[ovs-discuss] output action into write-actions vs apply-actions instructions

bogun.dmitriy at gmail.com bogun.dmitriy at gmail.com
Tue Jul 23 10:40:49 UTC 2019


Hi.

I have a set or OF rules aimed to match double-tagged VLAN traffic, retag
it and output to some other port. Also, some subset(apr) of packets must be
redirected into the controller (meter must be used to control the number of
such packets).

I have created a test lab, consists of 2 ovs switches: A and B. Double
tagged traffic comes into port A-2. Switch "A" match it(outer VLAN is 127,
inner VLAN is 128), retag and output into port A-1 (new VLAN tag is 255).

On switch B there is no complex processing, just traffic forwarding between
ports B-1 and B-2 (this switch required to match with physical lab setup).
Port A-1 and B-1 are connected via veth-pair.

Rules set:
# A
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2140001 table=0
priority=24676,metadata=0x1000000000000/0x1000000000000
actions=write_metadata:0x2000000000000/0x2000000000000,goto_table:2'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2140002 table=0 priority=24576,in_port="A-1"
actions=goto_table:4'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2140001 table=0 priority=0 actions=goto_table:1'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2150001 table=1
priority=16394,metadata=0x400000000007f/0x4000000000fff,in_port="A-2",dl_vlan=128
actions=pop_vlan
write_metadata:0x1000002150001/0x10000ffffffff,goto_table:2'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2150001 table=1 priority=16384,in_port="A-2",dl_vlan=127
actions=pop_vlan,write_actions(TABLE),write_metadata:0x400000000007f/0x4000000000fff'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2140001 table=1 priority=0 actions=drop'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2150001 table=2
priority=24576,metadata=0x3000002150001/0x30000ffffffff
actions=write_actions(CONTROLLER:0)'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2140001 table=2
priority=24566,metadata=0x2000000000000/0x2000000000000 actions=drop'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2150001 table=2
priority=16384,arp,metadata=0x1000002150001/0x10000ffffffff
actions=TABLE,goto_table:3'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2140001 table=2 priority=0 actions=goto_table:3'
# output with write-actions
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2150001 table=3
priority=16384,metadata=0x1000002150001/0x10000ffffffff
actions=push_vlan:0x8100,set_field:4351->vlan_vid,write_actions(output:"A-1")'
# output with apply-actions
#ovs-ofctl -OOpenFlow13 add-flow A \
#    'cookie=0x2150001 table=3
priority=16384,metadata=0x1000002150001/0x10000ffffffff
actions=push_vlan:0x8100,set_field:4351->vlan_vid,output:"A-1"'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2140001 table=3 priority=0 actions=drop'
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2150001 table=4 priority=16384,in_port="A-1",dl_vlan=255
actions=set_field:4224->vlan_vid,push_vlan:0x8100,set_field:4223->vlan_vid,write_actions(output:"A-2")'

#
# B
ovs-ofctl -OOpenFlow13 add-flow B \
    'cookie=0x2150001 table=0 reset_counts priority=24575,in_port="B-1"
actions=output:2'
ovs-ofctl -OOpenFlow13 add-flow B \
    'cookie=0x2150001 table=0 reset_counts priority=24575,in_port=2
actions=output:"B-1"'

But it does not work. I am using regular `ping -c1 192.168.217.2` (inside
namespace) to inject traffic into A-2.

$ tshark -Ovlan -nr _dev_/multi-table/A-2.2.pcap
Frame 1: 50 bytes on wire (400 bits), 50 bytes captured (400 bits)
Ethernet II, Src: 5e:19:60:51:ec:8e, Dst: ff:ff:ff:ff:ff:ff
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 127
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0111 1111 = ID: 127
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 128
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1000 0000 = ID: 128
    Type: ARP (0x0806)
Address Resolution Protocol (request)

Frame 2: 50 bytes on wire (400 bits), 50 bytes captured (400 bits)
Ethernet II, Src: 5e:19:60:51:ec:8e, Dst: ff:ff:ff:ff:ff:ff
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 127
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0111 1111 = ID: 127
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 128
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1000 0000 = ID: 128
    Type: ARP (0x0806)
Address Resolution Protocol (request)

Frame 3: 50 bytes on wire (400 bits), 50 bytes captured (400 bits)
Ethernet II, Src: 5e:19:60:51:ec:8e, Dst: ff:ff:ff:ff:ff:ff
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 127
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0111 1111 = ID: 127
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 128
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1000 0000 = ID: 128
    Type: ARP (0x0806)
Address Resolution Protocol (request)

