[ovs-discuss] ovs-conntrack action ordering?

John Hurley john.hurley at netronome.com
Wed Jun 24 16:12:08 UTC 2015


Hi,

I have been playing about with ovs-conntrack and noticed an issue that
could be a bug. Either that or my understanding is incorrect and would
appreciate clarification.

When we add a rule with a ct(recirc) action I notice that the call to
Conntrack is always the first action in the kernel rule that is created. In
ofproto-dpif-xlate.c a call to compose_conntrack_action() will append a
nl_msg for this action, then call recirculate which uses
commit_odp_actions() to add messages for previous actions before adding its
own recirc action to kernel rule action list.  However, I have also noticed
that when a push mpls action is added that this commit_odp_actions()
function is also called which can affect the tuples sent to nf_conntrack.

e.g. adding the rule:
ovs-ofctl add-flow br0
"conn_state=-trk,action=set_field:1.2.3.4->nw_dst,ct(recirc)"

will result in a kernel rule with actions of order 'ct, set dst ip, recirc'
and the sk_buff sent to nf_conntrack_in will have the source and
destination IP addresses of the matching packet.


adding the rule:
ovs-ofctl add-flow br0
"conn_state=-trk,action=set_field:1.2.3.4->nw_dst,push_mpls:0x8847,ct(recirc)"

will have actions ordered 'set dst ip, ct, push mpls, recirc' and the
destination IP sent into nf_conntrack will be 1.2.3.4

Can you clarify if this discrepancy is a bug? Also, can you clarify what is
the correct way ovs should support Conntrack in an action list? For
example, in the first rule, is it correct that Conntrack should be applied
on the input packet tuples or should the set field be applied before
Conntrack as it appears before it in the ovs-ofctl rule?

Thanks,
John
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20150624/452a270c/attachment-0002.html>


More information about the discuss mailing list