[ovs-discuss] Problem with a desired flow getting deleted

Justin Pettit jpettit at nicira.com
Fri Feb 12 03:15:31 UTC 2010


The first thing to check is that you're specifying the protocols all
the way up in your flow-add command. For TCP/IP/Ethernet you can use
the shortcut "tcp". Similarly, there's "udp" for UDP, etc. It should
be in the ovs-ofctl man page, but it's easy to miss.

Try that and let us know how the other things work out.

--Justin

(Sent from my phone. Sorry for any typos.)



On Feb 11, 2010, at 6:42 PM, Todd Deshane <deshantm at gmail.com> wrote:

> Hi All,
>
> I almost have open vSwitch working the way I want it to, but I am
> running across some unexpected problems. I've set up 2 switches, an
> internal and an external, with the initial configuration of:
>
> bridge.internalbr.port=internalbr
> bridge.externalbr.port=externalbr
> bridge.internalbr.mac=00:11:22:aa:cc:ee
> bridge.externalbr.mac=00:11:22:bb:aa:dd
> bridge.externalbr.port=eth0
>
> I have a script that starts a VM with two nics, and connects one nic
> to the internal switch and one to the external switch by automatically
> appending to the ovs-switchd.conf and then sending a HUP signal to the
> ovs-switchd process (as was suggested in a previous thread).
>
> As the guest boots the following lines are added (before sending the HUP):
> bridge.internalbr.port=tap0
> bridge.externalbr.port=tap1
>
> I then remove the default flow from the externalbr flow table with:
> ovs-ofctl del-flows externalbr priority=0
>
> And add a series of flows from a file (with the ovs-ofctl add-flows command):
> dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal
> dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal
> dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal
> dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal
> dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal
> dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal
>
> My intention is to default deny all and only allow what is absolutely
> necessary for this particular VM to get an IP (dhcp outgoing to server
> port 67 and dhcp incoming to port 68), and connect to web servers
> (over port 80) and do dns lookups (port 53)
>
> There are a couple things that I can't figure out yet, one is how to
> get a dump-flows that includes the port numbers (tp_dst and tp_src).
> Is there a command that will show them?
>
> The VM can connect on port 22 and can be contacted over port 22, both
> of which should be disallowed.
>
> The relevant output of:
> ovs-ofctl dump-flows externalbr (which doesn't show the tp_dst or tp_src ports)
>
> Feb 11 20:33:03|00001|ofctl|INFO|connecting to
> unix:/usr/local/var/run/externalbr.mgmt
> stats_reply (xid=0x80bb7ffe): flags=none type=1(flow)
>  duration=1955s, table_id=1, priority=32768, n_packets=46,
> n_bytes=8753, dl_src=52:54:00:aa:bb:cc,actions=NORMAL
>  duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0,
> dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
>  duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0,
> dl_src=52:54:00:aa:bb:cc,actions=NORMAL
>  duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0,
> dl_dst=52:54:00:aa:bb:cc,actions=NORMAL
>  duration=1955s, table_id=1, priority=32768, n_packets=0, n_bytes=0,
> dl_src=52:54:00:aa:bb:cc,actions=NORMAL
>  duration=1955s, table_id=1, priority=0, n_packets=16, n_bytes=3092,
> actions=NORMAL
>
> The output of other commands, such as ovs-dpctl show, seem to make
> sense, but I can post other things if that helps, just let me know.
>
> Other things that don't make sense to me are that the base system
> can't connect to the guest via SSH (even though it can be connected to
> from external hosts), and the guest NIC connected to the internalbr
> gets an external IP address over DHCP on the eth0 (external) network,
> and finally that the network for the host doesn't work correctly
> (without it being restarted), which probably has something to do with
> how the switch does its learning.
>
> Any thoughts, suggestions, or things to try would be greatly appreciated.
>
> Thanks,
> Todd
>
>
> -- 
> Todd Deshane
> http://todddeshane.net
> http://runningxen.com
>
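A small flow-spec linter, added here as an example (not code from the thread or from Open vSwitch), that parses the flows quoted above, reports tp_* matches that lack a tcp/udp keyword, and shows which entries collapse to the same effective match and therefore replace one another. It assumes, from the quoted dump-flows output, that an unqualified tp_* field is dropped at install time; the collapsed dl_src rule with actions=normal is then what lets SSH through.

```python
"""Lint ovs-ofctl flow specs for L4 matches missing a protocol keyword."""

L4_FIELDS = ("tp_src", "tp_dst")
L4_PROTOCOLS = ("tcp", "udp")          # shortcuts from the ovs-ofctl man page
NON_MATCH_KEYS = {"idle_timeout", "hard_timeout", "priority", "cookie"}

# Constructed from the flow file quoted in the thread
ORIGINAL_FLOWS = [
    "dl_src=52:54:00:aa:bb:cc,tp_dst=80,idle_timeout=0,actions=normal",
    "dl_dst=52:54:00:aa:bb:cc,tp_src=80,idle_timeout=0,actions=normal",
    "dl_src=52:54:00:aa:bb:cc,tp_dst=53,idle_timeout=0,actions=normal",
    "dl_dst=52:54:00:aa:bb:cc,tp_src=53,idle_timeout=0,actions=normal",
    "dl_src=52:54:00:aa:bb:cc,tp_dst=67,idle_timeout=0,actions=normal",
    "dl_dst=52:54:00:aa:bb:cc,tp_dst=68,idle_timeout=0,actions=normal",
]


def parse_flow(spec):
    """Split a spec into (match fields, bare keywords such as 'tcp', actions)."""
    head, _, actions = spec.partition("actions=")
    match, keywords = {}, set()
    for tok in filter(None, head.rstrip(",").split(",")):
        if "=" in tok:
            key, val = tok.split("=", 1)
            if key not in NON_MATCH_KEYS:
                match[key] = val
        else:
            keywords.add(tok)
    return match, keywords, actions


def missing_prerequisite(spec):
    """L4 fields in spec that have no tcp/udp keyword backing them."""
    match, keywords, _ = parse_flow(spec)
    if keywords.intersection(L4_PROTOCOLS):
        return []
    return [f for f in L4_FIELDS if f in match]


def effective_match(spec):
    """Match as installed (assumption: unbacked tp_* fields are dropped)."""
    match, keywords, _ = parse_flow(spec)
    dropped = missing_prerequisite(spec)
    kept = sorted(f"{k}={v}" for k, v in match.items() if k not in dropped)
    return ",".join(sorted(keywords) + kept)


def collisions(specs):
    """Specs sharing an effective match; later adds overwrite earlier ones."""
    groups = {}
    for spec in specs:
        groups.setdefault(effective_match(spec), []).append(spec)
    return {m: g for m, g in groups.items() if len(g) > 1}


def with_protocol(spec, proto):
    """Prefix the protocol shortcut so the tp_* fields really take effect."""
    if proto not in L4_PROTOCOLS:
        raise ValueError(f"unsupported protocol shortcut: {proto}")
    return f"{proto},{spec}"
```

Prefixing the HTTP rules with "tcp" and the DNS/DHCP rules with "udp" makes every effective match distinct, so nothing is overwritten and the port restriction is actually enforced.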
