[ovs-discuss] MAC-learning action

[Ben Pfaff]

On Wed, Aug 17, 2016 at 10:31:34PM +0200, Bolesław Tokarski wrote:
> Hello,
> 
> I have a couple of physical machines on the Internet, connected together
> with IPsec-GRE tunnels. The tunnels are executed from my OpenVSwitch bridge
> 'tunnels', on which I have a dedicated port '1' that connects local
> machines (VMs sitting on another ovs bridge actually, but it's out of scope
> of the problem).
> 
> The bridge configuration looks like this:
>     Bridge tunnels
>         Port "patch0"
>             Interface "patch0"
>                 type: patch
>                 options: {peer="patch1"}
>         Port "gre6"
>             Interface "gre6"
>                 type: ipsec_gre
>                 options: {psk="secret", remote_ip="1.1.1.1"}
>         Port "gre4"
>             Interface "gre4"
>                 type: ipsec_gre
>                 options: {psk="secret", remote_ip="2.2.2.2"}
>         Port tunnels
>             Interface tunnels
>                 type: internal
> 
> As each of the tunnels link to the other physical machine "directly"
> through the Internet, forming a full-mesh logical topology, I have no use
> of Spanning-Tree - this would make all traffic pass through a single
> physical machine elected as the root bridge. So, what I did was:
> 
> ovs-ofctl del-flows tunnels
> ovs-ofctl add-flow tunnels "in_port=1 actions=normal"
> ovs-ofctl add-flow tunnels "actions=output:1"
> 
> In my view this was supposed to handle my specific use case - when traffic
> comes from my local network, it is passed along normal MAC-learning port,
> so flooding the tunnels with ARP request, response would get through one of
> the tunnel-ports, and would be directed to the local network (port 1).
> Traffic following it would be directed to the appropriate port, since the
> bridge would learn on which port the MAC address sits.
> 
> However, it seems that when actions=output:1 is specified, the bridge does
> not learn the MAC address of the incoming frame, and all the traffic from
> port 1 is always flooding all the tunnels.
> 
> I found the very good set of examples in the provided "Tutorial.md" file,
> which seems to cover this case, but it seems to require very complex rule
> definition for something that seems pretty easy - just tell the switch to
> learn the MAC before putting it through.
> 
> Is it possible to make NORMAL action learn source MAC addresses and tell it
> which port to direct the traffic at the same time? Something like:
> 
> ovs-ofctl add-flow tunnels "actions=learn(src_mac),1"
> 
> If this setup does require re-writing the NORMAL action, is it possible to
> display the flow rules that govern the NORMAL action internally?

OVS doesn't have that kind of a feature yet.  It's been suggested once
or twice but no one has come forward with an implementation.