[ovs-discuss] OVS: not able to add conntack flow rules

Joe Stringer joestringer at nicira.com
Wed Oct 28 17:50:56 UTC 2015


I just looked back across the validation and there are two particular
cases that we don't validate on current master code:

- If the ct_state matches on 0-bits. For instance, flows matching
"ct_state=-trk", OVS accepts that even if there is no support for
conntrack.
- If flows specify the ct action, we allow it without checking for
datapath support.

These will need to be fixed.

I think that in your case, there are two possibilities: Either your
OVS kernel module doesn't support connection tracking at all (make
sure you're running the version you think you're running), or perhaps
connlabel support is not enabled on your kernel.

You can check for kernel support by looking at the OVS logs:

# grep "Datapath" /path/to/ovs-vswitchd.log
2015-10-26T17:28:26.801Z|00018|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports recirculation
2015-10-26T17:28:26.802Z|00020|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports unique flow ids
2015-10-26T17:28:26.802Z|00021|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_state
2015-10-26T17:28:26.802Z|00022|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_zone
2015-10-26T17:28:26.802Z|00023|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_mark
2015-10-26T17:28:26.802Z|00024|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_label

In this example, there is no kernel support for connection tracking.

On 28 October 2015 at 03:31, Kenchappa, Ravindra
<ravindra.kenchappa at hpe.com> wrote:
> Hi,
>
> The two threads:
>
> http://openvswitch.org/pipermail/discuss/2015-October/019201.html
> http://openvswitch.org/pipermail/dev/2015-October/061629.html
>
> discuss the kernel not supporting connection tracking and OVS rejecting conntrack flows with a "bad field" error.
>
> But in my case I was able to add the following flows with ct-state in the match field:
>
>     table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_label)),2
>     table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)
>
> but the flow below is not accepted by OVS and returns bad field error:
>
>     table=1,in_port=2,ct_state=+trk,ct_label=1,tcp,action=1
>
> Thanks,
> Ravi
>
> -----Original Message-----
> From: Joe Stringer [mailto:joestringer at nicira.com]
> Sent: Monday, October 26, 2015 10:22 PM
> To: Kenchappa, Ravindra
> Cc: discuss at openvswitch.org
> Subject: Re: [ovs-discuss] OVS: not able to add conntack flow rules
>
> On 25 October 2015 at 21:45, Kenchappa, Ravindra <ravindra.kenchappa at hpe.com> wrote:
>> Hi,
>>
>> I have downloaded and installed OVS 2.4.90
>> (https://github.com/justinpettit/ovs/tree/conntrack) and am trying to add
>> conntrack flows via ovs-ofctl. I am able to add a few sample flows, but I
>> am getting errors when I try to add the following flow:
>>
>> raveek:~/devstack$ sudo ovs-ofctl add-flow br-int table=1,in_port=2,ct_state=+est,tcp,action=1
>> OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD NXT_FLOW_MOD (xid=0x6):
>> (truncated to 64 bytes from 88)
>> 00000000 01 04 00 58 00 00 00 06-00 00 23 20 00 00 00 0d |...X......# ....|
>> 00000010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
>> 00000020 ff ff ff ff ff ff 00 00-00 1d 00 00 00 00 00 00 |................|
>> 00000030 00 00 00 02 00 02 00 00-06 02 08 00 00 00 0c 01 |................|
>>
>> raveek:~/devstack$ sudo ovs-ofctl add-flow br-int table=20,in_port=2,ct_state=+trk+new,tcp,action=drop
>> OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD NXT_FLOW_MOD (xid=0x6):
>> (truncated to 64 bytes from 80)
>> 00000000 01 04 00 50 00 00 00 06-00 00 23 20 00 00 00 0d |...P......# ....|
>> 00000010 00 00 00 00 00 00 00 00-14 00 00 00 00 00 80 00 |................|
>> 00000020 ff ff ff ff ff ff 00 00-00 1d 00 00 00 00 00 00 |................|
>> 00000030 00 00 00 02 00 02 00 00-06 02 08 00 00 00 0c 01 |................|
>> raveek::~/devstack$
>>
>> Here is what the flow table looks like.
>>
>> raveek:~/devstack$ sudo ovs-ofctl dump-flows br-int -Oopenflow13
>> OFPST_FLOW reply (OF1.3) (xid=0x2):
>> cookie=0x0, duration=98.291s, table=0, n_packets=0, n_bytes=0, dl_type=0x88cc actions=CONTROLLER:65535
>> cookie=0x0, duration=28.391s, table=0, n_packets=0, n_bytes=0, arp actions=NORMAL
>> cookie=0x0, duration=28.368s, table=0, n_packets=0, n_bytes=0, ct_state=-trk,tcp,in_port=1 actions=ct(commit,zone=9),output:2
>> cookie=0x0, duration=28.346s, table=0, n_packets=0, n_bytes=0, ct_state=-trk,tcp,in_port=2 actions=ct(table=1,zone=9)
>> cookie=0x0, duration=98.291s, table=0, n_packets=0, n_bytes=0, priority=0 actions=goto_table:20
>> cookie=0x0, duration=28.410s, table=0, n_packets=0, n_bytes=0, priority=1 actions=drop
>> cookie=0x0, duration=98.288s, table=20, n_packets=0, n_bytes=0, priority=0 actions=goto_table:30
>> cookie=0x0, duration=98.288s, table=30, n_packets=0, n_bytes=0, priority=0 actions=goto_table:40
>> cookie=0x0, duration=98.288s, table=40, n_packets=0, n_bytes=0, priority=0 actions=goto_table:50
>> cookie=0x0, duration=98.291s, table=50, n_packets=0, n_bytes=0, priority=0 actions=goto_table:60
>> cookie=0x0, duration=98.288s, table=60, n_packets=0, n_bytes=0, priority=0 actions=goto_table:70
>> cookie=0x0, duration=98.288s, table=70, n_packets=0, n_bytes=0, priority=0 actions=goto_table:80
>> cookie=0x0, duration=98.289s, table=80, n_packets=0, n_bytes=0, priority=0 actions=goto_table:90
>> cookie=0x0, duration=98.288s, table=90, n_packets=0, n_bytes=0, priority=0 actions=goto_table:100
>> cookie=0x0, duration=98.288s, table=100, n_packets=0, n_bytes=0, priority=0 actions=goto_table:110
>> cookie=0x0, duration=98.291s, table=110, n_packets=0, n_bytes=0, priority=0 actions=drop
>>
>> raveek::~/devstack$
>>
>> Could you please help me in identifying the problem?
>
> There have been multiple questions like this recently on this mailing list, see those threads:
>
> http://openvswitch.org/pipermail/discuss/2015-October/019201.html
> http://openvswitch.org/pipermail/dev/2015-October/061629.html
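
An added example, not part of the original message and not OVS code: it parses the "Datapath supports / does not support" lines from ovs-vswitchd.log and reports which conntrack features a flow relies on that the datapath lacks, including the two cases (ct_state=-trk matches and the ct action) that the reply says are not validated. The function names and the sample log are constructed here; treating the ct action as requiring ct_state support is an assumption of the example.

```python
import re

# Capability lines that ofproto_dpif logs at startup, e.g.
#   ...|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_state
CAP_RE = re.compile(
    r"\|ofproto_dpif\|INFO\|(?P<dp>[^:]+): Datapath "
    r"(?P<verdict>supports|does not support) (?P<feature>.+?)\s*$"
)
CT_FIELDS = ("ct_state", "ct_zone", "ct_mark", "ct_label")

# Constructed sample, modelled on the log lines quoted in the message.
SAMPLE_LOG = """\
2015-10-26T17:28:26.801Z|00018|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports recirculation
2015-10-26T17:28:26.802Z|00021|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_state
2015-10-26T17:28:26.802Z|00022|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_zone
2015-10-26T17:28:26.802Z|00023|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_mark
2015-10-26T17:28:26.802Z|00024|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_label
"""

# Flows taken from the quoted message.
FLOWS = (
    "table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_label)),2",
    "table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1)",
    "table=1,in_port=2,ct_state=+trk,ct_label=1,tcp,action=1",
)

def datapath_features(log_text):
    """Return {datapath: {feature: supported?}} parsed from log text."""
    caps = {}
    for line in log_text.splitlines():
        m = CAP_RE.search(line)
        if m:  # later lines win, so the most recent probe is the one kept
            caps.setdefault(m["dp"].strip(), {})[m["feature"]] = m["verdict"] == "supports"
    return caps

def unsupported_ct_use(flow, features):
    """List conntrack features the flow refers to that the datapath lacks."""
    needed = {f for f in CT_FIELDS if re.search(rf"\b{f}\b", flow)}
    if re.search(r"\bactions?=.*\bct\(", flow):
        needed.add("ct_state")  # assumption: ct() needs basic conntrack support
    return sorted(f for f in needed if not features.get(f, False))

if __name__ == "__main__":
    feats = datapath_features(SAMPLE_LOG)["netdev@ovs-netdev"]
    for flow in FLOWS:
        print(flow, "->", unsupported_ct_use(flow, feats) or "ok")
```

Running the check before ovs-ofctl add-flow catches flows such as ct_state=-trk that are accepted even though the datapath cannot track connections.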


