Hi,

A few comments in-line.

On 27/11/2018 13:20, 张萌 wrote:
> Hi,
>
> I'm using "ovs-appctl ofproto/trace" to trace the flows in ovs-dpdk.
>
> When integrated with conntrack, the ovs rule ended in the table=10,
> which will record the ct as the following flow:
>
> -------------------------------------------------------------------------------------------------------------------------------------
> [root@zm ~]# ovs-ofctl dump-flows br0 -O openflow15 table=10
> OFPST_FLOW reply (OF1.5) (xid=0x2):
>  cookie=0x156ad2f7efd2d389, duration=15058.242s, table=10, n_packets=0, n_bytes=0, priority=3000,ip,nw_frag=later actions=goto_table:20
>  cookie=0x156ad2f7efd2d333, duration=15058.249s, table=10, n_packets=737, n_bytes=72226, priority=2000,icmp actions=ct(table=15,zone=NXM_NX_REG6[0..15])
>  cookie=0x156ad2f7efd2d337, duration=15058.249s, table=10, n_packets=4992, n_bytes=380540, priority=2000,udp actions=ct(table=15,zone=NXM_NX_REG6[0..15])
>  cookie=0x156ad2f7efd2d367, duration=15058.245s, table=10, n_packets=2028037440, n_bytes=183176086711, priority=2000,tcp actions=ct(table=15,zone=NXM_NX_REG6[0..15])
> -------------------------------------------------------------------------------------------------------------------------------------
>
> And when I mock a packet using ofproto/trace, ovs recorded the
> conntrack, and prints:
>
> -------------------------------------------------------------------------------------------------------------------------------------
> [root@ zm ~]# ovs-appctl ofproto/trace br0 tcp,in_port=25,nw_dst=172.19.11.6,tp_dst=320,dl_dst=fa:16:3e:03:39:5f,dl_src=fa:16:3e:e5:cb:2c
>
> Flow: tcp,in_port=25,vlan_tci=0x0000,dl_src=fa:16:3e:e5:cb:2c,dl_dst=fa:16:3e:03:39:5f,nw_src=0.0.0.0,nw_dst=172.19.11.6,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=320,tcp_flags=0
>
> bridge("br0")
> -------------
>  0. in_port=25, priority 100, cookie 0x156ad2f7efd2d4fb
>     set_field:0x29->reg5
>     set_field:0x19->reg6
>     write_metadata:0x2900000001
>     goto_table:5
>  5. ip,in_port=25,dl_src=fa:16:3e:e5:cb:2c, priority 100, cookie 0x156ad2f7efd2d51f
>     goto_table:10
> 10. tcp, priority 2000, cookie 0x156ad2f7efd2d367
>     ct(table=15,zone=NXM_NX_REG6[0..15])
>     drop
>
> Final flow: tcp,reg5=0x29,reg6=0x19,metadata=0x2900000001,in_port=25,vlan_tci=0x0000,dl_src=fa:16:3e:e5:cb:2c,dl_dst=fa:16:3e:03:39:5f,nw_src=0.0.0.0,nw_dst=172.19.11.6,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=320,tcp_flags=0
> Megaflow: recirc_id=0,tcp,in_port=25,dl_src=fa:16:3e:e5:cb:2c,nw_dst=172.0.0.0/6,nw_frag=no
> Datapath actions: ct(zone=25),recirc(0x4123)
> -------------------------------------------------------------------------------------------------------------------------------------
>
> But when I set the recirc_id in the flow, ovs puts:
>
> -------------------------------------------------------------------------------------------------------------------------------------
> [root@zm ~]# ovs-appctl ofproto/trace br0 recirc_id=0x4123,ct_state=new,tcp,in_port=25,nw_dst=172.19.11.6,tp_dst=320,dl_dst=fa:16:3e:03:39:5f,dl_src=fa:16:3e:e5:cb:2c
>
> Flow: recirc_id=0x4123,ct_state=new,tcp,in_port=25,vlan_tci=0x0000,dl_src=fa:16:3e:e5:cb:2c,dl_dst=fa:16:3e:03:39:5f,nw_src=0.0.0.0,nw_dst=172.19.11.6,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=320,tcp_flags=0
>
> bridge("br0")
> -------------
> >>>> Recirculation context not found for ID 4123 <<<<
>
> Final flow: unchanged
> Megaflow: recirc_id=0x4123,ip,in_port=25,nw_frag=no
> Datapath actions: drop
> Translation failed (No recirculation context), packet is dropped.

I believe you're getting the above message because by the time you issue the command the re-circulation context is already gone.

> -------------------------------------------------------------------------------------------------------------------------------------
>
> And when I dump the conntracks in ovs:
>
> -------------------------------------------------------------------------------------------------------------------------------------
> [root@A04-R08-I137-204-9320C72 ~]# ovs-dpctl dump-conntrack ovs-netdev
> 2018-11-27T05:01:30Z|00001|dpif_netlink|WARN|Generic Netlink family 'ovs_datapath' does not exist. The Open vSwitch kernel module is probably not loaded.
> ovs-dpctl: opening datapath (No such file or directory)

Use the one below instead. That should give you more information:

$ ovs-appctl dpctl/dump-conntrack

> -------------------------------------------------------------------------------------------------------------------------------------
>
> Can anyone tell how to mock a packet that can pass the ct in dpdk-ovs?

What are you trying to do? Your first mocked packet above is already passing into the ct() action and being dropped.

Your flow above:

> priority=2000,tcp actions=ct(table=15,zone=NXM_NX_REG6[0..15])

Is saying that the traffic, in order to be allowed in, must match the zone defined in "NXM_NX_REG6[0..15]" (according to ofproto/trace that seems to be 25). Is reg6 being set to 25 beforehand?

The following guide is a good one to get started on such issues:
https://docs.openstack.org/neutron/pike/contributor/internals/openvswitch_firewall.html#rules-example-with-explanation

Hope this helps,
Tiago.
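An added illustration, not part of the original thread and not OVS project code: a small Python parser for ofproto/trace text like the outputs quoted above. It computes the ct zone from the register bit range named in the ct() action, compares it with the zone in "Datapath actions", and extracts the recirculation ID from a failed trace. The function names and the trimmed sample are constructed for this example.

```python
import re

# Constructed sample: the relevant lines of the first ofproto/trace output quoted above.
TRACE = """\
bridge("br0")
-------------
 0. in_port=25, priority 100, cookie 0x156ad2f7efd2d4fb
    set_field:0x29->reg5
    set_field:0x19->reg6
    write_metadata:0x2900000001
    goto_table:5
10. tcp, priority 2000, cookie 0x156ad2f7efd2d367
    ct(table=15,zone=NXM_NX_REG6[0..15])
    drop

Datapath actions: ct(zone=25),recirc(0x4123)
"""

# Line from the second trace, where recirc_id=0x4123 was supplied by hand.
FAILED = ">>>> Recirculation context not found for ID 4123 <<<<"


def summarize_ct(trace):
    """Relate the register-sourced ct() zone to the zone given to the datapath."""
    # Last value written to each register by set_field actions in the trace.
    regs = {}
    for val, reg in re.findall(r"set_field:(0x[0-9a-fA-F]+|\d+)->reg(\d+)", trace):
        regs[int(reg)] = int(val, 0)
    # ct() action whose zone is read from a register bit range.
    m = re.search(r"ct\(table=(\d+),zone=NXM_NX_REG(\d+)\[(\d+)\.\.(\d+)\]\)", trace)
    # Zone and recirculation ID as they appear in the datapath actions.
    d = re.search(r"Datapath actions:.*?ct\(zone=(\d+)\),recirc\((0x[0-9a-fA-F]+)\)", trace)
    if not (m and d):
        return None
    table, reg, lo, hi = map(int, m.groups())
    of_zone = (regs.get(reg, 0) >> lo) & ((1 << (hi - lo + 1)) - 1)
    dp_zone, recirc = int(d.group(1)), int(d.group(2), 16)
    return {"next_table": table, "of_zone": of_zone, "dp_zone": dp_zone,
            "recirc_id": recirc, "consistent": of_zone == dp_zone}


def missing_recirc_id(trace):
    """Return the recirculation ID the trace could not resolve, or None."""
    # The quoted output prints recirc_id=0x4123 as "4123", i.e. hex without prefix.
    m = re.search(r"Recirculation context not found for ID ([0-9a-fA-F]+)", trace)
    return int(m.group(1), 16) if m else None
```
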