Re: [ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

2017-10-09 Thread Ben Pfaff
OVS doesn't handle this case well.  I don't think it will do what you
want.

On Mon, Oct 09, 2017 at 11:59:13PM +0200, Juraj Markotic wrote:
> yes, we are already using that one to send packet across 2 OVS connected
> via GRE tunnels and when switched out, will remove GRE header.
> Imagine situation where SPAN traffic from some other switch is being sent
> as replica traffic to OVS inport (one can be configured as GRE port for
> that matter). Packets coming to OVS inport are mostly GRE traffic with
> varying src/dst ip in GRE headers since this is replica traffic from
> network. This is not traffic directed to ip configured on that exact OVS
> (which is receiving it).
> Would OVS just drop this receiving traffic or will remove header without
> checking and switch it as configured (i.e. via openflow rule) ?
> I guess we'd need to check.
> 
> jm
> 
> 
> On Mon, Oct 9, 2017 at 11:14 PM, Ben Pfaff  wrote:
> 
> > GRE and tunnels are implemented in terms of ports, so if you send a
> > packet received on a GRE port to a non-tunnel port, it strips the
> > header.
> >
> > On Mon, Oct 09, 2017 at 10:45:10PM +0200, Juraj Markotic wrote:
> > > I will check on GTP ongoing activities (I saw some activities on
> > > providing capabilities to match on GTP-C/GTP-U packets).
> > > maybe dumb question, but any pointer on how to remove GRE header (or VXLAN
> > > for that matter) when switching packet from IN port to OUT port and switch
> > > out only internal packet/payload ?
> > > thanks,
> > > jm
> > >
> > >
> > > On Mon, Oct 9, 2017 at 10:13 PM, Ben Pfaff  wrote:
> > >
> > > > OVS doesn't support GTP yet, but I know that there's some ongoing work
> > > > on it.
> > > >
> > > > GRE and VXLAN should be fine.
> > > >
> > > > If you need GTP support, maybe the best thing to do would be to help out
> > > > the folks who are working on it.
> > > >
> > > > On Mon, Oct 09, 2017 at 09:35:42PM +0200, Juraj Markotic wrote:
> > > > > Hello,
> > > > > thanks for feedback.
> > > > > I know OVS can truncate payload and that it can modify mac/IPs in header
> > > > > (i.e. like doing NAT).
> > > > > I also know OVS can deencapsulate GRE (or VXLAN) when packet is arriving on
> > > > > tunnel OVS interface (done automatically).
> > > > > But I was not aware that OVS can remove tunnel headers when switching
> > > > > incoming GTP/GRE/VXLAN header and extract inside packet (with totally new
> > > > > src/dst ip) and send it out.
> > > > > Can you share some OVS cli example for such ?
> > > > > we have network packet broker (NPB) with OVS, so if NPB is delivering
> > > > > tunnel packets, it would be great if we could remove tunnel headers before
> > > > > delivering it to the (monitoring) tool on outgoing port.
> > > > >
> > > > > thanks,
> > > > > jm
> > > > >
> > > > > On Mon, Oct 9, 2017 at 6:31 PM, Ben Pfaff  wrote:
> > > > >
> > > > > > On Sun, Oct 08, 2017 at 11:19:17PM +0200, Juraj Markotic wrote:
> > > > > > > we would need some functionality on manipulating packets when packet is
> > > > > > > exiting outgoing OVS port.
> > > > > > > I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
> > > > > > > some tunnel header (vxlan, gtp, gre), truncate the payload etc.
> > > > > >
> > > > > > OVS has actions for modifying headers and it can decapsulate tunnels and
> > > > > > truncate payloads.
> > > > > >
> > > > > > > So, one option can be to write some code that can be attached to OVS to
> > > > > > > packet exiting out port (i.e. some lua scripts for manipulation).
> > > > > >
> > > > > > Lua isn't needed.  You can use OpenFlow.
___
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
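
The capabilities named in this thread (a packet received on a GRE port and sent to a non-tunnel port leaves without its tunnel header; OpenFlow actions rewrite headers and truncate), put together as a dry-run script. This is an added example, not from the thread or the OVS project; the bridge and port names, addresses and port numbers are constructed placeholders. It assumes a GRE tunnel terminated on this OVS, not the mirrored-GRE case that the reply above says OVS does not handle well.

```sh
#!/bin/sh
# Added example; every name, address and port number is a constructed placeholder.
BR=br-npb               # hypothetical bridge
GRE_PORT=gre0           # tunnel port: packets arrive here already decapsulated
MON_PORT=mon0           # non-tunnel port facing the monitoring tool
REMOTE_IP=192.0.2.10    # tunnel peer (documentation address range)
GRE_OFPORT=10
MON_OFPORT=20

# Build the OpenFlow rule: match IP packets that came in on the GRE port,
# overwrite the source MAC and source IP, and send at most $1 bytes of each
# packet out of the monitoring port.
npb_flow() {
    max_len=$1
    case $max_len in
        ''|*[!0-9]*) echo "max_len must be a byte count" >&2; return 1 ;;
    esac
    # Keep at least a full Ethernet header (14 bytes) in the truncated copy.
    [ "$max_len" -ge 14 ] || { echo "max_len below 14" >&2; return 1; }
    printf 'priority=100,in_port=%s,ip,actions=' "$GRE_OFPORT"
    printf 'mod_dl_src:02:00:00:00:00:01,mod_nw_src:198.51.100.1,'
    printf 'output(port=%s,max_len=%s)\n' "$MON_OFPORT" "$max_len"
}

# Print the whole command sequence without executing anything.
npb_commands() {
    flow=$(npb_flow "$1") || return 1
    cat <<EOF
ovs-vsctl --may-exist add-br $BR
ovs-vsctl --may-exist add-port $BR $GRE_PORT -- set interface $GRE_PORT type=gre options:remote_ip=$REMOTE_IP ofport_request=$GRE_OFPORT
ovs-vsctl --may-exist add-port $BR $MON_PORT -- set interface $MON_PORT ofport_request=$MON_OFPORT
ovs-ofctl del-flows $BR
ovs-ofctl add-flow $BR "priority=0,actions=drop"
ovs-ofctl add-flow $BR "$flow"
EOF
}

# Dry run by default; APPLY=1 runs the commands on a host that has OVS.
if [ "${APPLY:-0}" = 1 ]; then
    npb_commands 128 | sh -e
else
    npb_commands 128
fi
```

Review the printed commands first and use APPLY=1 only on a test bridge, since del-flows clears the bridge's existing flow table so that nothing but the rewritten, truncated copy reaches the monitoring port.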


Re: [ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

2017-10-09 Thread Juraj Markotic
yes, we are already using that one to send packet across 2 OVS connected
via GRE tunnels and when switched out, will remove GRE header.
Imagine situation where SPAN traffic from some other switch is being sent
as replica traffic to OVS inport (one can be configured as GRE port for
that matter). Packets coming to OVS inport are mostly GRE traffic with
varying src/dst ip in GRE headers since this is replica traffic from
network. This is not traffic directed to ip configured on that exact OVS
(which is receiving it).
Would OVS just drop this receiving traffic or will remove header without
checking and switch it as configured (i.e. via openflow rule) ?
I guess we'd need to check.

jm


On Mon, Oct 9, 2017 at 11:14 PM, Ben Pfaff  wrote:

> GRE and tunnels are implemented in terms of ports, so if you send a
> packet received on a GRE port to a non-tunnel port, it strips the
> header.
>
> On Mon, Oct 09, 2017 at 10:45:10PM +0200, Juraj Markotic wrote:
> > I will check on GTP ongoing activities (I saw some activities on
> > providing capabilities to match on GTP-C/GTP-U packets).
> > maybe dumb question, but any pointer on how to remove GRE header (or VXLAN
> > for that matter) when switching packet from IN port to OUT port and switch
> > out only internal packet/payload ?
> > thanks,
> > jm
> >
> >
> > On Mon, Oct 9, 2017 at 10:13 PM, Ben Pfaff  wrote:
> >
> > > OVS doesn't support GTP yet, but I know that there's some ongoing work
> > > on it.
> > >
> > > GRE and VXLAN should be fine.
> > >
> > > If you need GTP support, maybe the best thing to do would be to help out
> > > the folks who are working on it.
> > >
> > > On Mon, Oct 09, 2017 at 09:35:42PM +0200, Juraj Markotic wrote:
> > > > Hello,
> > > > thanks for feedback.
> > > > I know OVS can truncate payload and that it can modify mac/IPs in header
> > > > (i.e. like doing NAT).
> > > > I also know OVS can deencapsulate GRE (or VXLAN) when packet is arriving on
> > > > tunnel OVS interface (done automatically).
> > > > But I was not aware that OVS can remove tunnel headers when switching
> > > > incoming GTP/GRE/VXLAN header and extract inside packet (with totally new
> > > > src/dst ip) and send it out.
> > > > Can you share some OVS cli example for such ?
> > > > we have network packet broker (NPB) with OVS, so if NPB is delivering
> > > > tunnel packets, it would be great if we could remove tunnel headers before
> > > > delivering it to the (monitoring) tool on outgoing port.
> > > >
> > > > thanks,
> > > > jm
> > > >
> > > > On Mon, Oct 9, 2017 at 6:31 PM, Ben Pfaff  wrote:
> > > >
> > > > > On Sun, Oct 08, 2017 at 11:19:17PM +0200, Juraj Markotic wrote:
> > > > > > we would need some functionality on manipulating packets when packet is
> > > > > > exiting outgoing OVS port.
> > > > > > I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
> > > > > > some tunnel header (vxlan, gtp, gre), truncate the payload etc.
> > > > >
> > > > > OVS has actions for modifying headers and it can decapsulate tunnels and
> > > > > truncate payloads.
> > > > >
> > > > > > So, one option can be to write some code that can be attached to OVS to
> > > > > > packet exiting out port (i.e. some lua scripts for manipulation).
> > > > >
> > > > > Lua isn't needed.  You can use OpenFlow.


Re: [ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

2017-10-09 Thread Ben Pfaff
GRE and tunnels are implemented in terms of ports, so if you send a
packet received on a GRE port to a non-tunnel port, it strips the
header.

On Mon, Oct 09, 2017 at 10:45:10PM +0200, Juraj Markotic wrote:
> I will check on GTP ongoing activities (I saw some activities on
> providing capabilities to match on GTP-C/GTP-U packets).
> maybe dumb question, but any pointer on how to remove GRE header (or VXLAN
> for that matter) when switching packet from IN port to OUT port and switch
> out only internal packet/payload ?
> thanks,
> jm
> 
> 
> On Mon, Oct 9, 2017 at 10:13 PM, Ben Pfaff  wrote:
> 
> > OVS doesn't support GTP yet, but I know that there's some ongoing work
> > on it.
> >
> > GRE and VXLAN should be fine.
> >
> > If you need GTP support, maybe the best thing to do would be to help out
> > the folks who are working on it.
> >
> > On Mon, Oct 09, 2017 at 09:35:42PM +0200, Juraj Markotic wrote:
> > > Hello,
> > > thanks for feedback.
> > > I know OVS can truncate payload and that it can modify mac/IPs in header
> > > (i.e. like doing NAT).
> > > I also know OVS can deencapsulate GRE (or VXLAN) when packet is arriving on
> > > tunnel OVS interface (done automatically).
> > > But I was not aware that OVS can remove tunnel headers when switching
> > > incoming GTP/GRE/VXLAN header and extract inside packet (with totally new
> > > src/dst ip) and send it out.
> > > Can you share some OVS cli example for such ?
> > > we have network packet broker (NPB) with OVS, so if NPB is delivering
> > > tunnel packets, it would be great if we could remove tunnel headers before
> > > delivering it to the (monitoring) tool on outgoing port.
> > >
> > > thanks,
> > > jm
> > >
> > > On Mon, Oct 9, 2017 at 6:31 PM, Ben Pfaff  wrote:
> > >
> > > > On Sun, Oct 08, 2017 at 11:19:17PM +0200, Juraj Markotic wrote:
> > > > > we would need some functionality on manipulating packets when packet is
> > > > > exiting outgoing OVS port.
> > > > > I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
> > > > > some tunnel header (vxlan, gtp, gre), truncate the payload etc.
> > > >
> > > > OVS has actions for modifying headers and it can decapsulate tunnels and
> > > > truncate payloads.
> > > >
> > > > > So, one option can be to write some code that can be attached to OVS to
> > > > > packet exiting out port (i.e. some lua scripts for manipulation).
> > > >
> > > > Lua isn't needed.  You can use OpenFlow.


Re: [ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

2017-10-09 Thread Juraj Markotic
I will check on GTP ongoing activities (I saw some activities on
providing capabilities to match on GTP-C/GTP-U packets).
maybe dumb question, but any pointer on how to remove GRE header (or VXLAN
for that matter) when switching packet from IN port to OUT port and switch
out only internal packet/payload ?
thanks,
jm


On Mon, Oct 9, 2017 at 10:13 PM, Ben Pfaff  wrote:

> OVS doesn't support GTP yet, but I know that there's some ongoing work
> on it.
>
> GRE and VXLAN should be fine.
>
> If you need GTP support, maybe the best thing to do would be to help out
> the folks who are working on it.
>
> On Mon, Oct 09, 2017 at 09:35:42PM +0200, Juraj Markotic wrote:
> > Hello,
> > thanks for feedback.
> > I know OVS can truncate payload and that it can modify mac/IPs in header
> > (i.e. like doing NAT).
> > I also know OVS can deencapsulate GRE (or VXLAN) when packet is arriving on
> > tunnel OVS interface (done automatically).
> > But I was not aware that OVS can remove tunnel headers when switching
> > incoming GTP/GRE/VXLAN header and extract inside packet (with totally new
> > src/dst ip) and send it out.
> > Can you share some OVS cli example for such ?
> > we have network packet broker (NPB) with OVS, so if NPB is delivering
> > tunnel packets, it would be great if we could remove tunnel headers before
> > delivering it to the (monitoring) tool on outgoing port.
> >
> > thanks,
> > jm
> >
> > On Mon, Oct 9, 2017 at 6:31 PM, Ben Pfaff  wrote:
> >
> > > On Sun, Oct 08, 2017 at 11:19:17PM +0200, Juraj Markotic wrote:
> > > > we would need some functionality on manipulating packets when packet is
> > > > exiting outgoing OVS port.
> > > > I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
> > > > some tunnel header (vxlan, gtp, gre), truncate the payload etc.
> > >
> > > OVS has actions for modifying headers and it can decapsulate tunnels and
> > > truncate payloads.
> > >
> > > > So, one option can be to write some code that can be attached to OVS to
> > > > packet exiting out port (i.e. some lua scripts for manipulation).
> > >
> > > Lua isn't needed.  You can use OpenFlow.


Re: [ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

2017-10-09 Thread Ben Pfaff
OVS doesn't support GTP yet, but I know that there's some ongoing work
on it.

GRE and VXLAN should be fine.

If you need GTP support, maybe the best thing to do would be to help out
the folks who are working on it.

On Mon, Oct 09, 2017 at 09:35:42PM +0200, Juraj Markotic wrote:
> Hello,
> thanks for feedback.
> I know OVS can truncate payload and that it can modify mac/IPs in header
> (i.e. like doing NAT).
> I also know OVS can deencapsulate GRE (or VXLAN) when packet is arriving on
> tunnel OVS interface (done automatically).
> But I was not aware that OVS can remove tunnel headers when switching
> incoming GTP/GRE/VXLAN header and extract inside packet (with totally new
> src/dst ip) and send it out.
> Can you share some OVS cli example for such ?
> we have network packet broker (NPB) with OVS, so if NPB is delivering
> tunnel packets, it would be great if we could remove tunnel headers before
> delivering it to the (monitoring) tool on outgoing port.
> 
> thanks,
> jm
> 
> On Mon, Oct 9, 2017 at 6:31 PM, Ben Pfaff  wrote:
> 
> > On Sun, Oct 08, 2017 at 11:19:17PM +0200, Juraj Markotic wrote:
> > > we would need some functionality on manipulating packets when packet is
> > > exiting outgoing OVS port.
> > > I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
> > > some tunnel header (vxlan, gtp, gre), truncate the payload etc.
> >
> > OVS has actions for modifying headers and it can decapsulate tunnels and
> > truncate payloads.
> >
> > > So, one option can be to write some code that can be attached to OVS to
> > > packet exiting out port (i.e. some lua scripts for manipulation).
> >
> > Lua isn't needed.  You can use OpenFlow.
> >


Re: [ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

2017-10-09 Thread Juraj Markotic
Hello,
thanks for feedback.
I know OVS can truncate payload and that it can modify mac/IPs in header
(i.e. like doing NAT).
I also know OVS can deencapsulate GRE (or VXLAN) when packet is arriving on
tunnel OVS interface (done automatically).
But I was not aware that OVS can remove tunnel headers when switching
incoming GTP/GRE/VXLAN header and extract inside packet (with totally new
src/dst ip) and send it out.
Can you share some OVS cli example for such ?
we have network packet broker (NPB) with OVS, so if NPB is delivering
tunnel packets, it would be great if we could remove tunnel headers before
delivering it to the (monitoring) tool on outgoing port.

thanks,
jm

On Mon, Oct 9, 2017 at 6:31 PM, Ben Pfaff  wrote:

> On Sun, Oct 08, 2017 at 11:19:17PM +0200, Juraj Markotic wrote:
> > we would need some functionality on manipulating packets when packet is
> > exiting outgoing OVS port.
> > I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
> > some tunnel header (vxlan, gtp, gre), truncate the payload etc.
>
> OVS has actions for modifying headers and it can decapsulate tunnels and
> truncate payloads.
>
> > So, one option can be to write some code that can be attached to OVS to
> > packet exiting out port (i.e. some lua scripts for manipulation).
>
> Lua isn't needed.  You can use OpenFlow.
>


Re: [ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

2017-10-09 Thread Ben Pfaff
On Sun, Oct 08, 2017 at 11:19:17PM +0200, Juraj Markotic wrote:
> we would need some functionality on manipulating packets when packet is
> exiting outgoing OVS port.
> I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
> some tunnel header (vxlan, gtp, gre), truncate the payload etc.

OVS has actions for modifying headers and it can decapsulate tunnels and
truncate payloads.

> So, one option can be to write some code that can be attached to OVS to
> packet exiting out port (i.e. some lua scripts for manipulation).

Lua isn't needed.  You can use OpenFlow.


[ovs-discuss] Apply some packet manipulation actions on outgoing port traffic

2017-10-08 Thread Juraj Markotic
Hello,
we would need some functionality on manipulating packets when packet is
exiting outgoing OVS port.
I.e. some actions could be: change/anonymize mac/IPs for src/dst, or remove
some tunnel header (vxlan, gtp, gre), truncate the payload etc.
So, one option can be to write some code that can be attached to OVS to
packet exiting out port (i.e. some lua scripts for manipulation).
The other option can be to direct this packet to some other sw that could
receive/manipulate/send traffic to the network ? Not sure how to do that
really.
Any idea ?

br,
juraj