Re: [openflow-discuss] ACL entries flow

Thu, 09 Mar 2017 00:53:10 -0800 

On 09-03-2017 12:59, jpet...@cs.stanford.edu wrote:

On Mar 8, 2017, at 10:00 PM, Pravin <pravi...@altencalsoftlabs.com> wrote:

Hi Team,
I am testing acl flows in open flow.
I have used a combination of ethertype, vlan and ingress port as qualifiers to 
perform 'write actions'. This is successful.
But when I tried to use DST IP instead of ethertype, I am facing the following 
error,
For eg,
ovs-ofctl -O OpenFlow12 add-flow br0 
in_port=1,dl_vlan=1,nw_dst=12.12.12.1/32,table=60,action=group:65538
error:
2001-04-24T17:26:47Z|00001|ofp_util|INFO|normalization changed ofp_match, 
details:
2001-04-24T17:26:47Z|00002|ofp_util|INFO| pre: 
in_port=1,dl_vlan=1,nw_dst=12.12.12.1
2001-04-24T17:26:47Z|00003|ofp_util|INFO|post: in_port=1,dl_vlan=1

Do we have any document that advises valid qualifiers combinations/lists?
I have searched the curl commands also internet for open flow acl commands, but 
in vain.

You need to specify "ip".  It's mentioned in the FAQ:

        
https://github.com/openvswitch/ovs/blob/master/Documentation/faq/openflow.rst

-=-=-=-=-=-=-=-=-=-=-
Q: I ran ovs-ofctl add-flow br0 nw_dst=192.168.0.1,actions=drop but I got a 
funny message like this:

ofp_util|INFO|normalization changed ofp_match, details:
ofp_util|INFO| pre: nw_dst=192.168.0.1
ofp_util|INFO|post:

and when I ran ovs-ofctl dump-flows br0 I saw that my nw_dst match had 
disappeared, so that the flow ends up matching every packet.

A: The term "normalization" in the log message means that a flow cannot match on an L3 
field without saying what L3 protocol is in use. The "ovs-ofctl" command above didn't 
specify an L3 protocol, so the L3 field match was dropped.

In this case, the L3 protocol could be IP or ARP. A correct command for each 
possibility is, respectively:

$ ovs-ofctl add-flow br0 ip,nw_dst=192.168.0.1,actions=drop

and:

$ ovs-ofctl add-flow br0 arp,nw_dst=192.168.0.1,actions=drop

Similarly, a flow cannot match on an L4 field without saying what L4 protocol 
is in use. For example, the flow match tp_src=1234 is, by itself, meaningless 
and will be ignored. Instead, to match TCP source port 1234, write 
tcp,tp_src=1234, or to match UDP source port 1234, write udp,tp_src=1234.
-=-=-=-=-=-=-=-=-=-=-

--Justin





Hi Justin,

Thank you very much for your prompt response. That helps.
Also thank you for the FAQ link.

Regards,
Pravin P
_______________________________________________
openflow-discuss mailing list
openflow-discuss@lists.stanford.edu
https://mailman.stanford.edu/mailman/listinfo/openflow-discuss

Reply via email to