[ovs-discuss] ovs-conntrack helper functions

John Hurley john.hurley at netronome.com
Thu Jul 9 11:59:31 UTC 2015


Hi,

I have a few queries about the use of helper functions in ovs-conntrack.
I've tried multiple tests and cannot get the ftp expected flows to work
correctly.

As an example, take the following rules:

ovs-ofctl add-flow br0 "tcp,conn_state=-trk,action=ct(recirc)"
ovs-ofctl add-flow br0 "priority=11,tcp,conn_state=+trk+new,action=ct(alg=ftp,commit),2"
ovs-ofctl add-flow br0 "priority=12,tcp,conn_state=+trk+new+rel,action=ct(commit),2"
ovs-ofctl add-flow br0 "priority=11,tcp,conn_state=+trk-new+rel,action=2"
ovs-ofctl add-flow br0 "priority=10,tcp,conn_state=+trk-new,action=2"

For an ftp session I would expect all packets to hit the top rule, new
flows to recirculate and be committed to the Conntrack tables with the ftp
helper assigned (nf_conntrack_ftp is running).  Then the following packets
in that flow should have the helper function applied to them. New or
related flows spawned from the control channel should be picked up by the
3rd and 4th rules. In my tests only the 1st, 2nd and last rule are hit.  Is
my interpretation correct?

From tracing some of the code I can see that the helper is assigned
correctly on the first packet of a flow but this is not maintained across
following packets. These all fail to implement the helper function due to
the call of nfct_help(ct) returning NULL. The help function will be
correctly applied to each packet if a 'commit' is not used in the 2nd
rule, as all packets are assumed new and assigned the helper in the
nf_conntrack_in function. But doing this means that the state information
is incorrect for the packet and it will fail to match in nf_conntrack_ftp.

I would also like to understand more about the use of a nf_conntrack
template. It seems that the use of 'alg=ftp' is only for copying the
correct helper to a template that is set up with a new rule - the ftp
helper module will be added automatically based on port number in
nf_conntrack_in? The helper seems to be added to the template correctly but
is never used again from what I can see.

Can you clear up some of my misunderstandings here? An example ruleset that
is known to work would also be helpful.

Thanks,
John
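Added illustration, not part of John's message and not OVS code: a small Python simulator of which rule in the ruleset quoted above a TCP packet would hit, given OpenFlow priority selection and the +flag/-flag conn_state match. The five rules are copied from the message (the first has no explicit priority, so the OpenFlow default of 32768 is assumed); the packet states fed in are constructed, and the two-pass "untracked, then recirculated" walk in trace() is a simplification of the real datapath.

```python
import re

# Rules as (priority, conn_state match, action), taken from the post.
# The first rule gives no priority, so OpenFlow's default of 32768 applies.
RULES = [
    (32768, "-trk", "ct(recirc)"),
    (11, "+trk+new", "ct(alg=ftp,commit),2"),
    (12, "+trk+new+rel", "ct(commit),2"),
    (11, "+trk-new+rel", "2"),
    (10, "+trk-new", "2"),
]

def parse_state(spec):
    """Split '+trk-new+rel' into (required flags, forbidden flags)."""
    required, forbidden = set(), set()
    for sign, flag in re.findall(r"([+-])(\w+)", spec):
        (required if sign == "+" else forbidden).add(flag)
    return required, forbidden

def matches(spec, flags):
    """True if every '+' flag is set and no '-' flag is set in `flags`."""
    required, forbidden = parse_state(spec)
    return required <= flags and not (forbidden & flags)

def lookup(flags):
    """Highest-priority matching rule as (priority, action); None on table miss."""
    hits = [(prio, action) for prio, spec, action in RULES if matches(spec, flags)]
    return max(hits, key=lambda h: h[0]) if hits else None

def trace(ct_flags):
    """Actions a packet takes: first pass untracked (no flags); if that rule
    recirculates through ct(), a second pass with the conntrack flags that
    lookup would set for it (`ct_flags`, constructed here). Simplified model."""
    path = []
    first = lookup(set())
    if first is None:
        return path
    path.append(first[1])
    if "recirc" in first[1]:
        second = lookup(set(ct_flags))
        path.append(second[1] if second else "table-miss")
    return path

if __name__ == "__main__":
    for name, flags in [("new ftp control", {"trk", "new"}),
                        ("new related data", {"trk", "new", "rel"}),
                        ("reply on control", {"trk", "est"})]:
        print(f"{name:>16}: {trace(flags)}")
```

Feeding it a reply packet with only +trk+est shows why the 5th rule is the one hit: the 3rd and 4th rules both require +rel, which only appears once conntrack has actually associated the data connection with the control channel via the helper.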