[ovs-discuss] Tracing packets using ofproto/trace after integration with Conntrack-OVN

Piyush R Srivastava1 pirsriva at in.ibm.com
Fri Feb 5 08:06:59 UTC 2016


Hi Joe,

Thanks a lot. It worked for the first problem.
However problem of using ct_state still persists

>> Also, how do i explicitly mention ct_states in ofproto/trace
>> For instance-
>> # ovs-appctl ofproto/trace br-int
recirc_id=0x56,ct_state=new,ip,in_port=2,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_proto=1,nw_src=10.10.1.3,nw_dst=10.10.1.1

>> Works
>> But in Flows the format is like +new,-inv,-est,+trk
>> How do i supply these values to ofproto/trace


>> There are no commas. Comma separates different fields, so for the
"ct_state" field you can just squash the +new-inv+trk etc together.

#ovs-ofctl ofproto/trace br-int "ct_state=+new-est-inv+trk"
#ovs-ofctl ofproto/trace br-int "ct_state=new-est-inv+trk"
Both the above DO NOT WORK
[root at rhel7-devstack-ovn-154 ~]# ovs-appctl ofproto/trace br-int
ct_state="+new-est-inv-rpl+trk"
Bad openflow flow syntax: ct_state=+new-est-inv-rpl+trk: bad value for
ct_state (+new-est-inv-rpl+trk: wildcards not allowed here)
ovs-appctl: ovs-vswitchd: server returned an error

[root at rhel7-devstack-ovn-154 ~]# ovs-appctl ofproto/trace br-int
ct_state="new-est-inv-rpl+trk"
Bad openflow flow syntax: ct_state=new-est-inv-rpl+trk: bad value for
ct_state (new-est-inv-rpl+trk: unknown ct_state flag(s))
ovs-appctl: ovs-vswitchd: server returned an error

However, i can use | instead of +/-

[root at rhel7-devstack-ovn-154 ~]# ovs-appctl ofproto/trace br-int
ct_state="new|trk"
Bridge: br-int
Flow: ct_state=new|
trk,in_port=ANY,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,dl_type=0x0000


What i want to send out in the flow is a match for +new,-inv,-est,+trk
I doubt that  ct_tate="new|trk" is same as ct_state=+new,-est,-inv,+trk or
is it the same?

Following are the flags mention in man page of ovs-ofctl for ct_state.
However all i could achieve with it was OR ( | ) of the flags.
              The following flags describe the state of the tracking:
              0x01: new
              0x02: est
              0x04: rel
              0x08: rpl
              0x10: inv
              0x20: trk



Thanks and regards,
Piyush Raman




From:	Joe Stringer <joe at ovn.org>
To:	Piyush R Srivastava1/India/IBM at IBMIN
Cc:	Ben Pfaff <blp at ovn.org>, discuss <discuss at openvswitch.org>
Date:	02/05/2016 02:58 AM
Subject:	Re: [ovs-discuss] Tracing packets using ofproto/trace after
            integration with Conntrack-OVN





On 4 February 2016 at 10:58, Piyush R Srivastava1 <pirsriva at in.ibm.com>
wrote:
  Hi Ben,

  Thanks for the reply. My problem still remains unsolved-

  I did as you suggested-

  [root at rhel7-devstack-ovn-154 ~]# ovs-appctl ofproto/trace br-int
  ip,in_port=2,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_proto=1,nw_src=10.10.1.3,nw_dst=10.10.1.1

  Bridge: br-int
  Flow:
  icmp,in_port=2,vlan_tci=0x0000,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_src=10.10.1.3,nw_dst=10.10.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0


  Rule: table=0 cookie=0 priority=100,in_port=2
  OpenFlow actions=set_field:0x1->reg5,set_field:0x2->
  metadata,set_field:0x2->reg6,resubmit(,16)

  Resubmitted flow:
  icmp,reg5=0x1,reg6=0x2,metadata=0x2,in_port=2,vlan_tci=0x0000,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_src=10.10.1.3,nw_dst=10.10.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0

  Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x1
  reg6=0x2 reg7=0x0
  Resubmitted odp: drop
  Resubmitted megaflow:
  recirc_id=0,ip,reg5=0,reg6=0,metadata=0,in_port=2,vlan_tci=0x0000/0x1000,dl_src=fa:16:3e:67:8e:03,nw_frag=no

  Rule: table=16 cookie=0
  priority=50,reg6=0x2,metadata=0x2,dl_src=fa:16:3e:67:8e:03
  OpenFlow actions=resubmit(,17)

  Resubmitted flow: unchanged
  Resubmitted regs: reg0=0x0 reg1=0x0 reg2=0x0 reg3=0x0 reg4=0x0 reg5=0x1
  reg6=0x2 reg7=0x0
  Resubmitted odp: drop
  Resubmitted megaflow:
  recirc_id=0,ip,reg5=0,reg6=0,metadata=0,in_port=2,vlan_tci=0x0000/0x1000,dl_src=fa:16:3e:67:8e:03,nw_frag=no

  Rule: table=17 cookie=0 priority=100,ip,metadata=0x2
  OpenFlow actions=ct(table=18,zone=NXM_NX_REG5[0..15])

  Final flow:
  icmp,reg5=0x1,reg6=0x2,metadata=0x2,in_port=2,vlan_tci=0x0000,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_src=10.10.1.3,nw_dst=10.10.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0

  Megaflow:
  recirc_id=0,ip,in_port=2,vlan_tci=0x0000/0x1000,dl_src=fa:16:3e:67:8e:03,nw_frag=no

  Datapath actions: ct(zone=1),recirc(0x56)


  ADDED recirc_id=0x56

  [root at rhel7-devstack-ovn-154 ~]# ovs-appctl ofproto/trace br-int
  recirc_id=0x56,ip,in_port=2,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_proto=1,nw_src=10.10.1.3,nw_dst=10.10.1.1

  Bridge: br-int
  Flow:
  recirc_id=0x56,icmp,in_port=2,vlan_tci=0x0000,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_src=10.10.1.3,nw_dst=10.10.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0


  Final flow:
  recirc_id=0x56,icmp,in_port=2,vlan_tci=0x0000,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_src=10.10.1.3,nw_dst=10.10.1.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0

  Megaflow: recirc_id=0x56,ip,in_port=2,nw_frag=no
  Datapath actions: drop
  Translation failed (No recirculation context), packet is dropped.

  It says no recirculation context
  ( I tried -generate option as well BUT got the same issue )


There are some examples in the testsuite which use -generate:
https://github.com/openvswitch/ovs/blob/9d2d2b5cd2421369d08422be8a349de974b53301/tests/ofproto-dpif.at#L4168

However, it is quite timing-sensitive. Ie if you do not do it quick enough,
the recirculation context will be gone. Quick enough is most likely <1
second at this stage, though it might be closer to 500ms.

  I expected-
  1- Packet to hit the Table 18 and continue tracing
  2- Expected to see ct_state values based on already existing flows by
  conntrack module



Currently there is no way to do this, as the userspace ovs-vswitchd doesn't
know what the kernel/datapath connection tracker knows. How the pipeline
would proceed from there depends on the state held in the connection
tracker. For now, you just have to try different "ct_state" values and see
what happens in different cases.


  Also, how do i explicitly mention ct_states in ofproto/trace
  For instance-
  # ovs-appctl ofproto/trace br-int
  recirc_id=0x56,ct_state=new,ip,in_port=2,dl_src=fa:16:3e:67:8e:03,dl_dst=fa:16:3e:b6:14:52,nw_proto=1,nw_src=10.10.1.3,nw_dst=10.10.1.1

  Works
  But in Flows the format is like +new,-inv,-est,+trk
  How do i supply these values to ofproto/trace


There are no commas. Comma separates different fields, so for the
"ct_state" field you can just squash the +new-inv+trk etc together.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20160205/5cac6910/attachment-0002.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: graycol.gif
Type: image/gif
Size: 105 bytes
Desc: not available
URL: <http://openvswitch.org/pipermail/ovs-discuss/attachments/20160205/5cac6910/attachment-0002.gif>


More information about the discuss mailing list