[ovs-dev] [OVS Conntrack] ct_state flags lead to OFPT_ERRORs
Joe Stringer
joestringer at nicira.com
Fri Oct 23 20:36:00 UTC 2015
On 23 October 2015 at 12:24, Ashwin Paranjpe <ashwin1985 at gmail.com> wrote:
> Trying to execute the following commands (source: ovs-ofctl man page,
> utilities/ovs-ofctl.8.in):
>
>> The following flows provide an example of how to implement a simple
>> firewall that allows new connections from port 1 to port 2, and only allows
>> established connections to send traffic from port 2 to port 1:
>>
>> table=0,priority=1,action=drop
>> table=0,priority=10,arp,action=normal
>> table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
>> table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
>> table=1,in_port=1,ip,ct_state=+trk+est,action=2
>> table=1,in_port=2,ip,ct_state=+trk+new,action=drop
>> table=1,in_port=2,ip,ct_state=+trk+est,action=1
>
> However, I see the following errors:
>
> [root at PC ~]# ovs-ofctl del-flows br-int
> [root at PC ~]# ovs-ofctl dump-flows br-int
> NXST_FLOW reply (xid=0x4):
> [root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=1,action=drop"
> [root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=10,arp,action=normal"
> [root at PC ~]# ovs-ofctl add-flow br-int "table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)"
> [root at PC ~]# ovs-ofctl add-flow br-int "table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2"
> OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD
> NXT_FLOW_MOD (xid=0x6):
> (***truncated to 64 bytes from 104***)
> 00000000 01 04 00 68 00 00 00 06-00 00 23 20 00 00 00 0d |...h......# ....|
> 00000010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
> 00000020 ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
> 00000030 00 00 00 02 00 01 00 00-06 02 08 00 00 01 d3 08 |................|
> [root at PC ~]#
>
> Note that the nf_conntrack_* modules are loaded:
>
> [root at PC ~]# lsmod | grep "^nf_conn*"
> ... snip ...
> nf_conntrack_ipv4 10289 4
> nf_conntrack_ipv6 10595 3
>
> Version Info:
>
> [root at PC ~]# ovs-ofctl --version
> ovs-ofctl (Open vSwitch) 2.4.90
> Compiled Oct 21 2015 13:30:44
> OpenFlow versions 0x1:0x4
> [root at PC ~]#
>
> It appears that any ct_state flag with a '+' prepended to it doesn't work.
> Is this a known issue? Are there any workarounds at the moment?
It looks like your OVS kernel module doesn't support connection
tracking. In this case, ovs-ofctl reports back a BAD_FIELD error.
If you want to use this feature at the moment, you need to get the
latest "net" development kernel and use the OVS kernel module from
there.
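A probe for the situation described above, added here as an example (it is not code from this thread or from the Open vSwitch project): it recreates the symptom on a scratch bridge with a `+trk` match, which the quoted session shows is rejected with OFPBMC_BAD_FIELD while the `-trk` flow is accepted, and turns the result into a verdict about datapath conntrack support. The bridge name `ctprobe0` and the function names are my own choices, and the run needs root plus a running ovs-vswitchd.

```shell
#!/bin/sh
# Added example: probe whether the datapath behind an OVS bridge accepts
# ct_state matches, using the symptom from this thread (OFPBMC_BAD_FIELD on
# a "+trk" match) rather than inferring it from loaded nf_conntrack modules,
# which the reporter showed is not sufficient.

# Turn an ovs-ofctl exit status and its output into a verdict.
# Prints one of: supported, no-conntrack, other-error.
classify_ct_probe() {
    rc="$1"   # exit status of ovs-ofctl add-flow
    out="$2"  # its combined stdout and stderr
    if [ "$rc" -eq 0 ]; then
        echo supported
    elif printf '%s\n' "$out" | grep -q 'OFPBMC_BAD_FIELD'; then
        # The switch parsed the flow but rejected the ct_state field: the
        # datapath (e.g. an older kernel module) has no conntrack support.
        echo no-conntrack
    else
        # Anything else (daemon not running, bad bridge name, ...) is not
        # evidence about conntrack either way.
        echo other-error
    fi
}

# Run the probe on a scratch bridge so production flow tables stay untouched.
# "ctprobe0" is a placeholder name chosen for this example.
probe_ct_support() {
    br="${1:-ctprobe0}"
    probe_flow="table=0,priority=0,ip,ct_state=+trk,action=drop"
    ovs-vsctl --may-exist add-br "$br" >/dev/null 2>&1 || { echo other-error; return 1; }
    if out=$(ovs-ofctl add-flow "$br" "$probe_flow" 2>&1); then rc=0; else rc=$?; fi
    ovs-vsctl --if-exists del-br "$br" >/dev/null 2>&1
    classify_ct_probe "$rc" "$out"
}

# Usage: sh ct_probe.sh [scratch-bridge-name]
if [ $# -gt 0 ]; then
    probe_ct_support "$1"
fi
```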