Thank you so much. It works after adding a rule for outgoing traffic as well.
----- Original Message -----
> From: "Justin Pettit" <[email protected]>
> To: "Anna Giannakou" <[email protected]>
> Cc: [email protected]
> Sent: Thursday, 19 November, 2015 5:24:17 PM
> Subject: Re: [ovs-discuss] seperate flows per vm
>
>
> > On Nov 19, 2015, at 6:38 AM, Anna Giannakou <[email protected]> wrote:
> >
> > Hello,
> > I am trying to have a separate flow table per VM that is connected to
> > br-int. So far, to do that I insert a resubmit flow into the base table
> > (table 0) and then a basic drop-all flow into the table of the VM (table 25
> > in this example).
> > The two flows are:
> > ovs-ofctl add-flow br-int "table=0,priority=19,in_port=2,actions=resubmit(,25)" for resubmission
> > ovs-ofctl add-flow br-int "table=25,priority=0,in_port=2,actions=drop" for dropping all traffic.
> >
> > The problem is that when I try to insert a new rule in table 25 (to allow
> > an SSH connection from a specific host, for example) the rule does not work.
> > The flow that I am trying to insert is:
> > ovs-ofctl add-flow br-int "table=25,priority=2,tcp,in_port=2,tp_dst=22,nw_src=10.1.0.2,actions=normal"
> >
> > Can you please tell me if there is a problem with this particular flow or
> > the way I am defining it?
> >
> > The complete flow table is as follows:
> > NXST_FLOW reply (xid=0x4):
> > cookie=0x0, duration=83007.359s, table=0, n_packets=1296, n_bytes=66540, idle_age=11, hard_age=65534, priority=19,in_port=2 actions=resubmit(,25)
> > cookie=0x0, duration=83403.026s, table=0, n_packets=4, n_bytes=168, idle_age=65534, hard_age=65534, priority=10,arp,in_port=2 actions=resubmit(,24)
> > cookie=0x0, duration=83402.994s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=10,arp,in_port=11 actions=resubmit(,24)
> > cookie=0x0, duration=83403.058s, table=0, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=10,arp,in_port=3 actions=resubmit(,24)
> > cookie=0x0, duration=83403.759s, table=0, n_packets=71669, n_bytes=5966012, idle_age=1, hard_age=65534, priority=0 actions=NORMAL
> > cookie=0x0, duration=83403.754s, table=23, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
> > cookie=0x0, duration=83403.031s, table=24, n_packets=4, n_bytes=168, idle_age=65534, hard_age=65534, priority=2,arp,in_port=2,arp_spa=10.1.0.4 actions=NORMAL
> > cookie=0x0, duration=83403s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=2,arp,in_port=11,arp_spa=10.1.0.46 actions=NORMAL
> > cookie=0x0, duration=83403.063s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=2,arp,in_port=3,arp_spa=10.1.0.8 actions=NORMAL
> > cookie=0x0, duration=83403.749s, table=24, n_packets=0, n_bytes=0, idle_age=65534, hard_age=65534, priority=0 actions=drop
> > cookie=0x0, duration=101.509s, table=25, n_packets=0, n_bytes=0, idle_age=101, priority=2,tcp,in_port=2,nw_src=10.1.0.2,tp_dst=22 actions=NORMAL
> > cookie=0x0, duration=82135.593s, table=25, n_packets=1176, n_bytes=49776, idle_age=11, hard_age=65534, priority=0,in_port=2 actions=drop
> >
> > As you can see from the flow table, although the first flow is applied and
> > the packets are redirected, no packets match the SSH flow (they all match
> > the drop one with the latest priority).
>
> It doesn't look like you allowed ARP, so unless you are using static entries,
> there's probably not even any IP traffic flowing yet. Try adding a flow
> like this:
>
> ovs-ofctl add-flow br-int "table=25,priority=1,in_port=2,arp,actions=normal"
>
> Don't forget that you'll need to set up flows for the return traffic to make
> this work after you get past this issue.
>
> --Justin

_______________________________________________
discuss mailing list
[email protected]
http://openvswitch.org/mailman/listinfo/discuss

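The thread sketches the per-VM table pattern (table 0 resubmits the VM's traffic to a private table, which allows a few things and drops the rest) but leaves the ARP and return-traffic flows to the reader. The script below is an added example that builds the complete rule set for one VM; it is not code from the thread or from the Open vSwitch project. Port 2, table 25, the VM address 10.1.0.4 (the arp_spa bound to in_port=2 in the posted table 24) and the admin host 10.1.0.2 are taken from the flow dump above; the function names and the OVS_APPLY, BRIDGE, VM_PORT, VM_TABLE, VM_IP and ADMIN_IP variables are this script's own assumed conventions. Output uses the one-flow-per-line syntax that `ovs-ofctl add-flows <bridge> -` reads from stdin, so the flows can be inspected before anything is pushed.

```shell
#!/bin/sh
# Added example: generate (and optionally apply) a per-VM OpenFlow table on
# br-int. Not code from the ovs-discuss thread or from Open vSwitch itself.
# Assumed values: VM on in_port=2 with IP 10.1.0.4, private table 25,
# admin host 10.1.0.2 allowed to reach the VM on tcp/22.
set -eu

# Refuse non-numeric port/table values so a typo cannot produce a flow line
# that ovs-ofctl rejects part-way through the file.
require_uint() {
    case "$2" in
        ''|*[!0-9]*) echo "$1 must be an unsigned integer, got '$2'" >&2; return 1 ;;
    esac
}

# gen_vm_flows PORT TABLE VM_IP ADMIN_IP
# Table 0 steers both directions of the VM's traffic into its own table:
# frames the VM emits (in_port=PORT) and frames addressed to it (nw_dst /
# arp_tpa). Inside that table: ARP both ways, SSH from the admin host to the
# VM, the VM's SSH replies back to the admin host, and a default drop.
gen_vm_flows() {
    port=$1; table=$2; vm_ip=$3; admin_ip=$4
    require_uint PORT "$port" || return 1
    require_uint TABLE "$table" || return 1
    cat <<EOF
table=0,priority=19,in_port=$port,actions=resubmit(,$table)
table=0,priority=19,ip,nw_dst=$vm_ip,actions=resubmit(,$table)
table=0,priority=19,arp,arp_tpa=$vm_ip,actions=resubmit(,$table)
table=$table,priority=1,arp,in_port=$port,actions=NORMAL
table=$table,priority=1,arp,arp_tpa=$vm_ip,actions=NORMAL
table=$table,priority=2,tcp,nw_src=$admin_ip,nw_dst=$vm_ip,tp_dst=22,actions=NORMAL
table=$table,priority=2,tcp,in_port=$port,nw_src=$vm_ip,nw_dst=$admin_ip,tp_src=22,actions=NORMAL
table=$table,priority=0,actions=drop
EOF
}

# apply_vm_flows BRIDGE PORT TABLE VM_IP ADMIN_IP
# Pushes the generated flows in one add-flows call (read from stdin).
apply_vm_flows() {
    bridge=$1; shift
    gen_vm_flows "$@" | ovs-ofctl add-flows "$bridge" -
}

# Print the flows by default; push them only when OVS_APPLY=1 is set.
if [ "${OVS_APPLY:-0}" = 1 ]; then
    apply_vm_flows "${BRIDGE:-br-int}" "${VM_PORT:-2}" "${VM_TABLE:-25}" \
        "${VM_IP:-10.1.0.4}" "${ADMIN_IP:-10.1.0.2}"
else
    gen_vm_flows "${VM_PORT:-2}" "${VM_TABLE:-25}" \
        "${VM_IP:-10.1.0.4}" "${ADMIN_IP:-10.1.0.2}"
fi
```

Two points the thread's flows turn on. First, in_port=2 matches only frames the VM sends, so a rule in the VM's table that also requires nw_src=10.1.0.2 (another host) and tp_dst=22 describes a packet that never arrives on that port; the VM's side of an SSH session carries nw_src=10.1.0.4 and tp_src=22, which is the "outgoing" rule the original poster ended up adding. Second, the default drop carries no in_port match here because, once table 0 also resubmits frames addressed to the VM, other ports' traffic lands in the table too. After applying, `ovs-ofctl dump-flows br-int table=25` shows the per-VM table with its packet counters, and `ovs-appctl ofproto/trace br-int 'in_port=2,tcp,nw_src=10.1.0.4,nw_dst=10.1.0.2,tp_src=22,tp_dst=40000'` (40000 is an arbitrary client port chosen for the trace) walks a single constructed packet through the tables and reports which flow it hit.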