GB-FD AUTO_NEG
    supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER AUTO_NEG
4(xapi6): addr:00:26:b9:f9:cd:e0, config: 0, state:0
5(xapi13): addr:00:26:b9:f9:cd:e0, config: 0, state:0
6(xapi8): addr:00:26:b9:f9:cd:e0, config: 0, state:0
7(xapi2): addr:00:26:b9:f9:cd:e0, config: 0, state:0
8(vif31.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
9(vif17.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
10(vif18.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
11(vif32.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
LOCAL(xapi5): addr:00:26:b9:f9:cd:e0, config: 0, state:0
Mar 30 16:23:33|00002|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
get_config_reply (xid=0x5a12a): miss_send_len=0

xe network-list name-label=VLAN8:

uuid ( RO)                : 10af916d-22bf-bfd3-5c24-e3d49e39fe13

          name-label ( RW): VLAN8

    name-description ( RW): Setup sandbox

              bridge ( RO): xapi13

xe network-list name-label="Bond 0+1"

uuid ( RO)                : 8197709c-2e1c-88d2-f51e-48a15793c954

          name-label ( RW): Bond 0+1

    name-description ( RW): 

              bridge ( RO): xapi5

Best regards

Kristoffer

_______________________________________________
Xen-users mailing list
Xen-users@xxxxxxxxxxxxxxxxxxx
http://lists.xensource.com/xen-users