On Feb 11, 2010, at 8:12 PM, Todd Deshane wrote:

> Adding tcp and udp made the port numbers show up, which is helpful and
> allowed me to debug some more. I had to allow dns over 5353, as those
> flows were being deleted.
The reason the port numbers weren't showing up before was that the flows you were adding weren't fully specified. To the program, it looked like you were saying add a flow about port 22, but it doesn't know if you're talking about TCP or UDP, or even an IP-based packet. That's why you needed to specify "tcp" or "udp". That command should really print a warning when a field is specified that is just going to be ignored. We've all been burned by it (well, probably not Ben).

> I can still connect out on SSH and ping, so I don't think enough is
> being blocked and/or I am still allowing too much through, but I can
> try to pin down the problem and debug some more tomorrow.
>
> Here is my current ovs-ofctl dump-flows externalbr
>
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, arp,dl_dst=52:54:00:aa:bb:cc,tp_src=0,tp_dst=0,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, arp,dl_src=52:54:00:aa:bb:cc,tp_src=0,tp_dst=0,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_dst=52:54:00:aa:bb:cc,tp_dst=68,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_src=52:54:00:aa:bb:cc,tp_dst=67,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_dst=52:54:00:aa:bb:cc,tp_src=5353,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_src=52:54:00:aa:bb:cc,tp_dst=5353,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_dst=52:54:00:aa:bb:cc,tp_src=53,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, udp,dl_src=52:54:00:aa:bb:cc,tp_dst=53,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, tcp,dl_dst=52:54:00:aa:bb:cc,tp_src=80,actions=NORMAL
> duration=4s, table_id=1, priority=32768, n_packets=0, n_bytes=0, tcp,dl_src=52:54:00:aa:bb:cc,tp_dst=80,actions=NORMAL

Those flow entries all look reasonable to me. I don't see anything that would allow SSH or ICMP. Are you sure that you have the correct datapath configured? I notice all those packet and byte counters are zero. Can you try running some of your traffic and then seeing which counters increment?

You also may want to look at the "ovs-dpctl dump-flows" command. This will show you what traffic the kernel is actually seeing. If you're running your SSH traffic and don't see an entry from ovs-dpctl, then you're definitely looking at the wrong datapath. (Keep in mind that the datapath is just a flow cache, so if a flow is idle for five seconds, it will be evicted from the kernel.)

--Justin

_______________________________________________
discuss mailing list
discuss@openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss_openvswitch.org
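The "warn when a field is just going to be ignored" check that the reply wishes ovs-ofctl had, written out as a small stand-alone linter. This is an added example, not code from the thread or from Open vSwitch: the prerequisite table is this example's own model of the OpenFlow/OVS match rules (a tp_src/tp_dst match only takes effect once nw_proto is pinned to TCP or UDP, and nw_* fields only once dl_type selects IP or ARP), it covers only the fields that appear in the thread, and the function names parse_flow, lint_flow and lint_all are hypothetical. It goes slightly beyond the port-22 case in the reply by also flagging an nw_dst match that lacks an "ip" or "arp" keyword. The sample flows are constructed from the dump above.

```python
"""Lint ovs-ofctl flow specs for match fields that would be silently ignored.

Added example; not code from the OVS mailing-list thread or from Open vSwitch.
The prerequisite table is this example's own model of the match rules the
reply describes and covers only the fields used in the thread (assumption).
"""

# Shorthand keywords accepted by ovs-ofctl and the fields they imply.
SHORTHANDS = {
    "ip":   {"dl_type": 0x0800},
    "arp":  {"dl_type": 0x0806},
    "icmp": {"dl_type": 0x0800, "nw_proto": 1},
    "tcp":  {"dl_type": 0x0800, "nw_proto": 6},
    "udp":  {"dl_type": 0x0800, "nw_proto": 17},
}

# Fields whose values are numbers; stored as ints so 0x800 == 0x0800.
NUMERIC_FIELDS = {"dl_type", "nw_proto", "tp_src", "tp_dst", "in_port", "priority"}


def _is_ip_or_arp(match):
    return match.get("dl_type") in (0x0800, 0x0806)


def _is_ip(match):
    return match.get("dl_type") == 0x0800


def _is_tcp_or_udp(match):
    return _is_ip(match) and match.get("nw_proto") in (6, 17)


# field -> (prerequisite predicate over the parsed match, reason shown to the user)
PREREQS = {
    "nw_src":   (_is_ip_or_arp,  "needs ip or arp"),
    "nw_dst":   (_is_ip_or_arp,  "needs ip or arp"),
    "nw_proto": (_is_ip_or_arp,  "needs ip or arp"),
    "nw_tos":   (_is_ip,         "needs ip"),
    "tp_src":   (_is_tcp_or_udp, "needs tcp or udp"),
    "tp_dst":   (_is_tcp_or_udp, "needs tcp or udp"),
}


def parse_flow(spec):
    """Split an ovs-ofctl flow string into (match dict, actions string).

    Shorthand keywords are expanded into the fields they imply. The order of
    tokens does not matter: "tp_dst=22,tcp" and "tcp,tp_dst=22" parse the same.
    """
    match_part, _, actions = spec.partition("actions=")
    match = {}
    for tok in (t.strip() for t in match_part.split(",")):
        if not tok:
            continue
        if "=" in tok:
            key, value = tok.split("=", 1)
            match[key] = int(value, 0) if key in NUMERIC_FIELDS else value
        elif tok in SHORTHANDS:
            match.update(SHORTHANDS[tok])
        else:
            raise ValueError("unknown keyword: %r" % tok)
    return match, actions.strip()


def lint_flow(spec):
    """Return one warning per match field whose prerequisite is not met.

    Such a field is exactly the "port 22 without tcp or udp" case from the
    thread: the switch cannot apply it, so the match is wider than intended.
    """
    match, _ = parse_flow(spec)
    warnings = []
    for field, value in match.items():
        if field in PREREQS:
            satisfied, reason = PREREQS[field]
            if not satisfied(match):
                warnings.append("%s=%s ignored: %s" % (field, value, reason))
    return warnings


def lint_all(flows):
    """Map each flow spec to its list of warnings (empty list means clean)."""
    return {flow: lint_flow(flow) for flow in flows}


# Constructed samples: the under-specified form that bit the original poster,
# and fully specified forms taken from the dump-flows output in the thread.
SAMPLE_FLOWS = [
    "dl_dst=52:54:00:aa:bb:cc,tp_dst=22,actions=drop",          # port ignored
    "ip,dl_dst=52:54:00:aa:bb:cc,tp_dst=22,actions=drop",       # still no protocol
    "tcp,dl_dst=52:54:00:aa:bb:cc,tp_dst=22,actions=drop",      # fully specified
    "udp,dl_src=52:54:00:aa:bb:cc,tp_dst=5353,actions=NORMAL",  # fully specified
    "nw_dst=10.0.0.5,actions=NORMAL",                           # nw_dst ignored
]

if __name__ == "__main__":
    for flow, warns in lint_all(SAMPLE_FLOWS).items():
        print(flow)
        for warning in warns:
            print("  warning:", warning)
```

Run it on a flow file before handing the rules to ovs-ofctl; any flow that comes back with a warning is matching more traffic than its author meant it to, which is the failure mode behind the "SSH still gets through" symptom in the thread.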