{"id":48320246,"url":"https://github.com/anarkiwi/dovesnap","last_synced_at":"2026-04-05T00:39:00.970Z","repository":{"id":37252059,"uuid":"255980893","full_name":"anarkiwi/dovesnap","owner":"anarkiwi","description":"Docker OVS Network Plugin","archived":false,"fork":false,"pushed_at":"2026-04-01T10:32:00.000Z","size":24812,"stargazers_count":36,"open_issues_count":2,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2026-04-01T12:30:45.041Z","etag":null,"topics":["docker","docker-plugin","faucet","hacktoberfest","networking","openflow","openvswitch","ovs","ovs-bridge","ovs-plugin"],"latest_commit_sha":null,"homepage":"","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/anarkiwi.png","metadata":{"files":{"readme":"README.md","changelog":"CHANGELOG.md","contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2020-04-15T16:51:49.000Z","updated_at":"2026-04-01T10:30:43.000Z","dependencies_parsed_at":"2023-02-17T01:31:44.734Z","dependency_job_id":"90d17560-f371-40f7-9c7d-0895dfaabdf4","html_url":"https://github.com/anarkiwi/dovesnap","commit_stats":null,"previous_names":["cyberreboot/dovesnap","anarkiwi/dovesnap"],"tags_count":62,"template":false,"template_full_name":null,"purl":"pkg:github/anarkiwi/dovesnap","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anarkiwi%2Fdovesnap","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anarkiwi%2Fdovesnap/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHu
b/repositories/anarkiwi%2Fdovesnap/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anarkiwi%2Fdovesnap/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/anarkiwi","download_url":"https://codeload.github.com/anarkiwi/dovesnap/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/anarkiwi%2Fdovesnap/sbom","scorecard":{"id":64956,"data":{"date":"2025-08-11","repo":{"name":"github.com/IQTLabs/dovesnap","commit":"b2d4f0e8716a2206b1e158ce829682577119a532"},"scorecard":{"version":"v5.2.1-40-gf6ed084d","commit":"f6ed084d17c9236477efd66e5b258b9d4cc7b389"},"score":5.6,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#maintained"}},{"name":"Code-Review","score":-1,"reason":"Found no human activity in the last 15 changesets","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":0,"reason":"detected GitHub workflow tokens with excessive permissions","details":["Warn: no topLevel permission defined: .github/workflows/docker.yaml:1","Warn: no topLevel permission defined: .github/workflows/golangci-lint.yml:1","Warn: no 
topLevel permission defined: .github/workflows/pypi.yaml:1","Warn: no topLevel permission defined: .github/workflows/stale.yml:1","Warn: no topLevel permission defined: .github/workflows/test.yml:1","Info: no jobLevel write permissions found"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#token-permissions"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#cii-best-practices"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#binary-artifacts"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#fuzzing"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#license"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release 
artifacts.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":-1,"reason":"internal error: error during branchesHandler.setup: internal error: githubv4.Query: Resource not accessible by integration","details":null,"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#branch-protection"}},{"name":"Security-Policy","score":0,"reason":"security policy file not detected","details":["Warn: no security policy file detected","Warn: no security file to analyze","Warn: no security file to analyze","Warn: no security file to analyze"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#security-policy"}},{"name":"Pinned-Dependencies","score":0,"reason":"dependency not pinned by hash detected -- score normalized to 0","details":["Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/docker.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/docker.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yaml:22: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/docker.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/docker.yaml:27: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/docker.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:9: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/golangci-lint.yml/main?enable=pin","Warn: third-party 
GitHubAction not pinned by hash: .github/workflows/golangci-lint.yml:11: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/golangci-lint.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yaml:12: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/pypi.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/pypi.yaml:14: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/pypi.yaml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/pypi.yaml:18: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/pypi.yaml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/stale.yml:10: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/stale.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:96: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:98: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:102: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:117: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:119: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: third-party 