And there is nothing on A-1
tshark -Ovlan -nr _dev_/multi-table/A-1.2.pcap

Rules stats:
root at d3b4dc1301dc:/app/lab# ovs-ofctl -OOpenFlow13 dump-flows A
 cookie=0x2140001, duration=74.897s, table=0, n_packets=3, n_bytes=150,
priority=24676,metadata=0x1000000000000/0x1000000000000
actions=write_metadata:0x2000000000000/0x2000000000000,goto_table:2
 cookie=0x2140002, duration=74.880s, table=0, n_packets=0, n_bytes=0,
priority=24576,in_port="A-1" actions=goto_table:4
 cookie=0x2140001, duration=74.862s, table=0, n_packets=6, n_bytes=300,
priority=0 actions=goto_table:1
 cookie=0x2150001, duration=74.845s, table=1, n_packets=3, n_bytes=150,
priority=16394,metadata=0x400000000007f/0x4000000000fff,in_port="A-2",dl_vlan=128
actions=pop_vlan,write_metadata:0x1000002150001/0x10000ffffffff,goto_table:2
 cookie=0x2150001, duration=74.828s, table=1, n_packets=3, n_bytes=150,
priority=16384,in_port="A-2",dl_vlan=127
actions=pop_vlan,write_actions(TABLE),write_metadata:0x400000000007f/0x4000000000fff
 cookie=0x2140001, duration=74.812s, table=1, n_packets=0, n_bytes=0,
priority=0 actions=drop
 cookie=0x2150001, duration=74.795s, table=2, n_packets=3, n_bytes=150,
priority=24576,metadata=0x3000002150001/0x30000ffffffff
actions=write_actions(CONTROLLER:0)
 cookie=0x2140001, duration=74.778s, table=2, n_packets=0, n_bytes=0,
priority=24566,metadata=0x2000000000000/0x2000000000000 actions=drop
 cookie=0x2150001, duration=74.761s, table=2, n_packets=3, n_bytes=150,
priority=16384,arp,metadata=0x1000002150001/0x10000ffffffff
actions=TABLE,goto_table:3
 cookie=0x2140001, duration=74.744s, table=2, n_packets=0, n_bytes=0,
priority=0 actions=goto_table:3
 cookie=0x2150001, duration=74.726s, table=3, n_packets=3, n_bytes=150,
priority=16384,metadata=0x1000002150001/0x10000ffffffff
actions=push_vlan:0x8100,set_field:4351->vlan_vid,write_actions(output:"A-1")
 cookie=0x2140001, duration=74.709s, table=3, n_packets=0, n_bytes=0,
priority=0 actions=drop
 cookie=0x2150001, duration=74.692s, table=4, n_packets=0, n_bytes=0,
priority=16384,in_port="A-1",dl_vlan=255
actions=set_field:4224->vlan_vid,push_vlan:0x8100,set_field:4223->vlan_vid,write_actions(output:"A-2")

"Output" rule have 3 matched packets: `cookie=0x2150001, duration=74.726s,
table=3, n_packets=3, n_bytes=150,
priority=16384,metadata=0x1000002150001/0x10000ffffffff
actions=push_vlan:0x8100,set_field:4351->vlan_vid,write_actions(output:"A-1")
`

If I use apply-action to define an output port in this rule, i.e.
ovs-ofctl -OOpenFlow13 add-flow A \
    'cookie=0x2150001 table=3
priority=16384,metadata=0x1000002150001/0x10000ffffffff
actions=push_vlan:0x8100,set_field:4351->vlan_vid,output:"A-1"'

