[ovs-discuss] Proxying using openvswitch

Ben Pfaff blp at nicira.com
Thu Mar 12 15:03:53 UTC 2015

The FAQ says:

### Q: I added a flow to send packets out the ingress port, like this:

       ovs-ofctl add-flow br0 in_port=2,actions=2

   but OVS drops the packets instead.

A: Yes, OpenFlow requires a switch to ignore attempts to send a packet
   out its ingress port.  The rationale is that dropping these packets
   makes it harder to loop the network.  Sometimes this behavior can
   even be convenient, e.g. it is often the desired behavior in a flow
   that forwards a packet to several ports ("floods" the packet).

   Sometimes one really needs to send a packet out its ingress port
   ("hairpin"). In this case, output to OFPP_IN_PORT, which in
   ovs-ofctl syntax is expressed as just "in_port", e.g.:

       ovs-ofctl add-flow br0 in_port=2,actions=in_port

   This also works in some circumstances where the flow doesn't match
   on the input port.  For example, if you know that your switch has
   five ports numbered 2 through 6, then the following will send every
   received packet out every port, even its ingress port:

       ovs-ofctl add-flow br0 actions=2,3,4,5,6,in_port

   or, equivalently:

       ovs-ofctl add-flow br0 actions=all,in_port

   Sometimes, in complicated flow tables with multiple levels of
   "resubmit" actions, a flow needs to output to a particular port
   that may or may not be the ingress port.  It's difficult to take
   advantage of OFPP_IN_PORT in this situation.  To help, Open vSwitch
   provides, as an OpenFlow extension, the ability to modify the
   in_port field.  Whatever value is currently in the in_port field is
   the port to which outputs will be dropped, as well as the
   destination for OFPP_IN_PORT.  This means that the following will
   reliably output to port 2 or to ports 2 through 6, respectively:

       ovs-ofctl add-flow br0 in_port=2,actions=load:0->NXM_OF_IN_PORT[],2
       ovs-ofctl add-flow br0 actions=load:0->NXM_OF_IN_PORT[],2,3,4,5,6

   If the input port is important, then one may save and restore it on
   the stack:

        ovs-ofctl add-flow br0 actions=push:NXM_OF_IN_PORT[],\

On Thu, Mar 12, 2015 at 06:21:45AM -0600, Scott Lowe wrote:
> The issue here—if I understand correctly—is that OpenFlow doesn't allow traffic to be forwarded out the same port in which it was received. To make this work, you'd have to receive traffic on eth0 and send it out eth1 (for example).
> Happy to be corrected if I am mistaken.
> > On Mar 12, 2015, at 5:59 AM, Emma Anderson <em.anderson88 at yahoo.com> wrote:
> > 
> > Hi all,
> > 
> > Can Open vSwitch act like: receive a packet from eth0, substitute IP/MAC, and send it back again on eth0?
> > 
> > I found that when a packet is received from eth0, although the flow is triggered, it looks like the packet is dropped silently and there is no trace in the logs (if I am looking at the right place).
> > 
> > Flow works well when I redirect the packet to another vm on the "same" host.
> > 
> > Thanks.
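
The output rule from the FAQ text quoted in this message, as an added Python model (not part of the original post and not Open vSwitch code). The name `run_actions`, the default port set 2 through 6, and the choice that `in_port` outputs nothing once the field holds 0 are assumptions of this sketch.

```python
# Toy model of the OpenFlow output rule described in the quoted FAQ.
# Assumption: the bridge has ports 2..6, as in the FAQ's own example.
LOAD_ZERO = "load:0->NXM_OF_IN_PORT[]"

def run_actions(in_port, actions, ports=(2, 3, 4, 5, 6)):
    """Return the ports a packet is sent out of, in action order."""
    sent = []
    for act in actions:
        if act == "in_port":
            # OFPP_IN_PORT: explicit hairpin to the current in_port value.
            # Assumption: nothing is sent if that value is not a real port.
            if in_port in ports:
                sent.append(in_port)
        elif act == "all":
            # "all" covers every port except the current in_port.
            sent.extend(p for p in ports if p != in_port)
        elif act == LOAD_ZERO:
            # Overwrite the in_port field; no port is 0, so nothing
            # is suppressed by later numeric outputs.
            in_port = 0
        elif isinstance(act, int):
            # A plain output to the current in_port is silently ignored.
            if act != in_port:
                sent.append(act)
        else:
            raise ValueError(f"unsupported action: {act!r}")
    return sent

# The flows from the FAQ, with a constructed ingress port for each.
FAQ_CASES = [
    (2, [2]),                          # in_port=2,actions=2
    (2, ["in_port"]),                  # in_port=2,actions=in_port
    (3, [2, 3, 4, 5, 6, "in_port"]),   # actions=2,3,4,5,6,in_port
    (3, ["all", "in_port"]),           # actions=all,in_port
    (2, [LOAD_ZERO, 2]),               # load:0->NXM_OF_IN_PORT[],2
    (4, [LOAD_ZERO, 2, 3, 4, 5, 6]),   # load:0->NXM_OF_IN_PORT[],2,3,4,5,6
]

if __name__ == "__main__":
    for ingress, actions in FAQ_CASES:
        print(f"in_port={ingress} actions={actions} -> {run_actions(ingress, actions)}")
```

The first case is the silent drop reported in the original question: the flow matches, but the only output targets the ingress port, so no packet leaves the switch.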
