On Nov 11, 2013, at 10:33 PM, durga <[email protected]> wrote:

> Hello All,
> 
> Just a small question. In case I run a firewall application in conjunction 
> with an l2 learning switch application, how does the controller work on the 
> connectionup event?
> 
> for example I run the command :
> mininet@mininet-vm:~/pox$ pox.py log.level -DEBUG l2_switching_v5 
> l2_switching_firewall_v3 &
> 
> I want firewall to take precedence over the l2 switch and have introduced 
> priority as msg.priority = 65535 (highest priority), but what I am trying to 
> understand is - it's a single connection from the OVS switch to the pox 
> controller and controller is running 2 applications - firewall and switch, so 
> how do these 2 applications work on the same connection? 
> 
> Currently, my program sends 2 flow mod messages - 
> 1. from firewall app with priority of 65535 for matching flows 
> 2. from the switch for all other flows
> and the OVS installs flow with max priority. Is this the right way of doing 
> it? As of now, I am stuck with an error - OFPBRC_BUFFER_EMPTY = 7 - which as 
> per the OpenFlow doc is the error when a buffer is already in use.

POX doesn't do any magic arbitration for you.  If two components listen to the 
same event -- both of them get it.  Which one gets it first is technically 
undefined *unless* the listeners have priorities set.  I think revent 
priorities aren't really documented on the wiki yet... you'll have to read the 
docs/code in pox/lib/revent.  If it wants to, the one that fires first can then 
cancel the event so that the second one doesn't get it.  Again, you probably 
need to read the docstrings or code for this.

Alternatively... read the code for the mac_blocker component (in misc) or the 
port blocker in the FAQ.  These are examples of very simple firewalls.  
mac_blocker definitely uses both event priorities and event canceling.

The problem you're having with BUFFER_EMPTY is probably because... I am 
guessing your firewall is "reactive" and both the firewall and the forwarding 
component are handling the PacketIn event.  You probably want the firewall at a 
high priority, and when it wants to block, it should install the "block" table 
entry and cancel the event so that the forwarding component doesn't try to 
install an entry too.  This is exactly what mac_blocker does.

-- Murphy
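
The double-handling problem and the cancel-the-event fix described in the reply above, as an added example that is not part of the original thread and is not POX code. Dispatcher, HALT and Switch are hypothetical stand-ins for POX's event source, EventHalt and an OpenFlow datapath, and the toy switch is a simplification in which a buffered packet can be released only once.

```python
# Constructed model, not POX's revent code. Dispatcher, HALT and Switch are
# hypothetical stand-ins for core.openflow, EventHalt and an OpenFlow datapath.
HALT = object()
BLOCKED = {"00:00:00:00:00:01"}  # constructed sample MAC

class Dispatcher:
    def __init__(self):
        self._listeners = []

    def add_listener(self, handler, priority=0):
        self._listeners.append((priority, handler))
        # Highest priority fires first; the stable sort keeps ties in
        # registration order.
        self._listeners.sort(key=lambda entry: -entry[0])

    def raise_event(self, event):
        for _, handler in self._listeners:
            if handler(event) is HALT:  # a listener cancelled the event
                break

class Switch:
    """Toy datapath: each buffered packet can be released only once."""
    def __init__(self):
        self.buffers, self.flows, self.errors = {1}, [], []

    def flow_mod(self, src, action, priority, buffer_id):
        self.flows.append((priority, src, action))  # simplification
        if buffer_id in self.buffers:
            self.buffers.remove(buffer_id)
        else:  # second message naming the same buffer
            self.errors.append("OFPBRC_BUFFER_EMPTY")

def make_firewall(cancel):
    def firewall(ev):
        if ev["src"] in BLOCKED:
            ev["switch"].flow_mod(ev["src"], "drop", 65535, ev["buffer_id"])
            return HALT if cancel else None
    return firewall

def l2_switch(ev):
    ev["switch"].flow_mod(ev["src"], "forward", 1, ev["buffer_id"])

def run(src, cancel):
    sw, dispatcher = Switch(), Dispatcher()
    dispatcher.add_listener(l2_switch)  # registered first, low priority
    dispatcher.add_listener(make_firewall(cancel), priority=10000)
    dispatcher.raise_event({"src": src, "switch": sw, "buffer_id": 1})
    return sw
```
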