It starts working... in this case we will have the following rules stats:
root at d3b4dc1301dc:/app/lab# ovs-ofctl -OOpenFlow13 dump-flows A
 cookie=0x2140001, duration=60.881s, table=0, n_packets=2, n_bytes=100,
priority=24676,metadata=0x1000000000000/0x1000000000000
actions=write_metadata:0x2000000000000/0x2000000000000,goto_table:2
 cookie=0x2140002, duration=60.864s, table=0, n_packets=3, n_bytes=194,
priority=24576,in_port="A-1" actions=goto_table:4
 cookie=0x2140001, duration=60.848s, table=0, n_packets=6, n_bytes=412,
priority=0 actions=goto_table:1
 cookie=0x2150001, duration=60.831s, table=1, n_packets=3, n_bytes=206,
priority=16394,metadata=0x400000000007f/0x4000000000fff,in_port="A-2",dl_vlan=128
actions=pop_vlan,write_metadata:0x1000002150001/0x10000ffffffff,goto_table:2
 cookie=0x2150001, duration=60.814s, table=1, n_packets=3, n_bytes=206,
priority=16384,in_port="A-2",dl_vlan=127
actions=pop_vlan,write_actions(TABLE),write_metadata:0x400000000007f/0x4000000000fff
 cookie=0x2140001, duration=60.798s, table=1, n_packets=0, n_bytes=0,
priority=0 actions=drop
 cookie=0x2150001, duration=60.781s, table=2, n_packets=2, n_bytes=100,
priority=24576,metadata=0x3000002150001/0x30000ffffffff
actions=write_actions(CONTROLLER:0)
 cookie=0x2140001, duration=60.764s, table=2, n_packets=0, n_bytes=0,
priority=24566,metadata=0x2000000000000/0x2000000000000 actions=drop
 cookie=0x2150001, duration=60.748s, table=2, n_packets=2, n_bytes=100,
priority=16384,arp,metadata=0x1000002150001/0x10000ffffffff
actions=TABLE,goto_table:3
 cookie=0x2140001, duration=60.731s, table=2, n_packets=1, n_bytes=106,
priority=0 actions=goto_table:3
 cookie=0x2150001, duration=60.714s, table=3, n_packets=3, n_bytes=206,
priority=16384,metadata=0x1000002150001/0x10000ffffffff
actions=push_vlan:0x8100,set_field:4351->vlan_vid,output:"A-1"
 cookie=0x2140001, duration=60.697s, table=3, n_packets=0, n_bytes=0,
priority=0 actions=drop
 cookie=0x2150001, duration=60.680s, table=4, n_packets=3, n_bytes=194,
priority=16384,in_port="A-1",dl_vlan=255
actions=set_field:4224->vlan_vid,push_vlan:0x8100,set_field:4223->vlan_vid,write_actions(output:"A-2")

*Traffic on A-2:*
Frame 1: 50 bytes on wire (400 bits), 50 bytes captured (400 bits)
Ethernet II, Src: 5e:19:60:51:ec:8e, Dst: ff:ff:ff:ff:ff:ff
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 127
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0111 1111 = ID: 127
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 128
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1000 0000 = ID: 128
    Type: ARP (0x0806)
Address Resolution Protocol (request)

Frame 2: 50 bytes on wire (400 bits), 50 bytes captured (400 bits)
Ethernet II, Src: 66:e6:ed:78:52:27, Dst: 5e:19:60:51:ec:8e
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 127
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0111 1111 = ID: 127
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 128
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1000 0000 = ID: 128
    Type: ARP (0x0806)
Address Resolution Protocol (reply)

Frame 3: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Ethernet II, Src: 5e:19:60:51:ec:8e, Dst: 66:e6:ed:78:52:27
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 127
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0111 1111 = ID: 127
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 128
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1000 0000 = ID: 128
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.217.1, Dst: 192.168.217.2
Internet Control Message Protocol

Frame 4: 106 bytes on wire (848 bits), 106 bytes captured (848 bits)
Ethernet II, Src: 66:e6:ed:78:52:27, Dst: 5e:19:60:51:ec:8e
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 127
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 0111 1111 = ID: 127
    Type: 802.1Q Virtual LAN (0x8100)
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 128
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1000 0000 = ID: 128
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.217.2, Dst: 192.168.217.1
Internet Control Message Protocol

*Traffic on A-1:*
Frame 1: 46 bytes on wire (368 bits), 46 bytes captured (368 bits)
Ethernet II, Src: 5e:19:60:51:ec:8e, Dst: ff:ff:ff:ff:ff:ff
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 255
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1111 1111 = ID: 255
    Type: ARP (0x0806)
Address Resolution Protocol (request)

Frame 2: 46 bytes on wire (368 bits), 46 bytes captured (368 bits)
Ethernet II, Src: 66:e6:ed:78:52:27, Dst: 5e:19:60:51:ec:8e
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 255
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1111 1111 = ID: 255
    Type: ARP (0x0806)
Address Resolution Protocol (reply)

Frame 3: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: 5e:19:60:51:ec:8e, Dst: 66:e6:ed:78:52:27
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 255
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1111 1111 = ID: 255
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.217.1, Dst: 192.168.217.2
Internet Control Message Protocol

Frame 4: 102 bytes on wire (816 bits), 102 bytes captured (816 bits)
Ethernet II, Src: 66:e6:ed:78:52:27, Dst: 5e:19:60:51:ec:8e
802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 255
    000. .... .... .... = Priority: Best Effort (default) (0)
    ...0 .... .... .... = DEI: Ineligible
    .... 0000 1111 1111 = ID: 255
    Type: IPv4 (0x0800)
Internet Protocol Version 4, Src: 192.168.217.2, Dst: 192.168.217.1
Internet Control Message Protocol

My question is - why traffic does not forward on A-1 despite action
"output:A-1" into write-actions set into last matched rule?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20190723/599efae9/attachment-0001.html>


More information about the discuss mailing list