[ovs-discuss] Issue while using Firewall/conntrack with OVS 2.5 + DPDK 2.2.0 in user mode

Ben Pfaff blp at ovn.org
Fri Jan 29 23:14:31 UTC 2016


On Fri, Jan 29, 2016 at 12:02:04PM +0000, sourabh.bansal at wipro.com wrote:
> Hi OVS Folk,
> 
> I checked out the OVS 2.5 branch code from GitHub and am building OVS 2.5 with DPDK 2.2.0 on CentOS 7, kernel 3.18.22, and it's building successfully with the below commands:
> 
> ./configure --with-dpdk=/home../DPDK/x86_64-ivshmem-linuxapp-gcc
> 
> But I am not able to see Firewall (conntrack) related commands support. As shown below:
> 
> [root at Potasium ovs-branch-2.5]# ./utilities/ovs-ofctl add-flow br0 table=1,in_port=2,ip,ct_state=+new,action=1
> OFPT_ERROR (xid=0x6): OFPBMC_BAD_MASK
> NXT_FLOW_MOD (xid=0x6):
> (***truncated to 64 bytes from 80***)
> 00000000  01 04 00 50 00 00 00 06-00 00 23 20 00 00 00 0d |...P......# ....|
> 00000010  00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
> 00000020  ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
> 00000030  00 00 00 02 00 02 00 00-06 02 08 00 00 01 d3 08 |................|
> 
> I am getting the above highlighted error and no flow is getting added. I used many options as specified in the ovs-ofctl man page.
> 
> Then I found the below command to configure OVS with Linux.
> ./configure --with-dpdk=$DPDK_BUILD --with-linux=/lib/modules/`uname -r`/build
> 
> It's building successfully but I am facing the same issues while adding flows with the ovs-ofctl command using ct_state flags or ct.
> 
> [root at Potasium ovs-branch-2.5]# ./ovs-branch-2.5/utilities/ovs-ofctl add-flow br0 in_port=1,tcp,ct_state=+trk-new,actions=ct,output:2
> OFPT_ERROR (xid=0x4): OFPBMC_BAD_MASK
> NXT_FLOW_MOD (xid=0x4):
> (***truncated to 64 bytes from 112***)
> 00000000  01 04 00 70 00 00 00 04-00 00 23 20 00 00 00 0d |...p......# ....|
> 00000010  00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 00 |................|
> 00000020  ff ff ff ff ff ff 00 00-00 1d 00 00 00 00 00 00 |................|
> 00000030  00 00 00 02 00 01 00 00-06 02 08 00 00 00 0c 01 |................|
> 
> So, my questions are:
> How to confirm whether conntrack is built and running with OVS + DPDK? I can see the netlink_conntrack.o file in /lib dir.
> Is Conntrack running in user mode with OVS and dpdk?
> Am I using the right commands of connection tracker?

The FAQ has feature support information:

### Q: Are all features available with all datapaths?

A: Open vSwitch supports different datapaths on different platforms.  Each
   datapath has a different feature set: the following tables try to summarize
   the status.

   Supported datapaths:

   * *Linux upstream*: The datapath implemented by the kernel module shipped
                       with Linux upstream.  Since features have been gradually
                       introduced into the kernel, the table mentions the first
                       Linux release whose OVS module supports the feature.

   * *Linux OVS tree*: The datapath implemented by the Linux kernel module
                       distributed with the OVS source tree. Some features of
                       this module rely on functionality not available in older
                       kernels: in this case the minimum Linux version (against
                       which the feature can be compiled) is listed.

   * *Userspace*: Also known as DPDK, dpif-netdev or dummy datapath. It is the
                  only datapath that works on NetBSD and FreeBSD.

   * *Hyper-V*: Also known as the Windows datapath.

   The following table lists the datapath supported features from
   an Open vSwitch user's perspective.

Feature               | Linux upstream | Linux OVS tree | Userspace | Hyper-V |
----------------------|:--------------:|:--------------:|:---------:|:-------:|
Connection tracking   |      4.3       |       3.10     |    NO     |   NO    |
Tunnel - LISP         |      NO        |       YES      |    NO     |   NO    |
Tunnel - STT          |      NO        |       3.5      |    NO     |   YES   |
Tunnel - GRE          |      3.11      |       YES      |    YES    |   YES   |
Tunnel - VXLAN        |      3.12      |       YES      |    YES    |   YES   |
Tunnel - Geneve       |      3.18      |       YES      |    YES    |   NO    |
QoS - Policing        |      YES       |       YES      |    NO     |   NO    |
QoS - Shaping         |      YES       |       YES      |    NO     |   NO    |
sFlow                 |      YES       |       YES      |    YES    |   NO    |
Set action            |      YES       |       YES      |    YES    | PARTIAL |
NIC Bonding           |      YES       |       YES      |    YES    |   NO    |
Multiple VTEPs        |      YES       |       YES      |    YES    |   NO    |

   **Notes:**
   * Only a limited set of flow fields is modifiable via the set action by the
     Hyper-V datapath.
   * The Hyper-V datapath only supports one physical NIC per datapath. This is
     why bonding is not supported.
   * The Hyper-V datapath can have at most one IP address configured as a
     tunnel endpoint.

   The following table lists features that do not *directly* impact an
   Open vSwitch user, e.g. because their absence can be hidden by the ofproto
   layer (usually this comes with a performance penalty).

Feature               | Linux upstream | Linux OVS tree | Userspace | Hyper-V |
----------------------|:--------------:|:--------------:|:---------:|:-------:|
SCTP flows            |      3.12      |       YES      |    YES    |   YES   |
MPLS                  |      3.19      |       YES      |    YES    |   NO    |
UFID                  |      4.0       |       YES      |    YES    |   NO    |
Megaflows             |      3.12      |       YES      |    YES    |   NO    |
Masked set action     |      4.0       |       YES      |    YES    |   NO    |
Recirculation         |      3.19      |       YES      |    YES    |   NO    |
TCP flags matching    |      3.13      |       YES      |    YES    |   NO    |
Validate flow actions |      YES       |       YES      |    N/A    |   NO    |
Multiple datapaths    |      YES       |       YES      |    YES    |   NO    |
Tunnel TSO - STT      |      N/A       |       YES      |    NO     |   YES   |
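
Added example (not part of the original messages and not OVS code): decoding the first truncated NXT_FLOW_MOD dump quoted above shows that the last match field in the rejected flow is a masked ct_state, the connection-tracking match that the FAQ table lists as unsupported on the userspace datapath. The byte offsets follow the OpenFlow 1.0 header plus the Nicira flow-mod layout, and the three-entry field-name table is an assumption taken from OVS's NXM field numbering, covering only the fields in this dump.

```python
import struct

# First dump quoted in the message: the 64 captured bytes of an 80-byte message.
DUMP = bytes.fromhex(
    "0104005000000006000023200000000d"
    "00000000000000000100000000008000"
    "ffffffffffff00000018000000000000"
    "0000000200020000060208000001d308"
)

# (class, field) -> name; assumed from OVS's NXM field numbering, this dump only.
NXM_NAMES = {
    (0x0000, 0): "NXM_OF_IN_PORT",
    (0x0000, 3): "NXM_OF_ETH_TYPE",
    (0x0001, 105): "NXM_NX_CT_STATE",
}

def decode_match(msg):
    """Return (declared_len, match_len, [(field, hasmask, payload_hex_or_None)])."""
    _version, msg_type, declared_len, _xid = struct.unpack_from("!BBHI", msg, 0)
    vendor, subtype = struct.unpack_from("!II", msg, 8)
    # OFPT_VENDOR (4), Nicira vendor id 0x2320, subtype 13 = NXT_FLOW_MOD
    if (msg_type, vendor, subtype) != (4, 0x2320, 13):
        raise ValueError("not an NXT_FLOW_MOD")
    (match_len,) = struct.unpack_from("!H", msg, 40)
    fields, off = [], 48                      # the match starts after the fixed part
    end = min(len(msg), 48 + match_len)       # the dump may stop before the match does
    while off + 4 <= end:
        (hdr,) = struct.unpack_from("!I", msg, off)
        nxm_class, field = hdr >> 16, (hdr >> 9) & 0x7F
        hasmask, plen = bool(hdr & 0x100), hdr & 0xFF
        name = NXM_NAMES.get((nxm_class, field),
                             f"class={nxm_class:#x},field={field}")
        payload = msg[off + 4: off + 4 + plen]
        # None marks a payload cut off by the 64-byte truncation
        fields.append((name, hasmask, payload.hex() if len(payload) == plen else None))
        off += 4 + plen
    return declared_len, match_len, fields

if __name__ == "__main__":
    total, match_len, fields = decode_match(DUMP)
    print(f"message length {total}, match length {match_len}")
    for name, hasmask, payload in fields:
        print(f"  {name}{'_W' if hasmask else ''}: {payload or '<truncated>'}")
```
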


