[ovs-discuss] separate flows per vm

Anna Giannakou anna.giannakou at inria.fr
Thu Nov 19 17:04:55 UTC 2015


Thank you so much, it works after adding a rule for outgoing traffic as well.


----- Original Message -----
> From: "Justin Pettit" <jpettit at ovn.org>
> To: "Anna Giannakou" <anna.giannakou at inria.fr>
> Cc: discuss at openvswitch.org
> Sent: Thursday, 19 November, 2015 5:24:17 PM
> Subject: Re: [ovs-discuss] separate flows per vm
> 
> 
> > On Nov 19, 2015, at 6:38 AM, Anna Giannakou <anna.giannakou at inria.fr>
> > wrote:
> > 
> > 
> > Hello,
> > I am trying to have a separate flow table per VM that is connected to
> > br-int. So far, to do that, I insert a resubmit flow into the base table
> > (table 0) and then a basic drop-all flow into the table of the VM (table 25
> > in this example).
> > The two flows are:
> > ovs-ofctl add-flow br-int "table=0,priority=19,in_port=2,actions=resubmit(,25)"
> > for resubmission
> > ovs-ofctl add-flow br-int "table=25,priority=0,in_port=2,actions=drop"
> > to drop all traffic.
> > 
> > The problem is that when I try to insert a new rule in table 25 (to allow
> > an SSH connection from a specific host, for example) the rule does not work.
> > The flow that I am trying to insert is:
> > ovs-ofctl add-flow br-int "table=25,priority=2,tcp,in_port=2,tp_dst=22,nw_src=10.1.0.2,actions=normal"
> > 
> > Can you please tell me if there is a problem with this particular flow or
> > the way I am defining it?
> > The complete flow table is as follows:
> > NXST_FLOW reply (xid=0x4):
> > cookie=0x0, duration=83007.359s, table=0, n_packets=1296, n_bytes=66540,
> > idle_age=11, hard_age=65534, priority=19,in_port=2 actions=resubmit(,25)
> > cookie=0x0, duration=83403.026s, table=0, n_packets=4, n_bytes=168,
> > idle_age=65534, hard_age=65534, priority=10,arp,in_port=2
> > actions=resubmit(,24)
> > cookie=0x0, duration=83402.994s, table=0, n_packets=0, n_bytes=0,
> > idle_age=65534, hard_age=65534, priority=10,arp,in_port=11
> > actions=resubmit(,24)
> > cookie=0x0, duration=83403.058s, table=0, n_packets=0, n_bytes=0,
> > idle_age=65534, hard_age=65534, priority=10,arp,in_port=3
> > actions=resubmit(,24)
> > cookie=0x0, duration=83403.759s, table=0, n_packets=71669, n_bytes=5966012,
> > idle_age=1, hard_age=65534, priority=0 actions=NORMAL
> > cookie=0x0, duration=83403.754s, table=23, n_packets=0, n_bytes=0,
> > idle_age=65534, hard_age=65534, priority=0 actions=drop
> > cookie=0x0, duration=83403.031s, table=24, n_packets=4, n_bytes=168,
> > idle_age=65534, hard_age=65534, priority=2,arp,in_port=2,arp_spa=10.1.0.4
> > actions=NORMAL
> > cookie=0x0, duration=83403s, table=24, n_packets=0, n_bytes=0,
> > idle_age=65534, hard_age=65534,
> > priority=2,arp,in_port=11,arp_spa=10.1.0.46 actions=NORMAL
> > cookie=0x0, duration=83403.063s, table=24, n_packets=0, n_bytes=0,
> > idle_age=65534, hard_age=65534, priority=2,arp,in_port=3,arp_spa=10.1.0.8
> > actions=NORMAL
> > cookie=0x0, duration=83403.749s, table=24, n_packets=0, n_bytes=0,
> > idle_age=65534, hard_age=65534, priority=0 actions=drop
> > cookie=0x0, duration=101.509s, table=25, n_packets=0, n_bytes=0,
> > idle_age=101, priority=2,tcp,in_port=2,nw_src=10.1.0.2,tp_dst=22
> > actions=NORMAL
> > cookie=0x0, duration=82135.593s, table=25, n_packets=1176, n_bytes=49776,
> > idle_age=11, hard_age=65534, priority=0,in_port=2 actions=drop
> > 
> > As you can see from the flow table, although the first flow is applied and
> > the packets are redirected, no packets match the SSH flow (they all match
> > the drop one with the latest priority).
> 
> It doesn't look like you allowed arp, so unless you are using static entries,
> there's probably not even any IP traffic flowing yet.  Try adding a flow
> like this:
> 
>   ovs-ofctl add-flow br-int "table=25,priority=1,in_port=2,arp,actions=normal"
> 
> Don't forget that you'll need to set up flows for the return traffic to make
> this work after you get past this issue.
> 
> --Justin
> 
> 
> 
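An added example, not from the thread or from Open vSwitch: a simplified Python model of priority-based lookup over the in_port=2 flows in the dump above, showing that ARP arriving on port 2 is resubmitted to table 25 and dropped until the suggested ARP flow is added, and that a return segment still hits the drop flow. The packet dictionaries, the field names `eth` and `ip_proto`, and the return segment's address and ports are constructed assumptions.

```python
# Simplified model of OpenFlow table lookup (added example, not OVS code):
# within a table the highest-priority flow whose match fields all equal the
# packet's fields wins; resubmit continues the lookup in another table.

def flow(table, priority, action, **match):
    return {"table": table, "priority": priority, "action": action, "match": match}

# Flows for in_port=2 taken from the dump in the thread.
BASE_FLOWS = [
    flow(0, 19, "resubmit:25", in_port=2),
    flow(0, 10, "resubmit:24", in_port=2, eth="arp"),
    flow(0, 0, "NORMAL"),
    flow(24, 2, "NORMAL", in_port=2, eth="arp", arp_spa="10.1.0.4"),
    flow(24, 0, "drop"),
    flow(25, 2, "NORMAL", in_port=2, eth="ip", ip_proto="tcp",
         nw_src="10.1.0.2", tp_dst=22),
    flow(25, 0, "drop", in_port=2),
]

# The ARP flow suggested in the reply.
ARP_FLOW = flow(25, 1, "NORMAL", in_port=2, eth="arp")

def lookup(flows, pkt, table=0):
    """Return (table, priority, action) of the flow that decides pkt's fate."""
    hits = [f for f in flows if f["table"] == table
            and all(pkt.get(k) == v for k, v in f["match"].items())]
    if not hits:
        return (table, None, "drop")  # table miss, modelled here as drop
    best = max(hits, key=lambda f: f["priority"])
    if best["action"].startswith("resubmit:"):
        return lookup(flows, pkt, int(best["action"].split(":")[1]))
    return (table, best["priority"], best["action"])

# Constructed sample packets, both arriving on in_port=2.
ARP_PKT = {"in_port": 2, "eth": "arp", "arp_spa": "10.1.0.4"}
# Assumed shape of a return segment of the SSH session (source port 22).
SSH_RETURN = {"in_port": 2, "eth": "ip", "ip_proto": "tcp",
              "nw_src": "10.1.0.4", "tp_src": 22, "tp_dst": 50000}

if __name__ == "__main__":
    print("ARP, flows as posted:", lookup(BASE_FLOWS, ARP_PKT))
    print("ARP, with ARP flow:  ", lookup(BASE_FLOWS + [ARP_FLOW], ARP_PKT))
    print("SSH return segment:  ", lookup(BASE_FLOWS + [ARP_FLOW], SSH_RETURN))
```

In this model the priority=19 resubmit in table 0 outranks the priority=10 ARP resubmit to table 24, so ARP from port 2 is decided entirely by table 25.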
