Re: [ovs-discuss] Can we add a wifi network interface to an OVS bridge?

2020-08-21 Thread Matthias May via discuss
On 21/08/2020 15:38, Jordan Sandri wrote:
> Hello,
> I would like to know if it is possible to add a wifi network interface
> to an OVS bridge? Let me explain first what I achieved.
> As you can see in the first diagram I have 2 raspberry pis with an OVS
> bridge and each of them is connected to ONOS. Using Docker on each pi
> I have 2 containers and they are linked to my bridge thanks to
> ovs-docker (int stands for interface). Then, the network interface
> eth0 from each pi is added to the bridge and raspberry pis are linked
> with an ethernet cable through eth0 of course. Finally, CTN1 is able
> to ping CTN3 for example.
>
> Now, I would like to replace eth0 by a wifi network interface wlan1 as
> you can see in the second diagram. I was thinking maybe using iptables
> to forward flow to the second pi or adding virtual interfaces included
> to the bridge as in the diagram3. Then I could use iptables to forward
> flow from vport to wlan and from wlan to wlan of the second pi. What
> will be the best way to carry out this?
>
> Thank you for your help
Hi
For "normal" wifi you can't simply bridge the wlan interface of the client.
You can bridge it on the AP.
This is because in wifi you don't just have a source-MAC and a
destination-MAC, but also a transmitter-MAC and a receiver-MAC.
As an optimisation, in ap2sta direction the destination and the receiver
are a single field.
In sta2ap direction, the source and the transmitter are a single field.

Take a look at 4addr mode which solves the issue by having actually all
4 fields.
This is a Linux-specific implementation and may not be available on all
types of cards.

An alternative would be to have a routed connection between the two
devices and bridge your ovs-instances via GRETAP.

BR
Matthias
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
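
The address-field sharing described in the reply above, worked through as an added example (not part of the original thread, and not OVS or driver code). The MAC addresses and the names AP, STA, CTN1 and CTN3 are constructed for the setup in the question; encode() and bridging_cases() are hypothetical helpers.

```python
# Constructed MAC addresses for the setup in the question (assumptions).
AP = "02:00:00:00:00:a1"    # AP radio on the first Pi (also the BSSID)
STA = "02:00:00:00:00:b1"   # wlan1 on the second Pi, associated as a client
CTN1 = "02:00:00:00:00:c1"  # container bridged behind the AP
CTN3 = "02:00:00:00:00:c3"  # container bridged behind the client


def encode(src, dst, transmitter, receiver, four_addr=False):
    """Map the four address roles of one wireless hop onto 802.11 header
    fields. Returns None when the 3-address layout cannot express them."""
    if four_addr:
        # ToDS=1, FromDS=1: every role gets its own field.
        return {"to_ds": 1, "from_ds": 1, "addr1": receiver,
                "addr2": transmitter, "addr3": dst, "addr4": src}
    if transmitter == AP:
        # ap2sta (FromDS=1): addr1 is both receiver and destination.
        if dst != receiver:
            return None
        return {"to_ds": 0, "from_ds": 1, "addr1": receiver,
                "addr2": transmitter, "addr3": src}
    # sta2ap (ToDS=1): addr2 is both transmitter and source.
    if src != transmitter:
        return None
    return {"to_ds": 1, "from_ds": 0, "addr1": receiver,
            "addr2": transmitter, "addr3": dst}


def bridging_cases(four_addr):
    """Try each traffic pattern of the proposed setup over the wifi hop."""
    cases = {
        "CTN1 -> client itself": (CTN1, STA, AP, STA),
        "client itself -> CTN1": (STA, CTN1, STA, AP),
        "CTN3 -> CTN1 (client bridges)": (CTN3, CTN1, STA, AP),
        "CTN1 -> CTN3 (client bridges)": (CTN1, CTN3, AP, STA),
    }
    return {name: encode(*roles, four_addr=four_addr) is not None
            for name, roles in cases.items()}


if __name__ == "__main__":
    for mode in (False, True):
        print("4addr" if mode else "3addr", bridging_cases(mode))
```

Bridging on the AP side works in 3-address mode because the AP may put any source in addr3; only the frames that the client would have to bridge on behalf of CTN3 have no valid encoding until all four fields are present.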


Re: [ovs-discuss] QoS Queues on wireless interfaces

2019-09-18 Thread Matthias May via discuss
On 18/09/2019 16:41, calvin.schm...@web.de wrote:
> Hi all,
> 
> I tried configuring queues with OpenFlow on ethernet interfaces and it worked 
> just fine.
> However if I set a specific queue on a flow with the set_queue action that 
> outputs the packet to a wireless interface, it somehow is ignored and the 
> default queue 0 is taken. I can set a certain bandwidth on queue 0 and thereby
> limit the bandwidth however this is not sufficient for my use case.
> 
> I've run the following commands:
> 
> 1. Create the QoS and Queues on wireless interface wlan0
> ovs-vsctl -- set port wlan0 qos=@newqos -- --id=@newqos create qos 
> type=linux-htb queues:1=@newqueue queues:2=@newqueue2 -- --id=@newqueue 
> create queue other-config:min-rate=300 other-config:max-rate=300 -- 
> --id=@newqueue2 create queue other-config:min-rate=800 
> other-config:max-rate=800
> 
> 2. Check the Queues have been created
> 
> ovs-ofctl queue-get-config ovsbr wlan0 -O OpenFlow13
> 
> 3. Create a flow that uses Queue 1 for HTTPS traffic
> 
> ovs-ofctl add-flow ovsbr 
> priority=1,dl_type=0x800,nw_proto=6,tp_src=443,in_port="eth0.2",actions=set_queue:1,output:"wlan0"
>  -O OpenFlow13
> 
> 4. Check the flow has been created and packets are processed by it
> 
> ovs-ofctl dump-flows ovsbr -O OpenFlow13
> 
> 5. Check if traffic is going through Queue 1 (unfortunately not)
> 
> ovs-ofctl queue-stats ovsbr -O OpenFlow13
> 
> 
> 
> So my questions are:
> 
> 1. Is it possible to have multiple queues on a wireless interface that are 
> managed by a set of flows?
> 2. What do I have to do to make it work?
> 
> I found this thread which seems to be related to the issue as well however I 
> do not quite get it: 
> https://mail.openvswitch.org/pipermail/ovs-discuss/2013-August/030714.html
> 
> Any help is highly appreciated.
> Thanks and kind regards,
> Calvin

Hi

I observed the same.
See the thread at
https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/334866.html

At least in ath9k the idea is to map the skb-priority directly to the
queues according to 802.1d.
Since ovs does this strange/undocumented offset of 0x1 I ended up
going a different path.
I ended up using something along the lines of
actions=load:1->NXM_NX_PKT_MARK[31],move:nw_tos[5..7]->NXM_NX_PKT_MARK[0..2]
And patching ath9k to map these skb-marks to the queues according to my
needs.

BR
Matthias


Re: [ovs-discuss] How to filter tagged frames in bridge?

2019-08-08 Thread Matthias May via discuss
On 08/08/2019 13:43, Felipe Arturo Polanco wrote:
> The hypervisor is the one that adds the ports to the switch I specify.
> 
> Is there a way to limit vlan tags being delivered to a fake bridge perhaps? I 
> only want untagged traffic in the fake
> bridge. 
> 
> 
> On Wed, Aug 7, 2019, 2:52 AM Matthias May via discuss
> <ovs-discuss@openvswitch.org> wrote:
> 
> On 06/08/2019 17:12, Felipe Arturo Polanco wrote:
> > Hello,
> >
> > This is for a hosting environment where we are using OVS bridges with KVM.
> >
> > I have two interfaces bonded together with LACP and allowing two vlans.
> > VLAN 500 public and vlan 400 private.
> > The native vlan for this trunk port is Vlan 500*
> >
> > I need to find a way to limit trunk access on the VMs when they are
> > connected to my bridge.
> > If I add a tap0 interface to ovsbr0, I can see tagged traffic which is not good.
> >
> > I was thinking about adding a second bridge and connect both of them
> > using a patch port but I still need to find a way to filter tagged
> > frames and only allow untagged traffic on the second bridge.
> >
> > Any ideas how can this be done?
> >
> > Thanks,
> 
> When you add the port, set
> vlan_mode=access
> tag=500
> 
> BR
> Matthias

I highly suggest you read the documentation regarding vlan_mode, tag and trunk.

My answer is still to set the vlan_mode to access and set the tag.
It doesn't matter if the hypervisor adds the port or someone else.
You can set a config for a port even if it is not yet part of a bridge.

BR
Matthias


Re: [ovs-discuss] How to filter tagged frames in bridge?

2019-08-06 Thread Matthias May via discuss
On 06/08/2019 17:12, Felipe Arturo Polanco wrote:
> Hello,
> 
> This is for a hosting environment where we are using OVS bridges with KVM.
> 
> I have two interfaces bonded together with LACP and allowing two vlans.
> VLAN 500 public and vlan 400 private.
> The native vlan for this trunk port is Vlan 500*
> 
> I need to find a way to limit trunk access on the VMs when they are
> connected to my bridge.
> If I add a tap0 interface to ovsbr0, I can see tagged traffic which is not 
> good.
> 
> I was thinking about adding a second bridge and connect both of them
> using a patch port but I still need to find a way to filter tagged
> frames and only allow untagged traffic on the second bridge.
> 
> Any ideas how can this be done?
> 
> Thanks,

When you add the port, set
vlan_mode=access
tag=500

BR
Matthias


Re: [ovs-discuss] Only allow traffic between the bridge port and OVS (not other ports)

2019-05-13 Thread Matthias May via discuss
On 14/05/2019 07:26, Kevin Olbrich wrote:
> Hi!
> 
> I've got an OVS that has a bridge "br0" and has about 100x L2TP tunnels.
> These tunnels run batman-adv, a mesh protocol for L2 routing over L3.
> 
> For efficient routing, only nodes that are in the same building are allowed
> to see each other.
> To filter out traffic between the ports, I used ebtables: ebtables -A
> FORWARD --logical-in br0 -j DROP
> 
> This allows traffic from the node to the server hosting the bridge and
> reverse but not between the ports.
> As OVS does not work with ebtables, all nodes now see each other over L2TP,
> resulting in all nodes meshing with each other (without any benefit).
> 
> How can I implement something like "ebtables -A FORWARD --logical-in br0 -j
> DROP" with OVS?
> I tried "ovs-ofctl mod-port ovsbr-de01-mesh "$INTERFACE" no-forward" but
> that also stopped traffic to the host port (by host port, I mean an IP
> directly on br0).
> 
> How can I do it correctly?
> The client ports of br0 never must communicate with each other, just the
> server hosting the bridge.
> 
> Thank you!
> 
> Kind regards
> Kevin
> 
> 

You could:
* Delete the default NORMAL action (del-flows br0)
* Create a rule with priority=1 action= action=NORMAL

This should allow frames from the server to be forwarded as usual, and
frames for all other ports only to the server.

BR
Matthias


Re: [ovs-discuss] RSTP in VLAN

2019-02-14 Thread Matthias May via discuss
On 14/02/2019 16:48, Ben Pfaff wrote:
> On Wed, Feb 13, 2019 at 08:43:56AM +0100, Matthias May via discuss wrote:
>> Hi
>> I've run into the situation where I need to receive/transmit VLAN-tagged 
>> RSTP frames.
>>
>> I can not find any information on anyone ever doing that with OVS.
>> Any pointers on how to do that?
>>
>> What I've tried so far:
>> A rule on the bridge in question:
>> ovs-ofctl add-flow br0 "table=0 priority=2000 
>> dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff actions=strip_vlan,NORMAL"
>> I expected at least the receive path to work with this.
>> However in syslog I still get
>> daemon.debug ovs-vswitchd: ovs|00010|rstp_sm(handler20)|DBG|br0, port 1: Bad 
>> STP or RSTP BPDU received
>> When a vlan tagged BPDU is received.
> 
> It looks to me like this can only happen if the port has OVS's RSTP
> support enabled on it.  Did you enable RSTP support on the port in
> question?
> 

Hi Ben
Yes RSTP is enabled on the port in question.
I added some debug traces and it seems that the VLAN header is used as
part of the payload.
--> The checks on a valid RSTP/STP frame always fail because in the part
where protocol-identifier, version and message type are supposed to be,
it's just statically 0x8100.

I'm not sure why it's happening the way it's happening, but it seems the
frame is consumed by the bridge before any rules are applied to it (slow
path?).
I suggest to move this discussion to the thread on the dev-list next to
the proposed patch.

BR
Matthias
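
A sketch of the failure mode described above, as an added example that is not part of the original thread and is not OVS code: a BPDU validator that assumes a plain 14-byte Ethernet header rejects an 802.1Q-tagged BPDU, while one that steps over the tag accepts it. The frames are constructed (all-zero BPDU body, made-up source MAC, VLAN 10 chosen arbitrarily), and all function names are hypothetical.

```python
import struct

STP_MCAST = bytes.fromhex("0180c2000000")  # dl_dst from the flow in the thread
LLC_STP = b"\x42\x42\x03"                  # DSAP, SSAP, control for STP/RSTP
TPID_8021Q = 0x8100


def build_bpdu_frame(vlan=None):
    """Constructed RST BPDU (all-zero body), optionally 802.1Q-tagged."""
    header = STP_MCAST + bytes.fromhex("020000000001")  # constructed source
    if vlan is not None:
        header += struct.pack("!HH", TPID_8021Q, vlan & 0x0FFF)
    # protocol identifier 0, version 2 (RSTP), BPDU type 0x02 (RST)
    payload = LLC_STP + struct.pack("!HBB", 0x0000, 2, 0x02) + bytes(32)
    return header + struct.pack("!H", len(payload)) + payload


def bpdu_fields(frame, llc_off):
    """Validate LLC and BPDU header at llc_off; None means 'bad BPDU'."""
    if frame[:6] != STP_MCAST or len(frame) < llc_off + 7:
        return None
    if frame[llc_off:llc_off + 3] != LLC_STP:
        return None
    proto, version, bpdu_type = struct.unpack_from("!HBB", frame, llc_off + 3)
    if proto != 0:
        return None
    return {"version": version, "type": bpdu_type}


def parse_fixed_offset(frame):
    """Assumes LLC follows a plain 14-byte Ethernet header."""
    return bpdu_fields(frame, 14)


def parse_vlan_aware(frame):
    """Steps over one 802.1Q tag, if present, before validating."""
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype != TPID_8021Q:
        fields, vlan = bpdu_fields(frame, 14), None
    else:
        (tci,) = struct.unpack_from("!H", frame, 14)
        fields, vlan = bpdu_fields(frame, 18), tci & 0x0FFF
    return None if fields is None else {**fields, "vlan": vlan}


if __name__ == "__main__":
    for f in (build_bpdu_frame(), build_bpdu_frame(vlan=10)):
        print(parse_fixed_offset(f), parse_vlan_aware(f))
```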


[ovs-discuss] RSTP in VLAN

2019-02-12 Thread Matthias May via discuss
Hi
I've run into the situation where I need to receive/transmit VLAN-tagged RSTP 
frames.

I can not find any information on anyone ever doing that with OVS.
Any pointers on how to do that?

What I've tried so far:
A rule on the bridge in question:
ovs-ofctl add-flow br0 "table=0 priority=2000 dl_dst=01:80:c2:00:00:00/ff:ff:ff:ff:ff:ff actions=strip_vlan,NORMAL"
I expected at least the receive path to work with this.
However in syslog I still get
daemon.debug ovs-vswitchd: ovs|00010|rstp_sm(handler20)|DBG|br0, port 1: Bad STP or RSTP BPDU received
When a vlan tagged BPDU is received.

BR
Matthias