[ovs-discuss] Problem with a desired flow getting deleted

Todd Deshane deshantm at gmail.com
Fri Feb 12 02:42:39 UTC 2010


Hi All,

I almost have Open vSwitch working the way I want it to, but I am
running across some unexpected problems. I've set up 2 switches, an
internal and an external one, with the initial configuration of:

bridge.internalbr.port=internalbr
bridge.externalbr.port=externalbr
bridge.internalbr.mac=00:11:22:aa:cc:ee
bridge.externalbr.mac=00:11:22:bb:aa:dd
bridge.externalbr.port=eth0

I have a script that starts a VM with two nics, and connects one nic
to the internal switch and one to the external switch by automatically
appending to the ovs-switchd.conf and then sending a HUP signal to the
ovs-switchd process (as was suggested in a previous thread).

As the guest boots, the following lines are added (before sending the HUP):
bridge.internalbr.port=tap0
bridge.externalbr.port=tap1

I then remove the default flow from the externalbr flow table with:
ovs-ofctl del-flows externalbr priority=0

And add a series of flows from a file (with the ovs-ofctl add-flows command):
dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal

My intention is to default deny all and only allow what is absolutely
necessary for this particular VM to get an IP (DHCP outgoing to server
port 67 and DHCP incoming to port 68), connect to web servers
(over port 80), and do DNS lookups (port 53).

There are a couple of things that I can't figure out yet. One is how to
get a dump-flows that includes the port numbers (tp_dst and tp_src).
Is there a command that will show them?

The VM can connect on port 22 and can be contacted over port 22, both
of which should be disallowed.

The relevant output of ovs-ofctl dump-flows externalbr (which doesn't
show the tp_dst or tp_src ports):

Feb 11 20:33:03|00001|ofctl|INFO|connecting to
unix:/usr/local/var/run/externalbr.mgmt
stats_reply (xid=0x80bb7ffe): flags=none type=1(flow)
  duration=1955s, table_id=1, priority=32768, n_packets=46,
n_bytes=8753, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
  duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0,
dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
  duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0,
dl_src=52:54:00:aa:bb:cc,actions=NORMAL
  duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0,
dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
  duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0,
dl_src=52:54:00:aa:bb:cc,actions=NORMAL
  duration=1955s, table_id=1, priority=0, n_packets=16, n_bytes=3092,
actions=NORMAL

The output of other commands, such as ovs-dpctl show, seems to make
sense, but I can post other things if that helps; just let me know.

Other things that don't make sense to me are that the base system
can't connect to the guest via SSH (even though it can be connected to
from external hosts), that the guest NIC connected to the internalbr
gets an external IP address over DHCP on the eth0 (external) network,
and finally that the network for the host doesn't work correctly
(without it being restarted), which probably has something to do with
how the switch does its learning.

Any thoughts, suggestions, or things to try would be greatly appreciated.

Thanks,
Todd


-- 
Todd Deshane
http://todddeshane.net
http://runningxen.com
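Editor's note with an added example (not part of the thread and not Open vSwitch code): in OpenFlow 1.0 style matching, tp_src/tp_dst only take effect when nw_proto is TCP or UDP, which in turn needs dl_type to be IPv4, so a rule such as "dl_src=...,tp_dst=80" ends up matching every frame from that MAC, exactly the kind of silent widening that defeats a default-deny flow table. The checker below parses ovs-ofctl flow specs (including the "ip", "tcp" and "udp" shorthands) and reports which match fields the switch would wildcard; the field names and prerequisite rules are the standard ones, the sample specs are constructed from the rules in the post.

```python
# Added example: compute the match an ovs-ofctl flow spec actually enforces
# once OpenFlow prerequisite rules are applied, so a "default deny" rule set
# can be linted before it is loaded. Assumption: OpenFlow 1.0 semantics, where
# tp_* only count when nw_proto is 6 (TCP) or 17 (UDP), and nw_* only count
# when dl_type is 0x0800 (IPv4).

MATCH_KEYS = {"in_port", "dl_src", "dl_dst", "dl_type", "nw_src", "nw_dst",
              "nw_proto", "tp_src", "tp_dst"}
# ovs-ofctl shorthands that fill in the prerequisite fields for you.
SHORTHANDS = {"ip": {"dl_type": "0x0800"},
              "tcp": {"dl_type": "0x0800", "nw_proto": "6"},
              "udp": {"dl_type": "0x0800", "nw_proto": "17"}}

def parse_flow(spec):
    """Split 'k=v,k=v,actions=...' into a match dict; actions/timeouts ignored."""
    match = {}
    for field in spec.split(","):
        key, _, value = field.partition("=")
        key = key.strip()
        if key in SHORTHANDS:
            match.update(SHORTHANDS[key])
        elif key in MATCH_KEYS:
            match[key] = value.strip()
    return match

def _is_ipv4(dl_type):
    try:
        return int(dl_type, 0) == 0x0800   # accepts 0x0800, 0x800, 2048
    except (TypeError, ValueError):
        return False

def effective_match(match):
    """Drop fields whose prerequisites are missing, as the switch would."""
    eff = dict(match)
    if not _is_ipv4(eff.get("dl_type")):
        for key in ("nw_src", "nw_dst", "nw_proto"):
            eff.pop(key, None)
    if eff.get("nw_proto") not in ("6", "17"):
        for key in ("tp_src", "tp_dst"):
            eff.pop(key, None)
    return eff

def ignored_fields(spec):
    """Match fields of `spec` that would be silently wildcarded (sorted)."""
    match = parse_flow(spec)
    return sorted(set(match) - set(effective_match(match)))

if __name__ == "__main__":
    # Constructed samples: one rule as written in the post, one with the fix.
    for spec in ("dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal",
                 "tcp,dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal"):
        print(f"{spec}\n  ignored: {ignored_fields(spec) or 'none'}")
```

Newer ovs-ofctl releases reject a spec whose prerequisites are not met instead of wildcarding the field, so the same checker also predicts which rules such a release would refuse to install.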