Example condition 1

Only packets whose network source is in 10.0.0.0/16 are allowed through to network 10.0.5.0/24. You can accomplish this a few different ways.

One way is to construct a DROP or REJECT rule that has a Condition and an ACCEPT rule with these attributes specify:

  1. DROP when (ethertype equal 2048) AND (src NOT equal (10.0.0.0, 16))
  2. ACCEPT when (dst equal (10.0.5.0, 24))
  3. DROP
[Note]Note

The unconditional drop is needed to make rule 2 meaningful.

To create a rule chain with the above attributes:

  1. If necessary, use the sett command or some other means to access the desired tenant.

    midonet> sett 10a83af63f9342118433c3a43a329528
    tenant_id: 10a83af63f9342118433c3a43a329528
  2. Enter the command to create a new rule chain and assign it a name:

    midonet> chain create name "drop_not_src_mynetwork_INBOUND"
    chain5
  3. Enter the command to drop IPv4 traffic that does not have the source 10.0.0.0/16:

    midonet> chain chain5 add rule ethertype 2048 src !10.0.0.0/16 type drop
    chain5:rule0
  4. Enter the command to accept IPv4 traffic with the destination 10.0.5.0/24:

    midonet> chain chain5 add rule ethertype 2048 dst 10.0.5.0/24 pos 2 type accept
    chain5:rule2
  5. Enter the command to list the rules added to the new rule chain:

    midonet> chain chain5 list rule
    rule rule3 ethertype 2048 src !10.0.0.0/16 proto 0 tos 0 pos 1 type drop
    rule rule2 ethertype 2048 dst 10.0.5.0/24 proto 0 tos 0 pos 2 type accept
Questions? Discuss on Mailing Lists or Chat.
Found an error? Report a bug.


loading table of contents...