WARNING - OLD ARCHIVES

This is an archived copy of the Xen.org mailing list, which we have preserved to ensure that existing links to archives are not broken. The live archive, which contains the latest emails, can be found at http://lists.xen.org/
   
 
 

[Xen-users] Re: XCP - openvswitch network isolation / antispoofing

To: xen-users@xxxxxxxxxxxxxxxxxxx
Subject: [Xen-users] Re: XCP - openvswitch network isolation / antispoofing
From: Kristoffer Egefelt <dr.fersken@xxxxxxxxx>
Date: Wed, 30 Mar 2011 16:47:32 +0200
Hi George,

I tried your patch on XCP 1.0 but the rules do not seem to work.
The VM is on a VLAN; maybe that is part of the problem?

Do you have an idea why it's not working in my case?

The vswitch/bridge is xapi5
The VLAN/bridge is on xapi13 (however there's no xapi13 switch, only a port on xapi5...)

From the messages log when the vm is booting:
Mar 30 15:40:19 node0106 scripts-vif: VIF uuid=b2f59aca-69c0-6ab8-d450-7e68943a206a device=vif31.0 ovs_port=8 bridge=xapi5 restricted to use IPv4 10.10.8.73 only with mac a6:1e:29:3d:69:51 address.
Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5 in_port=8 priority=39000 dl_type=0x0800 nw_src=10.10.8.73 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action="">
Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5 in_port=8 priority=38500 dl_type=0x0806 dl_src=a6:1e:29:3d:69:51 idle_timeout=0 action="">
Mar 30 15:40:19 node0106 scripts-vif: /usr/bin/ovs-ofctl add-flow xapi5 in_port=8 priority=38000 idle_timeout=0 action="">

ovs-ofctl dump-flows xapi5 in_port=8:
Mar 30 15:40:39|00001|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
stats_reply (xid=0x7cfc2): flags=none type=1(flow)
 cookie=0x0, duration_sec=20s, duration_nsec=251000000ns, table_id=1, priority=39000, n_packets=0, n_bytes=0, ip,in_port=8,dl_src=a6:1e:29:3d:69:51,nw_src=10.10.8.73,actions=NORMAL
 cookie=0x0, duration_sec=20s, duration_nsec=244000000ns, table_id=1, priority=38500, n_packets=0, n_bytes=0, arp,in_port=8,dl_src=a6:1e:29:3d:69:51,actions=NORMAL
 cookie=0x0, duration_sec=20s, duration_nsec=237000000ns, table_id=1, priority=38000, n_packets=0, n_bytes=0, in_port=8,actions=drop


ovs-ofctl show xapi5:
Mar 30 16:23:33|00001|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
features_reply (xid=0x54910): ver:0x1, dpid:00005a976383e68c
n_tables:2, n_buffers:256
features: capabilities:0x87, actions:0xfff
1(bond0): addr:00:23:20:b7:47:73, config: 0, state:0
2(eth1): addr:00:26:b9:f9:cd:e2, config: 0, state:0
    current:    1GB-FD FIBER AUTO_NEG
    advertised: 1GB-FD AUTO_NEG
    supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER AUTO_NEG
3(eth0): addr:00:26:b9:f9:cd:e0, config: 0, state:0
    current:    1GB-FD FIBER AUTO_NEG
    advertised: 1GB-FD AUTO_NEG
    supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER FIBER AUTO_NEG
4(xapi6): addr:00:26:b9:f9:cd:e0, config: 0, state:0
5(xapi13): addr:00:26:b9:f9:cd:e0, config: 0, state:0
6(xapi8): addr:00:26:b9:f9:cd:e0, config: 0, state:0
7(xapi2): addr:00:26:b9:f9:cd:e0, config: 0, state:0
8(vif31.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
9(vif17.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
10(vif18.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
11(vif32.0): addr:fe:ff:ff:ff:ff:ff, config: 0, state:0
LOCAL(xapi5): addr:00:26:b9:f9:cd:e0, config: 0, state:0
Mar 30 16:23:33|00002|ofctl|INFO|connecting to unix:/var/run/openvswitch/xapi5.mgmt
get_config_reply (xid=0x5a12a): miss_send_len=0

xe network-list name-label=VLAN8:
uuid ( RO)                : 10af916d-22bf-bfd3-5c24-e3d49e39fe13
          name-label ( RW): VLAN8
    name-description ( RW): Setup sandbox
              bridge ( RO): xapi13

xe network-list name-label="Bond 0+1"
uuid ( RO)                : 8197709c-2e1c-88d2-f51e-48a15793c954
          name-label ( RW): Bond 0+1
    name-description ( RW): 
              bridge ( RO): xapi5





Best regards
Kristoffer
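
An added example, not part of the original post and not the patch it refers to: a Python check that parses `ovs-ofctl dump-flows` output in the format quoted above and audits one port's anti-spoofing rule set (IPv4 allow, ARP allow, lower-priority catch-all drop, packet counters). `parse_flow` and `audit_port` are hypothetical helper names, and the sample input is constructed from the flow lines in the post.

```python
import re

# Constructed sample input: the flow lines quoted in the post's dump-flows output.
SAMPLE = """\
stats_reply (xid=0x7cfc2): flags=none type=1(flow)
 cookie=0x0, duration_sec=20s, duration_nsec=251000000ns, table_id=1, priority=39000, n_packets=0, n_bytes=0, ip,in_port=8,dl_src=a6:1e:29:3d:69:51,nw_src=10.10.8.73,actions=NORMAL
 cookie=0x0, duration_sec=20s, duration_nsec=244000000ns, table_id=1, priority=38500, n_packets=0, n_bytes=0, arp,in_port=8,dl_src=a6:1e:29:3d:69:51,actions=NORMAL
 cookie=0x0, duration_sec=20s, duration_nsec=237000000ns, table_id=1, priority=38000, n_packets=0, n_bytes=0, in_port=8,actions=drop
"""

def parse_flow(line):
    """Turn one dump-flows line into a dict; a bare token (ip, arp) is stored as 'proto'."""
    match, _, actions = line.strip().partition("actions=")
    flow = {"proto": None, "actions": actions.strip().lower()}
    for tok in filter(None, re.split(r",\s*", match)):
        key, sep, val = tok.partition("=")
        flow[key if sep else "proto"] = val if sep else key
    return flow

def audit_port(dump, port, mac, ip):
    """Return findings for the anti-spoofing rule set of one OVS port (hypothetical helper)."""
    flows = [parse_flow(l) for l in dump.splitlines() if "actions=" in l]
    flows = [f for f in flows if f.get("in_port") == str(port)]
    allow = [f for f in flows if f["actions"] != "drop"]
    drops = [f for f in flows if f["actions"] == "drop" and f["proto"] is None
             and "dl_src" not in f and "nw_src" not in f]
    prio = lambda f: int(f.get("priority", 32768))  # 32768 is the OpenFlow default priority
    findings = []
    if not any(f["proto"] == "ip" and f.get("dl_src") == mac and f.get("nw_src") == ip for f in allow):
        findings.append("no IPv4 allow rule pinned to the VIF's MAC and IP")
    if not any(f["proto"] == "arp" and f.get("dl_src") == mac for f in allow):
        findings.append("no ARP allow rule pinned to the VIF's MAC")
    if not drops:
        findings.append("no catch-all drop rule")
    elif allow and max(map(prio, drops)) >= min(map(prio, allow)):
        findings.append("catch-all drop outranks an allow rule")
    for f in allow:
        if f.get("dl_src") != mac:
            findings.append("allow rule at priority %d is not bound to the MAC" % prio(f))
        elif f["proto"] == "arp" and "nw_src" not in f:
            findings.append("ARP allow rule does not pin the sender IP")
    if flows and all(int(f["n_packets"]) == 0 for f in flows):
        findings.append("no packet has matched any rule on this port")
    return findings

if __name__ == "__main__":
    print("\n".join(audit_port(SAMPLE, 8, "a6:1e:29:3d:69:51", "10.10.8.73")))
```

On the flows from the post, the rule set is structurally complete, but every counter, including the catch-all drop, is still at zero 20 seconds after the rules were installed.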