GitHubAction not pinned by hash: .github/workflows/test.yml:123: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:138: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:140: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:144: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:159: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:161: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:165: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:13: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:15: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:19: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned 
by hash: .github/workflows/test.yml:33: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:35: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:39: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:54: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:56: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:60: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:75: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: GitHub-owned GitHubAction not pinned by hash: .github/workflows/test.yml:77: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/test.yml:81: update your workflow using https://app.stepsecurity.io/secureworkflow/IQTLabs/dovesnap/test.yml/main?enable=pin","Warn: containerImage not pinned by hash: Dockerfile:1","Warn: containerImage not pinned by hash: Dockerfile:9: pin your Docker image by updating ubuntu:24.04 to ubuntu:24.04@sha256:a08e551cb33850e4740772b38217fc1796a66da2506d312abe51acda354ff061","Warn: containerImage not 
pinned by hash: openvswitch/Dockerfile:1","Warn: containerImage not pinned by hash: openvswitch/Dockerfile:13: pin your Docker image by updating debian:bookworm-slim to debian:bookworm-slim@sha256:2424c1850714a4d94666ec928e24d86de958646737b1d113f5b2207be44d37d8","Info:   0 out of  21 GitHub-owned GitHubAction dependencies pinned","Info:   0 out of  12 third-party GitHubAction dependencies pinned","Info:   0 out of   4 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#pinned-dependencies"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker.yaml:9"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#packaging"}},{"name":"SAST","score":0,"reason":"SAST tool is not run on all commits -- score normalized to 0","details":["Warn: 0 commits out of 30 are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#sast"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GO-2025-3829"],"documentation":{"short":"Determines if the project has open, known unfixed 
vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/f6ed084d17c9236477efd66e5b258b9d4cc7b389/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-15T02:24:25.489Z","repository_id":37252059,"created_at":"2025-08-15T02:24:25.489Z","updated_at":"2025-08-15T02:24:25.489Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31420466,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-05T00:25:07.052Z","status":"ssl_error","status_checked_at":"2026-04-05T00:25:05.923Z","response_time":60,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","docker-plugin","faucet","hacktoberfest","networking","openflow","openvswitch","ovs","ovs-bridge","ovs-plugin"],"created_at":"2026-04-05T00:38:57.785Z","updated_at":"2026-04-05T00:39:00.955Z","avatar_url":"https://github.com/anarkiwi.png","language":"Go","readme":"dovesnap\n=================\n\ndovesnap is a docker network provider, that works with FAUCET and OVS. 
This allows docker networks to make use of FAUCET's features, such as mirroring, ACLs, and Prometheus based monitoring.\n\nThanks to the folks who wrote the original [docker-ovs-plugin](https://github.com/gopher-net/docker-ovs-plugin) which is what this project was forked from.\n\nSee also https://docs.faucet.nz for FAUCET documentation, including monitoring documentation (dovesnap will supply FAUCET-based monitoring without needing configuration, when started as below).\n\n### Requirements\n\n* Linux host running a supported version of docker (x86 and Pi are supported)\n* Optionally: additional physical interfaces to connect other hosts also running dovesnap\n* non-netfilter iptables. For Debian/Ubuntu, follow the legacy option at https://wiki.debian.org/iptables (this will be addressed in a future version):\n\n```\n$ sudo apt-get install nftables \u0026\u0026 sudo nft flush ruleset \u0026\u0026 sudo apt-get purge nftables\n$ sudo apt-get --reinstall install iptables \u0026\u0026 sudo update-alternatives --set iptables /usr/sbin/iptables-legacy \u0026\u0026 sudo /etc/init.d/docker restart\n```\n\n### Installing as a systemd service\n\nThe `install.sh` and `uninstall.sh` scripts can be used to install and uninstall dovesnap as a systemd managed service. An upgrade can be accomplished by executing a `git pull` within `~dovesnap` as the `dovesnap` user, and restarting the service. Persistent configuration is stored in `~dovesnap/service.env`.\n\n### QuickStart Instructions\n\nThese instructions describe the most basic use of dovesnap - creating a docker network with Internet access, where dovesnap provides all the FAUCET infrastructure. See below for more advanced usage.\n\n**1.** Make sure you are using Docker 1.10 or later\n\n**2.** You need to `modprobe openvswitch` on the machine where the Docker Daemon is located. 
