[ovs-dev] [OVS Conntrack] ct_state flags lead to OFPT_ERRORs

Ashwin Paranjpe ashwin1985 at gmail.com
Fri Oct 23 23:25:33 UTC 2015


Thanks Joe.

Adding more information about the kernel version requirement for the
benefit of others:
The version needs to be > 3.9.0.
From (datapath/conntrack.h):

    #if IS_ENABLED(CONFIG_NF_CONNTRACK) && LINUX_VERSION_CODE > KERNEL_VERSION(3,9,0)
    ... snip ...
    #else
    ... snip ...
    static inline bool ovs_ct_state_supported(u32 state)
    {
        return false;
    }


Thanks,
-Ashwin

On Fri, Oct 23, 2015 at 1:36 PM, Joe Stringer <joestringer at nicira.com>
wrote:

> On 23 October 2015 at 12:24, Ashwin Paranjpe <ashwin1985 at gmail.com> wrote:
> > Trying to execute the following commands (source: ovs-ofctl man page,
> > utilities/ovs-ofctl.8.in):
> >
> > > The following flows provide an example of how to implement a simple
> > > firewall that allows new connections from port 1 to port 2, and only
> > > allows established connections to send traffic from port 2 to port 1:
> > >
> > >     table=0,priority=1,action=drop
> > >     table=0,priority=10,arp,action=normal
> > >     table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
> > >     table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
> > >     table=1,in_port=1,ip,ct_state=+trk+est,action=2
> > >     table=1,in_port=2,ip,ct_state=+trk+new,action=drop
> > >     table=1,in_port=2,ip,ct_state=+trk+est,action=1
> >
> > However, I see the following errors:
> >
> > [root@PC ~]# ovs-ofctl del-flows br-int
> > [root@PC ~]# ovs-ofctl dump-flows br-int
> > NXST_FLOW reply (xid=0x4):
> > [root@PC ~]# ovs-ofctl add-flow br-int "table=0,priority=1,action=drop"
> > [root@PC ~]# ovs-ofctl add-flow br-int "table=0,priority=10,arp,action=normal"
> > [root@PC ~]# ovs-ofctl add-flow br-int "table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)"
> > [root@PC ~]# *ovs-ofctl add-flow br-int "table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2"*
> > *OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD*
> > NXT_FLOW_MOD (xid=0x6):
> > (***truncated to 64 bytes from 104***)
> > 00000000  01 04 00 68 00 00 00 06-00 00 23 20 00 00 00 0d |...h......# ....|
> > 00000010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
> > 00000020  ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
> > 00000030  00 00 00 02 00 01 00 00-06 02 08 00 00 01 d3 08 |................|
> > [root@PC ~]#
> >
> > Note that the nf_conntrack_* modules are loaded:
> >
> > > [root@PC ~]# lsmod | grep "^nf_conn*"
> > > ... snip ...
> > > nf_conntrack_ipv4      10289  4
> > > nf_conntrack_ipv6      10595  3
> >
> > Version Info:
> >
> > > [root@PC ~]# ovs-ofctl --version
> > > ovs-ofctl (Open vSwitch) 2.4.90
> > > Compiled Oct 21 2015 13:30:44
> > > OpenFlow versions 0x1:0x4
> > > [root@PC ~]#
> >
> > It appears that any ct_state flag with a '+' prepended to it doesn't
> > work. Is this a known issue? Are there any workarounds at the moment?
>
> It looks like your OVS kernel module doesn't support connection
> tracking. In this case, ovs-ofctl reports back a BAD_FIELD error.
>
> If you want to use this feature at the moment, you need to get the
> latest "net" development kernel and use the OVS kernel module from
> there.
>
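Added illustration, not code from this thread or from Open vSwitch: a small Python model of the man-page flow table quoted above, showing what the ct_state matches do once the kernel module does support them. ct(table=1) marks the packet tracked and classifies it new or established, ct(commit) records the connection, so a reply arriving on port 2 is +est and forwarded while an unsolicited packet on port 2 is +new and dropped. The conntrack set, the two-address connection key and the packet dicts are simplifications of my own.

```python
import re  # only for pulling "+flag"/"-flag" pairs out of a ct_state match
# Flow table copied from the ovs-ofctl(8) excerpt quoted in the thread.
FLOWS = [
    "table=0,priority=1,action=drop",
    "table=0,priority=10,arp,action=normal",
    "table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)",
    "table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2",
    "table=1,in_port=1,ip,ct_state=+trk+est,action=2",
    "table=1,in_port=2,ip,ct_state=+trk+new,action=drop",
    "table=1,in_port=2,ip,ct_state=+trk+est,action=1",
]

def parse_flow(text):
    fields, action = text.split(",action=", 1)
    flow = {"table": 0, "priority": 32768, "ct_state": {}, "action": action}
    for part in fields.split(","):
        if part in ("ip", "arp"):           # bare protocol keyword
            flow["proto"] = part
        elif part.startswith("ct_state="):  # "+flag" must be set, "-flag" must be clear
            flow["ct_state"] = {m[2]: m[1] == "+" for m in re.finditer(r"([+-])(\w+)", part)}
        else:                               # table=, priority=, in_port=
            key, val = part.split("=", 1)
            flow[key] = int(val)
    return flow

def matches(flow, pkt):
    return (flow.get("proto", pkt["proto"]) == pkt["proto"]
            and flow.get("in_port", pkt["in_port"]) == pkt["in_port"]
            and all((f in pkt["ct_state"]) == want for f, want in flow["ct_state"].items()))

def conn_key(pkt):  # direction-agnostic, so the reply maps to the same connection
    return frozenset((pkt["src"], pkt["dst"]))

def run_pipeline(pkt, conntrack, flows=tuple(map(parse_flow, FLOWS))):
    """Return 'drop', 'normal', or the output port number for one packet."""
    table = 0
    while True:
        hits = [f for f in flows if f["table"] == table and matches(f, pkt)]
        if not hits:
            return "drop"  # table miss: nothing matched
        action = max(hits, key=lambda f: f["priority"])["action"]
        if action.startswith("ct(table="):
            # ct(): set trk, classify new/est against the connection table, recirculate
            pkt = dict(pkt, ct_state={"trk", "est" if conn_key(pkt) in conntrack else "new"})
            table = int(action[len("ct(table="):-1])
            continue
        if action.startswith("ct(commit),"):
            conntrack.add(conn_key(pkt))  # commit: remember the connection
            action = action.split(",", 1)[1]
        return int(action) if action.isdigit() else action
```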