[ovs-discuss] "local" flow match rules + a controller

Dave Scott Dave.Scott at eu.citrix.com
Wed Oct 13 17:12:35 UTC 2010

Hi Justin,
> Hi, Dave.  You are correct that the controller "owns" all the rules on
> the switch.  (Technically, there are exceptions to this, but that's a
> road I wouldn't recommend going down.)  It is up to the
> controller/application to decide how to handle existing flows, but all
> the ones I know of wipe the existing flows on OpenFlow connection
> establishment.  (It's kind of a nightmare to debug a controller app
> otherwise.)

Thanks for the clarification-- I'll avoid digging into the exceptions (emergency mode rules?) :)

> Would a proxy, generic port forwarding application, or IP tables rules
> work for you?  I would think any of those would do the job you want and
> not interfere with any OpenFlow controllers.  (Unless, of course, it's
> specifically dropping those flows, which is probably a configuration
> problem anyway.)

I did a few experiments and it looks like iptables and NAT will do what I want. I'll assign dom0 and the helper domains link-local 169.254.* addresses on a private network and then use a DNAT iptables rule to readdress traffic heading to a port on the dom0 management IP. No additional OpenFlow hackery needed [a pity because I was looking forward to playing with it more :)]


> We should be able to come up with a solution that works for you, so let
> me know if none of those suggestions seems appropriate.
> --Justin
> (I don't know how this became such a parenthetical message.)
> On Oct 5, 2010, at 7:31 AM, Dave Scott wrote:
> > Hi,
> >
> > I'm currently exploring ways of moving parts of XenServer/XCP's domain0 into helper domains and I think the openvswitch may be able to help. FYI here's the kind of thing I'm thinking of:
> >
> > * Client sends HTTP request to domain0's management IP (call this M)
> > * xapi binds a random local port on the management IP (call this P)
> > * xapi boots up a helper domain, tells it to listen on M:P
> > * xapi uses openflow (or ovs-ofctl) to program the local openvswitch to redirect TCP traffic to M:P to the helper domain's switch port, while translating the MACs using mod_dl_{src,dst}
> > * xapi issues an HTTP 302 redirect to M:P
> >
> > Although sharing the management IP between two domains is a bit hacky :) it's nice not to require the admin to configure a means for xapi to allocate IP addresses for all its non-domain0 children.
> >
> > Apart from comments on the general (in)sanity (which I'm also interested in), I'm curious about how connecting a controller would affect this scheme. My understanding is that the controller "owns" all the rules in the lower switches: would a controller always wipe out these "local" rules I've added, or does that just depend on the controller? Is there any general way to prevent a controller doing that, for some small subset of the rules?
> >
> > Any comments appreciated.
> >
> > Cheers,
> > Dave

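The DNAT approach described in the reply above, sketched as an added example that is not part of the original thread: it prints (does not apply) a DNAT rule scoped to one management IP and TCP port, and refuses helper addresses outside 169.254.0.0/16. The function names, the sample addresses and port, and the FORWARD rule (which assumes dom0 routes between the management and private networks with IP forwarding enabled) are assumptions.

```shell
# Added example: emit the iptables rules for forwarding one management-IP
# port to a helper domain on the link-local network. Nothing is applied.

# Succeeds only for a dotted-quad IPv4 address with each octet in 0..255.
is_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# Succeeds only for an address inside 169.254.0.0/16 (link-local).
is_link_local() {
    is_ipv4 "$1" || return 1
    case "$1" in 169.254.*) return 0 ;; *) return 1 ;; esac
}

# Succeeds only for a decimal TCP port in 1..65535.
is_port() {
    case "$1" in ""|*[!0-9]*) return 1 ;; esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# dnat_rules MGMT_IP PORT HELPER_IP   (hypothetical helper)
# Prints a DNAT rule matching exactly MGMT_IP:PORT/tcp plus the FORWARD
# rule that lets the rewritten packets reach the helper. Returns 2 and
# prints nothing on stdout if any argument fails validation, so a bad
# value cannot redirect management traffic off the private network.
dnat_rules() {
    mgmt=$1 port=$2 helper=$3
    is_ipv4 "$mgmt" || { echo "bad management IP: $mgmt" >&2; return 2; }
    is_port "$port" || { echo "bad port: $port" >&2; return 2; }
    is_link_local "$helper" || { echo "helper not link-local: $helper" >&2; return 2; }
    printf '%s\n' \
        "iptables -t nat -A PREROUTING -d $mgmt -p tcp --dport $port -j DNAT --to-destination $helper:$port" \
        "iptables -A FORWARD -d $helper -p tcp --dport $port -j ACCEPT"
}

# Constructed sample values: documentation-range management IP, arbitrary port.
dnat_rules 192.0.2.10 8443 169.254.0.2
```

Matching on both `-d` and `--dport` keeps every other management-IP port terminating in dom0; only the single allocated port is readdressed.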