
I just realised that all the iptables rules I have been applying to my Open vSwitch interfaces never match.

I am using iptables to mark some packets, and then I use TC (traffic control) filters to put packets into different priority queues depending on the iptables match. That works for every interface, and even for Linux bridges (using the -m physdev module).

How can I filter packets that go through an OVS interface and put them into different priority queues if I cannot mark them with iptables?

Rules (simplified):

iptables -w -t mangle -A POSTROUTING -m physdev --physdev-out interface-name -m ttl --ttl-lt 10 ! -p 89 -j MARK --set-mark 10

tc filter add dev interface-name parent 1:0 protocol all prio 1 handle 10 fw flowid 1:10

Then I am using HTB for the priorities; let's say that there are two queues, 1:10 and 1:20. The rule should send all the traffic with TTL < 10 that is not OSPF to the first queue, 1:10.

  • OVS documentation says that OVS hooks packets before iptables, so they have no effect, but I can add the rules that work for normal interfaces and the Linux bridge, just not for OVS. Commented Oct 17, 2016 at 11:38

1 Answer


That's an old problem. You'll have to know how your distro handles the netfilter kernel module. Sometimes it's loaded, and the trick is to create a rule to mark them all and then split afterwards. The mangle chain is kinda tricky.

Add this as your first mark rule:

iptables -t mangle -A POSTROUTING -m physdev --physdev-out interface-name -j MARK --set-mark 10

A second issue is that your distro might not compile and/or load the xt_mark kernel module. Use lsmod | grep xt_mark to check whether it's there.

I also have issues with OVS and iptables sometimes. I find iptables a great 90's tool, but I feel it's kinda obsolete these days. The "check how your distro handles netfilter's module" point is very important to understanding your problem.

If you just want to mark your packets and iptables has no other purpose, you can use the OVS tool ovs-ofctl with the pkt_mark option.

  • With that rule every packet will be marked; what's the point? In theory, what I read is that OVS interfaces catch all the packets before they hit iptables, so iptables rules will never work. Do you know any alternative? I just want to fix that for the OVS interfaces; for the hosts and routers everything works fine. Commented Oct 17, 2016 at 12:29
  • 1
    @edgarcosta I updated my answer. Commented Oct 17, 2016 at 12:43
  • Is that pkt_mark option equivalent to iptables --set-mark? If so, that's my solution for sure; I just have to translate the iptables rules to OpenFlow rules. Commented Oct 17, 2016 at 12:45
  • Yes, it's equivalent. I'm just not sure whether OVS will mark the packages only internally. Commented Oct 17, 2016 at 12:48
  • 1
    Good question, did you tried to add the "mark all" rule before? They say it's a trick to make the rest of the rules work. Commented Oct 17, 2016 at 13:10
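As an added example (not code from the question or the answer above), here is the question's iptables rule translated into the OpenFlow form the answer suggests, together with the HTB and fw filter setup on the OVS port. The bridge name br0, the port name vnet0 and the HTB rates are assumptions, not values from the page. Two points a practitioner should know: with the kernel datapath pkt_mark is the skb mark, so a tc fw filter on the egress OVS port matches it just as it would match an iptables MARK; and nw_ttl only supports exact matches, so "TTL < 10" has to become one flow per TTL value 1..9. Run without arguments the script only prints the rules; "apply" installs them.

```shell
#!/bin/sh
# Added example, not part of the original question or answer.
# Assumptions (not given on the page): the OVS bridge is "br0", the OVS port
# that carries the shaped traffic is "vnet0", and the HTB rates are placeholders.
BRIDGE="${BRIDGE:-br0}"
PORT="${PORT:-vnet0}"
MARK=10      # same mark value as the iptables rule in the question
MAX_TTL=9    # "--ttl-lt 10" means TTL 1..9

# Emit the OpenFlow rules that reproduce the iptables rule in the question:
# TTL < 10 and not OSPF (IP protocol 89) -> pkt_mark 10.
# nw_ttl only supports exact matches, so we generate one flow per TTL value.
gen_ttl_flows() {
    # OSPF is excluded by a higher-priority flow that forwards without marking.
    echo "priority=110,ip,nw_proto=89,actions=NORMAL"
    ttl=1
    while [ "$ttl" -le "$MAX_TTL" ]; do
        echo "priority=100,ip,nw_ttl=$ttl,actions=set_field:$MARK->pkt_mark,NORMAL"
        ttl=$((ttl + 1))
    done
    # Everything else: unmarked, normal L2 forwarding.
    echo "priority=0,actions=NORMAL"
}

# Emit the tc commands: HTB root with two classes, and the same "fw" filter the
# question uses, attached to the OVS port so marked packets land in 1:10.
gen_tc_cmds() {
    cat <<EOF
tc qdisc add dev $PORT root handle 1: htb default 20
tc class add dev $PORT parent 1: classid 1:1 htb rate 100mbit
tc class add dev $PORT parent 1:1 classid 1:10 htb rate 50mbit ceil 100mbit prio 0
tc class add dev $PORT parent 1:1 classid 1:20 htb rate 50mbit ceil 100mbit prio 1
tc filter add dev $PORT parent 1:0 protocol all prio 1 handle $MARK fw flowid 1:10
EOF
}

# Push the flows to the bridge and install the qdisc (needs root and OVS).
# replace-flows rewrites the whole table: do not use it on a bridge whose
# flows are managed by a controller or by an orchestration layer.
apply() {
    command -v ovs-ofctl >/dev/null 2>&1 || { echo "ovs-ofctl not found" >&2; return 1; }
    gen_ttl_flows | ovs-ofctl replace-flows "$BRIDGE" -
    gen_tc_cmds | sh -e
    # Check: marked flows present, and the fw filter attached to the port.
    ovs-ofctl dump-flows "$BRIDGE" | grep -c pkt_mark
    tc -s filter show dev "$PORT"
}

# Run without arguments to print what would be installed; "apply" installs it.
if [ "${1:-}" = "apply" ]; then
    apply
else
    gen_ttl_flows
    gen_tc_cmds
fi
```

After applying, the packet counters from tc -s filter show dev vnet0 are the quickest way to confirm the mark survives the trip through the datapath: if the fw filter's counters stay at zero while ovs-ofctl dump-flows shows hits on the nw_ttl flows, the mark is being set but not seen on egress, and the qdisc is on the wrong port.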
