[ovs-discuss] Firewall questions

Maurice Qureshi (maquresh) maquresh at cisco.com
Thu Dec 18 01:43:56 UTC 2014 

Hi Ashoka,

Have worked on OF1.0, so can tell you from OF1.0 perspective.

(https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-spec-v1.0.0.pdf)

If an OF switch wants to sends a packet to the controller, it uses PACKET_IN message type.

Thanks
Maurice

From: Ashok Chippa <a.n.chippa at gmail.com<mailto:a.n.chippa at gmail.com>>
Date: Wednesday, December 17, 2014 5:36 PM
To: "discuss at openvswitch.org<mailto:discuss at openvswitch.org>" <discuss at openvswitch.org<mailto:discuss at openvswitch.org>>
Subject: Re: [ovs-discuss] Firewall questions

Including my previous questions:

>
> I am trying to takeover Table0 for Firewall function. Have couple of questions:
>
> 1) On a table-miss in Table0, I would like to punt the packet to user space, for DPI/FW processing.
>     There must be a way to punt the packet to user space? However, I do not see an action like      PUNT_TO_CPU (or some such) in the
>     documentation (on a cursory review). How do I punt the packet to user space?
>
> 2) The Firewall installs a new flow (with action=drop or permit (go to the next table)). However,
>     I would like to re-inject the packet (the one that caused the table miss) back at the beginning of the pipeline. Is there a way to do this?
>     (RECIRC?)
>
> Appreciate your help.
[https://ssl.gstatic.com/ui/v1/icons/mail/images/cleardot.gif]
Any responses are appreciated. Checked the spec, and I do not see an action to punt the packet to controller. In section 5.12 of openflow-spec 1.3, I see the following actions: output, set-queue, drop, group, push-tag/pop-tag, set-field, change-ttl. I see no send-to-controller or some such to punt the packet to the controller. Is this not supported?!!! Please advice.

Also, are there any plans to support command completion in ovs-vsctl, ovs-ofctl, ovs-appctl etc. ctl commands?

Thanks,
Ashok





On Tue, Dec 16, 2014 at 4:43 PM, Ashok Chippa <a.n.chippa at gmail.com<mailto:a.n.chippa at gmail.com>> wrote:
Hi,

I am trying to takeover Table0 for Firewall function. Have couple of questions:

1) On a table-miss in Table0, I would like to punt the packet to user space, for DPI/FW processing.
    There must be a way to punt the packet to user space? However, I do not see an action like      PUNT_TO_CPU (or some such) in the documentation (on a cursory review). How do I punt the packet to user space?

2) The Firewall installs a new flow (with action=drop or permit (go to the next table)). However,
    I would like to re-inject the packet (the one that caused the table miss) back at the beginning of the pipeline. Is there a way to do this? (RECIRC?)

Appreciate your help.

Ashok
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20141218/3d8a2160/attachment-0002.html>

More information about the discuss mailing list