Hi John, Yes, the port security should be off, otherwise no packet will go through the ports. I double checked my setup, no port security is set to any ports, I also checked the code of ovn-docker-overlay-driver, there is no "lsp-set-port-security" used either in version 2.6.1 or master branch.
Basically what I want to achieve is that: Initially message is from node A to node C, but I want the message to be processed by node B then sent to C. For example: a message "1234" is sent from A to C, C receives "1234". But I want the message pass to B first, B adds "56-edited by B" to the message, then C will receive the message "123456-edited by B". Regards, Jason On 7 February 2017 at 21:27, John McDowall <jmcdow...@paloaltonetworks.com> wrote: > Jason, > > > > It is usually set by default so it should return something – it has to be > off for VNF ports though. What are you using for a VNF? > > > > I have used the docker-overlay driver and it did work – but not recently. > > > > Regards > > > > John > > > > *From: *Shuaijun Zhang <szh...@research.ait.ie> > *Date: *Tuesday, February 7, 2017 at 1:22 PM > *To: *John McDowall <jmcdow...@paloaltonetworks.com> > *Cc: *"fla...@flaviof.com" <fla...@flaviof.com>, "ovs-dev@openvswitch.org" > <ovs-dev@openvswitch.org> > > *Subject: *Re: [ovs-dev] SFC patches for OVN > > > > Hi John, > > > > port-security isn't set for any port, "ovn-nbctl lsp-get-port-security > PORTS" returns nothing. > > Do I need to turn it on for all the VNF ports? > > > > Thanks, > > Jason > > > > On 7 February 2017 at 20:51, John McDowall <jmcdow...@paloaltonetworks.com> > wrote: > > Jason, > > > > Did you turn off port-security for the VNF ports? > > > > Regards > > > > John > > > > *From: *Shuaijun Zhang <szh...@research.ait.ie> > *Date: *Tuesday, February 7, 2017 at 12:48 PM > *To: *John McDowall <jmcdow...@paloaltonetworks.com>, "fla...@flaviof.com" > <fla...@flaviof.com> > *Cc: *"ovs-dev@openvswitch.org" <ovs-dev@openvswitch.org> > *Subject: *Re: [ovs-dev] SFC patches for OVN > > > > Hi John, Flavio, > > > > I have applied the patches and tried it by following the demo (by > Flavio) in the video below: > > https://www.youtube.com/watch?v=PUZzhRxc6iA > <https://urldefense.proofpoint.com/v2/url?u=https-3A__www.youtube.com_watch-3Fv-3DPUZzhRxc6iA&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=s87TOhGERTLi6KqWA4YqAE0g7VZUixH4B_iVh737Yxw&s=TAphJtiHLTXpDwCm-ZslrqDvvkGydXkW39KBGGVJWKo&e=> > > > > There is a problem is in my test: the ping message doesn't get replied. > > > > In the demo, I see that when computer_1 ping computer_2, > > you can see the message reaches the ports in the computer_3 > > and computer_1 can receive the reply. > > But in my test, message can reach to the ports (port pairs) in computer_3 > too, > > but computer_1 *doesn't *receive the reply. > > > > The difference between my setup and the demo is that > > I used ovn-docker-overlay-driver to create/bind the ports, > > and the demo may use script (vagrant) to create/bind ports > > > > Steps in my setup: > > 1. setup the ovn+docker environment by https://github.com/ > openvswitch/ovs/blob/master/Documentation/howto/docker.rst > <https://urldefense.proofpoint.com/v2/url?u=https-3A__github.com_openvswitch_ovs_blob_master_Documentation_howto_docker.rst&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=s87TOhGERTLi6KqWA4YqAE0g7VZUixH4B_iVh737Yxw&s=SHGJ0-5GFfl0GzF8Q_F4SxKpkC7FEwWadV24v_K1wdk&e=> > > 2. create 7 containers on 4 hosts (c1 on host1, c2 on host2, c3 on > host3, > > c4/c5/c6/c7 on host4), each container has one port bound. e.g. p1 on c1, > p2 on c2 ... > > 3. Then I create pair ports, port groups, etc. same as in the demo. > (p4 is the vnfa in the demo, > > p5 & p6 are the vnfb in the demo, p7 is vnfc). I can see that the *"ovn-sbctl > dump-flows" gives * > > *same rules as in the demo, ovn-trace results same as in the demo* > > 4. Then ping from c1 to c2, the message shows in c4 (port pair > "vnfa"), *but c2 * > > *doesn't receive the ping msg, and c1 doesn't receive the reply*. (I used > "tcpdump" > > to monitor the eth interfaces) > > > > Do you have any idea about this problem? > > > > @Flavio, There may be something missing in my setup. So can I have the > script you used in the demo to repeat your setup, if appropriate. Please. > > > > Thank you, > > Jason > > > > > > On 3 February 2017 at 20:58, John McDowall <jmcdow...@paloaltonetworks.com> > wrote: > > Jason, > > I checked it against top of the git tree. So just download the patch and > clone the lastest and then > > $ git apply –directory=ovn <patch> > > If you have any questions/feedback let me know. > > Regards > > John > > _______________________________________________ > dev mailing list > d...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > <https://urldefense.proofpoint.com/v2/url?u=https-3A__mail.openvswitch.org_mailman_listinfo_ovs-2Ddev&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=s87TOhGERTLi6KqWA4YqAE0g7VZUixH4B_iVh737Yxw&s=Fq8yDdsY-uYJ5RNltm7eW3zcgU5lQnukR-xj5WRVHJI&e=> > > > > > > -- > > Shuaijun (Jason) Zhang > Senior Research Engineer > Software Research Institute, > Athlone Institute of Technology, IE > Tel: +353 90 646 8196 <+353%2090%20646%208196> > http://www.ait.ie/sri/ > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ait.ie_sri_&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=s87TOhGERTLi6KqWA4YqAE0g7VZUixH4B_iVh737Yxw&s=wXWts8zZeenowDVki0tfL2yzp_sNh9a_bWXWWNrXWCk&e=> > > > > > > -- > > Shuaijun (Jason) Zhang > Senior Research Engineer > Software Research Institute, > Athlone Institute of Technology, IE > Tel: +353 90 646 8196 <+353%2090%20646%208196> > http://www.ait.ie/sri/ > <https://urldefense.proofpoint.com/v2/url?u=http-3A__www.ait.ie_sri_&d=DwMFaQ&c=V9IgWpI5PvzTw83UyHGVSoW3Uc1MFWe5J8PTfkrzVSo&r=vZ6VUDaavDpfOdPQrz1ED54jEjvAE36A8TVJroVlrOQ&m=viM00_PyzWfWc96-9VS83JWmc96UPh0Ed1m__tV1M_E&s=d8Rp7TNzzDB9uDPHQ6seDgPiBgoK6ruuFAHcLTaQaoA&e=> > -- Shuaijun (Jason) Zhang Senior Research Engineer Software Research Institute, Athlone Institute of Technology, IE Tel: +353 90 646 8196 http://www.ait.ie/sri/ _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev