[ovs-discuss] separate flows per vm

Justin Pettit jpettit at ovn.org
Wed Nov 25 08:06:34 UTC 2015


> On Nov 19, 2015, at 6:23 AM, Anna Giannakou <anna.giannakou at inria.fr> wrote:
> 
> Hello,
> I am trying to have a separate flow table per vm that is connected to br-int. So far to do that I insert a resubmit flow to the base table (table 0) and then a basic drop all flow to the table of the vm (table 25 in this example).
> The two flows are:
> ovs-ofctl add-flow br-int "table=0,priority=19,in_port=2, actions=resubmit(,25)" for resubmission
> ovs-ofctl add-flow br-int "table=25,priority=0,in_port=2,actions=drop" for drop all traffic.
> 
> The problem is that when I try to insert a new rule in table 25 (to allow ssh connection from a specific host for example) the rule does not work. The flow that I am trying to insert is:
> ovs-ofctl add-flow br-int "table=25,priority=2,tcp,in_port=2,tp_dst=22,nw_src=10.1.0.2, actions=normal"
> 
> Can you please tell me if there is a problem with this particular flow or the way I am defining it?
> The complete flow table is as follows:
> NXST_FLOW reply (xid=0x4):
> cookie=0x0, duration=83007.359s, table=0, n_packets=1296, n_bytes=66540, idle_age=11, hard_age=65534, priority=19,in_port=2 actions=resubmit(,25)
> cookie=0x0, duration=83403.026s, table=0, n_packets=4, n_bytes=168, idle_age=65534, hard_age=65534, priority=10,arp,in_port=2 actions=resubmit(,24)
> cookie=0x0, duration=83402.994s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=10,arp,in_port=11 actions=resubmit(,24)
> cookie=0x0, duration=83403.058s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=10,arp,in_port=3 actions=resubmit(,24)
> cookie=0x0, duration=83403.759s, table=0, n_packets=71669, n_bytes=5966012, idle_age=1, hard_age=65534, priority=0 actions=NORMAL
> cookie=0x0, duration=83403.754s, table=23, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
> cookie=0x0, duration=83403.031s, table=24, n_packets=4, n_bytes=168, idle_age=65534, hard_age=65534, priority=2,arp,in_port=2,arp_spa=10.1.0.4 actions=NORMAL
> cookie=0x0, duration=83403s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=2,arp,in_port=11,arp_spa=10.1.0.46 actions=NORMAL
> cookie=0x0, duration=83403.063s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=2,arp,in_port=3,arp_spa=10.1.0.8 actions=NORMAL
> cookie=0x0, duration=83403.749s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
> cookie=0x0, duration=101.509s, table=25, n_packets=0, n_bytes=0, idle_age=101, priority=2,tcp,in_port=2,nw_src=10.1.0.2,tp_dst=22 actions=NORMAL
> cookie=0x0, duration=82135.593s, table=25, n_packets=1176, n_bytes=49776, idle_age=11, hard_age=65534, priority=0,in_port=2 actions=drop
> 
> As you can see from the flow table, although the first flow is applied and the packets are redirected, no packets match the ssh flow (they all match the drop one with the latest priority).

I think this is just an old message that .  The problem was related to the missing ARP entries.

--Justin
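
The reply above attributes the failure to missing ARP entries. As an added illustration (not part of the original thread and not OVS code), this Python script re-evaluates a subset of the posted flow dump with simplified exact-match semantics and shows that an ARP packet arriving on port 2 matches the priority=19 resubmit ahead of the priority=10 ARP rule and ends at the table 25 drop. The `parse` and `trace` helpers and the two sample packets are constructed for this example.

```python
import re

# Flow entries copied from the dump in the quoted message (counters omitted).
DUMP = """\
table=0, priority=19,in_port=2 actions=resubmit(,25)
table=0, priority=10,arp,in_port=2 actions=resubmit(,24)
table=0, priority=0 actions=NORMAL
table=24, priority=2,arp,in_port=2,arp_spa=10.1.0.4 actions=NORMAL
table=24, priority=0 actions=drop
table=25, priority=2,tcp,in_port=2,nw_src=10.1.0.2,tp_dst=22 actions=NORMAL
table=25, priority=0,in_port=2 actions=drop
"""

def parse(dump):
    """Return a list of (table, priority, match dict, action string)."""
    flows = []
    for line in dump.splitlines():
        head, action = line.split(" actions=")
        table = int(re.search(r"table=(\d+)", head).group(1))
        match = {}
        for tok in head.split(", ", 1)[1].split(","):
            key, _, val = tok.partition("=")
            match[key if val else "proto"] = val or key  # bare "arp"/"tcp" is a protocol
        flows.append((table, int(match.pop("priority")), match, action))
    return flows

def trace(flows, pkt, table=0):
    """Follow a packet through the tables; return the (table, priority, action) hops."""
    hits = [f for f in flows if f[0] == table
            and all(pkt.get(k) == v for k, v in f[2].items())]
    if not hits:
        return [(table, None, "drop")]  # assumption: a table miss drops
    _, prio, _, action = max(hits, key=lambda f: f[1])  # highest priority wins
    hop = [(table, prio, action)]
    m = re.fullmatch(r"resubmit\(,(\d+)\)", action)
    return hop + trace(flows, pkt, int(m.group(1))) if m else hop

FLOWS = parse(DUMP)
# Constructed packets: an ARP from the VM on port 2, and a packet matching the SSH rule.
ARP = {"proto": "arp", "in_port": "2", "arp_spa": "10.1.0.4"}
SSH = {"proto": "tcp", "in_port": "2", "nw_src": "10.1.0.2", "tp_dst": "22"}

if __name__ == "__main__":
    for name, pkt in (("arp", ARP), ("ssh", SSH)):
        print(name, trace(FLOWS, pkt))
```

Calling `trace(FLOWS[1:], ARP)` evaluates the same ARP packet without the priority=19 entry, in which case it reaches the table 24 ARP rule instead.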




