[ovs-discuss] Is conntrack support working?

Joe Stringer joestringer at nicira.com
Fri Oct 23 00:51:52 UTC 2015


On 22 October 2015 at 17:21, Seth Robertson
<srobertson+ovs at appcomsci.com> wrote:
>
> I see openvswitch conntrack support in the source code (master branch)
> and discussed in various presentations, but any simple test I attempt
> fails utterly as do the test cases in the openvswitch code.
>
> I specifically just installed Fedora 23 in a VM and updated to the
> latest RPMs which gave me a 4.3 kernel.  I then compiled openvswitch.
> The `make check` tests passed, but `make check-system-userspace`
> skipped the conntrack tests (perhaps as expected?) and `make
> check-kernel` failed those tests.

For what it's worth, Linux-4.3 isn't released yet and some things have
changed in the ABI recently, so without knowing exactly which upstream
commit the fedora-provided kernel comes from, I couldn't tell you if
it works. The most reliable way to test today would be to grab the
linux "net" tree and compile yourself. Alternatively you could wait
for the actual Linux-4.3 release and grab a fresh kernel then (it
should be in the next couple of weeks).

Userspace conntrack support is missing at the moment, so skipping
those tests is to be expected.

> ----------------------------------------------------------------------
> ./system-traffic.at:162: ovs-ofctl add-flows br0 flows.txt
> --- /dev/null   2015-10-22 15:04:00.905000000 -0400
> +++ /home/s/ovs/tests/system-kmod-testsuite.dir/at-groups/6/stderr   2015-10-22 16:07:56.517203730 -0400
> @@ -0,0 +1,7 @@
> +OFPT_ERROR (xid=0xc): OFPBMC_BAD_FIELD
> +NXT_FLOW_MOD (xid=0xc):
> +(***truncated to 64 bytes from 88***)
> +00000000  01 04 00 58 00 00 00 0c-00 00 23 20 00 00 00 0d |...X......# ....|
> +00000010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 64 |...............d|
> +00000020  ff ff ff ff ff ff 00 00-00 1d 00 00 00 00 00 00 |................|
> +00000030  00 00 00 02 00 02 00 00-06 02 08 00 00 00 0c 01 |................|
> ./system-traffic.at:162: exit code was 1, expected 0
> ----------------------------------------------------------------------

When the kernel doesn't support connection tracking and an OpenFlow
controller tries to install flows which match on connection tracking
state, OVS will reject those flows with this kind of "bad field"
error. If you go to the top of the ovs-vswitchd log, I suspect that
you'll see a few messages along the lines of "datapath does not
support ct_state". The kernel may also print some relevant logs to
dmesg.

> This is using today's (2015-10-22) openvswitch git repo.  I would be
> perfectly happy to try another version.
>
> But perhaps this is all a blind alley for me.  My real goal is for
> conntrack and the ftp helper (alg=) to help with NAT to translate the
> payload PORT and PASV data containing NAT'd IP addresses.  It isn't
> clear whether this functionality is supported.

There is no NAT support in OVS tree at the moment; Jarno posted an RFC
patch series recently and that's the bleeding edge.
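The hexdump in the quoted OFPT_ERROR can be read by hand, but a small decoder makes it obvious what was rejected. The following is an added example, not code from the OVS tree or from either author: it parses the OpenFlow 1.0 header, the Nicira vendor header and the fixed nx_flow_mod fields from the 64 bytes ovs-ofctl printed, then walks the NXM match TLVs until the truncated dump runs out. Field layouts follow the OpenFlow 1.0 spec and OVS's nicira-ext.h; the constants and field names are my own transcription of those headers, and the sample input is the four dump lines quoted above.

```python
"""Decode the truncated NXT_FLOW_MOD hexdump from the quoted OFPT_ERROR."""
import struct

# The four dump lines as quoted in the error message above: an offset
# column, 16 hex bytes with a '-' after the 8th, then an ASCII column.
HEXDUMP = """\
00000000  01 04 00 58 00 00 00 0c-00 00 23 20 00 00 00 0d |...X......# ....|
00000010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 64 |...............d|
00000020  ff ff ff ff ff ff 00 00-00 1d 00 00 00 00 00 00 |................|
00000030  00 00 00 02 00 02 00 00-06 02 08 00 00 00 0c 01 |................|
"""

# Constants transcribed from OpenFlow 1.0 and nicira-ext.h (assumed here).
OFPT_VENDOR = 4             # OF1.0 message type carrying vendor extensions
NX_VENDOR_ID = 0x00002320   # Nicira extension vendor id
NXT_FLOW_MOD = 13           # Nicira subtype: flow_mod carrying an nx_match

# NXM_OF_* field numbers (class 0x0000) that occur in this particular dump.
NXM_OF_FIELD_NAMES = {0: "in_port", 3: "eth_type", 6: "ip_proto"}


def hexdump_to_bytes(dump: str) -> bytes:
    """Turn ovs-ofctl's hexdump text back into the raw message bytes."""
    out = bytearray()
    for line in dump.splitlines():
        if not line.strip():
            continue
        body = line.split("|", 1)[0]          # drop the ASCII column
        hexpart = body.split(None, 1)[1]      # drop the offset column
        for tok in hexpart.replace("-", " ").split():
            out.append(int(tok, 16))
    return bytes(out)


def decode_nxt_flow_mod(buf: bytes) -> dict:
    """Decode header, vendor header, nx_flow_mod fixed fields and NXM TLVs."""
    # struct ofp_header: version(1) type(1) length(2) xid(4)
    version, msg_type, length, xid = struct.unpack_from("!BBHI", buf, 0)
    # struct nicira_header continues with vendor(4) subtype(4)
    vendor, subtype = struct.unpack_from("!II", buf, 8)
    # struct nx_flow_mod: cookie(8) command(2) idle(2) hard(2) priority(2)
    # buffer_id(4) out_port(2) flags(2) match_len(2) pad(6); match follows
    (cookie, command, idle_to, hard_to, priority, buffer_id,
     out_port, flags, match_len) = struct.unpack_from("!QHHHHIHHH", buf, 16)
    msg = {
        "version": version, "type": msg_type, "length": length, "xid": xid,
        "vendor": vendor, "subtype": subtype, "cookie": cookie,
        "command": command, "priority": priority, "buffer_id": buffer_id,
        "out_port": out_port, "flags": flags, "match_len": match_len,
        # ovs-ofctl said "truncated to 64 bytes from 88": length > len(buf)
        "truncated": len(buf) < length,
        "match": [],
    }
    # NXM TLVs start at offset 48. Header: class(2), field(7 bits) + hasmask
    # (1 bit), value length(1). Stop at the end of the match or of the dump.
    off = 48
    end = min(len(buf), 48 + match_len)
    while off + 4 <= end:
        nxm_class, field_hm, tlv_len = struct.unpack_from("!HBB", buf, off)
        field = field_hm >> 1
        name = (NXM_OF_FIELD_NAMES.get(field, str(field)) if nxm_class == 0
                else f"{nxm_class:#06x}/{field}")
        off += 4
        if off + tlv_len > end:
            # The value lies past the truncated dump: keep the header only.
            msg["match"].append({"class": nxm_class, "field": field,
                                 "name": name, "value": None})
            break
        msg["match"].append({"class": nxm_class, "field": field, "name": name,
                             "value": buf[off:off + tlv_len].hex()})
        off += tlv_len
    return msg


if __name__ == "__main__":
    decoded = decode_nxt_flow_mod(hexdump_to_bytes(HEXDUMP))
    for key, val in decoded.items():
        print(f"{key}: {val}")
```

Run as-is it shows an OFPT_VENDOR message (type 4) of 88 bytes with xid 0xc, vendor 0x2320 and subtype 13, i.e. the NXT_FLOW_MOD that ovs-ofctl named; the flow being added has priority 100, and the visible part of its 29-byte nx_match is in_port=2, eth_type=0x0800 and an ip_proto field whose value falls past the 64-byte cut. The ct_state match that triggered OFPBMC_BAD_FIELD sits in the truncated remainder, which is why the dump alone cannot show it.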


