OK. So it seems that MAC learning entries are expiring in cases where we expect them to persist. I can look into that, if you can give me some more details; to start, the version of OVS involved. (I think that you might have already given detail to our support team in parallel; I'm trying to find out how I get direct access to that information.)
Let me reiterate that the "normal" action isn't an effective way to enforce ACLs. Nevertheless, there appears to be a bug that I should investigate here.

Thanks,

Ben.

On Thu, Dec 22, 2011 at 06:35:50PM +0000, Mike Bursell wrote:
> I believe that there is nothing else going on at all.
>
> The CLI tools were used to construct the rules: no DVSC in play.
>
> -Mike.
> --
> Mike Bursell.
>
> Ben Pfaff <b...@nicira.com> wrote:
>
> On Thu, Dec 22, 2011 at 04:35:45PM +0000, Mike Bursell wrote:
> > We've discovered what we suspect is a bug, and are looking for
> > thoughts, please!
> >
> > Observed behaviour:
> > - Continuous pings being sent from laptop to vm1
> > - vm2 is quiescent
> > - Intermittently, the response to a ping from laptop is seen on vm2
>
> Is anything else going on? Certain kinds of changes to a bridge
> (adding and removing ports, etc.) can cause the MAC learning table, or
> particular entries in it, to be flushed. If VMs are being brought up
> or down, VLANs being created or destroyed, etc., one might expect to
> see a need to re-learn MAC addresses immediately after those events.
>
> I have not carefully looked over your flow table. Is this flow table
> constructed by hand, generated by DVS, or generated by some other
> controller? I ask because the "normal" action may not be an effective
> way to enforce ACLs--it is an implementation of a MAC learning switch,
> which is not itself an effective way to enforce ACLs--so I wonder what
> assumptions lie behind this flow table construction.
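Added example, not part of the original thread and not OVS code: a minimal model of a MAC learning switch, showing why a unicast reply reaches a third port once the destination's learned entry has aged out or been flushed. The port numbers, MAC addresses and aging time are constructed values, and the model ignores VLANs and flow-table rules.

```python
# Added illustration: a minimal MAC learning switch (not OVS code).
# Port numbers, MAC addresses and the aging time are constructed values.

class LearningSwitch:
    def __init__(self, ports, aging_time):
        self.ports = set(ports)
        self.aging_time = aging_time
        self.table = {}  # MAC -> (port, time last seen as a source)

    def flush(self):
        """Drop all learned entries, as a bridge reconfiguration can."""
        self.table.clear()

    def forward(self, now, in_port, src, dst):
        """Learn src, then return the set of ports the frame is sent to."""
        self.table[src] = (in_port, now)
        entry = self.table.get(dst)
        if entry is not None and now - entry[1] >= self.aging_time:
            del self.table[dst]            # destination entry aged out
            entry = None
        if entry is None:
            return self.ports - {in_port}  # unknown destination: flood
        return {entry[0]} - {in_port}      # known destination: one port


LAPTOP, VM1, VM2 = "aa:00:00:00:00:01", "aa:00:00:00:00:02", "aa:00:00:00:00:03"
PORT = {LAPTOP: 1, VM1: 2, VM2: 3}


def ports_seeing_reply(sw, now):
    """vm1 answers the laptop; return the ports that receive the reply."""
    return sw.forward(now, PORT[VM1], VM1, LAPTOP)


def demo():
    sw = LearningSwitch(ports=PORT.values(), aging_time=300)
    results = {}
    sw.forward(0, PORT[LAPTOP], LAPTOP, VM1)           # request teaches laptop's port
    results["learned"] = ports_seeing_reply(sw, 1)     # reply goes to laptop only
    results["aged_out"] = ports_seeing_reply(sw, 400)  # laptop entry expired: flood
    sw.forward(401, PORT[LAPTOP], LAPTOP, VM1)         # laptop re-learned
    sw.flush()                                         # e.g. a port was added/removed
    results["flushed"] = ports_seeing_reply(sw, 402)   # flood again
    return results


if __name__ == "__main__":
    for case, ports in demo().items():
        print(case, sorted(ports))
```

In both the aged-out and flushed cases port 3 (vm2) receives the reply, which is why forwarding by MAC learning alone does not isolate hosts from each other's traffic.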