
List:       openvswitch-discuss
Subject:    [ovs-discuss] TCP flags (SYN, ACK etc.) support in open vswitch ACL
From:       jesse () nicira ! com (Jesse Gross)
Date:       2010-02-15 20:14:25
Message-ID: 25cfcaf91002151214l74986dc7sa644630f2ccf243 () mail ! gmail ! com

On Mon, Feb 15, 2010 at 10:56 AM, Justin Pettit <jpettit at nicira.com> wrote:

> On Feb 15, 2010, at 3:27 AM, devang.vyas at aol.in wrote:
>
> > I can use ovs-ofctl to add flows to deny or allow specific network
> > traffic.
> > Does it support TCP flags (SYN, ACK etc.)? Is there any way to define
> > the direction (inbound/outbound) of this traffic?
>
> Open vSwitch's flow matching capabilities are mostly based on what's
> defined by OpenFlow.  OpenFlow is based on flow-matching, and as such, does
> not support matching of TCP flags.  Also, there's no way to define matching
> based on direction.  Obviously, you can limit based on ingress port, but I
> suspect that's not sufficient for you.
>
> Jesse has a branch that supports more advanced ACLs when the switch is
> disconnected from a controller.  It should be merged into our mainline
> branches before too long.  I don't remember the capabilities off the top of
> my head.  Jesse, I know it doesn't support inbound/outbound directly, but it
> does support egress port, correct?


Yes, you can define ACLs based on the switch egress port.  However, there is
no connection state tracking.  Therefore it is possible to define an ACL
that prevents a VM from receiving traffic not destined for its IP or MAC
address but not an ACL that only allows traffic that is in response to an
outgoing connection.
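An added illustration of the limitation Jesse describes, not code from this thread or from Open vSwitch: a toy flow table restricted to OpenFlow 1.0 match fields (egress port, MAC, IP, no TCP flags, no state), beside the connection tracking the thread says OVS lacked. All ports, addresses and packets are constructed.

```python
# Added illustration, not code from this thread or from Open vSwitch: a toy
# flow table with only OpenFlow 1.0 match fields, beside the connection
# tracking the thread says OVS lacked. Names and addresses are constructed.
from dataclasses import dataclass

VM_PORT, VM_MAC, VM_IP = 2, "52:54:00:aa:bb:cc", "10.0.0.5"  # constructed

@dataclass
class Pkt:
    out_port: int   # switch egress port (the field Jesse's ACL branch matches)
    dl_dst: str
    nw_src: str
    nw_dst: str
    tp_src: int
    tp_dst: int
    tcp_flags: str  # carried by the packet but NOT a matchable field here

# Egress-port ACL: the VM's port only gets frames addressed to its MAC and IP.
FLOW_TABLE = [
    ({"out_port": VM_PORT, "dl_dst": VM_MAC, "nw_dst": VM_IP}, "allow"),
    ({"out_port": VM_PORT}, "drop"),  # anything else bound for the VM
    ({}, "allow"),                     # other ports: unrestricted
]

def stateless_decide(p):
    """First matching entry wins; tcp_flags and direction are invisible."""
    for match, action in FLOW_TABLE:
        if all(getattr(p, k) == v for k, v in match.items()):
            return action
    return "drop"

def stateful_decide(p, conntrack):
    """Same ACL, plus: only admit packets whose reverse 4-tuple left the VM."""
    if stateless_decide(p) == "drop":
        return "drop"
    if p.out_port != VM_PORT:                      # outbound from the VM
        conntrack.add((p.nw_src, p.tp_src, p.nw_dst, p.tp_dst))
        return "allow"
    return "allow" if (p.nw_dst, p.tp_dst, p.nw_src, p.tp_src) in conntrack else "drop"

def demo():
    ct, peer, results = set(), "10.0.0.9", {}
    packets = [
        ("outbound", Pkt(1, "52:54:00:00:00:09", VM_IP, peer, 40000, 80, "S")),
        ("reply", Pkt(VM_PORT, VM_MAC, peer, VM_IP, 80, 40000, "SA")),
        ("unsolicited", Pkt(VM_PORT, VM_MAC, peer, VM_IP, 4444, 22, "S")),
        ("spoofed", Pkt(VM_PORT, "52:54:00:00:00:01", peer, VM_IP, 80, 40000, "SA")),
    ]
    for name, p in packets:  # (stateless verdict, stateful verdict)
        results[name] = (stateless_decide(p), stateful_decide(p, ct))
    return results
```

The stateless table drops the frame with a wrong destination MAC but cannot tell the unsolicited inbound SYN from the SYN-ACK reply to the VM's own connection; only the conntrack variant separates those two.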