[ovs-discuss] Issue while using Firewall/conntrack with OVS 2.5 + DPDK 2.2.0 in user mode
Ben Pfaff
blp at ovn.org
Fri Jan 29 23:14:31 UTC 2016
On Fri, Jan 29, 2016 at 12:02:04PM +0000, sourabh.bansal at wipro.com wrote:
> Hi OVS Folk,
>
> I checked out the OVS 2.5 branch code from GitHub and am building OVS 2.5 with DPDK 2.2.0 on CentOS 7, kernel 3.18.22, and it's building successfully with the below commands:
>
> ./configure --with-dpdk=/home../DPDK/x86_64-ivshmem-linuxapp-gcc
>
> But I am not able to see Firewall (conntrack) related commands support. As shown below:
>
> [root at Potasium ovs-branch-2.5]# ./utilities/ovs-ofctl add-flow br0 table=1,in_port=2,ip,ct_state=+new,action=1
> OFPT_ERROR (xid=0x6): OFPBMC_BAD_MASK
> NXT_FLOW_MOD (xid=0x6):
> (***truncated to 64 bytes from 80***)
> 00000000 01 04 00 50 00 00 00 06-00 00 23 20 00 00 00 0d |...P......# ....|
> 00000010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
> 00000020 ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
> 00000030 00 00 00 02 00 02 00 00-06 02 08 00 00 01 d3 08 |................|
>
> I am getting the above highlighted error and no flow is getting added. I used many options as specified in the ovs-ofctl man page.
>
> Then I found the below command to configure OVS with Linux.
> ./configure --with-dpdk=$DPDK_BUILD --with-linux=/lib/modules/`uname -r`/build
>
> It's building successfully but I am facing the same issues while adding flows with the ovs-ofctl command using ct_state flags or ct.
>
> [root at Potasium ovs-branch-2.5]# ./ovs-branch-2.5/utilities/ovs-ofctl add-flow br0 in_port=1,tcp,ct_state=+trk-new,actions=ct,output:2
> OFPT_ERROR (xid=0x4): OFPBMC_BAD_MASK
> NXT_FLOW_MOD (xid=0x4):
> (***truncated to 64 bytes from 112***)
> 00000000 01 04 00 70 00 00 00 04-00 00 23 20 00 00 00 0d |...p......# ....|
> 00000010 00 00 00 00 00 00 00 00-00 00 00 00 00 00 80 00 |................|
> 00000020 ff ff ff ff ff ff 00 00-00 1d 00 00 00 00 00 00 |................|
> 00000030 00 00 00 02 00 01 00 00-06 02 08 00 00 00 0c 01 |................|
>
> So, my questions are:
> How to confirm whether conntrack is built and running with OVS + DPDK? I can see the netlink_conntrack.o file in /lib dir.
> Is Conntrack running in user mode with OVS and dpdk?
> Am I using the right commands of connection tracker?

The FAQ has feature support information:

### Q: Are all features available with all datapaths?

A: Open vSwitch supports different datapaths on different platforms. Each
datapath has a different feature set: the following tables try to summarize
the status.

Supported datapaths:

* *Linux upstream*: The datapath implemented by the kernel module shipped
  with Linux upstream. Since features have been gradually
  introduced into the kernel, the table mentions the first
  Linux release whose OVS module supports the feature.

* *Linux OVS tree*: The datapath implemented by the Linux kernel module
  distributed with the OVS source tree. Some features of
  this module rely on functionality not available in older
  kernels: in this case the minimum Linux version (against
  which the feature can be compiled) is listed.

* *Userspace*: Also known as DPDK, dpif-netdev or dummy datapath. It is the
  only datapath that works on NetBSD and FreeBSD.

* *Hyper-V*: Also known as the Windows datapath.

The following table lists the datapath supported features from
an Open vSwitch user's perspective.

Feature | Linux upstream | Linux OVS tree | Userspace | Hyper-V |
----------------------|:--------------:|:--------------:|:---------:|:-------:|
Connection tracking | 4.3 | 3.10 | NO | NO |
Tunnel - LISP | NO | YES | NO | NO |
Tunnel - STT | NO | 3.5 | NO | YES |
Tunnel - GRE | 3.11 | YES | YES | YES |
Tunnel - VXLAN | 3.12 | YES | YES | YES |
Tunnel - Geneve | 3.18 | YES | YES | NO |
QoS - Policing | YES | YES | NO | NO |
QoS - Shaping | YES | YES | NO | NO |
sFlow | YES | YES | YES | NO |
Set action | YES | YES | YES | PARTIAL |
NIC Bonding | YES | YES | YES | NO |
Multiple VTEPs | YES | YES | YES | NO |

**Notes:**

* Only a limited set of flow fields is modifiable via the set action by the
  Hyper-V datapath.
* The Hyper-V datapath only supports one physical NIC per datapath. This is
  why bonding is not supported.
* The Hyper-V datapath can have at most one IP address configured as a
  tunnel endpoint.

The following table lists features that do not *directly* impact an
Open vSwitch user, e.g. because their absence can be hidden by the ofproto
layer (usually this comes with a performance penalty).

Feature | Linux upstream | Linux OVS tree | Userspace | Hyper-V |
----------------------|:--------------:|:--------------:|:---------:|:-------:|
SCTP flows | 3.12 | YES | YES | YES |
MPLS | 3.19 | YES | YES | NO |
UFID | 4.0 | YES | YES | NO |
Megaflows | 3.12 | YES | YES | NO |
Masked set action | 4.0 | YES | YES | NO |
Recirculation | 3.19 | YES | YES | NO |
TCP flags matching | 3.13 | YES | YES | NO |
Validate flow actions | YES | YES | N/A | NO |
Multiple datapaths | YES | YES | YES | NO |
Tunnel TSO - STT | N/A | YES | NO | YES |
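
Added example, not part of the original message and not code from the OVS tree: a decoder for the truncated NXT_FLOW_MOD that ovs-ofctl echoes with OFPBMC_BAD_MASK, showing which match fields were sent to the switch. The function names are hypothetical, and the header offsets and the small NXM field-number subset are assumptions taken from the Nicira extension layout as understood here.

```python
import struct

NX_VENDOR_ID = 0x00002320   # Nicira vendor ID carried in OFPT_VENDOR messages
NXT_FLOW_MOD = 13           # Nicira subtype, bytes 12..15 of the message
# (class, field) -> name; a small subset, listed here as an assumption of this example
NXM_NAMES = {(0, 0): "NXM_OF_IN_PORT", (0, 3): "NXM_OF_ETH_TYPE",
             (0, 6): "NXM_OF_IP_PROTO", (1, 105): "NXM_NX_CT_STATE"}

# First error dump from the message above (table=1 flow), copied as printed.
DUMP = """\
00000000 01 04 00 50 00 00 00 06-00 00 23 20 00 00 00 0d |...P......# ....|
00000010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
00000020 ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
00000030 00 00 00 02 00 02 00 00-06 02 08 00 00 01 d3 08 |................|
"""

def dump_to_bytes(dump):
    """Turn ovs-ofctl hexdump lines (offset, hex bytes, |ascii|) into bytes."""
    raw = bytearray()
    for line in dump.strip().splitlines():
        hex_part = line.split("|")[0].split(None, 1)[1]   # drop ascii column and offset
        raw += bytes.fromhex(hex_part.replace("-", " "))
    return bytes(raw)

def decode_flow_mod(raw):
    """Decode the header and NXM match entries of a (possibly truncated) NXT_FLOW_MOD."""
    _ver, _type, length, xid, vendor, subtype = struct.unpack_from("!BBHIII", raw, 0)
    if vendor != NX_VENDOR_ID or subtype != NXT_FLOW_MOD:
        raise ValueError("not an NXT_FLOW_MOD message")
    (priority,) = struct.unpack_from("!H", raw, 30)
    (match_len,) = struct.unpack_from("!H", raw, 40)
    fields, pos, end = [], 48, min(48 + match_len, len(raw))
    while pos + 4 <= end:
        (hdr,) = struct.unpack_from("!I", raw, pos)
        # NXM header: 16-bit class, 7-bit field, 1-bit has-mask, 8-bit payload length
        cls, field, masked, plen = hdr >> 16, (hdr >> 9) & 0x7F, bool(hdr & 0x100), hdr & 0xFF
        payload = raw[pos + 4:pos + 4 + plen]
        fields.append({
            "name": NXM_NAMES.get((cls, field), f"class {cls} field {field}"),
            "masked": masked,
            # None means the value (and mask) fell past the 64-byte truncation
            "payload": payload.hex() if len(payload) == plen else None,
        })
        pos += 4 + plen
    return {"xid": xid, "length": length, "priority": priority,
            "match_len": match_len, "fields": fields}

if __name__ == "__main__":
    for f in decode_flow_mod(dump_to_bytes(DUMP))["fields"]:
        print(f)
```

On this dump the last decoded entry is a masked NXM_NX_CT_STATE whose value and mask were cut off by the 64-byte truncation, which lines up with the "NO" for connection tracking in the Userspace column above.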