[ovs-discuss] MAC address rule blocking failure
Ben Pfaff
blp at nicira.com
Thu Dec 22 18:45:37 UTC 2011
OK. So it seems that MAC learning entries are expiring in cases where
we expect them to persist. I can look into that, if you can give me
some more details; to start, the version of OVS involved. (I think
that you might have already given detail to our support team in
parallel; I'm trying to find out how I get direct access to that
information.)
Let me reiterate that the "normal" action isn't an effective way to
enforce ACLs. Nevertheless, there appears to be a bug that I should
investigate here.
Thanks,
Ben.
On Thu, Dec 22, 2011 at 06:35:50PM +0000, Mike Bursell wrote:
> I believe that there is nothing else going on at all.
>
> The CLI tools were used to construct the rules: no DVSC in play.
>
> -Mike.
> --
> Mike Bursell.
>
> Ben Pfaff <blp at nicira.com> wrote:
>
>
> On Thu, Dec 22, 2011 at 04:35:45PM +0000, Mike Bursell wrote:
> > We've discovered what we suspect is a bug, and are looking for
> > thoughts, please!
> >
> > Observed behaviour:
> > - Continuous pings being sent from laptop to vm1
> > - vm2 is quiescent
> > - Intermittently, the response to a ping from laptop is seen on vm2
>
> Is anything else going on? Certain kinds of changes to a bridge
> (adding and removing ports, etc.) can cause the MAC learning table, or
> particular entries in it, to be flushed. If VMs are being brought up
> or down, VLANs being created or destroyed, etc., one might expect to
> see a need to re-learn MAC addresses immediately after those events.
>
> I have not carefully looked over your flow table. Is this flow table
> constructed by hand, generated by DVS, or generated by some other
> controller? I ask because the "normal" action may not be an effective
> way to enforce ACLs--it is an implementation of a MAC learning switch,
> which is not itself an effective way to enforce ACLs--so I wonder what
> assumptions lie behind this flow table construction.
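To illustrate why frames reach a quiescent VM when MAC learning does not hold, here is a toy model of the learning switch that the "normal" action implements. This is an added example written for this page, not OVS code; the port names and MAC addresses are constructed, and the 300 s aging value is an assumption about the OVS default rather than something stated in the thread.

```python
"""Toy model of a MAC-learning switch (what OVS's "normal" action does).
Added illustration for this thread, not OVS source code."""
from dataclasses import dataclass, field

# Assumption: entries age out after 300 s of inactivity (OVS default is
# configurable; the thread does not state the value in use).
MAC_AGING_SECONDS = 300


@dataclass
class LearningSwitch:
    ports: set
    table: dict = field(default_factory=dict)  # mac -> (port, last_seen)

    def forward(self, in_port, src_mac, dst_mac, now):
        """Learn src_mac on in_port, then return the set of output ports."""
        self.table[src_mac] = (in_port, now)  # learn or refresh the sender
        entry = self.table.get(dst_mac)
        if entry is not None:
            port, last_seen = entry
            if now - last_seen <= MAC_AGING_SECONDS:
                return {port}          # known, fresh: unicast to one port
            del self.table[dst_mac]    # stale entry: forget it
        # Unknown destination: flood to every port except the ingress one.
        # This is the step no ACL intent can survive: every port gets a copy.
        return self.ports - {in_port}

    def port_changed(self, port):
        """A port add/remove flushes the entries learned on that port."""
        self.table = {m: v for m, v in self.table.items() if v[0] != port}


LAPTOP, VM1, VM2 = "laptop", "vm1", "vm2"                    # constructed
LAPTOP_MAC, VM1_MAC = "00:00:00:00:00:01", "00:00:00:00:00:02"  # constructed


def ping_reply_receivers(gap_seconds, flush_laptop_port=False):
    """Which ports receive vm1's echo reply to the laptop?"""
    sw = LearningSwitch(ports={LAPTOP, VM1, VM2})
    sw.forward(LAPTOP, LAPTOP_MAC, VM1_MAC, now=0)   # echo request in
    if flush_laptop_port:
        sw.port_changed(LAPTOP)                       # e.g. port re-added
    return sw.forward(VM1, VM1_MAC, LAPTOP_MAC, now=gap_seconds)
```

With a fresh entry the reply goes only to the laptop port; once the entry has aged out or been flushed, the same reply is flooded and vm2 receives a copy, which is the symptom reported above.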