[ovs-discuss] Matching on tun_id in a flow rule
Jesse Gross
jesse at kernel.org
Mon Apr 18 16:46:50 UTC 2016
On Sun, Apr 17, 2016 at 9:43 AM, Keith Holleman
<keith.holleman at gmail.com> wrote:
>
> I have GRE traffic transiting an OVS switch, in other words the tunnel
> source and destination is not in this OVS instance. I had wanted to match
> on the GRE key ID in this to apply some very specific policy to it. The
> transit traffic looks like this:
>
> :~# tcpdump proto gre -ne
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
> 16:27:04.742520 dc:39:79:80:29:48 > dc:39:79:80:29:02, ethertype IPv4
> (0x0800), length 102: 10.0.12.254 > 10.0.13.1: GREv0, key=0x3f3, proto TEB
> (0x6558), length 68: 00:0c:29:45:34:a7 > dc:39:79:80:29:33, ethertype ARP
> (0x0806), length 60: Request who-has 10.11.169.25 tell 10.11.1.239, length
> 46
>
> And I created these rules:
>
> :~# ovs-ofctl dump-flows br0 table=5 | grep nw_proto=47
> cookie=0x1234, duration=90.802s, table=5, n_packets=0, n_bytes=0,
> idle_age=90,
> priority=60001,ip,tun_id=0x3f3/0xffff,nw_src=10.0.12.254,nw_dst=10.0.13.1,nw_proto=47
> actions=resubmit(,4)
> cookie=0x3ea0000000b, duration=43112.786s, table=5, n_packets=395700,
> n_bytes=60045295, idle_age=0,
> priority=30000,ip,nw_src=10.0.12.254,nw_dst=10.0.13.1,nw_proto=47
> actions=resubmit(,6)
>
> I was expecting the first flow to see all the traffic but it sees none.
> After reading more of the documentation and looking at and experimenting
> with tun_src and tun_dst usage, I think I know what the problem is. The
> tun_* fields can only be used if OVS is aware of the GRE tunnel and has
> terminated the GRE tunnel and is looking at packets after the GRE
> decapsulation has occurred. Or put another way, the GRE tunnel must be the
> incoming port to use those fields in the match criteria.
>
> I couldn't find any documentation that clearly stated that although in
> hindsight, it could be considered obvious. But I also think my usage and
> assumptions aren't completely insane either. Is my current understanding
> correct? Is there any other way to match on a GRE key for GRE traffic
> transiting an OVS switch?
I understand what you are trying to do but you are correct that this
isn't currently possible with OVS.
More information about the discuss
mailing list