Thanks for responding Joe.

> On Sep 17, 2015, at 9:18 PM, Joe Stringer <[email protected]> wrote:
>
> On 15 September 2015 at 23:54, Ben Warren <[email protected]> wrote:
>> Hi,
>>
>> I’m working off Justin Pettit’s ‘conntrack’ tree @
>> https://github.com/justinpettit/ovs/tree/conntrack, and can’t seem to get
>> marks to work.
>>
>> Here’s an example of a flow (FTP server)
>>
>> ===
>> ovs-ofctl add-flow br0
>> "table=3,cookie=0xb0b,priority=32000,ct_state=+new+trk,tcp,tp_dst=21
>> actions=ct(commit,alg=ftp,zone=2),resubmit(,4),set_field:9->ct_mark"
>> ===
>>
>> which I believe should set the conntrack mark to 9 on packets that meet the
>> match criteria
>>
>> When I connect via FTP and use the conntrack command line, I see the flow,
>> but no sign of the mark:
>>
>> ===
>> # conntrack -E | grep 237
>> [NEW] tcp 6 120 SYN_SENT src=10.99.0.17 dst=10.11.10.237 sport=54154
>> dport=21 [UNREPLIED] src=10.11.10.237 dst=10.99.0.17 sport=21 dport=54154
>> zone=2 helper=ftp
>> ===
>>
>> My kernel is pretty vanilla, but marks definitely are seen when set via
>> iptables. Does it need to be patched to support marks coming from OVS?
>
> The "ct_mark" tests in the testsuite have some examples, perhaps they
> might help?
> https://github.com/justinpettit/ovs/blob/conntrack/tests/system-traffic.at#L479
>

I did use these as a guide when constructing the flow mentioned above, but will play with it some more. My understanding of CONNMARK is that the mark should get applied to all packets in related flows. In this case, I was expecting a mark of 9 to be on control and data traffic for my FTP connection, but don’t see the marks. Is this understanding correct?

> Do you see anything relevant in the logs?
>

I haven’t looked at the logs, but will start now

> Are you seeing packets hit the OpenFlow flows that you expect?
>

When I do an FTP transfer, I do see a flow that has matching criteria “+new+rel” increment by the right number of bytes, but if I put “ct_mark=9” in the match criteria, it is not found.

> The datapath flows may also provide some insight.

I guess I’m wondering if you think the conntrack feature is completely self-contained in the OVS tree, or if I need any particular configs in the kernel proper. We’re using conntrack through Iptables and marks seem to work fine there. In case it’s useful information, the kernel is pretty old (3.10.20), because it’s cross-compiled for a MIPS processor that needs a lot of extra sauce that’s not on kernel.org.

Thanks again - I’ll keep working at this.

—Ben
_______________________________________________ discuss mailing list [email protected] http://openvswitch.org/mailman/listinfo/discuss