Make sure that while the module is loaded, OVS is not running on the host.\n\n```\n$ sudo modprobe openvswitch\n```\n\n**3.** Create a directory for FAUCET to store its configuration:\n\n```\n$ sudo mkdir /etc/faucet\n```\n\n**4.** Start dovesnap.\n\n`$ docker compose build \u0026\u0026 docker compose -f docker-compose.yml -f docker-compose-standalone.yml up -d`\n\n**5.** Now you are ready to create a new network\n\n```\n$ docker network create mynet -d dovesnap --internal -o ovs.bridge.mode=nat -o ovs.bridge.dpid=0x1 -o ovs.bridge.controller=tcp:127.0.0.1:6653,tcp:127.0.0.1:6654\n```\n\n`-d dovesnap` tells docker to use dovesnap as a network provider.\n\n`--internal` tells docker not to supply an additional network connection to containers on the new network for internet access. This is essential for dovesnap to have complete control over connectivity.\n\n`-o ovs.bridge.mode=nat` tells dovesnap to arrange NAT for the new network.\n\n`-o ovs.bridge.dpid=0x1 -o ovs.bridge.controller=tcp:127.0.0.1:6653,tcp:127.0.0.1:6654` tell dovesnap which FAUCET will control this network (you can provide your own FAUCET elsewhere on the network, but in this example we are using a dovesnap-provided FAUCET instance).\n\n**6.** Test it out!\n\n```\n$ docker run -d --net=mynet --rm --name=testcon busybox sleep 1h\n$ docker exec -t testcon ping 4.2.2.2\n```\n\n### Advanced usage\n\nThere are several options available when creating a network, and when creating a container on a network, to access FAUCET features.\n\nYou can view dovesnap's OVS bridges using `ovs-vsctl` and `ovs-ofctl`, from within the dovesnap OVS container. You can even use `ovs-vsctl` to add other (for example, physical) ports to a dovesnap managed bridge and dovesnap will monitor them for you. 
However, it's recommended that you use dovesnap's own options (below) where possible.\n\n#### Required options\n\n`ovs.bridge.dpid=\u003cdpid\u003e -o ovs.bridge.controller=tcp:\u003cip\u003e:\u003cport\u003e`\n\nEvery dovesnap network requires a DPID (for OVS and FAUCET), and at least one controller for OVS. dovesnap will provide FAUCET and Gauge processes to do forwarding and monitoring by default - at least one FAUCET is required, and one Gauge if monitoring is desired.\n\n#### Network options\n\nThese options are supplied at `docker network create` time.\n\n##### Bridge modes\n\nThere are three `ovs.bridge.mode` modes, `flat`, `nat`, and `routed`. The default mode is `flat`.\n\n- `flat` causes dovesnap to provide connectivity only between containers on this docker network - not to other networks (essentially, provide a VLAN - no routing).\n\n- `nat` causes dovesnap to provision a gateway, and NAT, for the docker network.\n\n- `routed` causes dovesnap to provision a gateway, for the docker network. An upstream network may provide NAT if needed.\n\nIf NAT is in use, you can specify `-p \u003coutside port\u003e:\u003cinside port\u003e` when starting a container. dovesnap will provision a DNAT rule, via the network's gateway from the outside port to the inside port on that container. This mapping won't show up in `docker ps`, as dovesnap is not using docker-proxy.\n\nYou can also specify an input ACL for the gateway's port with `-o ovs.bridge.nat_acl=\u003cacl\u003e`, and a default ACL for container ports with `-o ovs.bridge.default_acl=\u003cacl\u003e`.\n\n##### Preallocated ports\n\n`-o ovs.bridge.preallocate_ports=10`\n\nThis requests that N ports be pre-allocated with the default ACL (if any) when the network is created. This makes container startup faster, because the FAUCET network has already been configured.\n\n##### Userspace mode\n\n`-o ovs.bridge.userspace=true`\n\nThis requests a user space (\"netdev\"), rather than kernel space, switch from OVS. 
