[ovs-dev] [OVS Conntrack] ct_state flags lead to OFPT_ERRORs

Joe Stringer joestringer at nicira.com
Fri Oct 23 20:36:00 UTC 2015


On 23 October 2015 at 12:24, Ashwin Paranjpe <ashwin1985 at gmail.com> wrote:
> Trying to execute the following commands (source: ovs-ofctl man page,
> utilities/ovs-ofctl.8.in):
>
>> The following flows provide an example of how to implement a simple
>> firewall that allows new connections from port 1 to port 2, and only allows
>> established connections to send traffic from port 2 to port 1:
>>
>>     table=0,priority=1,action=drop
>>     table=0,priority=10,arp,action=normal
>>     table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
>>     table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
>>     table=1,in_port=1,ip,ct_state=+trk+est,action=2
>>     table=1,in_port=2,ip,ct_state=+trk+new,action=drop
>>     table=1,in_port=2,ip,ct_state=+trk+est,action=1
>
> However, I see the following errors:
>
> [root at PC ~]# ovs-ofctl del-flows br-int
> [root at PC ~]# ovs-ofctl dump-flows br-int
> NXST_FLOW reply (xid=0x4):
> [root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=1,action=drop"
> [root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=10,arp,action=normal"
> [root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)"
> [root at PC ~]# ovs-ofctl add-flow br-int "table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2"
> OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD
> NXT_FLOW_MOD (xid=0x6):
> (***truncated to 64 bytes from 104***)
> 00000000  01 04 00 68 00 00 00 06-00 00 23 20 00 00 00 0d |...h......# ....|
> 00000010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
> 00000020  ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
> 00000030  00 00 00 02 00 01 00 00-06 02 08 00 00 01 d3 08 |................|
> [root at PC ~]#
>
> Note that the nf_conntrack_* modules are loaded:
>
> [root at PC ~]# lsmod | grep "^nf_conn*"
> ... snip ...
> nf_conntrack_ipv4      10289  4
> nf_conntrack_ipv6      10595  3
>
> Version Info:
>
> [root at PC ~]# ovs-ofctl --version
> ovs-ofctl (Open vSwitch) 2.4.90
> Compiled Oct 21 2015 13:30:44
> OpenFlow versions 0x1:0x4
> [root at PC ~]#
>
> It appears that any ct_state flag with a '+' prepended to it doesn't work.
> Is this a known issue? Are there any workarounds at the moment?

It looks like your OVS kernel module doesn't support connection
tracking. In this case, ovs-ofctl reports back a BAD_FIELD error.

If you want to use this feature at the moment, you need to get the
latest "net" development kernel and use the OVS kernel module from
there.
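The ct_state matching that the quoted firewall relies on, shown as an added example (this is not code from the thread or from Open vSwitch itself): a small Python model that parses ct_state specs such as +trk+new or -trk into the value/mask pair OVS sends in the match, using OVS's ct_state bit assignments (new, est, rel, rpl, inv, trk), and then runs the seven quoted flows against constructed packets through a toy connection table. The Packet and Flow tuples, the Conntrack class, the sample 10.0.0.x addresses and the single-zone, no-timeout conntrack model are assumptions of the example; flows the thread writes without a priority are given OVS's default of 32768, and the bare ",2" output is spelled "output:2".

```python
import re
from collections import namedtuple

# ct_state bits as Open vSwitch defines them (CS_NEW, CS_ESTABLISHED,
# CS_RELATED, CS_REPLY_DIR, CS_INVALID, CS_TRACKED).
CT_STATE_BITS = {"new": 1 << 0, "est": 1 << 1, "rel": 1 << 2,
                 "rpl": 1 << 3, "inv": 1 << 4, "trk": 1 << 5}
_FLAG_RE = re.compile(r"([+-])([a-z]+)")

def parse_ct_state(spec):
    """'+trk+new' -> (value, mask): '+f' needs bit f set, '-f' needs it clear."""
    if _FLAG_RE.sub("", spec):                   # stray text such as "trk" or "+"
        raise ValueError("malformed ct_state spec: %r" % spec)
    value = mask = 0
    for sign, name in _FLAG_RE.findall(spec):
        bit = CT_STATE_BITS.get(name)
        if bit is None:
            raise ValueError("unknown ct_state flag: %r" % name)
        if mask & bit:
            raise ValueError("ct_state flag given twice: %r" % name)
        mask |= bit
        if sign == "+":
            value |= bit
    return value, mask

def ct_state_matches(pkt_state, value, mask):
    return (pkt_state & mask) == value           # masked packet bits must equal value

# None in eth_type / in_port / ct_state means the field is wildcarded (assumed model).
Flow = namedtuple("Flow", "table priority eth_type in_port ct_state actions")
Packet = namedtuple("Packet", "in_port eth_type src dst")   # eth_type: "ip" or "arp"

# The firewall from the thread, one Flow per add-flow line. Flows with no explicit
# priority get OVS's default 32768; the bare ",2" output action is spelled "output:2".
FIREWALL = [
    Flow(0, 1, None, None, None, ["drop"]),
    Flow(0, 10, "arp", None, None, ["normal"]),
    Flow(0, 100, "ip", None, "-trk", ["ct(table=1)"]),
    Flow(1, 32768, "ip", 1, "+trk+new", ["ct(commit)", "output:2"]),
    Flow(1, 32768, "ip", 1, "+trk+est", ["output:2"]),
    Flow(1, 32768, "ip", 2, "+trk+new", ["drop"]),
    Flow(1, 32768, "ip", 2, "+trk+est", ["output:1"]),
]

class Conntrack:
    """Toy connection table (assumed: one zone, no timeouts, no rel/inv states)."""
    def __init__(self):
        self.committed = set()                   # (src, dst) of the committed direction

    def lookup(self, pkt):
        state = CT_STATE_BITS["trk"]
        if (pkt.src, pkt.dst) in self.committed:
            state |= CT_STATE_BITS["est"]
        elif (pkt.dst, pkt.src) in self.committed:
            state |= CT_STATE_BITS["est"] | CT_STATE_BITS["rpl"]
        else:
            state |= CT_STATE_BITS["new"]
        return state

    def commit(self, pkt):
        self.committed.add((pkt.src, pkt.dst))

def flow_matches(flow, pkt, ct_state):
    if flow.eth_type is not None and flow.eth_type != pkt.eth_type:
        return False
    if flow.in_port is not None and flow.in_port != pkt.in_port:
        return False
    if flow.ct_state is not None:
        return ct_state_matches(ct_state, *parse_ct_state(flow.ct_state))
    return True

def run_pipeline(flows, ct, pkt, table=0, ct_state=0):
    """Verdict for pkt: 'drop', 'normal' or 'output:<port>'. Starts untracked."""
    hits = [f for f in flows if f.table == table and flow_matches(f, pkt, ct_state)]
    if not hits:
        return "drop"                            # table miss
    best = max(hits, key=lambda f: f.priority)
    for action in best.actions:
        m = re.fullmatch(r"ct\(table=(\d+)\)", action)
        if m:                                    # conntrack lookup, then recirculate
            return run_pipeline(flows, ct, pkt, int(m.group(1)), ct.lookup(pkt))
        if action == "ct(commit)":
            ct.commit(pkt)
        elif action in ("drop", "normal") or action.startswith("output:"):
            return action
    return "drop"

def firewall_scenario():
    """Drive the thread's firewall with constructed packets (sample addresses)."""
    ct = Conntrack()
    return {
        "new from port 1": run_pipeline(FIREWALL, ct, Packet(1, "ip", "10.0.0.1", "10.0.0.2")),
        "reply from port 2": run_pipeline(FIREWALL, ct, Packet(2, "ip", "10.0.0.2", "10.0.0.1")),
        "later packet from port 1": run_pipeline(FIREWALL, ct, Packet(1, "ip", "10.0.0.1", "10.0.0.2")),
        "unsolicited from port 2": run_pipeline(FIREWALL, ct, Packet(2, "ip", "10.0.0.9", "10.0.0.1")),
        "arp from port 2": run_pipeline(FIREWALL, ct, Packet(2, "arp", "10.0.0.2", "10.0.0.1")),
    }
```

Calling firewall_scenario() walks the two-table pipeline the way the quoted rules intend: the first packet from port 1 is untracked, so table 0 sends it through ct(), it comes back +trk+new, is committed and forwarded to port 2; the reply from port 2 is then +trk+est (with rpl set) and is forwarded to port 1; an unsolicited packet arriving on port 2 is +trk+new and is dropped; ARP bypasses conntrack via the priority-10 normal rule. The value/mask pair that parse_ct_state produces is exactly what a datapath without conntrack support cannot match on, which is what the BAD_FIELD error in the thread reports.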
