[ovs-dev] [OVS Conntrack] ct_state flags lead to OFPT_ERRORs
Ashwin Paranjpe
ashwin1985 at gmail.com
Fri Oct 23 19:24:09 UTC 2015
Trying to execute the following commands (source: ovs-ofctl man page,
utilities/ovs-ofctl.8.in):

> The following flows provide an example of how to implement a simple
> firewall that allows new connections from port 1 to port 2, and only allows
> established connections to send traffic from port 2 to port 1:
>
> table=0,priority=1,action=drop
> table=0,priority=10,arp,action=normal
> table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
> table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
> table=1,in_port=1,ip,ct_state=+trk+est,action=2
> table=1,in_port=2,ip,ct_state=+trk+new,action=drop
> table=1,in_port=2,ip,ct_state=+trk+est,action=1

However, I see the following errors:

[root at PC ~]# ovs-ofctl del-flows br-int
[root at PC ~]# ovs-ofctl dump-flows br-int
NXST_FLOW reply (xid=0x4):
[root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=1,action=drop"
[root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=10,arp,action=normal"
[root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)"
[root at PC ~]# ovs-ofctl add-flow br-int "table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2"
OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD
NXT_FLOW_MOD (xid=0x6):
(***truncated to 64 bytes from 104***)
00000000 01 04 00 68 00 00 00 06-00 00 23 20 00 00 00 0d |...h......# ....|
00000010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
00000020 ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
00000030 00 00 00 02 00 01 00 00-06 02 08 00 00 01 d3 08 |................|
[root at PC ~]#

Note that the nf_conntrack_* modules are loaded:

[root at PC ~]# lsmod | grep "^nf_conn*"
... snip ...
nf_conntrack_ipv4 10289 4
nf_conntrack_ipv6 10595 3

Version Info:

[root at PC ~]# ovs-ofctl --version
ovs-ofctl (Open vSwitch) 2.4.90
Compiled Oct 21 2015 13:30:44
OpenFlow versions 0x1:0x4
[root at PC ~]#

It appears that any ct_state flag with a '+' prepended to it doesn't work.
Is this a known issue? Are there any workarounds at the moment?
Thanks,
-Ashwin
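To see exactly what the switch was handed when it answered OFPBMC_BAD_FIELD, here is an added decoder for the 64 bytes of the NXT_FLOW_MOD that ovs-ofctl printed in the report above. This is my own example, not code from the Open vSwitch project or from the poster. It parses the OpenFlow 1.0 header, the Nicira vendor header and the nx_flow_mod fields, then walks the NXM match TLVs and flags any entry whose body fell past the 64-byte truncation. The wire layout and the three field numbers in NXM_NAMES (NXM_OF_IN_PORT=0, NXM_OF_ETH_TYPE=3, NXM_NX_CT_STATE=105) are assumptions taken from my reading of OVS's nicira-ext.h and meta-flow.h; nothing else is inferred beyond the bytes on the page.

```python
"""Decode the truncated NXT_FLOW_MOD hexdump from the report above.

Added example, not OVS project code.  Assumptions: the wire layout is
OpenFlow 1.0 header (8 bytes) + nicira_header (vendor, subtype) +
nx_flow_mod (32 bytes) + NXM TLVs, and the NXM field numbers in
NXM_NAMES, both as I read them in OVS's nicira-ext.h / meta-flow.h.
"""
import struct

OFPT_VENDOR = 4            # OF1.0 message type used for vendor extensions
NX_VENDOR_ID = 0x00002320  # Nicira vendor id
NXT_FLOW_MOD = 13          # Nicira subtype: flow_mod carrying an NXM match

# (vendor, field) -> name; only the fields this dump contains (assumption).
NXM_NAMES = {
    (0x0000, 0): "NXM_OF_IN_PORT",
    (0x0000, 3): "NXM_OF_ETH_TYPE",
    (0x0001, 105): "NXM_NX_CT_STATE",
}

# The 64 bytes copied from the hexdump in the report; ovs-ofctl cut the
# 104-byte message off here, so the tail of the match is missing.
DUMP = bytes.fromhex(
    "01 04 00 68 00 00 00 06 00 00 23 20 00 00 00 0d"
    "00 00 00 00 00 00 00 00 01 00 00 00 00 00 80 00"
    "ff ff ff ff ff ff 00 00 00 18 00 00 00 00 00 00"
    "00 00 00 02 00 01 00 00 06 02 08 00 00 01 d3 08"
)


def parse_nxm_match(buf, match_len):
    """Walk NXM TLVs.  Header is 4 bytes: vendor(16) | field(7) |
    hasmask(1) | length(8); `length` bytes of value (and mask, when
    hasmask is set) follow.  A TLV whose body is cut off is flagged."""
    entries = []
    off = 0
    while off + 4 <= min(match_len, len(buf)):
        (hdr,) = struct.unpack_from("!I", buf, off)
        vendor, field = hdr >> 16, (hdr >> 9) & 0x7F
        hasmask, length = bool((hdr >> 8) & 1), hdr & 0xFF
        body = buf[off + 4 : off + 4 + length]
        entries.append({
            "name": NXM_NAMES.get((vendor, field), f"vendor={vendor:#06x} field={field}"),
            "hasmask": hasmask,
            "length": length,
            "value": body.hex(),          # value followed by mask, if present
            "truncated": len(body) < length,
        })
        off += 4 + length
    return entries


def decode_flow_mod(msg):
    """Return the header, nx_flow_mod fields and decoded match of one
    NXT_FLOW_MOD message (possibly truncated, as in ovs-ofctl's dump)."""
    version, msg_type, length, xid = struct.unpack_from("!BBHI", msg, 0)
    vendor, subtype = struct.unpack_from("!II", msg, 8)
    if (msg_type, vendor, subtype) != (OFPT_VENDOR, NX_VENDOR_ID, NXT_FLOW_MOD):
        raise ValueError("not an NXT_FLOW_MOD message")
    (_cookie, command, _idle, _hard, priority, _buffer_id,
     _out_port, _flags, match_len) = struct.unpack_from("!QHHHHIHHH", msg, 16)
    return {
        "of_version": version,
        "length": length,            # length claimed in the OpenFlow header
        "captured": len(msg),        # bytes we actually have
        "xid": xid,
        "table_id": command >> 8,    # NXT_FLOW_MOD_TABLE_ID puts the table id in the high byte
        "command": command & 0xFF,   # 0 == OFPFC_ADD
        "priority": priority,
        "match_len": match_len,
        "match": parse_nxm_match(msg[48:], match_len),  # match starts after the 32-byte nx_flow_mod
    }


if __name__ == "__main__":
    d = decode_flow_mod(DUMP)
    print(f"OF{d['of_version']} xid={d['xid']} table={d['table_id']} "
          f"priority={d['priority']} ({d['captured']}/{d['length']} bytes captured)")
    for e in d["match"]:
        print(f"  {e['name']:<18} hasmask={e['hasmask']} len={e['length']} "
              f"bytes={e['value'] or '<cut off>'} truncated={e['truncated']}")
```

Run stand-alone it reports a table 1 add with the default priority 32768, an in_port of 1, an eth_type of 0x0800, and a third, masked 8-byte entry for NXM_NX_CT_STATE whose value and mask bytes lie beyond the 64-byte cut. That confirms the rejected flow_mod does carry the masked ct_state match, so when chasing an OFPBMC_BAD_FIELD like this one the first thing to check is whether the datapath in use actually supports matching on the ct_state bits requested, rather than suspecting the in_port or eth_type entries.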