Hi Mohan, The packets are not going through the SFs after setting the chain and I think that this error is due to a misconfiguration of the pipelines in br-int. I used the flow classifier [0] but only the network address " 55.55.55.0/24" is put in pipeline flow entries see [1] [2] and not the explicit address of the source " 55.55.55.8/24" or destination " 55.55.55.7/24"
The source instance can successfully ping the destination before setting up the port chain, after building the chain the ICMP packets are leaving from the source to the destination see [3] but it seems that they are not correctly switched in br-int. Any suggestion to solve that ? [0] "neutron flow-classifier-create --ethertype IPv4 --source-ip-prefix 55.55.55.8/24 --logical-source-port 9ee874fc-aaec-477d-af41-0d0e872bb209 --destination-ip-prefix 55.55.55.7/24 --logical-destination-port d2eea910-4e6c-4f30-947a-849fba7447a4 --protocol icmp FC1" [1] sudo ovs-ofctl dump-flows br-int -O OpenFlow13 table=0 OFPST_FLOW reply (OF1.3) (xid=0x2): cookie=0x990756dc81846819, duration=1848.233s, table=0, n_packets=0, n_bytes=0, priority=10,arp,in_port=4 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1833.939s, table=0, n_packets=0, n_bytes=0, priority=10,arp,in_port=6 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1811.307s, table=0, n_packets=29, n_bytes=1218, priority=10,arp,in_port=8 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1850.150s, table=0, n_packets=12, n_bytes=504, priority=10,arp,in_port=3 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1837.405s, table=0, n_packets=11, n_bytes=462, priority=10,arp,in_port=5 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1825.399s, table=0, n_packets=26, n_bytes=1092, priority=10,arp,in_port=7 actions=resubmit(,24) cookie=0x990756dc81846819, duration=4244.694s, table=0, n_packets=329, n_bytes=35178, priority=0 actions=NORMAL cookie=0x990756dc81846819, duration=4244.276s, table=0, n_packets=0, n_bytes=0, priority=20,mpls actions=resubmit(,10) cookie=0x990756dc81846819, duration=1850.182s, table=0, n_packets=21, n_bytes=2282, priority=9,in_port=3 actions=resubmit(,25) cookie=0x990756dc81846819, duration=1848.328s, table=0, n_packets=3, n_bytes=230, priority=9,in_port=4 actions=resubmit(,25) cookie=0x990756dc81846819, duration=1837.480s, table=0, n_packets=21, n_bytes=2282, priority=9,in_port=5 actions=resubmit(,25) cookie=0x990756dc81846819, duration=1834.008s, table=0, n_packets=2, n_bytes=140, priority=9,in_port=6 actions=resubmit(,25) cookie=0x990756dc81846819, duration=1825.467s, table=0, n_packets=27, n_bytes=2870, priority=9,in_port=7 actions=resubmit(,25) cookie=0x990756dc81846819, duration=1811.437s, table=0, n_packets=179, n_bytes=24558, priority=9,in_port=8 actions=resubmit(,25) cookie=0x990756dc81846819, duration=1850.166s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=3,icmp_type=136 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1848.266s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=4,icmp_type=136 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1837.433s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=5,icmp_type=136 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1825.436s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=7,icmp_type=136 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1833.966s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=6,icmp_type=136 actions=resubmit(,24) cookie=0x990756dc81846819, duration=1811.353s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=8,icmp_type=136 actions=resubmit(,24) cookie=0x990756dc81846819, duration=592.988s, table=0, n_packets=305, n_bytes=29890, priority=30,icmp,in_port=8,nw_src=55.55.55.0/24,nw_dst= 55.55.55.0/24 actions=group:1 cookie=0x990756dc81846819, duration=592.835s, table=0, n_packets=0, n_bytes=0, priority=30,icmp,in_port=4,nw_src=55.55.55.0/24,nw_dst= 55.55.55.0/24 actions=group:2 cookie=0x990756dc81846819, duration=592.750s, table=0, n_packets=0, n_bytes=0, priority=30,icmp,in_port=6,nw_src=55.55.55.0/24,nw_dst= 55.55.55.0/24 actions=NORMAL [2] sudo ovs-ofctl dump-flows br-int -O OpenFlow13 table=5 OFPST_FLOW reply (OF1.3) (xid=0x2): cookie=0x990756dc81846819, duration=660.337s, table=5, n_packets=0, n_bytes=0, priority=1,ip,dl_dst=fa:16:3e:ee:ac:9a,nw_src=55.55.55.0/24 actions=push_mpls:0x8847,set_field:65791->mpls_label,set_mpls_ttl(255),push_vlan:0x8100,set_field:4097->vlan_vid,resubmit(,10) cookie=0x990756dc81846819, duration=660.104s, table=5, n_packets=0, n_bytes=0, priority=1,ip,dl_dst=fa:16:3e:9b:2b:91,nw_src=55.55.55.0/24 