[ovs-discuss] Flow rule to punt packets to local host kernel/application

Ben Pfaff blp at ovn.org
Thu May 10 18:24:35 UTC 2018


On Thu, May 10, 2018 at 11:17:38AM -0700, Harish Patil wrote:
> On Wed, May 9, 2018 at 1:21 PM, Harish Patil <patharish at gmail.com> wrote:
> 
> >
> >
> > On Wed, May 9, 2018 at 1:05 PM, Ben Pfaff <blp at ovn.org> wrote:
> >
> >> On Wed, May 09, 2018 at 11:42:19AM -0700, Harish Patil wrote:
> >> > Hi,
> >> >
> >> > We have an OVS bridge wherein a physical interface and a TAP interface
> >> > (for VM connectivity) are attached to the OVS bridge.
> >> > Currently all packets are correctly sent to the VM based on dest ip addr.
> >> >
> >> > ovs-ofctl show br-fwd3
> >> > OFPT_FEATURES_REPLY (xid=0x2): dpid:0000000babf5d81e
> >> > n_tables:254, n_buffers:256
> >> > capabilities: FLOW_STATS TABLE_STATS PORT_STATS QUEUE_STATS ARP_MATCH_IP
> >> > actions: OUTPUT SET_VLAN_VID SET_VLAN_PCP STRIP_VLAN SET_DL_SRC SET_DL_DST SET_NW_SRC SET_NW_DST SET_NW_TOS SET_TP_SRC SET_TP_DST ENQUEUE
> >> >  1(enp0s20f2): addr:00:0b:ab:f5:d8:1e
> >> >      config:     0
> >> >      state:      0
> >> >      current:    1GB-FD COPPER AUTO_NEG
> >> >      advertised: 10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER AUTO_NEG AUTO_PAUSE
> >> >      supported:  10MB-HD 10MB-FD 100MB-HD 100MB-FD 1GB-FD COPPER AUTO_NEG AUTO_PAUSE
> >> >      speed: 1000 Mbps now, 1000 Mbps max
> >> >  2(fwd3): addr:fe:bb:cc:00:00:33
> >> >      config:     0
> >> >      state:      0
> >> >      current:    10MB-FD COPPER
> >> >      speed: 10 Mbps now, 0 Mbps max
> >> >  LOCAL(br-fwd3): addr:00:0b:ab:f5:d8:1e
> >> >      config:     0
> >> >      state:      0
> >> >      speed: 0 Mbps now, 0 Mbps max
> >> > OFPT_GET_CONFIG_REPLY (xid=0x4): frags=normal miss_send_len=0
> >> >
> >> >
> >> > The requirement now is to trap certain packets with known TCP dest port
> >> > 8080 to be sent on to host kernel rather than being sent to the VM.
> >> >
> >> >
> >> > I tried adding a rule such as:
> >> > ovs-ofctl add-flow br-fwd3 in_port=1,tcp,tcp_dst=8080,actions=output=LOCAL
> >> >
> >> > The tcpdump on br-fwd3 does show the incoming packets, however the packets
> >> > don't seem to be forwarded back to the host kernel stack. I also tried to
> >> > change the dest ip to local host but still don't see packets reaching the
> >> > host application.
> >>
> >> I suggest using ofproto/trace to figure out what's going on.  See
> >> ovs-vswitchd(8) if you're not already familiar with it.
> >>
> >
> > Thanks Ben.
> > I did use tracing:
> >
> >  [root at flexbng vBras]# ovs-appctl ofproto/trace br-fwd3 in_port=1,tcp,tcp_dst=8080
> > Bridge: br-fwd3
> > Flow: tcp,metadata=0,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=8080,tcp_flags=0x000
> > Rule: table=0 cookie=0 tcp,in_port=1,tp_dst=8080
> > OpenFlow actions=mod_nw_dst:127.0.0.1,LOCAL
> >
> > Final flow: tcp,metadata=0,in_port=1,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=00:00:00:00:00:00,nw_src=0.0.0.0,nw_dst=127.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=8080,tcp_flags=0x000
> > Megaflow: recirc_id=0,skb_priority=0,tcp,in_port=1,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_dst=8080
> > Datapath actions: set(ipv4(src=0.0.0.0,dst=127.0.0.1,proto=6,tos=0,ttl=0,frag=no)),7
> >
> > [root at flexbng ~]# ovs-ofctl dump-flows br-fwd3
> > NXST_FLOW reply (xid=0x4):
> >  cookie=0x0, duration=325.887s, table=0, n_packets=0, n_bytes=0, idle_age=325, tcp,in_port=1,tp_dst=8080 actions=mod_nw_dst:127.0.0.1,LOCAL
> >  cookie=0x0, duration=2588016.626s, table=0, n_packets=5752086, n_bytes=524962949, idle_age=0, hard_age=65534, priority=0 actions=NORMAL
> >
> > Here port 7 represents br-fwd3 (internal) which is where packets are
> > coming into, but it's not further punted to the localhost kernel stack where
> > a user application is waiting for port 8080 packets to arrive.
> > So what additional rules to configure such that packets are further sent
> > to host stack?
> >
> > Thanks.
> >
> >
> >
> >
> Hi Ben,
> 
> I tried a few more changes like changing dest MAC address to match bridge MAC
> address and also change dest IP to localhost using ofctl add-flow.
> The packets do arrive at bridge but do not go to the application, nor are they seen in
> tcpdump of loopback interface.
> If I don't specify any action then packet will be dropped as shown in
>  ovs-appctl ofproto/trace br-fwd3.
> If I specify NORMAL then packets still go to VM (like regular). Here we
> want to intercept packets with :8080 and hand them over to host kernel for
> regular processing.
> So I wanted to understand whether such an option to send the packets
> received on the bridge to be punted back to the regular host kernel stack
> is even feasible in the first place?
> My understanding is that packets coming onto the bridge are "visible" at L3
> level and user application should have received them.
> I guess the hairpin mode may not be useful here.
> Any specific example/pointers would be great.

I'm pretty suspicious of the idea of changing the packet destination to
127.0.0.1.  I doubt that's going to work.
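
An added example, not part of the thread and not OVS project code: a small audit of `ovs-ofctl dump-flows` output that flags the two things visible in the dump quoted above, a rule whose `n_packets` counter is still 0 and a rule that rewrites the destination into 127.0.0.0/8 before sending to LOCAL. Linux by default discards packets addressed to 127.0.0.0/8 that arrive on a non-loopback interface (the `route_localnet` sysctl controls this). The function names, finding labels and sample string are assumptions made for this example.

```python
import re

# Constructed sample: the two flows from the dump-flows output quoted in the
# thread, each re-joined onto a single line.
SAMPLE_DUMP = """\
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=325.887s, table=0, n_packets=0, n_bytes=0, idle_age=325, tcp,in_port=1,tp_dst=8080 actions=mod_nw_dst:127.0.0.1,LOCAL
 cookie=0x0, duration=2588016.626s, table=0, n_packets=5752086, n_bytes=524962949, idle_age=0, hard_age=65534, priority=0 actions=NORMAL
"""

# Both spellings of an IPv4 destination rewrite in ovs-ofctl syntax.
DST_REWRITE = re.compile(
    r"mod_nw_dst:(\d+\.\d+\.\d+\.\d+)"
    r"|set_field:(\d+\.\d+\.\d+\.\d+)->(?:ip_dst|nw_dst)\b")
# LOCAL or output:LOCAL as one element of the comma-separated action list.
TO_LOCAL = re.compile(r"(?:^|,)(?:output:)?LOCAL(?:,|$)")


def parse_flows(dump):
    """Yield (match, n_packets, actions) for each flow line."""
    for line in dump.splitlines():
        if " actions=" not in line:
            continue  # reply header or blank line
        head, actions = line.rsplit(" actions=", 1)
        hits = re.search(r"n_packets=(\d+)", head)
        match = (head.split() or ["(any)"])[-1]
        if match.endswith(","):  # last token is a statistic: no match fields
            match = "(any)"
        yield match, int(hits.group(1)) if hits else None, actions.strip()


def audit(dump):
    """Return (match, finding) pairs; the finding labels are hypothetical."""
    findings = []
    for match, n_packets, actions in parse_flows(dump):
        if n_packets == 0:
            # Counter never moved: live traffic is not matching this rule.
            findings.append((match, "no-hits"))
        for m in DST_REWRITE.finditer(actions):
            dst = m.group(1) or m.group(2)
            if dst.startswith("127.") and TO_LOCAL.search(actions):
                findings.append((match, "loopback-dst-to-LOCAL"))
    return findings


if __name__ == "__main__":
    for match, finding in audit(SAMPLE_DUMP):
        print(f"{finding}: {match}")
```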

