[ovs-discuss] How to make Open vSwitch kernel module drop all packet by default

Voravit T. voravit at kth.se
Wed Nov 2 19:36:44 UTC 2011



On 11/02/2011 04:27 PM, Ben Pfaff wrote:
> On Wed, Nov 02, 2011 at 03:57:53PM +0100, Voravit T. wrote:
>> On 11/02/2011 03:39 PM, Ben Pfaff wrote:
>>> On Wed, Nov 02, 2011 at 03:20:51PM +0100, Voravit T. wrote:
>>>> I noticed that by default the openvswitch kernel module will forward an
>>>> incoming packet out on all ports.
>>> Not true.  By default it forwards incoming packets to userspace.
>> Thank you for your response.
>> In my case, I noticed from ovs-dpctl for the incoming packet that the
>> actions is 0,2.
>> Does this mean that when there is no userspace controller, it will also
>> forward out to other ports then?
> Yes: by default, if there is no controller, or if the controller cannot
> be contacted, then OVS acts as a MAC-learning Ethernet switch.
>
>>>> touch /usr/local/var/run/openvswitch/controller.sock
>>> This "touch" isn't useful (though it doesn't hurt anything).
>> In my setup, if I didn't create the socket file beforehand, it will fail
>> to start ovs-controller.
> What error message do you get?
Sorry, it was my mistake here. The error was due to a typo.

>>>> ovs-controller --noflow --pidfile --detach
>>>> punix:/usr/local/var/run/openvswitch/controller.sock
>>> This tells ovs-controller to listen on
>>> /usr/local/var/run/openvswitch/controller.sock.
>>>
>>>> ovs-vsctl set-controller br0
>>>> punix:/usr/local/var/run/openvswitch/controller.sock
>>> This also tells ovs-vswitchd to listen on
>>> /usr/local/var/run/openvswitch/controller.sock.  Not good: you need it
>>> to connect to that socket.  So that's "unix:" instead of "punix:".  (If
>>> you'd read the ovs-vswitchd log messages you'd have seen the problem.)
It is not possible to create my own socket. I got the error message below:
Nov 02 17:23:36|00012|bridge|ERR|bridge br0: Not adding Unix domain
socket controller "unix:/usr/local/var/run/openvswitch/controller.sock"
due to possibility for remote exploit.  Instead, specify whitelisted
"unix:/usr/local/var/run/openvswitch/br0.controller" or connect to
"unix:/usr/local/var/run/openvswitch/br0.mgmt" (which is always
available without special configuration).

So, I tried to use the whitelisted socket by running the two commands below:
ovs-controller --noflow --pidfile --detach punix:/usr/local/var/run/openvswitch/br0.controller
ovs-vsctl set-controller br0 unix:/usr/local/var/run/openvswitch/br0.controller

It seems like I can connect, but it is unable to find the controller.
I don't know why it uses this IP address (96.0.0.0) though.
This time it finds no match in the lookup table, but the switch still
forwards incoming packets from port 1 out on port 2.
Another thing I noticed is that this time "ovs-dpctl dump-flows br0"
showed no entry.

From ovs-vswitchd.log:
Nov 02 19:14:07|00012|rconn|INFO|br0<->unix:/usr/local/var/run/openvswitch/br0.controller: connecting...
Nov 02 19:14:07|00013|in_band|WARN|cannot find route for controller (96.0.0.0): No such device or address
Nov 02 19:14:07|00014|rconn|INFO|br0<->unix:/usr/local/var/run/openvswitch/br0.controller: connected
Nov 02 19:14:08|00015|in_band|WARN|cannot find route for controller (96.0.0.0): No such device or address
Nov 02 19:14:09|00016|in_band|WARN|cannot find route for controller (96.0.0.0): No such device or address
Nov 02 19:14:10|00017|in_band|WARN|cannot find route for controller (96.0.0.0): No such device or address

host1:/home/voravit/openvswitch# ovs-vsctl show
32472842-2bd8-492c-9f1f-4a616b6238a8
    Bridge "br0"
        Controller "unix:/usr/local/var/run/openvswitch/br0.controller"
            is_connected: true
        Port "br0"
            Interface "br0"
                type: internal
        Port "eth4"
            Interface "eth4"
        Port "eth5"
            Interface "eth5"

host1:/home/voravit/openvswitch# ovs-ofctl dump-flows br0
NXST_FLOW reply (xid=0x4):

host1:/home/voravit/openvswitch# ovs-dpctl show br0
system at br0:
    lookups: hit:0 missed:1 lost:0
    flows: 0
    port 0: br0 (internal)
    port 1: eth4
    port 2: eth5
host1:/home/voravit/openvswitch# ovs-ofctl dump-tables br0|more
OFPST_TABLE reply (xid=0x1): 255 tables
  0: classifier: wild=0x3fffff, max=1000000, active=7
               lookup=1, matched=0

I also tried it with a TCP socket to 127.0.0.1 using these two command lines:
ovs-controller --noflow --pidfile --detach ptcp:6633:127.0.0.1
ovs-vsctl set-controller br0 tcp:127.0.0.1:6633
I got pretty much the same result, with the error "cannot find route for
controller (127.0.0.1)".

By the way, in my setup, I use Bifrost Linux running from a USB flash
drive. It does not write any log files locally.
I did add the --log-file option when I ran ovs-vswitchd and ovs-controller,
but I don't know if I am missing any messages or not.
I'll try to set up a syslog server on another machine to relay log
messages later.

>> My /usr/local/var/run/openvswitch/log folder is empty. I suppose I need
>> to give explicit logging options to get a log file then.
> You can use --log-file to enable logging to a file.  Logs are also sent
> by default to syslog.
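The thread above turns on two configuration details that are easy to get wrong: the switch side of `ovs-vsctl set-controller` must use `unix:` (connect) rather than `punix:` (listen), and ovs-vswitchd refuses any Unix-socket controller other than the whitelisted `<rundir>/<bridge>.controller` and `<rundir>/<bridge>.mgmt` paths. The script below is an added example, not code from the thread or from the Open vSwitch project: it pre-checks a controller target against those two rules before you hand it to ovs-vsctl, and it counts the `in_band` "cannot find route for controller" warnings in a log excerpt so you can spot that failure mode without scrolling through the whole file. It assumes the default run directory `/usr/local/var/run/openvswitch` used in the thread, and the log excerpt it parses is a constructed sample shaped like the lines posted above.

```shell
#!/bin/sh
# Added example (not from the thread or the OVS project). Assumption: the
# default run directory from the thread's installation.
RUNDIR=/usr/local/var/run/openvswitch

# check_controller_target BRIDGE TARGET
# Prints a verdict and returns 0 when TARGET is something ovs-vswitchd will
# accept for "ovs-vsctl set-controller BRIDGE TARGET".
check_controller_target() {
    bridge=$1
    target=$2
    case "$target" in
        punix:*)
            # "punix:" means "listen here"; the switch must *connect* instead.
            echo "REJECT: '$target' uses punix: (listen); use unix: to connect"
            return 1 ;;
        unix:"$RUNDIR/$bridge.controller"|unix:"$RUNDIR/$bridge.mgmt")
            # Only these two per-bridge paths are on ovs-vswitchd's whitelist.
            echo "OK: whitelisted Unix socket $target"
            return 0 ;;
        unix:*)
            # Any other Unix socket is refused with the "remote exploit" error.
            echo "REJECT: $target is not a whitelisted socket for $bridge"
            return 1 ;;
        tcp:*|ssl:*)
            echo "OK: network controller $target"
            return 0 ;;
        *)
            echo "REJECT: unknown controller target '$target'"
            return 1 ;;
    esac
}

# Constructed log excerpt in the same shape as the ovs-vswitchd.log lines
# quoted in the thread (not a real capture).
SAMPLE_LOG='Nov 02 19:14:07|00012|rconn|INFO|br0<->unix:/usr/local/var/run/openvswitch/br0.controller: connecting...
Nov 02 19:14:07|00013|in_band|WARN|cannot find route for controller (96.0.0.0): No such device or address
Nov 02 19:14:07|00014|rconn|INFO|br0<->unix:/usr/local/var/run/openvswitch/br0.controller: connected
Nov 02 19:14:08|00015|in_band|WARN|cannot find route for controller (96.0.0.0): No such device or address'

# count_route_warnings LOGTEXT
# Prints how many in_band "cannot find route for controller" warnings appear.
count_route_warnings() {
    printf '%s\n' "$1" | grep -c '|in_band|WARN|cannot find route for controller'
}

# route_warning_addresses LOGTEXT
# Prints the distinct controller addresses those warnings complain about.
route_warning_addresses() {
    printf '%s\n' "$1" \
        | sed -n 's/.*cannot find route for controller (\([^)]*\)).*/\1/p' \
        | sort -u
}

# Stand-alone demo: vet the targets that appear in the thread, then scan the log.
for t in "punix:$RUNDIR/br0.controller" \
         "unix:$RUNDIR/controller.sock" \
         "unix:$RUNDIR/br0.controller" \
         "tcp:127.0.0.1:6633"; do
    check_controller_target br0 "$t" || :
done
echo "route warnings: $(count_route_warnings "$SAMPLE_LOG")"
echo "addresses:      $(route_warning_addresses "$SAMPLE_LOG" | tr '\n' ' ')"
```

Run it before applying a controller change; a REJECT verdict means ovs-vswitchd would either listen instead of connect or log the "Not adding Unix domain socket controller" error seen in the thread, and a non-zero warning count means in-band control is failing to resolve the controller address for the configured target.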