Certain OVS features such as meters, used to implement rate limiting, will only work on a user space bridge.\n\n##### MAC on OVS local port\n\n`-o ovs.bridge.ovs_local_mac=0e:01:00:00:00:03`\n\nThis option sets the MAC address of OVS' \"local\" port on the switch.\n\nYou can set the MAC address on a container, with `docker run --mac-address \u003cmac\u003e` (https://docs.docker.com/engine/reference/run/#network-settings)\n\n##### Adding a physical port/real VLAN\n\n`-o ovs.bridge.add_ports=eno123/8`\n\nDovesnap will connect `eno123` to the Docker network, and attempt to use OVS OFPort 8 (OVS will select another port number, if for some reason port 8 is already in use). You can specify more ports with commas. The OFPort specification is optional - if not present dovesnap will select the next free port number. If specifying a port, you can also specify a third parameter - the ACL name to be applied to the port.\n\n##### Adding a physical port/real VLAN with custom VLAN\n\n`-o ovs.bridge.add_ports=eno123/8//20`\n\nDovesnap will connect `eno123` to the Docker network, use OVS OFPort 8, and configure it with native_vlan 20.\n\nFormat: `portname[/ofport][/acl_name][/native_vlan]`\n\nExamples:\n- `eth0` - Port only, auto-assign OFPort, use bridge default VLAN\n- `eth0/8` - Port with OFPort 8, use bridge default VLAN\n- `eth0/8/myacl` - Port with OFPort 8 and ACL, use bridge default VLAN\n- `eth0/8//20` - Port with OFPort 8, no ACL, VLAN 20\n- `eth0/8/myacl/20` - Port with OFPort 8, ACL 'myacl', and VLAN 20\n- `eth0///20` - Port with auto-assigned OFPort, no ACL, VLAN 20\n\nYou can specify multiple ports with different VLANs:\n`-o ovs.bridge.add_ports=eth0/8//20,eth1/9//30,eth2/10/myacl/40`\n\n##### Adding a physical port for coprocessing\n\n`-o ovs.bridge.add_copro_ports=eno123/8`\n\nDovesnap will connect `eno123` to the Docker network as a FAUCET coprocessor port, and attempt to use OVS OFPort 8 (OVS will select another port number, if for some reason port 8 is already 
in use). You can specify more ports with commas. The OFPort specification is optional - if not present dovesnap will select the next free port number. If specifying a port, you can also specify a third parameter - the ACL name to be applied to the port.\n\n##### Specifying a specific VLAN to use\n\n`-o ovs.bridge.vlan=100`\n\nThis adds the VLAN tag of 100 for the Docker network. The default is 100.\n\n##### Specifying a VLAN output ACL to use\n\n`-o ovs.bridge.vlan_out_acl=allowall`\n\nThis adds the output ACL `allowall` to the VLAN used on the docker network.\n\nNOTE: this enables use of Faucet's egress pipeline feature, which is currently experimental and works only on OVS.\n\n##### Specifying a specific VLAN to use for the mirror tunnel\n\n`-o ovs.bridge.mirror_tunnel_vid=200`\n\nThis sets the mirror tunnel VLAN to 200. The default is 256 + the VLAN of the network.\n\n##### Enabling DHCP\n\n`--ipam-driver null -o ovs.bridge.dhcp=true`\n\ndocker's IP management of this network will be disabled, and instead dovesnap will request and maintain a DHCP lease for each container on the network, using `udhcpc`. `udhcpc` is run outside the container's PID namespace (so the container cannot see it), but within its network namespace. The container therefore does not need any special privileges and cannot change its IP address itself.\n\n##### Mirroring\n\nDovesnap provides infrastructure to do centralized mirroring - you can have dovesnap mirror the traffic for any container on a network it controls, back to a single interface (virtual or physical). This allows you to (for example) run one centralized tcpdump process that can collect all mirrored traffic.\n\nTo use physical interface `eno99` for mirroring, for example:\n\n`$ FAUCET_PREFIX=/etc/faucet MIRROR_BRIDGE_OUT=eno99 docker compose -f docker-compose.yml -f docker-compose-standalone.yml up -d`\n\nIf you want to mirror to a virtual interface on your host, use a veth pair. 
