[ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

Ben Pfaff blp at ovn.org
Mon Oct 9 23:27:50 UTC 2017


OVS doesn't handle this case well.  I don't think it will do what you
want.

On Mon, Oct 09, 2017 at 11:59:13PM +0200, Juraj Markotic wrote:
> yes, we are already using that one to send packet across 2 OVS connected
> via GRE tunnels and when switched out, will remove GRE header.
> Imagine situation where SPAN traffic from some other switch is being sent
> as replica traffic to OVS inport (one can be configured as GRE port for
> that matter). Packets coming to OVS inport are mostly GRE traffic with
> varying src/dst ip in GRE headers since this is replica traffic from
> network. This is not traffic directed to ip configured on that exact OVS
> (which is receiving it).
> Would OVS just drop this receiving traffic or will remove header without
> checking and switch it as configured (i.e. via openflow rule) ?
> I guess we'd need to check.
> 
> jm
> 
> 
> On Mon, Oct 9, 2017 at 11:14 PM, Ben Pfaff <blp at ovn.org> wrote:
> 
> > GRE and tunnels are implemented in terms of ports, so if you send a
> > packet received on a GRE port to a non-tunnel port, it strips the
> > header.
> >
> > On Mon, Oct 09, 2017 at 10:45:10PM +0200, Juraj Markotic wrote:
> > > I will check on GTP ongoing activities (I saw some activities on
> > > providing capabilities to match on GTP-C/GTP-U packets).
> > > maybe dumb question, but any pointer on how to remove GRE header (or VXLAN
> > > for that matter) when switching packet from IN port to OUT port and switch
> > > out only internal packet/payload ?
> > > thanks,
> > > jm
> > >
> > >
> > > On Mon, Oct 9, 2017 at 10:13 PM, Ben Pfaff <blp at ovn.org> wrote:
> > >
> > > > OVS doesn't support GTP yet, but I know that there's some ongoing work
> > > > on it.
> > > >
> > > > GRE and VXLAN should be fine.
> > > >
> > > > If you need GTP support, maybe the best thing to do would be to help out
> > > > the folks who are working on it.
> > > >
> > > > On Mon, Oct 09, 2017 at 09:35:42PM +0200, Juraj Markotic wrote:
> > > > > Hello,
> > > > > thanks for feedback.
> > > > > I know OVS can truncate payload and that it can modify mac/IPs in header
> > > > > (i.e. like doing NAT).
> > > > > I also know OVS can decapsulate GRE (or VXLAN) when packet is arriving on
> > > > > tunnel OVS interface (done automatically).
> > > > > But I was not aware that OVS can remove tunnel headers when switching
> > > > > incoming GTP/GRE/VXLAN header and extract inside packet (with totally new
> > > > > src/dst ip) and send it out.
> > > > > Can you share some OVS cli example for such ?
> > > > > we have network packet broker (NPB) with OVS, so if NPB is delivering
> > > > > tunnel packets, it would be great if we could remove tunnel headers before
> > > > > delivering it to the (monitoring) tool on outgoing port.
> > > > >
> > > > > thanks,
> > > > > jm
> > > > >
> > > > > On Mon, Oct 9, 2017 at 6:31 PM, Ben Pfaff <blp at ovn.org> wrote:
> > > > >
> > > > > > On Sun, Oct 08, 2017 at 11:19:17PM +0200, Juraj Markotic wrote:
> > > > > > > we would need some functionality on manipulating packets when packet is
> > > > > > > exiting outgoing OVS port.
> > > > > > > I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
> > > > > > > some tunnel header (vxlan, gtp, gre), truncate the payload etc.
> > > > > >
> > > > > > OVS has actions for modifying headers and it can decapsulate tunnels and
> > > > > > truncate payloads.
> > > > > >
> > > > > > > So, one option can be to write some code that can be attached to OVS to
> > > > > > > packet exiting out port (i.e. some lua scripts for manipulation).
> > > > > >
> > > > > > Lua isn't needed.  You can use OpenFlow.
> > > > > >
> > > >
> >
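
Added example, not part of the original thread and not OVS code: a Python sketch of what removing a GRE header from mirrored traffic involves, independent of the outer destination IP, which is the case raised for SPAN replica traffic. The names `strip_gre` and `sample_frame` and all addresses are hypothetical; the frame is constructed test input, and VLAN tags, IPv6 outer headers and fragment reassembly are assumed out of scope.

```python
import struct

# GRE flag bits in the first 16-bit word (RFC 1701 / 2784 / 2890)
GRE_C, GRE_R, GRE_K, GRE_S, GRE_VER = 0x8000, 0x4000, 0x2000, 0x1000, 0x0007

def strip_gre(frame: bytes):
    """Return (inner_protocol_type, inner_packet), or None if not decapsulable."""
    if len(frame) < 14 + 20 or frame[12:14] != b"\x08\x00":
        return None                       # not untagged Ethernet carrying IPv4
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    total_len = struct.unpack("!H", ip[2:4])[0]
    frag = struct.unpack("!H", ip[6:8])[0]
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 47:
        return None                       # outer header is not IPv4 protocol 47 (GRE)
    if frag & 0x3FFF:
        return None                       # MF set or non-zero offset: reassemble first
    if not ihl + 4 <= total_len <= len(ip):
        return None                       # truncated capture or bad length field
    gre = ip[ihl:total_len]               # slicing to total_len drops Ethernet padding
    flags, proto = struct.unpack("!HH", gre[:4])
    if flags & GRE_VER or flags & GRE_R:
        return None                       # only version 0 without source routing
    # Checksum, key and sequence number each add one optional 4-byte field.
    hdr_len = 4 + 4 * sum(1 for bit in (GRE_C, GRE_K, GRE_S) if flags & bit)
    if len(gre) < hdr_len:
        return None
    return proto, gre[hdr_len:]

def sample_frame(inner: bytes, key=None) -> bytes:
    """Constructed input: Ethernet / IPv4 (documentation addresses) / GRE / inner."""
    gre = struct.pack("!HH", GRE_K if key is not None else 0, 0x0800)
    if key is not None:
        gre += struct.pack("!I", key)
    total = 20 + len(gre) + len(inner)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 47, 0,
                     bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7]))
    eth = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02" + b"\x08\x00"
    return eth + ip + gre + inner

if __name__ == "__main__":
    inner = b"\x45" + bytes(19)           # constructed stand-in for an inner IPv4 header
    print(strip_gre(sample_frame(inner, key=42)))
```

The function never looks at the outer source or destination address, so it treats replica traffic the same way whichever tunnel endpoints produced it.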

