First time user trying to set up a flow rule to drop ping packets

Dominic Curran

Jan 30, 2013, 10:49:18 PM
to openflo...@googlegroups.com
Hi
My network setup is:

XenServer(openvswitch)-->VM
       |
       T----Floodlight<--->Avior
       |
     MachineB

I am just trying out Floodlight/Avior for the first time.

I am pinging from MachineB to a VM on XenServer.

I'd like to use Avior to set up a flow rule to 'drop' the pings to the VM.

MachineB:
 $ ping 10.80.239.117

I set up the rule and 'Pushed' it.
Avior replied back saying the rule has been rejected.

Avior splat out the rule on the console:
{"switch":"00:00:76:a1:83:05:f8:df", "name":"abc", "active":"true", "priority":"1", "actions":"enqueue=-2:,output=44","ingress-port":"1","dst-ip":"10.80.239.117","src-ip":"10.216.132.50"}

I wasn't really sure what rule I should choose to drop the packet. 'enqueue' was just one of my tries.
Floodlight is spitting out debug so quickly on the console I can't tell what it thinks is going on.

Any help?

In general I think the documentation could do with an example like this just to kick-start potential users.

Thanks
dom

Jason Parraga

Jan 30, 2013, 10:53:00 PM
to openflo...@googlegroups.com
Well, first of all, to drop a packet you want to set no action at all. I also think the version of Avior you're using could be bugged (and the flow could not have been rejected). What OS are you on? I will send you a pre-released version of 1.3 which fixes many issues.

Dominic Curran

Feb 1, 2013, 2:19:22 PM
to openflo...@googlegroups.com
Sorry I'm confused.
So my understanding was that:
1) A packet comes into openvswitch (ovs)
2) ovs looks for a rule in its kernel module's lookup table
3) if no rule is found then the packet is pushed up to the ovs user-space module and a lookup for a rule is again done
4) if no rule is found (and a controller is connected) then the packet is pushed to the Controller (using an OFPT_PACKET_IN msg)
5) At this point a decision is made about what to do with the packet and a flow will (depending on the decision) be set up

So if pings are getting through then a flow is being created for that (actually 2 flows, one for receive & one for the Reply)...so who is creating those flows?

I'm guessing it's a rule on the openvswitch that is creating those flows (b/c if Floodlight is disconnected and I ping again then it still works).

So I assume openvswitch starts out with a flowtable which lets all/most packets through.
Can I use Avior to see that flow table?

I am using: avior-1.24-linux_32.jar  (downloaded from your website).

thanks & please correct me
dom
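
An added example, not part of the original posts and not Floodlight, Avior or Open vSwitch code: a toy Python model of the flow lookup discussed in this thread, showing that the highest-priority matching entry wins and that an entry with an empty action list drops the packet. The `ether-type` and `protocol` field names, the catch-all forwarding entry, its `output=2` action and the sample packets are assumptions constructed for illustration.

```python
# Added illustration; a toy model, not Floodlight, Avior or Open vSwitch code.
META = {"switch", "name", "active", "priority", "actions"}  # non-match keys

def matches(entry, packet):
    """Every match field the entry sets must equal the packet's value;
    fields the entry omits act as wildcards."""
    return all(packet.get(k) == v for k, v in entry.items() if k not in META)

def lookup(table, packet):
    """Return the winning entry's action string, 'drop' when that entry has
    no actions, or 'packet-in' on a table miss (packet goes to controller)."""
    hits = [e for e in table if e["active"] == "true" and matches(e, packet)]
    if not hits:
        return "packet-in"
    best = max(hits, key=lambda e: int(e["priority"]))
    return best.get("actions") or "drop"

SWITCH = "00:00:76:a1:83:05:f8:df"  # switch id from the thread

# Constructed catch-all entry standing in for whatever forwards traffic today.
FORWARD_ALL = {"switch": SWITCH, "name": "fwd", "active": "true",
               "priority": "0", "actions": "output=2"}

# The thread's match fields with the action list left empty.
DROP_IP = {"switch": SWITCH, "name": "abc", "active": "true", "priority": "1",
           "actions": "", "ingress-port": "1",
           "dst-ip": "10.80.239.117", "src-ip": "10.216.132.50"}

# Same rule narrowed to ICMP; "ether-type" and "protocol" are assumed names.
DROP_ICMP = {**DROP_IP, "ether-type": "0x0800", "protocol": "1"}

def packet(src, dst, proto, port):
    """Constructed sample packet, keyed like the flow entries."""
    return {"ingress-port": port, "ether-type": "0x0800",
            "protocol": proto, "src-ip": src, "dst-ip": dst}

PING = packet("10.216.132.50", "10.80.239.117", "1", "1")   # echo request
SSH = packet("10.216.132.50", "10.80.239.117", "6", "1")    # TCP, same hosts
REPLY = packet("10.80.239.117", "10.216.132.50", "1", "3")  # echo reply

if __name__ == "__main__":
    for name, rule in (("ip-only", DROP_IP), ("icmp-only", DROP_ICMP)):
        table = [FORWARD_ALL, rule]
        print(name, [lookup(table, p) for p in (PING, SSH, REPLY)])
```

With only the IP fields from the thread, the empty-action entry also drops the TCP packet between the two hosts; narrowed to ICMP, it drops the echo request and leaves the TCP packet and the reply direction on the forwarding entry.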