actions=push_mpls:0x8847,set_field:65790->mpls_label,set_mpls_ttl(254),push_vlan:0x8100,set_field:4097->vlan_vid,resubmit(,10) cookie=0x990756dc81846819, duration=660.325s, table=5, n_packets=0, n_bytes=0, priority=0,dl_dst=fa:16:3e:ee:ac:9a actions=push_mpls:0x8847,set_field:65791->mpls_label,set_mpls_ttl(255),push_vlan:0x8100,set_field:4097->vlan_vid,set_field:fa:16:3e:8f:83:a7->eth_src,resubmit(,10) cookie=0x990756dc81846819, duration=660.097s, table=5, n_packets=0, n_bytes=0, priority=0,dl_dst=fa:16:3e:9b:2b:91 actions=push_mpls:0x8847,set_field:65790->mpls_label,set_mpls_ttl(254),push_vlan:0x8100,set_field:4097->vlan_vid,set_field:fa:16:3e:8f:83:a7->eth_src,resubmit(,10) [3] sudo tcpdump -i tap9ee874fc-aa tcpdump: WARNING: tap9ee874fc-aa: no IPv4 address assigned tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on tap9ee874fc-aa, link-type EN10MB (Ethernet), capture size 65535 bytes 20:14:07.965348 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 82, length 64 20:14:08.967031 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 83, length 64 20:14:09.968351 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 84, length 64 20:14:10.969454 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 85, length 64 20:14:11.970705 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 86, length 64 20:14:12.972184 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 87, length 64 20:14:13.973142 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 88, length 64 20:14:14.974222 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 89, length 64 20:14:15.975291 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 90, length 64 20:14:16.976012 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 91, length 64 20:14:17.977478 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 92, length 64 20:14:18.978457 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 93, length 64 20:14:19.979777 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 94, length 64 20:14:20.980652 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 95, length 64 20:14:21.982147 IP 55.55.55.8 > 55.55.55.7: ICMP echo request, id 22017, seq 96, length 64 On 18 August 2016 at 08:46, Mohan Kumar <nmohankumar1...@gmail.com> wrote: > Hi Alioune, > > You can remove security - groups after launching VM too . If you still > facing issues in sfc setup please ping me over IRC ( channel : > *#openstack-neutron > *name:* mohankumar **). * I believe that is the fastest way to sync-up. > > > Thanks., > Mohankumar.N > > On Wed, Aug 17, 2016 at 7:28 PM, Alioune <baliou...@gmail.com> wrote: > >> Hi Muhata, >> Should I do these before launching the SFs or they could be done afer ? >> I run these command on all ports from p1 to p4 and neutron port-show pi >> for each pi port show : port_security_enabled : False and >> security_groups : ' ' . >> But I still can not snif packets >> >> On 17 August 2016 at 15:30, Mohan Kumar <nmohankumar1...@gmail.com> >> wrote: >> >>> Alioune, >>> >>> tcpdump in SF ingress / egress tap interfaces will show packets flows . >>> I guess the packet not going through SFs . >>> >>> You may check flow_rules packet counter and actions >>> field (actions=drop) on br_int to find where the packet actually get >>> dropping . >>> >>> Please make sure you disabled security groups on SF attached ports : >>> >>> neutron port-update <port-name/id> --no-security-groups >>> neutron port-update <port-name/id> --port-security-enabled=False >>> >>> Thanks., >>> Mohankumar.N >>> >>> On Wed, Aug 17, 2016 at 6:01 PM, Alioune <baliou...@gmail.com> wrote: >>> >>>> Hi all, >>>> I've solved the error. >>>> In fact I did not create a router attached to the tenant subnet and >>>> according to neutron logs that was the first exception raised while >>>> creating port-chain. >>>> Now the port-chain has been created and some flows entries have been >>>> pushed in br-int. I think I could be interesting to update the wiki. >>>> >>>> When running a ping from the source to the dst, I can see ICMP (request >>>> and reply) packets from the Tap interface of the source but I can not see >>>> them in the Taps of SFs. >>>> Is there a way to display packets (with wireshark or tcpdump ) going >>>> inbout and outbount of the SFs ? >>>> >>>> Regards, >>>> >>>> On 16 August 2016 at 16:06, Mohan Kumar <nmohankumar1...