[ovs-dev] [OVS Conntrack] ct_state flags lead to OFPT_ERRORs

Ashwin Paranjpe ashwin1985 at gmail.com
Fri Oct 23 19:24:09 UTC 2015


Trying to execute the following commands (source: ovs-ofctl man page,
utilities/ovs-ofctl.8.in):

> The following flows provide an example of how to implement a simple
> firewall that allows new connections from port 1 to port 2, and only allows
> established connections to send traffic from port 2 to port 1:
>
>     table=0,priority=1,action=drop
>     table=0,priority=10,arp,action=normal
>     table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
>     table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
>     table=1,in_port=1,ip,ct_state=+trk+est,action=2
>     table=1,in_port=2,ip,ct_state=+trk+new,action=drop
>     table=1,in_port=2,ip,ct_state=+trk+est,action=1

>
However, I see the following errors:

[root at PC ~]# ovs-ofctl del-flows br-int
[root at PC ~]# ovs-ofctl dump-flows br-int
NXST_FLOW reply (xid=0x4):
[root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=1,action=drop"
[root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=10,arp,action=normal"
[root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)"
[root at PC ~]# *ovs-ofctl add-flow br-int "table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2"*
*OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD*
NXT_FLOW_MOD (xid=0x6):
(***truncated to 64 bytes from 104***)
00000000  01 04 00 68 00 00 00 06-00 00 23 20 00 00 00 0d |...h......# ....|
00000010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
00000020  ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
00000030  00 00 00 02 00 01 00 00-06 02 08 00 00 01 d3 08 |................|
[root at PC ~]#

Note that the nf_conntrack_* modules are loaded:

[root at PC ~]# lsmod | grep "^nf_conn*"
... snip ...
nf_conntrack_ipv4      10289  4
nf_conntrack_ipv6      10595  3

Version Info:

[root at PC ~]# ovs-ofctl --version
ovs-ofctl (Open vSwitch) 2.4.90
Compiled Oct 21 2015 13:30:44
OpenFlow versions 0x1:0x4
[root at PC ~]#


It appears that any ct_state flag with a '+' prepended to it doesn't work.
Is this a known issue? Are there any workarounds at the moment?

Thanks,
-Ashwin
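An added decoder for the NXT_FLOW_MOD that ovs-ofctl echoed inside the OFPT_ERROR above (example code written for this page, not from the post or the Open vSwitch tree): it recovers the header (the xid matches the error's xid=0x6), the target table and command, and the NXM match headers that fit in the 64 captured bytes, the third of which is NXM class 0x0001, field 105 with a mask, which is the ct_state field as numbered in OVS's Nicira extension definitions (subtype 13 = NXT_FLOW_MOD is from the same source). Checking the rejected message this way confirms which match field the switch refused, and therefore which rule of the firewall set is missing after the failed add-flow.

```python
import struct

# Hex dump copied from the OFPT_ERROR report in the post above (first 64 of 104 bytes).
DUMP = """\
00000000  01 04 00 68 00 00 00 06-00 00 23 20 00 00 00 0d |...h......# ....|
00000010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
00000020  ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
00000030  00 00 00 02 00 01 00 00-06 02 08 00 00 01 d3 08 |................|
"""

NICIRA_VENDOR_ID = 0x00002320
NXT_FLOW_MOD = 13
NXM_NX_CT_STATE = (0x0001, 105)  # NXM class 1, field 105 (ct_state) per OVS nicira-ext

def hexdump_to_bytes(dump):
    """Turn ovs-ofctl's hexdump lines back into raw bytes (offset and ASCII columns dropped)."""
    out = bytearray()
    for line in dump.splitlines():
        body = line.split("|", 1)[0].split(None, 1)[1]
        out += bytes(int(h, 16) for h in body.replace("-", " ").split())
    return bytes(out)

def decode_nx_flow_mod(data):
    """Decode the OpenFlow 1.0 header, Nicira vendor header, the fixed part of
    nx_flow_mod, and as many NXM match headers as the captured bytes contain."""
    version, msg_type, length, xid = struct.unpack("!BBHI", data[:8])
    vendor, subtype = struct.unpack("!II", data[8:16])
    # nx_flow_mod: cookie, command (table_id << 8 | cmd when NXT_FLOW_MOD_TABLE_ID is on),
    # idle_timeout, hard_timeout, priority, buffer_id, out_port, flags, match_len, pad[6]
    cookie, command, idle, hard, prio, buf, out_port, flags, match_len = \
        struct.unpack("!QHHHHIHHH", data[16:42])
    fields = []
    off = 48  # first NXM header follows the 6 pad bytes
    while off + 4 <= len(data) and off < 48 + match_len:
        nxm_class, fh, nxm_len = struct.unpack("!HBB", data[off:off + 4])
        fields.append((nxm_class, fh >> 1, bool(fh & 1), nxm_len))
        off += 4 + nxm_len  # value (and mask) may lie beyond the truncated capture
    return {"version": version, "type": msg_type, "length": length, "xid": xid,
            "nicira": vendor == NICIRA_VENDOR_ID and subtype == NXT_FLOW_MOD,
            "table": command >> 8, "command": command & 0xff, "priority": prio,
            "match_len": match_len, "fields": fields,
            "has_ct_state": any(f[:2] == NXM_NX_CT_STATE for f in fields)}

if __name__ == "__main__":
    print(decode_nx_flow_mod(hexdump_to_bytes(DUMP)))
```

The three match headers account for 6 + 6 + 12 = 24 bytes, exactly the match_len in the message, so the last field (8 bytes of value plus mask) is only cut off by the 64-byte dump, not by the message itself.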


