Our support team suggested out-of-band that you were using OVS 1.0.99. I set up OVS 1.0.99 (the tip of the "vlan-maint" branch) and experimented briefly with a setup similar to the one that you provided. I did not set up a restrictive flow table or configure a controller; that is unlikely to be key to the problem. I did set up just a single continuous "ping" between two VMs that otherwise had idle networks, with nothing else going on.
The behavior I see so far is that the MAC learning table is doing what I expect: the age of each entry never goes beyond 1 second, so the MAC learning entries should not expire, and I don't see them expiring. So I am not yet able to reproduce the problem.

Here is an experiment that you can conduct in your setup: run "watch ovs-appctl fdb/show <bridge>" in the Dom0 and observe the changes in the MAC learning table. As in my setup, you should not see the entries for the laptop and vm1 age beyond 1 second or so, certainly not enough to expire. What do you actually see?

Thanks,

Ben.

On Thu, Dec 22, 2011 at 10:45:37AM -0800, Ben Pfaff wrote:
> OK. So it seems that MAC learning entries are expiring in cases where
> we expect them to persist. I can look into that, if you can give me
> some more details; to start, the version of OVS involved. (I think
> that you might have already given detail to our support team in
> parallel; I'm trying to find out how I get direct access to that
> information.)
>
> Let me reiterate that the "normal" action isn't an effective way to
> enforce ACLs. Nevertheless, there appears to be a bug that I should
> investigate here.
>
> Thanks,
>
> Ben.
>
> On Thu, Dec 22, 2011 at 06:35:50PM +0000, Mike Bursell wrote:
> > I believe that there is nothing else going on at all.
> >
> > The CLI tools were used to construct the rules: no DVSC in play.
> >
> > -Mike.
> > --
> > Mike Bursell.
> >
> >
> >
> > Ben Pfaff <[email protected]> wrote:
> > >
> > > On Thu, Dec 22, 2011 at 04:35:45PM +0000, Mike Bursell wrote:
> > > We've discovered what we suspect is a bug, and are looking for
> > > thoughts, please!
> > >
> > > Observed behaviour:
> > > - Continuous pings being sent from laptop to vm1
> > > - vm2 is quiescent
> > > - Intermittently, the response to a ping from laptop is seen on vm2
> >
> > Is anything else going on? Certain kinds of changes to a bridge
> > (adding and removing ports, etc.) can cause the MAC learning table, or
> > particular entries in it, to be flushed. If VMs are being brought up
> > or down, VLANs being created or destroyed, etc., one might expect to
> > see a need to re-learn MAC addresses immediately after those events.
> >
> > I have not carefully looked over your flow table. Is this flow table
> > constructed by hand, generated by DVS, or generated by some other
> > controller? I ask because the "normal" action may not be an effective
> > way to enforce ACLs--it is an implementation of a MAC learning switch,
> > which is not itself an effective way to enforce ACLs--so I wonder what
> > assumptions lie behind this flow table construction.

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss
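
The fdb/show observation suggested in the message above, as a scripted check (an added example, not part of the thread or of Open vSwitch): it flags entries whose age climbs past a threshold and entries that disappear between two snapshots. The column layout (port, VLAN, MAC, Age after one header line), the function names and the sample snapshots are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes fdb/show prints one header
# line followed by rows of: port VLAN MAC Age(seconds).

# fdb_stale MAX_AGE < snapshot: print "vlan mac age" for entries older
# than MAX_AGE seconds, i.e. entries not being refreshed by traffic.
fdb_stale() {
    awk -v max="$1" 'NR > 1 && NF == 4 && $4 + 0 > max + 0 { print $2, $3, $4 }'
}

# fdb_missing PREV CUR: print "vlan mac" for entries in snapshot file PREV
# that are gone from snapshot file CUR (expired or flushed).
fdb_missing() {
    awk 'FNR == 1 || NF != 4 { next }                      # header, malformed rows
         FILENAME == ARGV[1] { seen[$2 " " $3] = 1; next } # rows of PREV
         { delete seen[$2 " " $3] }                        # rows of CUR
         END { for (k in seen) print k }' "$1" "$2" | sort
}

# Constructed sample snapshots (MACs and ports are made up).
sample_prev() {
    cat <<'EOF'
 port  VLAN  MAC                Age
    1     0  00:16:3e:00:00:01    0
    2     0  00:16:3e:00:00:02    1
    3     0  00:16:3e:00:00:03   45
EOF
}
sample_cur() {
    cat <<'EOF'
 port  VLAN  MAC                Age
    1     0  00:16:3e:00:00:01    0
    3     0  00:16:3e:00:00:03   46
EOF
}

# Demo on the constructed data; on a live host, feed the functions the
# output of "ovs-appctl fdb/show <bridge>" instead.
tmp=$(mktemp -d)
sample_prev > "$tmp/prev"
sample_cur > "$tmp/cur"
echo "stale (age > 5s):"; sample_cur | fdb_stale 5
echo "gone since last snapshot:"; fdb_missing "$tmp/prev" "$tmp/cur"
rm -rf "$tmp"
```

An entry for an actively pinging host that shows up in either list is the condition the thread is trying to catch.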
