Hello all! I try to use network filters for openvswitch interfaces. This is the xml configuration of my bridge interface:

    <interface type='bridge'>
      <mac address='00:11:22:33:44:55'/>
      <source bridge='virbr1'/>
      <virtualport type='openvswitch'>
        <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>
      </virtualport>
      <model type='virtio'/>
      <filterref filter='myfilter'>
        <parameter name='IP' value='10.10.10.99'/>
      </filterref>
      <address type='pci' domain='0x0000' bus='0x00' slot='0x06' function='0x0'/>
    </interface>

The filter 'myfilter' is defined. If I start a domain with this interface all ports are correctly added to the 'virbr1' bridge, plus libvirt creates firewall rules using the ebtables tool. BUT ebtables controls linux bridges, not openvswitch bridges. As far as I know OVS has its own tool to create firewall rules for its bridges - ovs-ofctl. How do I make libvirt use the right tool for creating firewall rules for OVS bridges?

If I remove the ebtables tool and try to start the domain, libvirt complains "cannot create rule since ebtables tool is missing."

Thank you.
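The post references a filter named 'myfilter' without showing it. The following is an added example (not from Pavel's message or from libvirt's shipped filter set) of what such a filter could look like when it consumes the IP parameter passed through <filterref>: an anti-spoofing filter that drops outbound frames whose source IPv4 address or source MAC does not match the guest's assigned values. The rule contents and priorities are assumptions chosen for illustration; $IP comes from the <parameter name='IP'> element on the interface, and $MAC is filled in by libvirt from the interface's <mac> element.

```xml
<!-- Constructed example nwfilter definition, not part of the original thread. -->
<filter name='myfilter' chain='root'>

  <!-- Drop any outbound IPv4 packet whose source address is not the $IP
       value supplied via <filterref><parameter name='IP' .../></filterref>.
       match='no' negates the test, so this matches "srcipaddr != $IP". -->
  <rule action='drop' direction='out' priority='500'>
    <ip match='no' srcipaddr='$IP'/>
  </rule>

  <!-- Drop outbound frames whose source MAC is not the interface's own MAC.
       $MAC is provided automatically by libvirt from the <mac address=.../>. -->
  <rule action='drop' direction='out' priority='500'>
    <mac match='no' srcmacaddr='$MAC'/>
  </rule>

  <!-- Everything that survives the drop rules above is allowed in both
       directions. Lower priority values are evaluated first. -->
  <rule action='accept' direction='inout' priority='1000'>
    <all/>
  </rule>

</filter>
```

Load it with `virsh nwfilter-define myfilter.xml`; the interface definition above then binds 10.10.10.99 to $IP for this guest only. As the reply below explains, libvirt renders these rules as ebtables/iptables entries on the host, which is exactly why they take effect on a Linux bridge but not on an Open vSwitch port.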
Laine Stump
2013-Oct-07 11:04 UTC
Re: [libvirt-users] network filter and openvswitch bridge
On 10/01/2013 10:27 AM, Pavel Tokarev wrote:
>
> Hello all!
>
> I try to use network filters for openvswitch interfaces. This is the
> xml configuration of my bridge interface
>
> <interface type='bridge'>
>   <mac address='00:11:22:33:44:55'/>
>   <source bridge='virbr1'/>
>   <virtualport type='openvswitch'>
>     <parameters interfaceid='0529d6b5-627c-4330-803f-0d7018e6d496'/>
>   </virtualport>
>   <model type='virtio'/>
>   <filterref filter='myfilter'>
>     <parameter name='IP' value='10.10.10.99'/>
>   </filterref>
>   <address type='pci' domain='0x0000' bus='0x00' slot='0x06'
>     function='0x0'/>
> </interface>
>
> The filter 'myfilter' is defined. If I start a domain with this
> interface all ports are correctly added to the 'virbr1' bridge, plus
> libvirt creates firewall rules using the ebtables tool. BUT ebtables
> controls linux bridges, not openvswitch bridges. As far as I know OVS
> has its own tool to create firewall rules for its bridges - ovs-ofctl.
> How do I make libvirt use the right tool for creating firewall rules
> for OVS bridges?

If Open vSwitch bridges ignore iptables/ebtables, then I guess you would need to write a separate nwfilter driver for libvirt that dealt with whatever ovs-ofctl uses. From the point of view of integrating Open vSwitch with the rest of the host system that seems "really bad" though. Is this really the case? If so, this would make a painful time for pretty much everyone and every package who wants to adopt Open vSwitch usage into their ecosystem. (Think about what would be required for any general purpose firewall management application - it would need to speak two different languages.)

> If I remove the ebtables tool and try to start the domain, libvirt
> complains "cannot create rule since ebtables tool is missing."

Because you have nwfilter rules defined, and nwfilter is going to interpret those as requests to add ebtables/iptables rules in the kernel, but you've removed its method of doing that.