> On Mar 8, 2017, at 10:00 PM, Pravin <pravi...@altencalsoftlabs.com> wrote:
> 
> Hi Team,
> I am testing ACL flows in OpenFlow.
> I have used a combination of ethertype, vlan and ingress port as qualifiers 
> to perform 'write actions'. This is successful.
> But when I tried to use DST IP instead of ethertype, I am facing the 
> following error,
> For eg,
> ovs-ofctl -O OpenFlow12 add-flow br0 in_port=1,dl_vlan=1,nw_dst=12.12.12.1/32,table=60,action=group:65538
> error:
> 2001-04-24T17:26:47Z|00001|ofp_util|INFO|normalization changed ofp_match, details:
> 2001-04-24T17:26:47Z|00002|ofp_util|INFO| pre: in_port=1,dl_vlan=1,nw_dst=12.12.12.1
> 2001-04-24T17:26:47Z|00003|ofp_util|INFO|post: in_port=1,dl_vlan=1
> 
> Do we have any document that advises valid qualifiers combinations/lists?
> I have searched the curl commands also internet for open flow acl commands, 
> but in vain.

You need to specify "ip".  It's mentioned in the FAQ:

https://github.com/openvswitch/ovs/blob/master/Documentation/faq/openflow.rst

-=-=-=-=-=-=-=-=-=-=-
Q: I ran ovs-ofctl add-flow br0 nw_dst=192.168.0.1,actions=drop but I got a 
funny message like this:

ofp_util|INFO|normalization changed ofp_match, details:
ofp_util|INFO| pre: nw_dst=192.168.0.1
ofp_util|INFO|post:

and when I ran ovs-ofctl dump-flows br0 I saw that my nw_dst match had 
disappeared, so that the flow ends up matching every packet.

A: The term "normalization" in the log message means that a flow cannot match 
on an L3 field without saying what L3 protocol is in use. The "ovs-ofctl" 
command above didn't specify an L3 protocol, so the L3 field match was dropped.

In this case, the L3 protocol could be IP or ARP. A correct command for each 
possibility is, respectively:

$ ovs-ofctl add-flow br0 ip,nw_dst=192.168.0.1,actions=drop

and:

$ ovs-ofctl add-flow br0 arp,nw_dst=192.168.0.1,actions=drop

Similarly, a flow cannot match on an L4 field without saying what L4 protocol 
is in use. For example, the flow match tp_src=1234 is, by itself, meaningless 
and will be ignored. Instead, to match TCP source port 1234, write 
tcp,tp_src=1234, or to match UDP source port 1234, write udp,tp_src=1234.
-=-=-=-=-=-=-=-=-=-=-

--Justin


_______________________________________________
openflow-discuss mailing list
openflow-discuss@lists.stanford.edu
https://mailman.stanford.edu/mailman/listinfo/openflow-discuss
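
The following is an added example, not part of the original thread or of Open vSwitch. It is a pre-flight lint for ACL flow specs that reports nw_src/nw_dst or tp_src/tp_dst matches lacking the protocol prerequisite the FAQ describes, so a rule is not installed with its match silently widened. The function name lint_flow is hypothetical, and it recognises only ip, arp, tcp, udp and the literal forms dl_type=0x0800, dl_type=0x0806, nw_proto=6 and nw_proto=17.

```sh
#!/bin/sh
# Added example (not OVS code): lint an ovs-ofctl flow spec for L3/L4 matches
# that lack their protocol prerequisite and would be normalized away.

# Prints one line per problem field; returns 1 if any match would be dropped.
lint_flow() {
    ipv4=0; arp=0; l4=0; proto=0; need_l3=""; need_l4=""; rc=0
    old_ifs=$IFS; IFS=', '; set -f          # split on commas/spaces, no globbing
    for tok in $1; do
        key=${tok%%=*}; val=${tok#*=}
        case $key in
            action|actions) break ;;         # match fields end here
            ip)   ipv4=1 ;;
            arp)  arp=1 ;;
            tcp|udp) ipv4=1; l4=1 ;;         # shorthand for ip plus nw_proto
            dl_type)
                case $val in
                    0x0800) ipv4=1 ;;
                    0x0806) arp=1 ;;
                esac ;;
            nw_proto)
                case $val in 6|17) proto=1 ;; esac ;;
            nw_src|nw_dst) need_l3="$need_l3 $key" ;;
            tp_src|tp_dst) need_l4="$need_l4 $key" ;;
        esac
    done
    set +f; IFS=$old_ifs
    if [ "$ipv4" -eq 0 ] && [ "$arp" -eq 0 ]; then
        for f in $need_l3; do
            echo "$f: no L3 protocol given (add ip or arp); match would be dropped"
            rc=1
        done
    fi
    if [ "$l4" -eq 0 ] && { [ "$ipv4" -eq 0 ] || [ "$proto" -eq 0 ]; }; then
        for f in $need_l4; do
            echo "$f: no L4 protocol given (add tcp or udp); match would be dropped"
            rc=1
        done
    fi
    return $rc
}

# The flow from the question above, then the same flow with "ip" added.
lint_flow 'in_port=1,dl_vlan=1,nw_dst=12.12.12.1/32,table=60,action=group:65538' || true
lint_flow 'in_port=1,dl_vlan=1,ip,nw_dst=12.12.12.1/32,table=60,action=group:65538' \
    && echo "ok: prerequisites present"
```
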
