[ovs-discuss] separate flows per vm
Anna Giannakou
anna.giannakou at inria.fr
Thu Nov 19 14:38:52 UTC 2015
Hello,
I am trying to have a separate flow table per VM that is connected to br-int. So far, to do that, I insert a resubmit flow into the base table (table 0) and then a basic drop-all flow into the table of the VM (table 25 in this example).
The two flows are:
ovs-ofctl add-flow br-int "table=0,priority=19,in_port=2, actions=resubmit(,25)" for resubmission
ovs-ofctl add-flow br-int "table=25,priority=0,in_port=2,actions=drop" for dropping all traffic.
The problem is that when I try to insert a new rule in table 25 (to allow an SSH connection from a specific host, for example) the rule does not work. The flow that I am trying to insert is:
ovs-ofctl add-flow br-int "table=25,priority=2,tcp,in_port=2,tp_dst=22,nw_src=10.1.0.2, actions=normal"
Can you please tell me if there is a problem with this particular flow or the way I am defining it?
The complete flow table is as follows:
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=83007.359s, table=0, n_packets=1296, n_bytes=66540, idle_age=11, hard_age=65534, priority=19,in_port=2 actions=resubmit(,25)
cookie=0x0, duration=83403.026s, table=0, n_packets=4, n_bytes=168, idle_age=65534, hard_age=65534, priority=10,arp,in_port=2 actions=resubmit(,24)
cookie=0x0, duration=83402.994s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=10,arp,in_port=11 actions=resubmit(,24)
cookie=0x0, duration=83403.058s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=10,arp,in_port=3 actions=resubmit(,24)
cookie=0x0, duration=83403.759s, table=0, n_packets=71669, n_bytes=5966012, idle_age=1, hard_age=65534, priority=0 actions=NORMAL
cookie=0x0, duration=83403.754s, table=23, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
cookie=0x0, duration=83403.031s, table=24, n_packets=4, n_bytes=168, idle_age=65534, hard_age=65534, priority=2,arp,in_port=2,arp_spa=10.1.0.4 actions=NORMAL
cookie=0x0, duration=83403s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=2,arp,in_port=11,arp_spa=10.1.0.46 actions=NORMAL
cookie=0x0, duration=83403.063s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=2,arp,in_port=3,arp_spa=10.1.0.8 actions=NORMAL
cookie=0x0, duration=83403.749s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
cookie=0x0, duration=101.509s, table=25, n_packets=0, n_bytes=0, idle_age=101, priority=2,tcp,in_port=2,nw_src=10.1.0.2,tp_dst=22 actions=NORMAL
cookie=0x0, duration=82135.593s, table=25, n_packets=1176, n_bytes=49776, idle_age=11, hard_age=65534, priority=0,in_port=2 actions=drop
As you can see from the flow table, although the first flow is applied and the packets are redirected, no packets match the SSH flow (they all match the drop one with the latest priority).
Thanks
Anna
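
Added example, not part of the original message: a simplified Python model of the table lookup (highest-priority exact match per table, following `resubmit(,N)`), run over seven flows copied from the dump above. The packets are constructed, and the exact-match rule and drop-on-table-miss behaviour are assumptions of this model, not Open vSwitch's own code.

```python
import re

# Seven flows copied verbatim from the dump-flows output in the message above.
DUMP = """
cookie=0x0, duration=83007.359s, table=0, n_packets=1296, n_bytes=66540, idle_age=11, hard_age=65534, priority=19,in_port=2 actions=resubmit(,25)
cookie=0x0, duration=83403.026s, table=0, n_packets=4, n_bytes=168, idle_age=65534, hard_age=65534, priority=10,arp,in_port=2 actions=resubmit(,24)
cookie=0x0, duration=83403.759s, table=0, n_packets=71669, n_bytes=5966012, idle_age=1, hard_age=65534, priority=0 actions=NORMAL
cookie=0x0, duration=83403.031s, table=24, n_packets=4, n_bytes=168, idle_age=65534, hard_age=65534, priority=2,arp,in_port=2,arp_spa=10.1.0.4 actions=NORMAL
cookie=0x0, duration=83403.749s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
cookie=0x0, duration=101.509s, table=25, n_packets=0, n_bytes=0, idle_age=101, priority=2,tcp,in_port=2,nw_src=10.1.0.2,tp_dst=22 actions=NORMAL
cookie=0x0, duration=82135.593s, table=25, n_packets=1176, n_bytes=49776, idle_age=11, hard_age=65534, priority=0,in_port=2 actions=drop
"""

def parse(dump):
    """Return one (table, priority, match dict, actions) tuple per flow line."""
    flows = []
    for line in dump.strip().splitlines():
        head, actions = line.split(" actions=")
        table = int(re.search(r"table=(\d+)", head).group(1))
        match = {}
        # The last token of head is the match, e.g. "priority=2,tcp,in_port=2".
        for field in head.split()[-1].split(","):
            key, _, val = field.partition("=")
            # A bare keyword such as tcp or arp is stored under "proto".
            match[key if val else "proto"] = val or key
        prio = int(match.pop("priority"))
        flows.append((table, prio, match, actions))
    return flows

def trace(flows, pkt, table=0):
    """Follow resubmit(,N) and return (table, priority, actions) of the final flow."""
    hits = [f for f in flows
            if f[0] == table and all(pkt.get(k) == v for k, v in f[2].items())]
    if not hits:
        return (table, None, "drop")  # assumption of this model: a table miss drops
    tbl, prio, _, actions = max(hits, key=lambda f: f[1])
    m = re.fullmatch(r"resubmit\(,(\d+)\)", actions)
    return trace(flows, pkt, int(m.group(1))) if m else (tbl, prio, actions)

FLOWS = parse(DUMP)
# Constructed packets, described by the same field names the flows use.
SSH_PKT = {"in_port": "2", "proto": "tcp", "nw_src": "10.1.0.2", "tp_dst": "22"}
OTHER_SRC = dict(SSH_PKT, nw_src="10.1.0.4")
ARP_PKT = {"in_port": "2", "proto": "arp", "arp_spa": "10.1.0.4"}
```

On a live switch, `ovs-appctl ofproto/trace br-int <flow>` reports the path a given packet description takes through the actual tables.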