On 23 October 2015 at 12:24, Ashwin Paranjpe <ashwin1...@gmail.com> wrote:
> Trying to execute the following commands (source: ovs-ofctl man page,
> utilities/ovs-ofctl.8.in):
>
>> The following flows provide an example of how to implement a simple
>> firewall that allows new connections from port 1 to port 2, and only allows
>> established connections to send traffic from port 2 to port 1:
>>
>> table=0,priority=1,action=drop
>> table=0,priority=10,arp,action=normal
>> table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)
>> table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2
>> table=1,in_port=1,ip,ct_state=+trk+est,action=2
>> table=1,in_port=2,ip,ct_state=+trk+new,action=drop
>> table=1,in_port=2,ip,ct_state=+trk+est,action=1
>
> However, I see the following errors:
>
> [root@PC ~]# ovs-ofctl del-flows br-int
> [root@PC ~]# ovs-ofctl dump-flows br-int
> NXST_FLOW reply (xid=0x4):
> [root@PC ~]# ovs-ofctl add-flow br-int "table=0,priority=1,action=drop"
> [root@PC ~]# ovs-ofctl add-flow br-int "table=0,priority=10,arp,action=normal"
> [root@PC ~]# ovs-ofctl add-flow br-int "table=0,priority=100,ip,ct_state=-trk,action=ct(table=1)"
> [root@PC ~]# *ovs-ofctl add-flow br-int "table=1,in_port=1,ip,ct_state=+trk+new,action=ct(commit),2"*
> *OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD*
> NXT_FLOW_MOD (xid=0x6):
> (***truncated to 64 bytes from 104***)
> 00000000 01 04 00 68 00 00 00 06-00 00 23 20 00 00 00 0d |...h......# ....|
> 00000010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 |................|
> 00000020 ff ff ff ff ff ff 00 00-00 18 00 00 00 00 00 00 |................|
> 00000030 00 00 00 02 00 01 00 00-06 02 08 00 00 01 d3 08 |................|
> [root@PC ~]#
>
> Note that the nf_conntrack_* modules are loaded:
>
>> [root@PC ~]# lsmod | grep "^nf_conn*"
>> ... snip ...
>> nf_conntrack_ipv4 10289 4
>> nf_conntrack_ipv6 10595 3
>
> Version Info:
>
>> [root@PC ~]# ovs-ofctl --version
>> ovs-ofctl (Open vSwitch) 2.4.90
>> Compiled Oct 21 2015 13:30:44
>> OpenFlow versions 0x1:0x4
>> [root@PC ~]#
>
> It appears that any ct_state flag with a '+' prepended to it doesn't work.
> Is this a known issue? Are there any workarounds at the moment?
It looks like your OVS kernel module doesn't support connection tracking. In this case, ovs-ofctl reports back a BAD_FIELD error. If you want to use this feature at the moment, you need to get the latest "net" development kernel and use the OVS kernel module from there.
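The practical consequence of the reply is that the failure surfaces only at the fourth flow, after three flows have already been installed, so a script that loads the man-page firewall blindly leaves the bridge half-configured (table 0 steering all IP traffic into an empty table 1). The script below is an added example, not code from this thread or from the Open vSwitch project: it first installs a single throwaway flow with a ct_state match in an otherwise unused table and classifies the result, and only installs the firewall when that probe is accepted. The bridge name is taken from an OVS_BRIDGE environment variable, table 250 for the probe and the verdict names (ok, ct-unsupported, switch-error, ofctl-error) are this example's own conventions, and the classification of OFPBMC_BAD_FIELD as "no conntrack in the datapath" rests on the symptom reported above. Nothing touches a switch unless OVS_BRIDGE is set, and the ovs-ofctl calls need root.

```shell
#!/bin/sh
# Added example, not from the thread or the OVS project.
# Probe an OVS bridge for connection-tracking support before loading the
# ct_state-based firewall from the ovs-ofctl man page.
# Assumptions: bridge name in $OVS_BRIDGE, table 250 free for the probe.

# Map the combined stdout/stderr of a probe `ovs-ofctl add-flow` to a verdict:
#   ok             - flow accepted (ovs-ofctl prints nothing)
#   ct-unsupported - switch answered OFPBMC_BAD_FIELD, the symptom reported in
#                    this thread when the datapath lacks conntrack
#   switch-error   - some other OpenFlow error came back from the switch
#   ofctl-error    - ovs-ofctl itself refused the flow (e.g. could not parse it)
ct_probe_verdict() {
    out=$1
    case "$out" in
        "")                 echo ok ;;
        *OFPBMC_BAD_FIELD*) echo ct-unsupported ;;
        *OFPT_ERROR*)       echo switch-error ;;
        *)                  echo ofctl-error ;;
    esac
}

# Send one harmless ct_state flow (priority 0, drop, unused table 250) and
# classify the answer. Removes the probe flow again when it was accepted.
probe_ct() {
    br=$1
    probe="table=250,priority=0,ip,ct_state=+trk,actions=drop"
    out=$(ovs-ofctl add-flow "$br" "$probe" 2>&1) || true
    verdict=$(ct_probe_verdict "$out")
    if [ "$verdict" = ok ]; then
        ovs-ofctl del-flows "$br" "table=250" >/dev/null 2>&1
    fi
    echo "$verdict"
}

# Load the man-page firewall from a single flow file with add-flows, so the
# rule set can be reviewed as one unit and re-applied after del-flows.
# Port 1 may open new connections to port 2; port 2 may only reply.
install_ct_firewall() {
    br=$1
    tmp=$(mktemp) || return 1
    cat >"$tmp" <<'EOF'
table=0,priority=1,actions=drop
table=0,priority=10,arp,actions=normal
table=0,priority=100,ip,ct_state=-trk,actions=ct(table=1)
table=1,in_port=1,ip,ct_state=+trk+new,actions=ct(commit),2
table=1,in_port=1,ip,ct_state=+trk+est,actions=2
table=1,in_port=2,ip,ct_state=+trk+new,actions=drop
table=1,in_port=2,ip,ct_state=+trk+est,actions=1
EOF
    ovs-ofctl add-flows "$br" "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Only act on a real switch when the caller names a bridge.
if [ -n "${OVS_BRIDGE:-}" ]; then
    verdict=$(probe_ct "$OVS_BRIDGE")
    if [ "$verdict" = ok ]; then
        install_ct_firewall "$OVS_BRIDGE" && ovs-ofctl dump-flows "$OVS_BRIDGE"
    else
        echo "conntrack probe on $OVS_BRIDGE: $verdict; firewall not installed" >&2
        exit 1
    fi
fi
```

Run it as `OVS_BRIDGE=br-int sh ct-firewall.sh`. On the setup in the question the probe returns ct-unsupported and nothing is installed, which is preferable to the half-loaded state shown above; once the datapath supports conntrack the probe flow is accepted, removed, and the seven firewall flows are loaded from one file.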