[ovs-discuss] How to make Open vSwitch kernel module drop all packet by default
voravit at kth.se
Wed Nov 2 14:57:53 UTC 2011
On 11/02/2011 03:39 PM, Ben Pfaff wrote:
> On Wed, Nov 02, 2011 at 03:20:51PM +0100, Voravit T. wrote:
>> I noticed that by default the openvswitch kernel module will forward an
>> incoming packet out on all ports.
> Not true. By default it forwards incoming packets to userspace.
Thank you for your response.
In my case, I noticed from ovs-dpctl for the incoming packet that the
actions is 0,2.
Does this mean that when there is no userspace controller, it will also
forward out to other ports then?
>> I tried to overwrite this by introducing a controller that should drop
>> all packets.
>> But I didn't get it to work. Could anyone please let me know what I
>> missed here?
>> Below is how I setup my openvswitch and the controller:
>> insmod datapath/linux/openvswitch_mod.ko
>> ovsdb-tool create /usr/local/etc/openvswitch/conf.db
>> ovsdb-server --remote=punix:/usr/local/var/run/openvswitch/db.sock
>> --remote=db:Open_vSwitch,manager_options --pidfile --detach
>> ovs-vsctl --no-wait init
>> ovs-vswitchd --pidfile --detach
>> ovs-vsctl add-br br0
>> ovs-vsctl add-port br0 eth4
>> ovs-vsctl add-port br0 eth5
>> touch /usr/local/var/run/openvswitch/controller.sock
> This "touch" isn't useful (though it doesn't hurt anything).
In my setup, if I didn't create the socket file beforehand, it will fail
to start ovs-controller.
>> ovs-controller --noflow --pidfile --detach
> This tells ovs-controller to listen on
>> ovs-vsctl set-controller br0
> This also tells ovs-vswitchd to listen on
> /usr/local/var/run/openvswitch/controller.sock. Not good: you need it
> to connect to that socket. So that's "unix:" instead of "punix:". (If
> you'd read the ovs-vswitchd log messages you'd have seen the problem.)
My /usr/local/var/run/openvswitch/log folder is empty. I suppose I need
to give explicit logging options to get a log file then.
> Unless you're using a very new ovs-vswitchd, though, you'll have to use
> a tcp connection to localhost instead.
More information about the discuss