I just looked back across the validation and there's two particular cases that we don't validate on current master code:
- If the ct_state matches on 0-bits. For instance, flows matching "ct_state=-trk", OVS accepts that even if there is no support for conntrack. - If flows specify the ct action, we allow it without checking for datapath support. These will need to be fixed. I think that in your case, there are two possibilities: Either your OVS kernel module doesn't support connection tracking at all (make sure you're running the version you think you're running), or perhaps connlabel support is not enabled on your kernel. You can check for kernel support by looking at the OVS logs: # grep "Datapath" /path/to/ovs-vswitchd.log 2015-10-26T17:28:26.801Z|00018|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports recirculation 2015-10-26T17:28:26.802Z|00020|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath supports unique flow ids 2015-10-26T17:28:26.802Z|00021|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_state 2015-10-26T17:28:26.802Z|00022|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_zone 2015-10-26T17:28:26.802Z|00023|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_mark 2015-10-26T17:28:26.802Z|00024|ofproto_dpif|INFO|netdev@ovs-netdev: Datapath does not support ct_label In this example, there is no kernel support for connection tracking. On 28 October 2015 at 03:31, Kenchappa, Ravindra <[email protected]> wrote: > Hi, > > The two threads : > > http://openvswitch.org/pipermail/discuss/2015-October/019201.html > http://openvswitch.org/pipermail/dev/2015-October/061629.html > > discuss about kernel not supporting connection tracking and OVS rejecting > conntrack flows with "bad field" error. > > But in my case I was able to added the following flows with ct-state in the > match filed: > > table=0,in_port=1,tcp,action=ct(commit,exec(set_field:1->ct_label)),2 > table=0,in_port=2,ct_state=-trk,tcp,action=ct(table=1) > > but the flow below is not accepted by OVS and returns bad field error: > > table=1,in_port=2,ct_state=+trk,ct_label=1,tcp,action=1 > > Thanks, > Ravi > > -----Original Message----- > From: Joe Stringer [mailto:[email protected]] > Sent: Monday, October 26, 2015 10:22 PM > To: Kenchappa, Ravindra > Cc: [email protected] > Subject: Re: [ovs-discuss] OVS: not able to add conntack flow rules > > On 25 October 2015 at 21:45, Kenchappa, Ravindra <[email protected]> > wrote: >> Hi, >> >> I have downloaded and installed OVS 2.4.90 >> (https://github.com/justinpettit/ovs/tree/conntrack) and trying to add >> conntrack flows via ovs-ofctl. I am able to add few sample flows and I >> am getting errors when tried to added the following flow: >> >> raveek:~/devstack$ sudo ovs-ofctl add-flow br-int >> table=1,in_port=2,ct_state=+est,tcp,action=1 >> OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD NXT_FLOW_MOD (xid=0x6): >> (truncated to 64 bytes from 88) >> 00000000 01 04 00 58 00 00 00 06-00 00 23 20 00 00 00 0d |...X......# >> ....| >> 00000010 00 00 00 00 00 00 00 00-01 00 00 00 00 00 80 00 >> |................| >> 00000020 ff ff ff ff ff ff 00 00-00 1d 00 00 00 00 00 00 >> |................| >> 00000030 00 00 00 02 00 02 00 00-06 02 08 00 00 00 0c 01 >> |................| >> >> raveek:~/devstack$ sudo ovs-ofctl add-flow br-int >> table=20,in_port=2,ct_state=+trk+new,tcp,action=drop >> OFPT_ERROR (xid=0x6): OFPBMC_BAD_FIELD NXT_FLOW_MOD (xid=0x6): >> (truncated to 64 bytes from 80) >> 00000000 01 04 00 50 00 00 00 06-00 00 23 20 00 00 00 0d |...P......# >> ....| >> 00000010 00 00 00 00 00 00 00 00-14 00 00 00 00 00 80 00 >> |................| >> 00000020 ff ff ff ff ff ff 00 00-00 1d 00 00 00 00 00 00 >> |................| >> 00000030 00 00 00 02 00 02 00 00-06 02 08 00 00 00 0c 01 >> |................| raveek::~/devstack$ >> >> Here is the flow table looks like. >> >> raveek:~/devstack$ sudo ovs-ofctl dump-flows br-int -Oopenflow13 >> OFPST_FLOW reply (OF1.3) (xid=0x2): >> cookie=0x0, duration=98.291s, table=0, n_packets=0, n_bytes=0, >> dl_type=0x88cc actions=CONTROLLER:65535 cookie=0x0, duration=28.391s, >> table=0, n_packets=0, n_bytes=0, arp actions=NORMAL cookie=0x0, >> duration=28.368s, table=0, n_packets=0, n_bytes=0, >> ct_state=-trk,tcp,in_port=1 actions=ct(commit,zone=9),output:2 >> cookie=0x0, duration=28.346s, table=0, n_packets=0, n_bytes=0, >> ct_state=-trk,tcp,in_port=2 actions=ct(table=1,zone=9) cookie=0x0, >> duration=98.291s, table=0, n_packets=0, n_bytes=0, priority=0 >> actions=goto_table:20 >> cookie=0x0, duration=28.410s, table=0, n_packets=0, n_bytes=0, >> priority=1 actions=drop cookie=0x0, duration=98.288s, table=20, >> n_packets=0, n_bytes=0, priority=0 >> actions=goto_table:30 >> cookie=0x0, duration=98.288s, table=30, n_packets=0, n_bytes=0, >> priority=0 >> actions=goto_table:40 >> cookie=0x0, duration=98.288s, table=40, n_packets=0, n_bytes=0, >> priority=0 >> actions=goto_table:50 >> cookie=0x0, duration=98.291s, table=50, n_packets=0, n_bytes=0, >> priority=0 >> actions=goto_table:60 >> cookie=0x0, duration=98.288s, table=60, n_packets=0, n_bytes=0, >> priority=0 >> actions=goto_table:70 >> cookie=0x0, duration=98.288s, table=70, n_packets=0, n_bytes=0, >> priority=0 >> actions=goto_table:80 >> cookie=0x0, duration=98.289s, table=80, n_packets=0, n_bytes=0, >> priority=0 >> actions=goto_table:90 >> cookie=0x0, duration=98.288s, table=90, n_packets=0, n_bytes=0, >> priority=0 >> actions=goto_table:100 >> cookie=0x0, duration=98.288s, table=100, n_packets=0, n_bytes=0, >> priority=0 >> actions=goto_table:110 >> cookie=0x0, duration=98.291s, table=110, n_packets=0, n_bytes=0, >> priority=0 actions=drop >> >> raveek::~/devstack$ >> >> Could you please help me in identifying the problem? > > There have been multiple questions like this recently on this mailinglist, > see those threads: > > http://openvswitch.org/pipermail/discuss/2015-October/019201.html > http://openvswitch.org/pipermail/dev/2015-October/061629.html _______________________________________________ discuss mailing list [email protected] http://openvswitch.org/mailman/listinfo/discuss
