Re: [ovs-discuss] Ping Drop Problem
Well, it's hard to know, since your description doesn't describe your topology, configuration, etc. That said, I guess I would start with tcpdump or flow counts to see where packets appear to be getting dropped and why.

--Justin

> On May 25, 2017, at 6:03 PM, Gale Price wrote:
>
> Where would you suggest I start looking?
>
> Sent from my iPhone
>
>> On May 25, 2017, at 8:39 PM, Justin Pettit wrote:
>>
>>
>>> On May 25, 2017, at 11:11 AM, Gale Price wrote:
>>>
>>> I am using ovs on a Fedora 20 KVM Host with 6 defined vlans
>>>
>>> I am having a problem where when I stop any VM I lose connectivity to all
>>> other VM’s for about 6-7 Pings.
>>> Then everything starts working again.
>>>
>>> Anyone see this or know a remedy for it?
>>
>> That sounds odd. I think you'll need to do a bit more debugging before
>> anyone can help you.
>>
>> --Justin

___ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
Re: [ovs-discuss] Ping Drop Problem
Where would you suggest I start looking?

Sent from my iPhone

> On May 25, 2017, at 8:39 PM, Justin Pettit wrote:
>
>
>> On May 25, 2017, at 11:11 AM, Gale Price wrote:
>>
>> I am using ovs on a Fedora 20 KVM Host with 6 defined vlans
>>
>> I am having a problem where when I stop any VM I lose connectivity to all
>> other VM’s for about 6-7 Pings.
>> Then everything starts working again.
>>
>> Anyone see this or know a remedy for it?
>
> That sounds odd. I think you'll need to do a bit more debugging before
> anyone can help you.
>
> --Justin
Re: [ovs-discuss] Ping Drop Problem
> On May 25, 2017, at 11:11 AM, Gale Price wrote:
>
> I am using ovs on a Fedora 20 KVM Host with 6 defined vlans
>
> I am having a problem where when I stop any VM I lose connectivity to all
> other VM’s for about 6-7 Pings.
> Then everything starts working again.
>
> Anyone see this or know a remedy for it?

That sounds odd. I think you'll need to do a bit more debugging before anyone can help you.

--Justin
Re: [ovs-discuss] OVS-DPDK in OpenStack network node
> On May 25, 2017, at 2:08 PM, Пономарёв Вадим wrote:
>
> Hi all.
>
> I am setting up a network node for the OpenStack cluster (mitaka) in the
> classic scenario with OpenvSwitch
> (https://docs.openstack.org/liberty/networking-guide/scenario-classic-ovs.html#openstack-services-network-node).
> On the network node a neutron is launched. The neutron controls the OpenFlow
> and creates separate namespaces for routers and dhcp servers. The basic
> scheme with standard network card drivers and OVS kernel space datapath has a
> low performance (300k pps with small packets). So now I'm trying to set up a
> OVS-DPDK scheme. Test network node configuration:
>
> ...
> Questions:
> 1. The reason for such packet loss is that the namespace of the router works
> through kernel space and OVS copy packets?
> 2. Is there support for another type of interface that can be assigned to the
> router in its namespace?
> 3. And the theoretical question: does such a scheme have a right to life? Or
> are there better options for this task?

I'm not an expert on OpenStack, but I'll throw out a couple things, and others should feel free to jump in.

The "classic scenario" creates logical routers by using network namespaces in the kernel. I suspect some of the slowdown you're seeing in both OVS-kernel may be from bouncing that traffic through those namespaces. The speed benefits of OVS-DPDK come from bypassing the kernel, but if you use the "classic scenario", those packets are probably making multiple trips to and from the kernel.

There could be other issues going on, but have you looked at OVN? It programs OVS in such a way that logical routers don't go through namespaces, but instead writes very efficient OVS flows. So the performance will likely be better--both with OVS-kernel and with OVS-DPDK. OVN hasn't reached complete feature parity with the "classic scenario", but it's getting close. If it has the features you need, you may get better performance with OVS-kernel and OVS-DPDK.

Hope that helps!

--Justin
Re: [ovs-discuss] Dustin's OVN primer in action
On Thu, May 25, 2017 at 01:51:36PM -0700, Kei Nohguchi wrote:
> Hi team OvS and OVN!
>
> As a huge fan of OVN and Dustin’s blog series, I’ve just wrote Ansible
> playbooks to make the Dustin’s OVN primer in action as on the github
> below:
>
> https://github.com/keinohguchi/ovn-on-air/
>
> Thank you, Dustin and team OVN, again to make this cool stuff happening
> and get going!
>
> Cheers and happy hacking!

Nice! Thanks, I sent out a tweet about this.
[ovs-discuss] OVS-DPDK in OpenStack network node
Hi all.

I am setting up a network node for the OpenStack cluster (mitaka) in the classic scenario with OpenvSwitch (https://docs.openstack.org/liberty/networking-guide/scenario-classic-ovs.html#openstack-services-network-node). On the network node a neutron is launched. The neutron controls the OpenFlow and creates separate namespaces for routers and dhcp servers. The basic scheme with standard network card drivers and OVS kernel space datapath has a low performance (300k pps with small packets). So now I'm trying to set up a OVS-DPDK scheme. Test network node configuration:

1. OVS 2.7
2. DPDK 16.11.1 with igb_uio, 2048 hugepages (2M), 8 CPU cores isolated
3. Ubuntu 14.04

# ovs-vsctl -V
ovs-vsctl (Open vSwitch) 2.7.0
DB Schema 7.14.0

# ovsdb-server -V
ovsdb-server (Open vSwitch) 2.7.0

# /usr/src/dpdk-stable-16.11.1/tools/dpdk-devbind.py --status
Network devices using DPDK-compatible driver
:04:00.0 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv=igb_uio unused=
:04:00.1 '82599ES 10-Gigabit SFI/SFP+ Network Connection' drv=igb_uio unused=

# /usr/src/dpdk-stable-16.11.1/tools/cpu_layout.py
Core and Socket Information (as reported by '/proc/cpuinfo')
cores = [0, 1, 2, 3]
sockets = [0, 1]
        Socket 0    Socket 1
Core 0  [0, 8]      [4, 12]
Core 1  [1, 9]      [5, 13]
Core 2  [2, 10]     [6, 14]
Core 3  [3, 11]     [7, 15]

# grep "isol" /boot/grub/grub.cfg | grep `uname -r`
linux /boot/vmlinuz-4.4.0-75-generic root=UUID=6d19b3f6-e48d-4ba3-9585-36e534bf0568 ro isolcpus=0-7 quiet consoleblank=0 nomdmonddf nomdmonisw
linux /boot/vmlinuz-4.4.0-75-generic root=UUID=6d19b3f6-e48d-4ba3-9585-36e534bf0568 ro isolcpus=0-7 quiet consoleblank=0 nomdmonddf nomdmonisw
linux /boot/vmlinuz-4.4.0-75-generic root=UUID=6d19b3f6-e48d-4ba3-9585-36e534bf0568 ro recovery nomodeset isolcpus=0-7

# ovs-vsctl list Open_vSwitch
_uuid : db2fd30f-6c56-4331-adaa-20a6cac84dc1
bridges : [f5104e4a-8466-4594-8251-03e22a7e9d62]
cur_cfg : 105
datapath_types : [netdev, system]
db_version : []
external_ids: {}
iface_types : [dpdk, dpdkr, dpdkvhostuser, dpdkvhostuserclient, geneve, gre, internal, lisp, patch, stt, system, tap, vxlan]
manager_options : []
next_cfg: 105
other_config: {dpdk-hugepage-dir="/mnt/huge", dpdk-init="true", pmd-cpu-mask="0xff"}
ovs_version : []
ssl : []
statistics : {}
system_type : []
system_version : []

# ovs-vsctl list interface | grep -E "dpdk|affinity"
name: "dpdk-eth2"
options : {dpdk-devargs=":04:00.0", n_rxq="4"}
other_config: {pmd-rxq-affinity="0:0,1:1,2:2,3:3"}
type: dpdk
name: "dpdk-eth3"
options : {dpdk-devargs=":04:00.1", n_rxq="4"}
other_config: {pmd-rxq-affinity="0:4,1:5,2:6,3:7"}
type: dpdk

# ovs-vsctl show
db2fd30f-6c56-4331-adaa-20a6cac84dc1
    Bridge br-ex
        Port dpdk-bond
            trunks: [462, 465]
            Interface "dpdk-eth2"
                type: dpdk
                options: {dpdk-devargs=":04:00.0", n_rxq="4"}
            Interface "dpdk-eth3"
                type: dpdk
                options: {dpdk-devargs=":04:00.1", n_rxq="4"}
        Port br-ex
            Interface br-ex
                type: internal
        Port qr-test
            tag: 462
            Interface qr-test
                type: internal
        Port qg-test
            tag: 465
            Interface qg-test
                type: internal

# ip netns exec test-router0 ip a
1: lo: mtu 65536 qdisc noop state DOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
136: qg-test: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether be:56:e7:26:0c:64 brd ff:ff:ff:ff:ff:ff
    inet 10.10.0.1/24 scope global qg-test
       valid_lft forever preferred_lft forever
    inet6 fe80::bc56:e7ff:fe26:c64/64 scope link
       valid_lft forever preferred_lft forever
137: qr-test: mtu 1500 qdisc noqueue state UNKNOWN group default qlen 1000
    link/ether 6e:e4:96:21:07:2d brd ff:ff:ff:ff:ff:ff
    inet 192.168.0.1/24 scope global qr-test
       valid_lft forever preferred_lft forever
    inet6 fe80::6ce4:96ff:fe21:72d/64 scope link
       valid_lft forever preferred_lft forever

# ovs-ofctl dump-flows br-ex
NXST_FLOW reply (xid=0x4):
 cookie=0x0, duration=20358.846s, table=0, n_packets=137021466, n_bytes=22735026192, idle_age=1, priority=0 actions=NORMAL

The router currently only routes the packets from Floating IP network (10.10.0.0/24) to tenant network (192.168.0.0/24) iptables rules are not configured. The performance of which I was able to achieve did not exceed what was without D
Re: [ovs-discuss] DUMP-FLOWS: ofctl dump-flows vs dpctl dump-flows
On Mon, May 22, 2017 at 06:23:49AM +, Avi Cohen (A) wrote:
> > > On Sun, May 21, 2017 at 12:11:19PM +, Avi Cohen (A) wrote:
> > > Megaflows is a kind of 'flows/rules compression' with don't care
> > > bits. (correct me if I'm wrong) But this is in a contradiction to what is
> > > written
> > in the manpages: " dpctl shows only exact-match flows of
> > > packets that traverse the datapath lately"
> >
> > If a manpage says that, then it is out of date and should be updated. I
> > cannot
> > see what manpage contains that statement. Can you point it out, so that we
> > can fix it?
> [Avi Cohen (A)]
> Ben - sorry - probably I made a mistake
> I've quote from this :
> https://airtoncs.wordpress.com/2016/04/06/differences-between-ovs-ofctl-and-ovs-dpctl/:
>
> "As the manpage says:
>
> This command is primarily useful for debugging Open vSwitch. The flow table
> entries that it displays are not OpenFlow flow entries. Instead, they are
> different and considerably simpler flows maintained by the Open vSwitch
> kernel module.
>
> In a little more detail, the flows that ovs-dpctl prints are always
> exact-match. They reflect packets that have actually passed through the
> system in the last 5 seconds or so. "

Looking at that blog post, it's quoting something from 2010. In 2010, the statement it makes about exact-match flows was correct, but the implementation has become more sophisticated since then.
[ovs-discuss] Dustin's OVN primer in action
Hi team OvS and OVN!

As a huge fan of OVN and Dustin’s blog series, I’ve just wrote Ansible playbooks to make the Dustin’s OVN primer in action as on the github below:

https://github.com/keinohguchi/ovn-on-air/

Thank you, Dustin and team OVN, again to make this cool stuff happening and get going!

Cheers and happy hacking!

Kei
Re: [ovs-discuss] ovs-ofctl add-meter command limit rate can work ?
On Thu, May 25, 2017 at 2:36 AM, 爬山虎 wrote:
>
> hi all:
>
> I am going to implement the meter speed limit. I read the book of
> "ovs-ofctl.pdf " about the instructions of burst. In this pdf book , the
> instructions of burst is : If multiple bands' rate is exceeded,then the
> band with the highest rate among the exceeded bands is selected . It's a bit
> confused for me .
>
> I think whether this burst problem is complicated . for example,
> ovs-ofctl add-meter br1 meter=1, kbps,burst, band=type=drop, rate = 3000,
> burst_size=5000 .
>
> That's enough and also very easy to understand. if download speed is more
> than 3000 kbps, then just discarding the packages.
>
> But the burst is hard to understand. According to my own understanding (just
> think about TC) , we can see burst to be a buffer bucket. If there is nobody
> use bandwidth, or bandwidth rate is less then 3000 kbps , the token will
> accumulate in the bucket, but the maximum value is 5000 kbps. Next time the
> user can use 5000 kbps bandwidth but only in a second.

This sounds correct, only the time period may not be strictly to the second boundary.

> If user can use up
> 3000 kbps bandwidth ,then it will be limited at 3000 kbps.
>

I don't follow this sentence. Did you mean to say that if a user sends constant 3000kbps traffic, then the bandwidth is limited to 3000kbps, without burst allowance? If yes, then I'd agree. If no, would please clarify?

> Now ovs allow to set multiple band values , this is a little worse.
>
> just for example .
> ovs-ofctl add-meter br1 meter=1, kbps,burst, band=type=drop, rate = 3000,
> burst_size=5000 type=drop, rate = 4000, burst_size=6000 .
>
> I cant understand this . if according to ovs-ofctl.pdf , when rate could up
> 5000, then it limit value is 4000. when rate could up 6000, then it limite
> value is 3000 . This is not very reasonable, we have bein in the case of a
> speed limit . Can be more than 5000 kbps , has a great deal of randomness.

I think we should first determine the rate of current traffic, and use the rate to select a band. Once the band is selected, the burst_size can be used to determine the fate of the packet.

>
> How to design the burst in here , has some suggestions ?
>

You may find the book of openflow specification helpful.

https://www.opennetworking.org/images/stories/downloads/sdn-resources/onf-specifications/openflow/openflow-switch-v1.5.1.pdf
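The burst bucket and the band-selection rule discussed in the two messages above can be checked with a small model. This is an added example, not part of the thread and not Open vSwitch code: it is a simplified token bucket that assumes burst_size is in kilobits for a kbps meter, one independent bucket per band, every band of type drop, and constructed traffic of 12,000-bit packets every 2 ms (6000 kbps offered). All class and function names are made up for the illustration.

```python
"""Simplified token-bucket model of a kbps drop meter (illustration only)."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Band:
    rate_kbps: int   # refill rate; 1 kbps is exactly 1 bit per millisecond
    burst_kb: int    # bucket depth in kilobits (assumed unit for a kbps meter)
    tokens: int = field(init=False)  # current bucket level, in bits

    def __post_init__(self) -> None:
        self.tokens = self.burst_kb * 1000  # assumption: the bucket starts full

    def refill(self, dt_ms: int) -> None:
        cap = self.burst_kb * 1000
        self.tokens = min(cap, self.tokens + self.rate_kbps * dt_ms)

    def conforms(self, pkt_bits: int) -> bool:
        """Spend tokens if the packet fits, else report this band as exceeded."""
        if self.tokens >= pkt_bits:
            self.tokens -= pkt_bits
            return True
        return False


class Meter:
    """All bands are type=drop; each keeps its own independent bucket."""

    def __init__(self, bands: List[Band]) -> None:
        self.bands = bands
        self.last_ms = 0

    def offer(self, now_ms: int, pkt_bits: int) -> Optional[int]:
        """Return None if the packet passes, else the rate of the selected band."""
        dt_ms = now_ms - self.last_ms
        self.last_ms = now_ms
        exceeded = []
        for band in self.bands:
            band.refill(dt_ms)
            if not band.conforms(pkt_bits):
                exceeded.append(band.rate_kbps)
        # Rule quoted in the thread: among exceeded bands, the highest rate wins.
        return max(exceeded) if exceeded else None


Result = Tuple[int, Optional[int]]  # (timestamp in ms, dropping band or None)


def simulate(meter: Meter, pkt_bits: int, interval_ms: int,
             duration_ms: int) -> List[Result]:
    """Offer one packet every interval_ms and record the verdict for each."""
    return [(t, meter.offer(t, pkt_bits))
            for t in range(0, duration_ms, interval_ms)]


def passed_kbps(results: List[Result], pkt_bits: int,
                start_ms: int, end_ms: int) -> float:
    """Throughput of passed packets in [start_ms, end_ms); bits/ms equals kbps."""
    passed = sum(1 for t, hit in results
                 if start_ms <= t < end_ms and hit is None)
    return passed * pkt_bits / (end_ms - start_ms)


def drops_by_band(results: List[Result], start_ms: int,
                  end_ms: int) -> Dict[int, int]:
    """Count drops in [start_ms, end_ms), keyed by the selected band's rate."""
    return dict(Counter(hit for t, hit in results
                        if start_ms <= t < end_ms and hit is not None))


def first_drop_ms(results: List[Result]) -> Optional[int]:
    return next((t for t, hit in results if hit is not None), None)


# Constructed traffic: 12,000-bit packets every 2 ms (6000 kbps) for 10 s.
PKT_BITS, INTERVAL_MS, DURATION_MS = 12_000, 2, 10_000


def run_single() -> List[Result]:
    """One drop band: rate=3000 burst_size=5000."""
    return simulate(Meter([Band(3000, 5000)]),
                    PKT_BITS, INTERVAL_MS, DURATION_MS)


def run_dual() -> List[Result]:
    """Same meter plus a second drop band: rate=4000 burst_size=6000."""
    return simulate(Meter([Band(3000, 5000), Band(4000, 6000)]),
                    PKT_BITS, INTERVAL_MS, DURATION_MS)


if __name__ == "__main__":
    single, dual = run_single(), run_dual()
    print("single band: first drop at", first_drop_ms(single), "ms")
    print("single band: 0-1 s", passed_kbps(single, PKT_BITS, 0, 1000), "kbps,",
          "5-10 s", passed_kbps(single, PKT_BITS, 5000, 10000), "kbps")
    print("two bands: drops before band 4000 empties",
          drops_by_band(dual, 1664, 2996))
    print("two bands: drops 5-10 s", drops_by_band(dual, 5000, 10000))
    print("two bands: 5-10 s", passed_kbps(dual, PKT_BITS, 5000, 10000), "kbps")
```

With every band set to type=drop, the second band in this model only changes which band a drop is attributed to; it cannot raise throughput above what the 3000 kbps band passes.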
[ovs-discuss] Ping Drop Problem
I am using ovs on a Fedora 20 KVM Host with 6 defined vlans

I am having a problem where when I stop any VM I lose connectivity to all other VM's for about 6-7 Pings.
Then everything starts working again.

Anyone see this or know a remedy for it?

Thanks,
Dean Price
Re: [ovs-discuss] SYN packet mirroring
> On May 25, 2017, at 10:44 AM, Ben Pfaff wrote:
>
> On Thu, May 25, 2017 at 10:26:29AM -0700, Justin Pettit wrote:
>>
>>> On May 25, 2017, at 2:10 AM, Avi Cohen (A) wrote:
>>>
>>> Hi All,
>>> I need to capture all received SYN packets from all interfaces and to
>>> mirror/output to a specific interface in addition to the operational
>>> interface that these packets should be forwarded.
>>> Can I do it with a single dpctl add-flow cli command ? and not modify the
>>> 'operational' flows that are used to normally connect TCP clients to TCP
>>> servers ?
>>
>> No, if you run ovs-vswitchd, it will be confused when flows are added with
>> ovs-dpctl, and delete them. Also, I don't think that would work, since the
>> kernel module will only apply actions from a single flow, so you'll either
>> send the SYN packet to your collector or forward it appropriately, but not
>> both.
>>
>> You should be able to construct what you want pretty easily with ovs-ofctl
>> flows, though.
>
> Avi might be talking about "dpctl" from the OpenFlow reference
> implementation, which (confusingly) uses OpenFlow.

Yeah, I wasn't sure if he was abbreviating or not. If that is what he's talking about, he's not using OVS, of course.

--Justin
Re: [ovs-discuss] ovs-ofctl add-meter command limit rate can work ?
On Thu, May 25, 2017 at 10:54 AM, Ben Pfaff wrote:
> On Wed, May 24, 2017 at 12:05:55AM -0700, Andy Zhou wrote:
>> On Tue, May 23, 2017 at 10:59 PM, Ali Volkan Atli
>> wrote:
>> >
>> > I think OVS FAQ is wrong.
>>
>> Can you be more specific on which parts are wrong?
>>
>> I see that the section "Does Open vSwitch support OpenFlow meters"
>> needs update w.r.t master,
>> but it should be accurate w.r.t. ovs-2.3.
>>
>> There is a patch about "Simple DROP meter implementation". It seems
>> accepted and I can see it in master right now.
>>
>> Yes, the user space datapath drop meter implementation is now part of mater.
>
> Andy, should we update the FAQ, then, to mention the userspace datapath
> drop meter implementation?

Sure. I will post a patch that updates the FAQ.
Re: [ovs-discuss] ovs-ofctl add-meter command limit rate can work ?
On Wed, May 24, 2017 at 12:05:55AM -0700, Andy Zhou wrote:
> On Tue, May 23, 2017 at 10:59 PM, Ali Volkan Atli
> wrote:
> >
> > I think OVS FAQ is wrong.
>
> Can you be more specific on which parts are wrong?
>
> I see that the section "Does Open vSwitch support OpenFlow meters"
> needs update w.r.t master,
> but it should be accurate w.r.t. ovs-2.3.
>
> There is a patch about "Simple DROP meter implementation". It seems
> accepted and I can see it in master right now.
>
> Yes, the user space datapath drop meter implementation is now part of mater.

Andy, should we update the FAQ, then, to mention the userspace datapath drop meter implementation?
Re: [ovs-discuss] Isn't there any way to use RSS hash instead of jhash in flow_hash()
On Wed, May 24, 2017 at 04:01:28PM +0900, Heung Sik Choi wrote:
> Thank you for replying
>
> Are you saying that you want to add RSS to the datapath to
> move packets to different queues? Which queues? Or do you just want to
> create a Toeplitz hashing algorithm function that will return a hash
> value and it doesn't really have anything to do with RSS?
>
> Sorry to confuse you. specifically, I think a design where skb structure
> has 'rss hash value' and ovs' datapath use this value when it lookup flow
> table. the rss hash value can get in NIC driver(ex. ixgbe), and can be
> inserted in skb structure. Also If I replace the jhash2 in flow_hash()
> with Toeplitz hash, the 'rss hash' can be used to hash in ovs. How do you
> think about it? please let me know if you have any insights.

If flow_hash() just returns a fixed hash value, then it won't hash the right parts of the packet. It takes a key range argument for a reason.
Re: [ovs-discuss] SYN packet mirroring
On Thu, May 25, 2017 at 10:26:29AM -0700, Justin Pettit wrote:
>
> > On May 25, 2017, at 2:10 AM, Avi Cohen (A) wrote:
> >
> > Hi All,
> > I need to capture all received SYN packets from all interfaces and to
> > mirror/output to a specific interface in addition to the operational
> > interface that these packets should be forwarded.
> > Can I do it with a single dpctl add-flow cli command ? and not modify the
> > 'operational' flows that are used to normally connect TCP clients to TCP
> > servers ?
>
> No, if you run ovs-vswitchd, it will be confused when flows are added with
> ovs-dpctl, and delete them. Also, I don't think that would work, since the
> kernel module will only apply actions from a single flow, so you'll either
> send the SYN packet to your collector or forward it appropriately, but not
> both.
>
> You should be able to construct what you want pretty easily with ovs-ofctl
> flows, though.

Avi might be talking about "dpctl" from the OpenFlow reference implementation, which (confusingly) uses OpenFlow.
Re: [ovs-discuss] SYN packet mirroring
> On May 25, 2017, at 2:10 AM, Avi Cohen (A) wrote:
>
> Hi All,
> I need to capture all received SYN packets from all interfaces and to
> mirror/output to a specific interface in addition to the operational
> interface that these packets should be forwarded.
> Can I do it with a single dpctl add-flow cli command ? and not modify the
> 'operational' flows that are used to normally connect TCP clients to TCP
> servers ?

No, if you run ovs-vswitchd, it will be confused when flows are added with ovs-dpctl, and delete them. Also, I don't think that would work, since the kernel module will only apply actions from a single flow, so you'll either send the SYN packet to your collector or forward it appropriately, but not both.

You should be able to construct what you want pretty easily with ovs-ofctl flows, though.

--Justin
Re: [ovs-discuss] Openvswitch linux nat issue (ver 2.7.0 and linux 4.9.x)
Hi Aaron

Thanks

I see there are 2 approaches as mentioned by you

1. Regarding the first I assume u mean creating another netns and creating peers between ethwan1 and veth1

Say we have another netns lying outside ovs whose one interface (say veth1 lying inside netns test) is linked to ovs internal wan interface (say ethwan1)

ip link add ethwan1 type veth peer name veth1
ip link set veth1 netns test

And I assume in this test netns, I need to add my physical wan interface say eth2 too

ip link set eth2 netns test

So we have 2 interfaces present in netns *test*, one of which (veth1) is connected to ovs ethwan1.

And then I need to apply iptables between veth1 and eth2 using

#sudo ip netns exec myns1 iptables ...

Correct? Please explain this part even if it is complicated. Also I assume veth1 and ethwan1 should be on same subnet

2. Regarding the second approach, I am not able to find proper ovs natting commands/docs for the same except some explanation http://openvswitch.org/support/ovscon2014/17/1030-conntrack_nat.pdf

In my scenario I want to achieve natting using ovs having lan interface as 10.10.10.0/24 (and one virtual lan interface as ethlan) and single wan interface as 11.11.11.11/32 (and single wan virtual interface as ethwan1). Both of the interfaces lie on ovs and traffic from host pc (multiple machines) needs to be natted via ovs

Can you let me know the specific command. In a way, my objective is to achieve Dynamic NAT/PAT using ovs openflow commands?

Thanks

On Thu, May 25, 2017 at 8:33 PM, Aaron Conole wrote:
> akshay6 agarwal writes:
>
> > Hi All
> >
> > My objective is to use fast failover using linux nat in OVS but before
> implementing that I am stuck in NAT
> > (ip tables) issue.
> >
> > I have one ovs bridge with 2 lan interface ( 1 virtual interface
> (ethlan)and one physical interface(eth1.4))
> > Also added 2 wan virtual interfaces to ovs bridge(ethwan1 and ethwan2)
> >
> > Below is the bridge configuration:
> >
> > LAN SIDE:
> > ovs-vsctl add-port base ethlan tag=10 -- set interface ethlan
> type=internal
> > ovs-vsctl add-port base eth1.4 tag=10 (Actual physical lan interface)
> >
> > WAN1 SIDE:
> >
> > ovs-vsctl add-port base ethwan1 tag=20 -- set interface ethwan1
> type=internal
> >
> > WAN2 SIDE:
> >
> > ovs-vsctl add-port base ethwan2 tag=30 -- set interface ethwan2
> type=internal
> >
> > IP addresss:
> > ethlan -> 192.168.10.2
> > ethwan1 -> 192.168.10.4
> > eth2->10.1.10.2/24
> > eth3->10.1.20.2/24
> >
> > I have 2 wan physical interfaces i.e. eth2 and eth3. Both of these
> interfaces are lying outside the ovs
> >
> > My linux nat iptables from ethwan1 to eth2 are not working .I am able to
> receive the packet from eth1.4
> > to ethwan1 but not further.
>
> While Open vSwitch plugs into the netfilter framework, it does NOT plug
> into xtables. This means that the iptables commands are not (as a rule)
> executed as part of the datapath. You *can* create a hybrid setup where
> you have a virtual port (tap/tun devices or veth pairs connected to
> separate bridge or netns) which can be used to attach xtables
> processing. IMO, that is significantly more complication than you want
> in your life.
>
> Using just openvswitch, you can setup the requisite conntrack actions to
> commit and add any additional nat actions you would desire. Open
> vSwitch *is* integrated with generic netfilter, so all of the classic
> netfilter helpers are accessible, and conntrack tools will work just
> fine.
>
> > I am using below iptables:
> >
> > # /sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> > # /sbin/iptables -A FORWARD -i eth2 -o ethwan1 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> > # /sbin/iptables -A FORWARD -i ethwan1 -o eth2 -j ACCEPT
> >
> > I am using below openflows:
> >
> > 1. ovs-ofctl -O OpenFlow13 add-flow base cookie=5,priority=5,
> actions=NORMAL
> >
> > ->To forward traffic from ethlan to ethwan1
> > 2.ovs-ofctl -O OpenFlow13 add-flow base cookie=50001,priority=50001,
> ip,in_port=1,actions=output:2
> >
> > Please advise
>
> Your normal flow processing won't work here.
>
> Please refer to the Open vSwitch conntrack and nat documentation.
>
> > Thanks
> > Akshay
Re: [ovs-discuss] Openvswitch linux nat issue (ver 2.7.0 and linux 4.9.x)
akshay6 agarwal writes:

> Hi All
>
> My objective is to use fast failover using linux nat in OVS but before
> implementing that I am stuck in NAT
> (ip tables) issue.
>
> I have one ovs bridge with 2 lan interface ( 1 virtual interface (ethlan)and
> one physical interface(eth1.4))
> Also added 2 wan virtual interfaces to ovs bridge(ethwan1 and ethwan2)
>
> Below is the bridge configuration:
>
> LAN SIDE:
> ovs-vsctl add-port base ethlan tag=10 -- set interface ethlan type=internal
> ovs-vsctl add-port base eth1.4 tag=10 (Actual physical lan interface)
>
> WAN1 SIDE:
>
> ovs-vsctl add-port base ethwan1 tag=20 -- set interface ethwan1 type=internal
>
> WAN2 SIDE:
>
> ovs-vsctl add-port base ethwan2 tag=30 -- set interface ethwan2 type=internal
>
> IP addresss:
> ethlan -> 192.168.10.2
> ethwan1 -> 192.168.10.4
> eth2->10.1.10.2/24
> eth3->10.1.20.2/24
>
> I have 2 wan physical interfaces i.e. eth2 and eth3. Both of these interfaces
> are lying outside the ovs
>
> My linux nat iptables from ethwan1 to eth2 are not working .I am able to
> receive the packet from eth1.4
> to ethwan1 but not further.

While Open vSwitch plugs into the netfilter framework, it does NOT plug into xtables. This means that the iptables commands are not (as a rule) executed as part of the datapath. You *can* create a hybrid setup where you have a virtual port (tap/tun devices or veth pairs connected to separate bridge or netns) which can be used to attach xtables processing. IMO, that is significantly more complication than you want in your life.

Using just openvswitch, you can setup the requisite conntrack actions to commit and add any additional nat actions you would desire. Open vSwitch *is* integrated with generic netfilter, so all of the classic netfilter helpers are accessible, and conntrack tools will work just fine.

> I am using below iptables:
>
> # /sbin/iptables -t nat -A POSTROUTING -o eth2 -j MASQUERADE
> # /sbin/iptables -A FORWARD -i eth2 -o ethwan1 -m state --state
> RELATED,ESTABLISHED -j ACCEPT
> # /sbin/iptables -A FORWARD -i ethwan1 -o eth2 -j ACCEPT
>
> I am using below openflows:
>
> 1. ovs-ofctl -O OpenFlow13 add-flow base
> cookie=5,priority=5,actions=NORMAL
>
> ->To forward traffic from ethlan to ethwan1
> 2.ovs-ofctl -O OpenFlow13 add-flow base
> cookie=50001,priority=50001,ip,in_port=1,actions=output:2
>
> Please advise

Your normal flow processing won't work here.

Please refer to the Open vSwitch conntrack and nat documentation.

> Thanks
> Akshay
[ovs-discuss] re?? ovs-ofctl add-meter command limit rate can work ?
hi all:

I am going to implement the meter speed limit. I read the book of "ovs-ofctl.pdf " about the instructions of burst. In this pdf book , the instructions of burst is : If multiple bands' rate is exceeded,then the band with the highest rate among the exceeded bands is selected . It's a bit confused for me .

I think whether this burst problem is complicated . for example,
ovs-ofctl add-meter br1 meter=1, kbps,burst, band=type=drop, rate = 3000, burst_size=5000 .

That's enough and also very easy to understand. if download speed is more than 3000 kbps, then just discarding the packages.

But the burst is hard to understand. According to my own understanding (just think about TC) , we can see burst to be a buffer bucket. If there is nobody use bandwidth, or bandwidth rate is less then 3000 kbps , the token will accumulate in the bucket, but the maximum value is 5000 kbps. Next time the user can use 5000 kbps bandwidth but only in a second. If user can use up 3000 kbps bandwidth ,then it will be limited at 3000 kbps.

Now ovs allow to set multiple band values , this is a little worse.

just for example .
ovs-ofctl add-meter br1 meter=1, kbps,burst, band=type=drop, rate = 3000, burst_size=5000 type=drop, rate = 4000, burst_size=6000 .

I cant understand this . if according to ovs-ofctl.pdf , when rate could up 5000, then it limit value is 4000. when rate could up 6000, then it limite value is 3000 . This is not very reasonable, we have bein in the case of a speed limit . Can be more than 5000 kbps , has a great deal of randomness.

How to design the burst in here , has some suggestions ?
[ovs-discuss] SYN packet mirroring
Hi All,
I need to capture all received SYN packets from all interfaces and to mirror/output to a specific interface in addition to the operational interface that these packets should be forwarded.
Can I do it with a single dpctl add-flow cli command ? and not modify the 'operational' flows that are used to normally connect TCP clients to TCP servers ?

Best Regards
avi
Re: [ovs-discuss] OVS vs OVS-DPDK
I found this article very relevant to this issue:
http://porto.polito.it/2616822/1/2015_Chain_performance.pdf

especially it says that for the vhost-net interface used for standard OVS:

"the transmission of a batch of packets from a VM causes a VM exit; this means that the CPU stops to execute the guest (i.e., the vCPU thread), and run a piece of code in the hypervisor, which performs the I/O operation on behalf of the guest. The same happens when an interrupt has to be "inserted" in the VM, e.g., because vhost has to inform the guest that there are packets to be received. These VM exits (and the subsequent VM entries) are one of the main causes of overhead in network I/O of VMs"

this is not the case with the vhost-user interface - allows direct access between VM and ovs-dpdk and minimizes context-switches.

Best Regards
avi

> -Original Message-
> From: Avi Cohen (A)
> Sent: Wednesday, 24 May, 2017 3:53 PM
> To: 'Bodireddy, Bhanuprakash'; ovs-discuss@openvswitch.org
> Subject: RE: OVS vs OVS-DPDK
>
> Thanks you Bhanuprakash for your reply.
>
> I indeed use vhost-user interface for OVS-DPDK and vhost-net for standard
> OVS.
> Also saw this article in the link you've sent.
> But still try to find out the reasons for the boost performance with OVS-DPDK
> (note that VMs on both setup are unaware to OVS/OVS-DPDK which is running
> in the host) Also I found out that the bottleneck are the VMs and not the
> vswitch
> running in the host.
>
> These reasons for poor performance can be for example:
>
> 1. number of packet copies in the path NIC - OVS - OS-guest-virtio -
> Application on guest
>
> 2. interrupt upon receiving a packet
>
> 3. # of context-switch / VM-exit
> etc..
>
> I didn't see any info regarding these potential reasons on the docs.
>
> Best Regards
> avi
>
> > -Original Message-
> > From: Bodireddy, Bhanuprakash
> > [mailto:bhanuprakash.bodire...@intel.com]
> > Sent: Wednesday, 24 May, 2017 3:43 PM
> > To: Avi Cohen (A); ovs-discuss@openvswitch.org
> > Subject: RE: OVS vs OVS-DPDK
> >
> > >Question: what are the additional overhead in the standard OVS that
> > >cause
> > >to poor performance related to the OVS-DPDK setup ?
> > >I'm not talking about the PMD improvements (OVS-DPDK) running on
> > >the host - but on overhead in the VM context in the standard OVS
> > >setup
> >
> > When running guest instances on OvS, vhost-net driver modules shall be used.
> > In case of OvS-DPDK, vhost-user library is used and runs entirely in
> > user space and is the reason for higher performance in VM context
> > Refer to this document on some internals of vhost-library:
> > http://dpdk.readthedocs.io/en/v16.07/sample_app_ug/vhost.html
> >
> > - Bhanuprakash.