[ovs-discuss] Flow rules not applied on LOCAL port when rules are pushed by an OpenFlow controller

Vincent CATROS Vincent.CATROS at b-com.com
Fri May 27 07:24:24 UTC 2016


Hello,


It seems that flow rules are not applied on LOCAL port when rules are pushed by an OpenFlow controller.


The problem is probably between my chair and my screen :) but if someone could help me understand the situation I would greatly appreciate it.


My setup is very simple:


- A PC running OVS. Let's call it "s1". This PC has 2 network interfaces:

        - eth0 (10.0.0.2) is used to communicate with the OF controller

        - eth1 is enslaved to my OVS switch (br-test); 192.168.1.1 is configured on "br-test"

- a client PC. Let's call it "c1". This PC is directly connected to eth1 on "s1". Network interface is set to 192.168.1.2

- an OF controller (ONOS in my case) at 10.0.0.3



First let me describe a test I would call "normal"


My OVS switch "s1" is not connected to any controller

ovs-vsctl show
32cdf1f6-4963-46a4-8696-0199484fe3e0
    Bridge br-test
        fail_mode: secure
        Port "eth1"
            Interface "eth1"
        Port br-test
            Interface br-test
                type: internal
    ovs_version: "2.5.0"


2 rules are added in order to count packets
ovs-ofctl add-flow br-test priority=10,actions=NORMAL
ovs-ofctl add-flow br-test arp,priority=11,actions=NORMAL


I checked those rules are actually in the switch



ovs-ofctl dump-flows br-test
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=18.343s, table=0, n_packets=0, n_bytes=0, idle_age=18, priority=11,arp actions=NORMAL
 cookie=0x0, duration=23.321s, table=0, n_packets=0, n_bytes=0, idle_age=23, priority=10 actions=NORMAL


I send 1 ARP packet from c1 to a non-existing IP address

arping -c1 192.168.1.4
Timeout


1 packet has matched the ARP rule

ovs-ofctl dump-flows br-test
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=27.252s, table=0, n_packets=1, n_bytes=42, idle_age=3, priority=11,arp actions=NORMAL
 cookie=0x0, duration=32.230s, table=0, n_packets=0, n_bytes=0, idle_age=32, priority=10 actions=NORMAL


this is normal



If I send 1 ARP packet from "s1" (emitted on the LOCAL OVS switch) to a non-existing IP address



arping -c1 192.168.1.4

Timeout



1 more packet has matched the ARP rule



ovs-ofctl dump-flows br-test
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=73.074s, table=0, n_packets=2, n_bytes=102, idle_age=10, priority=11,arp actions=NORMAL
 cookie=0x0, duration=78.052s, table=0, n_packets=0, n_bytes=0, idle_age=78, priority=10 actions=NORMAL



this is also normal


Now, let me describe the "strange" behaviour


I connect "br-test" to my ONOS controller

 ovs-vsctl set-controller br-test tcp:10.0.0.3:6633


ovs-vsctl show
32cdf1f6-4963-46a4-8696-0199484fe3e0
    Bridge br-test
        Controller "tcp:10.0.0.3:6633"
            is_connected: true
        fail_mode: secure
        Port "eth1"
            Interface "eth1"
        Port br-test
            Interface br-test
                type: internal
    ovs_version: "2.5.0"


We can check that ARP rule has not been matched for the moment


ovs-ofctl dump-flows br-test
NXST_FLOW reply (xid=0x4):
 cookie=0xe00000f5ad7ff, duration=9.456s, table=0, n_packets=0, n_bytes=0, idle_age=9, priority=5,ip actions=CONTROLLER:65535
 cookie=0xe000011a55234, duration=9.456s, table=0, n_packets=0, n_bytes=0, idle_age=9, priority=40000,arp actions=CONTROLLER:65535
 cookie=0xe00001195f878, duration=9.456s, table=0, n_packets=0, n_bytes=0, idle_age=9, priority=40000,dl_type=0x8942 actions=CONTROLLER:65535
 cookie=0xe00000f5ad8b9, duration=9.456s, table=0, n_packets=0, n_bytes=0, idle_age=9, priority=5,arp actions=CONTROLLER:65535
 cookie=0xe00001195ea2e, duration=9.456s, table=0, n_packets=0, n_bytes=0, idle_age=9, priority=40000,dl_type=0x88cc actions=CONTROLLER:65535


I send 1 ARP request from "c1" to an unknown IP address


arping -c 1 192.168.1.4

Timeout


Then we can check that ARP rule has been matched


ovs-ofctl dump-flows br-test
NXST_FLOW reply (xid=0x4):
 cookie=0xe00000f5ad7ff, duration=28.298s, table=0, n_packets=0, n_bytes=0, idle_age=28, priority=5,ip actions=CONTROLLER:65535
 cookie=0xe000011a55234, duration=28.298s, table=0, n_packets=1, n_bytes=60, idle_age=4, priority=40000,arp actions=CONTROLLER:65535
 cookie=0xe00001195f878, duration=28.298s, table=0, n_packets=0, n_bytes=0, idle_age=28, priority=40000,dl_type=0x8942 actions=CONTROLLER:65535
 cookie=0xe00000f5ad8b9, duration=28.298s, table=0, n_packets=0, n_bytes=0, idle_age=28, priority=5,arp actions=CONTROLLER:65535
 cookie=0xe00001195ea2e, duration=28.298s, table=0, n_packets=0, n_bytes=0, idle_age=28, priority=40000,dl_type=0x88cc actions=CONTROLLER:65535


So far everything is normal


Now, I will send 1 ARP packet from "s1" (on the LOCAL OVS port) to an unknown IP address


arping -c 1 192.168.1.4

Timeout


If we check rules matching.


 ovs-ofctl dump-flows br-test
NXST_FLOW reply (xid=0x4):
 cookie=0xe00000f5ad7ff, duration=38.774s, table=0, n_packets=0, n_bytes=0, idle_age=38, priority=5,ip actions=CONTROLLER:65535
 cookie=0xe000011a55234, duration=38.774s, table=0, n_packets=1, n_bytes=60, idle_age=15, priority=40000,arp actions=CONTROLLER:65535
 cookie=0xe00001195f878, duration=38.774s, table=0, n_packets=0, n_bytes=0, idle_age=38, priority=40000,dl_type=0x8942 actions=CONTROLLER:65535
 cookie=0xe00000f5ad8b9, duration=38.774s, table=0, n_packets=0, n_bytes=0, idle_age=38, priority=5,arp actions=CONTROLLER:65535
 cookie=0xe00001195ea2e, duration=38.774s, table=0, n_packets=0, n_bytes=0, idle_age=38, priority=40000,dl_type=0x88cc actions=CONTROLLER:65535


We see that ARP rule has not been matched


This is weird.


And more....


If I send an ARP from "s1" LOCAL port to "c1"

arping -c 1 192.168.1.2

ARPING 192.168.1.2

60 bytes from 08:00:27:f0:80:4e (192.168.1.2): index=0 time=9.662 msec


It works request and reply ... but no matching is signaled...


ovs-ofctl dump-flows br-test
NXST_FLOW reply (xid=0x4):
 cookie=0xe00000f5ad7ff, duration=49.278s, table=0, n_packets=0, n_bytes=0, idle_age=49, priority=5,ip actions=CONTROLLER:65535
 cookie=0xe000011a55234, duration=49.278s, table=0, n_packets=1, n_bytes=60, idle_age=25, priority=40000,arp actions=CONTROLLER:65535
 cookie=0xe00001195f878, duration=49.278s, table=0, n_packets=0, n_bytes=0, idle_age=49, priority=40000,dl_type=0x8942 actions=CONTROLLER:65535
 cookie=0xe00000f5ad8b9, duration=49.278s, table=0, n_packets=0, n_bytes=0, idle_age=49, priority=5,arp actions=CONTROLLER:65535
 cookie=0xe00001195ea2e, duration=49.278s, table=0, n_packets=0, n_bytes=0, idle_age=49, priority=40000,dl_type=0x88cc actions=CONTROLLER:65535


This is really weird... it seems that packets are going through the datapath without activating OF rules.


I even checked OF connection between OVS and ONOS... no PACKET_IN issued.


Any idea?


Regards

Vincent
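
Added example, not part of the original post: a small Python helper that diffs the counters between two ovs-ofctl dump-flows snapshots, which is the comparison the post makes by eye. The function names are hypothetical, and the sample input is the two ARP flows taken from the dumps in the post.

```python
import re

# One flow line of `ovs-ofctl dump-flows` output, in the format shown in the post.
FLOW_RE = re.compile(
    r"cookie=(?P<cookie>0x[0-9a-f]+),.*?table=(?P<table>\d+),.*?"
    r"n_packets=(?P<pkts>\d+), n_bytes=(?P<bytes>\d+),.*?"
    r"(?P<match>priority=\S+) actions=(?P<actions>\S+)"
)

def parse_flows(dump):
    """Map (cookie, table, match) -> (n_packets, n_bytes) for each flow line."""
    flows = {}
    for line in dump.splitlines():
        m = FLOW_RE.search(line)
        if m:  # the "NXST_FLOW reply" header and blank lines do not match
            key = (m["cookie"], int(m["table"]), m["match"])
            flows[key] = (int(m["pkts"]), int(m["bytes"]))
    return flows

def counter_deltas(before, after):
    """Return {flow key: (d_packets, d_bytes)} for flows whose counters moved."""
    old = parse_flows(before)
    deltas = {}
    for key, (pkts, byts) in parse_flows(after).items():
        old_pkts, old_bytes = old.get(key, (0, 0))  # new flow: count from zero
        if (pkts, byts) != (old_pkts, old_bytes):
            deltas[key] = (pkts - old_pkts, byts - old_bytes)
    return deltas

# The two ARP flows from the post's dumps (the other three flows are omitted).
AFTER_CONNECT = """NXST_FLOW reply (xid=0x4):
 cookie=0xe000011a55234, duration=9.456s, table=0, n_packets=0, n_bytes=0, idle_age=9, priority=40000,arp actions=CONTROLLER:65535
 cookie=0xe00000f5ad8b9, duration=9.456s, table=0, n_packets=0, n_bytes=0, idle_age=9, priority=5,arp actions=CONTROLLER:65535
"""
AFTER_C1_ARP = """NXST_FLOW reply (xid=0x4):
 cookie=0xe000011a55234, duration=28.298s, table=0, n_packets=1, n_bytes=60, idle_age=4, priority=40000,arp actions=CONTROLLER:65535
 cookie=0xe00000f5ad8b9, duration=28.298s, table=0, n_packets=0, n_bytes=0, idle_age=28, priority=5,arp actions=CONTROLLER:65535
"""
AFTER_S1_ARP = """NXST_FLOW reply (xid=0x4):
 cookie=0xe000011a55234, duration=38.774s, table=0, n_packets=1, n_bytes=60, idle_age=15, priority=40000,arp actions=CONTROLLER:65535
 cookie=0xe00000f5ad8b9, duration=38.774s, table=0, n_packets=0, n_bytes=0, idle_age=38, priority=5,arp actions=CONTROLLER:65535
"""

if __name__ == "__main__":
    print("c1 ARP:", counter_deltas(AFTER_CONNECT, AFTER_C1_ARP))
    print("s1 ARP:", counter_deltas(AFTER_C1_ARP, AFTER_S1_ARP))
```

An empty result for the second comparison corresponds to the case in the post where the ARP sent from "s1" moved no flow counter.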