On Thu, Sep 26, 2013 at 08:21:33PM +0000, Pritesh Kothari (pritkoth) wrote: > >> Sure. How about this, then. > > > > --8<--------------------------cut here-------------------------->8-- > > > > From: Ben Pfaff <b...@nicira.com> > > Date: Wed, 25 Sep 2013 15:56:21 -0700 > > Subject: [PATCH] FAQ: Explain why allowing only IP traffic breaks IP > > connectivity. > > > > Signed-off-by: Ben Pfaff <b...@nicira.com> > > --- > > FAQ | 35 +++++++++++++++++++++++++++++++++++ > > 1 file changed, 35 insertions(+) > > > > diff --git a/FAQ b/FAQ > > index 5744d5a..ae053ae 100644 > > --- a/FAQ > > +++ b/FAQ 
> > @@ -1299,6 +1299,41 @@ A: Yes, OpenFlow requires a switch to ignore > > attempts to send a packet > > 2,3,4,5,6,\ > > pop:NXM_OF_IN_PORT[] > > > > +Q: My bridge br0 has host 192.168.0.1 on port 1 and host 192.168.0.2 > > + on port 2. I set up flows to forward only traffic destined to the > > + other host and drop other traffic, like this: > > + > > + priority=5,in_port=1,ip,nw_dst=192.168.0.2,actions=2 > > + priority=5,in_port=2,ip,nw_dst=192.168.0.1,actions=1 > > + priority=0,actions=drop > > + > > + But it doesn't work--I don't get any connectivity when I do this. > > + Why? > > + > > +A: These flows drop the ARP packets that IP hosts use to establish IP > > + connectivity over Ethernet. To solve the problem, add flows to > > + allow ARP to pass between the hosts: > > + > > + priority=5,in_port=1,arp,actions=2 > > + priority=5,in_port=2,arp,actions=1 > > + > > + This issue can manifest other ways, too. The following flows that > > + match on Ethernet addresses instead of IP addresses will also drop > > + ARP packets, because ARP requests are broadcast instead of being > > + directed to a specific host: > > + > > + priority=5,in_port=1,dl_dst=54:00:00:00:00:02,actions=2 > > + priority=5,in_port=2,dl_dst=54:00:00:00:00:01,actions=1 > > + priority=0,actions=drop > > + > > + The solution already described above will also work in this case. > > + It may be better to add flows to allow all multicast and broadcast > > + traffic: > > + > > + > > priority=5,in_port=1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,actions=2 > > + > > priority=5,in_port=2,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00,actions=1 > > + > > + This > > except the last one line, which have extra spurious word "This",
Oops. Fixed.

> ack for the rest.
>
> Acked-by: pritesh <pritesh.koth...@cisco.com>

Thanks, applied.
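
Review bot: In the last paragraph of the added answer, "It may be better to add flows to allow all multicast and broadcast traffic" gives no reason, and it does not say that the dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 flows pass every frame with the group bit set, not just ARP. That is considerably wider than the question's stated goal of forwarding only traffic destined to the other host and dropping the rest. Suggest saying when the broader match is preferable and noting that the arp-only flows are the narrower fix. It would also help to state that the added flows are installed alongside the original priority=5 flows and the priority=0,actions=drop flow, since the answer lists them in isolation.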