For example:\n\n```\n$ sudo ip link add odsmirrori type veth peer name odsmirroro\n$ sudo ip link set dev odsmirrori up\n$ sudo ip link set dev odsmirroro up\n$ FAUCET_PREFIX=/etc/faucet MIRROR_BRIDGE_OUT=odsmirrori docker compose -f docker-compose.yml -f docker-compose-standalone.yml up -d\n$ sudo tcpdump -n -e -v -i odsmirroro\n```\n\nFrom this point, any container selected for mirroring (see below) will have traffic mirrored to tcpdump running on `odsmirroro`.\n\n###### Mirroring across multiple hosts\n\nYou might want to run docker and dovesnap on multiple hosts, and have all the mirrored traffic from all the hosts arrive on one port on one host.\n\nYou can do this by daisy-chaining the hosts together with dedicated physical ports in a so-called \"mirror river\". On the hosts within the chain, specify `MIRROR_BRIDGE_IN=eth77` (where `eth77` is connected to the previous host). This will cause each host to pass the mirrored traffic along to the final host.\n\n#### Container options\n\nThese options are supplied when starting a container.\n\n#### ACLs\n\n`--label=\"dovesnap.faucet.portacl=\u003caclname\u003e\"`\n\nAn ACL will be applied to the port associated with the container. The ACL must already exist in FAUCET (e.g. 
by adding it to `faucet.yaml`).\n\nIf a container is connected to multiple dovesnap networks, it is possible to specify different ACLs per network:\n\n`--label=\"dovesnap.faucet.portacl=\u003cnetworkname\u003e:\u003caclname\u003e/...\"`\n\n#### Mirroring\n\n`--label=\"dovesnap.faucet.mirror=true\"`\n\nThe container's traffic (both sent and received) will be mirrored to a port on the bridge (see above).\n\nIf a container is connected to multiple dovesnap networks, it is possible to specify different mirror options for each network:\n\n`--label=\"dovesnap.faucet.mirror=\u003cnetworkname\u003e:\u003ctrue\u003e/...\"`\n\n#### MAC prefix\n\n`--label=\"dovesnap.faucet.mac_prefix=0e:99\"`\n\nThe prefix of the container interface's MAC address will be replaced with the specified bytes (1 to 5 bytes may be supplied).\nThis can be convenient when filtering traffic with tcpdump - containers with this label will have an easily identifiable MAC address.\n\nNOTE: where this option is used, the MAC address reported by `docker inspect` will be inaccurate.\n\n#### Visualizing dovesnap networks\n\nDovesnap can generate a diagram of how containers and interfaces are connected together, with some information about running containers (e.g. MAC and IP addresses). This can be useful for troubleshooting or verifying configuration.\n\n```\n$ sudo pip3 install -r requirements.txt\n$ cd bin\n$ ./graph_dovesnap\n```\n\nA PNG file will be created that describes the networks dovesnap controls.\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanarkiwi%2Fdovesnap","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fanarkiwi%2Fdovesnap","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fanarkiwi%2Fdovesnap/lists"}