...
Security groups are set per VM, so M x M rules (M = number of VMs) are required. The rule count can be reduced by matching on the subnet instead, provided all VMs in a subnet are assigned the same security group.
```
# Table 2: connection-tracking based security group for VM 10.10.0.2.
# Outbound new connections are committed to conntrack, replies to the VM are
# allowed, and any other new inbound connection is dropped. Explicit priorities
# are needed so that the commit rule of one VM wins over the drop rule of
# another VM for the same packet.
table=2,priority=20,ip,nw_src=10.10.0.2,ct_state=+trk+new,actions=ct(commit),goto_table:3
table=2,priority=20,ip,nw_dst=10.10.0.2,ct_state=+trk+est,actions=goto_table:3
table=2,priority=10,ip,nw_dst=10.10.0.2,ct_state=+trk+new,actions=drop
```
Connection tracking is activated only for VMs that do not have an "allow all incoming" rule.
```
# Table 3: traffic addressed to the virtual router's MAC goes to the routing
# table (5); everything else goes straight to the output table (7). The router
# rule needs a higher priority so it wins over the catch-all rule.
table=3,priority=10,ip,eth_dst=fa:00:00:00:00:00,actions=goto_table:5
table=3,priority=0,ip,actions=goto_table:7
```
...
```
# Table 5: routing between virtual networks identified by tunnel id. Each rule
# rewrites tun_id for the destination network and continues to the output
# table. OVS rejects a goto_table that does not move to a higher table, so the
# next table is 7 (the original text looped back to table 5).
table=5,ip,tun_id=0x402,nw_src=10.10.0.0/24,nw_dst=10.10.0.0/24,actions=set_field:0x402->tun_id,goto_table:7  # (1)
table=5,ip,tun_id=0x501,nw_src=10.10.1.0/24,nw_dst=10.10.1.0/24,actions=set_field:0x3f7->tun_id,goto_table:7  # (2)
table=5,ip,tun_id=0x402,nw_src=10.10.0.0/24,nw_dst=10.10.1.0/24,actions=set_field:0x402->tun_id,goto_table:7  # (3)
table=5,ip,tun_id=0x501,nw_src=10.10.1.0/24,nw_dst=10.10.0.0/24,actions=set_field:0x3f7->tun_id,goto_table:7  # (4)
```
Flow rules (1) and (2) are the default routing rules for VMs within their own subnet and are installed whenever a virtual network is created.
Flow rules (3) and (4) are the routing rules between subnets; N x N rules (N = number of subnets) are required.
```
# Table 7: output. Each rule rewrites the destination MAC for the target VM
# and sends the packet out of that VM's OpenFlow port.
table=7,ip,tun_id=0x402,nw_dst=10.10.0.2,actions=set_field:fa:16:3e:b8:92:fe->eth_dst,output:2
table=7,ip,tun_id=0x402,nw_dst=10.10.0.3,actions=set_field:fa:16:3e:b8:92:fe->eth_dst,output:3
table=7,ip,tun_id=0x501,nw_dst=10.10.1.2,actions=set_field:fa:16:3e:b8:92:fe->eth_dst,output:4
table=7,ip,tun_id=0x501,nw_dst=10.10.1.3,actions=set_field:fa:16:3e:b8:92:fe->eth_dst,output:5
```
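The following Python generator is an added example, not code from the page or from the project it describes. It builds the security-group table (2), the routing table (5) and the output table (7) sketched above from a small VM/subnet model, so the M x M growth of per-VM security-group rules, the reduction to one rule per subnet pair when every VM of a subnet shares a security group, and the N x N routing rules can be counted directly. The VM MACs, OpenFlow ports, security-group names, the allow policy and the rule priorities are constructed for the example; the choice to rewrite tun_id to the destination network's id in table 5 is an assumption. It also includes a sanity check that every goto_table moves to a higher table, since OVS rejects such flows at add-flow time and a rejected flow leaves the table half-applied.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Subnet:
    cidr: str       # e.g. "10.10.0.0/24"
    tun_id: int     # tunnel id (VNI) of the virtual network


@dataclass(frozen=True)
class VM:
    ip: str
    mac: str        # constructed for the example
    ofport: int     # OpenFlow port of the VM's tap interface (constructed)
    subnet: Subnet
    sg: str         # security group the VM is attached to (constructed)


def _endpoints(vms, collapse_subnets):
    """Return (match value, security group) pairs: one per VM, or one per
    subnet when every VM in that subnet carries the same security group."""
    if not collapse_subnets:
        return [(vm.ip, vm.sg) for vm in vms]
    by_subnet = {}
    for vm in vms:
        by_subnet.setdefault(vm.subnet, set()).add(vm.sg)
    if any(len(sgs) != 1 for sgs in by_subnet.values()):
        raise ValueError("subnet collapse needs one security group per subnet")
    return [(subnet.cidr, sgs.pop()) for subnet, sgs in by_subnet.items()]


def sg_flows(vms, allowed, collapse_subnets=False):
    """Table 2 rules. allowed(src_sg, dst_sg) says whether src_sg may open a
    new connection to dst_sg. Per-VM matching yields up to M x M allow rules;
    subnet matching yields up to N x N. Replies to tracked connections are
    allowed and other new inbound connections are dropped at lower priority."""
    eps = _endpoints(vms, collapse_subnets)
    flows = []
    for src, src_sg in eps:
        for dst, dst_sg in eps:
            if allowed(src_sg, dst_sg):
                flows.append(f"table=2,priority=20,ip,nw_src={src},nw_dst={dst},"
                             "ct_state=+trk+new,actions=ct(commit),goto_table:3")
    for dst, _ in eps:
        flows.append(f"table=2,priority=20,ip,nw_dst={dst},ct_state=+trk+est,actions=goto_table:3")
        flows.append(f"table=2,priority=10,ip,nw_dst={dst},ct_state=+trk+new,actions=drop")
    return flows


def routing_flows(subnets):
    """Table 5: one rule per ordered subnet pair (N x N); the diagonal is the
    default intra-subnet rule. tun_id is rewritten to the destination network."""
    return [f"table=5,ip,tun_id={src.tun_id:#x},nw_src={src.cidr},nw_dst={dst.cidr},"
            f"actions=set_field:{dst.tun_id:#x}->tun_id,goto_table:7"
            for src in subnets for dst in subnets]


def output_flows(vms):
    """Table 7: rewrite eth_dst to the VM's MAC and output to its port."""
    return [f"table=7,ip,tun_id={vm.subnet.tun_id:#x},nw_dst={vm.ip},"
            f"actions=set_field:{vm.mac}->eth_dst,output:{vm.ofport}" for vm in vms]


_TABLE = re.compile(r"\btable=(\d+)")
_GOTO = re.compile(r"goto_table:(\d+)")


def bad_gotos(flows):
    """Flows whose goto_table does not move to a strictly higher table."""
    bad = []
    for flow in flows:
        table = int(_TABLE.search(flow).group(1))
        if any(int(g) <= table for g in _GOTO.findall(flow)):
            bad.append(flow)
    return bad


# Constructed sample topology: two subnets, two VMs each, one security group per subnet.
SUBNET_A = Subnet("10.10.0.0/24", 0x402)
SUBNET_B = Subnet("10.10.1.0/24", 0x501)
VMS = [
    VM("10.10.0.2", "fa:16:3e:00:00:02", 2, SUBNET_A, "web"),
    VM("10.10.0.3", "fa:16:3e:00:00:03", 3, SUBNET_A, "web"),
    VM("10.10.1.2", "fa:16:3e:00:00:04", 4, SUBNET_B, "db"),
    VM("10.10.1.3", "fa:16:3e:00:00:05", 5, SUBNET_B, "db"),
]
ALLOW = {("web", "web"), ("web", "db"), ("db", "db")}   # constructed policy: db may not open to web


def allowed(src_sg, dst_sg):
    return (src_sg, dst_sg) in ALLOW


if __name__ == "__main__":
    per_vm = sg_flows(VMS, allowed)
    per_subnet = sg_flows(VMS, allowed, collapse_subnets=True)
    print(f"table 2: {len(per_vm)} per-VM rules, {len(per_subnet)} with subnet matching")
    everything = per_vm + routing_flows([SUBNET_A, SUBNET_B]) + output_flows(VMS)
    print("\n".join(everything))
    print("bad goto_table targets:", bad_gotos(everything))
```

The output is plain flow text that can be fed to `ovs-ofctl add-flows <bridge> <file>`; running `bad_gotos` over the generated set first catches the table-loop mistake before any flow reaches the switch.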