Hi,

I have been playing about with ovs-conntrack and noticed an issue that could be a bug. Either that or my understanding is incorrect, and I would appreciate clarification.

When we add a rule with a ct(recirc) action I notice that the call to Conntrack is always the first action in the kernel rule that is created. In ofproto-dpif-xlate.c a call to compose_conntrack_action() will append a nl_msg for this action, then call recirculate, which uses commit_odp_actions() to add messages for previous actions before adding its own recirc action to the kernel rule action list.

However, I have also noticed that when a push mpls action is added, this commit_odp_actions() function is also called, which can affect the tuples sent to nf_conntrack.

E.g. adding the rule:

    ovs-ofctl add-flow br0 "conn_state=-trk,action=set_field:1.2.3.4->nw_dst,ct(recirc)"

will result in a kernel rule with actions of order 'ct, set dst ip, recirc', and the sk_buff sent to nf_conntrack_in will have the source and destination IP addresses of the matching packet.

Adding the rule:

    ovs-ofctl add-flow br0 "conn_state=-trk,action=set_field:1.2.3.4->nw_dst,push_mpls:0x8847,ct(recirc)"

will have actions ordered 'set dst ip, ct, push mpls, recirc', and the destination IP sent into nf_conntrack will be 1.2.3.4.

Can you clarify if this discrepancy is a bug? Also, can you clarify what is the correct way ovs should support Conntrack in an action list? For example, in the first rule, is it correct that Conntrack should be applied on the input packet tuples, or should the set field be applied before Conntrack as it appears before it in the ovs-ofctl rule?

Thanks,
John
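
Added example, not part of the original post and not OVS code: a simplified Python model of the deferred-commit behaviour the post describes, reproducing both reported kernel action orders and the tuple conntrack would see, plus a check that flags a rewrite deferred past ct. The action names, the helper functions and the sample packet addresses 10.0.0.1 and 10.0.0.2 are assumptions made for illustration.

```python
# Simplified model of the translation described in the post (an assumption
# for illustration, not code from ofproto-dpif-xlate.c).

def translate(of_actions):
    """Turn OpenFlow actions into the ordered datapath action list."""
    dp, pending = [], []

    def commit():
        # Stands in for commit_odp_actions(): flush deferred changes.
        dp.extend(pending)
        pending.clear()

    for act in of_actions:
        if act[0] == "set_nw_dst":
            pending.append(act)        # header rewrite is deferred
        elif act[0] == "push_mpls":
            commit()                   # flushes earlier rewrites first
            pending.append(act)        # the push itself is deferred
        elif act[0] == "ct_recirc":
            dp.append(("ct",))         # ct is appended before the commit
            commit()
            dp.append(("recirc",))
    return dp

def ct_tuple(dp_actions, packet):
    """Return the (src, dst) the packet carries when it reaches ct."""
    pkt = dict(packet)
    for act in dp_actions:
        if act[0] == "set_nw_dst":
            pkt["nw_dst"] = act[1]
        elif act[0] == "ct":
            return pkt["nw_src"], pkt["nw_dst"]
    return None

def rewrite_deferred_past_ct(of_actions):
    """True if a rewrite listed before ct lands after it in the datapath."""
    of = [a[0] for a in of_actions]
    dp = [a[0] for a in translate(of_actions)]
    if "set_nw_dst" not in of or "ct_recirc" not in of:
        return False
    return (of.index("set_nw_dst") < of.index("ct_recirc")
            and dp.index("set_nw_dst") > dp.index("ct"))

# Constructed inputs: the two rules from the post and a sample packet.
RULE1 = [("set_nw_dst", "1.2.3.4"), ("ct_recirc",)]
RULE2 = [("set_nw_dst", "1.2.3.4"), ("push_mpls", "0x8847"), ("ct_recirc",)]
PKT = {"nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}

for rule in (RULE1, RULE2):
    print([a[0] for a in translate(rule)], ct_tuple(translate(rule), PKT))
```

In this model only the first rule is flagged: conntrack sees the original destination even though the rewrite is listed first, so any connection state or policy keyed on the rewritten address would not match.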
