[ovs-discuss] How to make Open vSwitch kernel module drop all packet by default

Voravit T. voravit at kth.se
Wed Nov 2 19:36:44 UTC 2011

On 11/02/2011 04:27 PM, Ben Pfaff wrote:
> On Wed, Nov 02, 2011 at 03:57:53PM +0100, Voravit T. wrote:
>> On 11/02/2011 03:39 PM, Ben Pfaff wrote:
>>> On Wed, Nov 02, 2011 at 03:20:51PM +0100, Voravit T. wrote:
>>>> I noticed that by default the openvswitch kernel module will forward an
>>>> incoming packet out on all ports.
>>> Not true.  By default it forwards incoming packets to userspace.
>> Thank you for your response.
>> In my case, I noticed from ovs-dpctl for the incoming packet that the
>> actions are 0,2.
>> Does this mean that when there is no userspace controller, it will also
>> forward out to other ports then?
> Yes: by default, if there is no controller, or if the controller cannot
> be contacted, then OVS acts as a MAC-learning Ethernet switch.
>>>> touch /usr/local/var/run/openvswitch/controller.sock
>>> This "touch" isn't useful (though it doesn't hurt anything).
>> In my setup, if I didn't create the socket file beforehand, it would fail
>> to start ovs-controller.
> What error message do you get?
Sorry, it was my mistake here. The error was due to a typo.

>>>> ovs-controller --noflow --pidfile --detach
>>>> punix:/usr/local/var/run/openvswitch/controller.sock
>>> This tells ovs-controller to listen on
>>> /usr/local/var/run/openvswitch/controller.sock.
>>>> ovs-vsctl set-controller br0
>>>> punix:/usr/local/var/run/openvswitch/controller.sock
>>> This also tells ovs-vswitchd to listen on
>>> /usr/local/var/run/openvswitch/controller.sock.  Not good: you need it
>>> to connect to that socket.  So that's "unix:" instead of "punix:".  (If
>>> you'd read the ovs-vswitchd log messages you'd have seen the problem.)
It is not possible to create my own socket. I got the error message below:
Nov 02 17:23:36|00012|bridge|ERR|bridge br0: Not adding Unix domain
socket controller "unix:/usr/local/var/run/openvswitch/controller.sock"
due to possibility for remote exploit.  Instead, specify whitelisted
"unix:/usr/local/var/run/openvswitch/br0.controller" or connect to
"unix:/usr/local/var/run/openvswitch/br0.mgmt" (which is always
available without special configuration).

So, I tried to use the whitelisted socket by running the two commands below:
ovs-controller --noflow --pidfile --detach
ovs-vsctl set-controller br0

It seems like I can connect, but it is unable to find the controller.
I don't know why it uses this IP address ( though.
This time it finds no match in the lookup table, but the switch still
forwards the incoming packet from port 1 out on port 2.
Another thing I noticed is that this time "ovs-dpctl dump-flows br0"
showed no entry.

From ovs-vswitchd.log:
Nov 02
Nov 02 19:14:07|00013|in_band|WARN|cannot find route for controller
( No such device or address
Nov 02
Nov 02 19:14:08|00015|in_band|WARN|cannot find route for controller
( No such device or address
Nov 02 19:14:09|00016|in_band|WARN|cannot find route for controller
( No such device or address
Nov 02 19:14:10|00017|in_band|WARN|cannot find route for controller
( No such device or address

host1:/home/voravit/openvswitch# ovs-vsctl show   
    Bridge "br0"
        Controller "unix:/usr/local/var/run/openvswitch/br0.controller"
            is_connected: true
        Port "br0"
            Interface "br0"
                type: internal
        Port "eth4"
            Interface "eth4"
        Port "eth5"
            Interface "eth5"

host1:/home/voravit/openvswitch# ovs-ofctl dump-flows br0
NXST_FLOW reply (xid=0x4):

host1:/home/voravit/openvswitch# ovs-dpctl show br0
system at br0:
    lookups: hit:0 missed:1 lost:0
    flows: 0
    port 0: br0 (internal)
    port 1: eth4
    port 2: eth5
host1:/home/voravit/openvswitch# ovs-ofctl dump-tables br0|more
OFPST_TABLE reply (xid=0x1): 255 tables
  0: classifier: wild=0x3fffff, max=1000000, active=7
               lookup=1, matched=0

I also tried it with a TCP socket using these two command lines:
ovs-controller --noflow --pidfile --detach ptcp:6633:
ovs-vsctl set-controller br0 tcp:
I got pretty much the same result with the error cannot find route for
controller (

By the way, in my setup, I use Bifrost Linux running on a USB flash. It
does not write any log files locally.
I did add --log-file options when I ran ovs-vswitchd and ovs-controller.
But I don't know if I missed any messages or not.
I'll try to get a syslog server setup on another machine to relay log
messages later.

>> My /usr/local/var/run/openvswitch/log folder is empty. I suppose I need
>> to give explicit logging options to get a log file then.
> You can use --log-file to enable logging to a file.  Logs are also sent
> by default to syslog.
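As an added example, not part of this thread, here is a small Python parser for the ovs-vswitchd log format quoted above that flags the two conditions the exchange turns on: a refused non-whitelisted unix: controller socket, and a controller that in_band repeatedly cannot route to (the case where, per Ben's answer, OVS falls back to MAC-learning forwarding instead of dropping). The sample lines are constructed from the ones in the thread, with the elided controller address replaced by a placeholder.

```python
import re
from collections import Counter

# ovs-vswitchd log line as quoted in the thread: "Mon DD HH:MM:SS|seq|module|LEVEL|message"
LOG_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2})\|(?P<seq>\d+)\|(?P<module>\w+)\|(?P<level>\w+)\|(?P<msg>.*)$"
)

# Constructed sample, modelled on the thread's lines; the controller address is
# elided in the original, so <controller-ip> is a placeholder here.
SAMPLE_LOG = """\
Nov 02 17:23:36|00012|bridge|ERR|bridge br0: Not adding Unix domain socket controller "unix:/usr/local/var/run/openvswitch/controller.sock" due to possibility for remote exploit.  Instead, specify whitelisted "unix:/usr/local/var/run/openvswitch/br0.controller" or connect to "unix:/usr/local/var/run/openvswitch/br0.mgmt" (which is always available without special configuration).
Nov 02 19:14:07|00013|in_band|WARN|cannot find route for controller (<controller-ip>): No such device or address
Nov 02 19:14:08|00015|in_band|WARN|cannot find route for controller (<controller-ip>): No such device or address
Nov 02 19:14:09|00016|in_band|WARN|cannot find route for controller (<controller-ip>): No such device or address
Nov 02 19:14:10|00017|in_band|WARN|cannot find route for controller (<controller-ip>): No such device or address
"""

def parse_log(text):
    """Split log text into dicts (ts, seq, module, level, msg); non-matching lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            records.append(m.groupdict())
    return records

def assess(records, unreachable_threshold=3):
    """Return the two findings a defender wants from the parsed records:
    rejected_controllers: non-whitelisted unix: paths the bridge refused;
    controller_unreachable: True once in_band has warned at least
    unreachable_threshold times that it cannot route to the controller."""
    rejected = []
    unreachable = Counter()
    for r in records:
        if r["module"] == "bridge" and "Not adding Unix domain socket controller" in r["msg"]:
            m = re.search(r'controller "([^"]+)"', r["msg"])
            if m:
                rejected.append(m.group(1))
        elif r["module"] == "in_band" and "cannot find route for controller" in r["msg"]:
            unreachable[r["level"]] += 1
    return {
        "rejected_controllers": rejected,
        "unreachable_warnings": unreachable["WARN"],
        "controller_unreachable": unreachable["WARN"] >= unreachable_threshold,
    }
```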