@gmail.com> >>>> wrote: >>>> >>>>> Hi Alioune, >>>>> >>>>> Could you share neutron log as well ? also let us know your sfc code >>>>> base., If possible shall we have quick chat on this in neutron IRC >>>>> channel ? >>>>> >>>>> Thanks., >>>>> Mohankumar.N >>>>> >>>>> On Mon, Aug 15, 2016 at 5:09 PM, Alioune <baliou...@gmail.com> wrote: >>>>> >>>>>> Hi all, >>>>>> I'm trying to launch Openstack SFC as explained in[1] by creating 2 >>>>>> SFs, 1 Web Server (DST) and the DHCP namespace as the SRC. >>>>>> I've installed OVS (Open vSwitch) 2.3.90 with Linux kernel 3.13.0-62 >>>>>> and the neutron L2-agent runs correctly. >>>>>> I followed the process by creating classifier, port pairs and >>>>>> port_group but I got a wrong message "delete_port_chain failed." when >>>>>> creating port_chain [2] >>>>>> I tried to create the neutron ports with and without the option >>>>>> "--no-security-groups" then tcpdpump on SFs tap interfaces but the ICMP >>>>>> packets don't go through the SFs. >>>>>> >>>>>> Can anyone advice to fix? that ? >>>>>> What's your channel on IRC ? >>>>>> >>>>>> Regards, >>>>>> >>>>>> >>>>>> [1] https://wiki.openstack.org/wiki/Neutron/ServiceInsertionAndC >>>>>> haining >>>>>> [2] >>>>>> vagrant@ubuntu:~/openstack_sfc$ ./08-os_create_port_chain.sh >>>>>> delete_port_chain failed. >>>>>> vagrant@ubuntu:~/openstack_sfc$ cat 08-os_create_port_chain.sh >>>>>> #!/bin/bash >>>>>> >>>>>> neutron port-chain-create --port-pair-group PG1 --port-pair-group PG2 >>>>>> --flow-classifier FC1 PC1 >>>>>> >>>>>> [3] Output OVS Flows >>>>>> >>>>>> vagrant@ubuntu:~$ sudo ovs-ofctl dump-flows br-tun -O OpenFlow13 >>>>>> OFPST_FLOW reply (OF1.3) (xid=0x2): >>>>>> cookie=0xbc2e9105125301dc, duration=9615.385s, table=0, >>>>>> n_packets=146, n_bytes=11534, priority=1,in_port=1 actions=resubmit(,2) >>>>>> cookie=0xbc2e9105125301dc, duration=9615.382s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=0 actions=drop >>>>>> cookie=0xbc2e9105125301dc, duration=9615.382s, table=2, n_packets=5, >>>>>> n_bytes=490, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 >>>>>> actions=resubmit(,20) >>>>>> cookie=0xbc2e9105125301dc, duration=9615.381s, table=2, >>>>>> n_packets=141, n_bytes=11044, >>>>>> priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 >>>>>> actions=resubmit(,22) >>>>>> cookie=0xbc2e9105125301dc, duration=9615.380s, table=3, n_packets=0, >>>>>> n_bytes=0, priority=0 actions=drop >>>>>> cookie=0xbc2e9105125301dc, duration=9615.380s, table=4, n_packets=0, >>>>>> n_bytes=0, priority=0 actions=drop >>>>>> cookie=0xbc2e9105125301dc, duration=8617.106s, table=4, n_packets=0, >>>>>> n_bytes=0, priority=1,tun_id=0x40e actions=push_vlan:0x8100,set_f >>>>>> ield:4097->vlan_vid,resubmit(,10) >>>>>> cookie=0xbc2e9105125301dc, duration=9615.379s, table=6, n_packets=0, >>>>>> n_bytes=0, priority=0 actions=drop >>>>>> cookie=0xbc2e9105125301dc, duration=9615.379s, table=10, >>>>>> n_packets=0, n_bytes=0, priority=1 actions=learn(table=20,hard_ti >>>>>> meout=300,priority=1,cookie=0xbc2e9105125301dc,NXM_OF_VLAN_T >>>>>> CI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_V >>>>>> LAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_O >>>>>> F_IN_PORT[]),output:1 >>>>>> cookie=0xbc2e9105125301dc, duration=9615.378s, table=20, >>>>>> n_packets=5, n_bytes=490, priority=0 actions=resubmit(,22) >>>>>> cookie=0xbc2e9105125301dc, duration=9615.342s, table=22, >>>>>> n_packets=146, n_bytes=11534, priority=0 actions=drop >>>>>> vagrant@ubuntu:~$ sudo ovs-ofctl dump-flows br-int -O OpenFlow13 >>>>>> OFPST_FLOW reply (OF1.3) (xid=0x2): >>>>>> cookie=0xbc2e9105125301dc, duration=6712.090s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=10,icmp6,in_port=7,icmp_type=136 >>>>>> actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6709.623s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=10,icmp6,in_port=8,icmp_type=136 >>>>>> actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6555.755s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=10,icmp6,in_port=10,icmp_type=136 >>>>>> actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6559.596s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=10,icmp6,in_port=9,icmp_type=136 >>>>>> actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6461.028s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=10,icmp6,in_port=11,icmp_type=136 >>>>>> actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6712.071s, table=0, >>>>>> n_packets=13, n_bytes=546, priority=10,arp,in_port=7 >>>>>> actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6709.602s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=10,arp,in_port=8 actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6555.727s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=10,arp,in_port=10 actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6559.574s, table=0, >>>>>> n_packets=12, n_bytes=504, priority=10,arp,in_port=9 >>>>>> actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=6461.005s, table=0, >>>>>> n_packets=15, n_bytes=630, priority=10,arp,in_port=11 >>>>>> actions=resubmit(,24) >>>>>> cookie=0xbc2e9105125301dc, duration=9620.388s, table=0, >>>>>> n_packets=514, n_bytes=49656, priority=0 actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=9619.277s, table=0, n_packets=0, >>>>>> n_bytes=0, priority=20,mpls actions=resubmit(,10) >>>>>> cookie=0xbc2e9105125301dc, duration=6712.111s, table=0, >>>>>> n_packets=25, n_bytes=2674, priority=9,in_port=7 actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6559.621s, table=0, >>>>>> n_packets=24, n_bytes=2576, priority=9,in_port=9 actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6555.777s, table=0, n_packets=2, >>>>>> n_bytes=140, priority=9,in_port=10 actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6461.082s, table=0, >>>>>> n_packets=47, n_bytes=4830, priority=9,in_port=11 actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6709.646s, table=0, n_packets=3, >>>>>> n_bytes=230, priority=9,in_port=8 actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=9619.265s, table=10, >>>>>> n_packets=0, n_bytes=0, priority=0 actions=drop >>>>>> cookie=0xbc2e9105125301dc, duration=9620.378s, table=23, >>>>>> n_packets=0, n_bytes=0, priority=0 actions=drop >>>>>> cookie=0xbc2e9105125301dc, duration=9620.368s, table=24, >>>>>> n_packets=0, n_bytes=0, priority=0 actions=drop >>>>>> cookie=0xbc2e9105125301dc, duration=6709.633s, table=24, >>>>>> n_packets=0, n_bytes=0, priority=2,icmp6,in_port=8,icm >>>>>> p_type=136,nd_target=fe80::f816:3eff:fe2a:fe actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6712.101s, table=24, >>>>>> n_packets=0, n_bytes=0, priority=2,icmp6,in_port=7,icm >>>>>> p_type=136,nd_target=fe80::f816:3eff:fee7:1362 actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6559.607s, table=24, >>>>>> n_packets=0, n_bytes=0, priority=2,icmp6,in_port=9,icm >>>>>> p_type=136,nd_target=fe80::f816:3eff:fe91:95ee actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6555.766s, table=24, >>>>>> n_packets=0, n_bytes=0, priority=2,icmp6,in_port=10,ic >>>>>> mp_type=136,nd_target=fe80::f816:3eff:fe76:d998 actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6461.055s, table=24, >>>>>> n_packets=0, n_bytes=0, priority=2,icmp6,in_port=11,ic >>>>>> mp_type=136,nd_target=fe80::f816:3eff:fe5e:ed96 actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6709.611s, table=24, >>>>>> n_packets=0, n_bytes=0, priority=2,arp,in_port=8,arp_spa=55.55.55.12 >>>>>> actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6555.741s, table=24, >>>>>> n_packets=0, n_bytes=0, priority=2,arp,in_port=10,arp_spa=55.55.55.14 >>>>>> actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6712.080s, table=24, >>>>>> n_packets=13, n_bytes=546, priority=2,arp,in_port=7,arp_spa=55.55.55.11 >>>>>> actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6559.584s, table=24, >>>>>> n_packets=12, n_bytes=504, priority=2,arp,in_port=9,arp_spa=55.55.55.13 >>>>>> actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6461.015s, table=24, >>>>>> n_packets=15, n_bytes=630, priority=2,arp,in_port=11,arp_spa=55.55.55.15 >>>>>> actions=resubmit(,25) >>>>>> cookie=0xbc2e9105125301dc, duration=6709.714s, table=25, >>>>>> n_packets=0, n_bytes=0, priority=2,in_port=8,dl_src=fa:16:3e:2a:00:fe >>>>>> actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6559.641s, table=25, >>>>>> n_packets=34, n_bytes=2940, priority=2,in_port=9,dl_src=fa:16:3e:91:95:ee >>>>>> actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6461.117s, table=25, >>>>>> n_packets=60, n_bytes=5320, >>>>>> priority=2,in_port=11,dl_src=fa:16:3e:5e:ed:96 >>>>>> actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6712.130s, table=25, >>>>>> n_packets=36, n_bytes=3080, priority=2,in_port=7,dl_src=fa:16:3e:e7:13:62 >>>>>> actions=NORMAL >>>>>> cookie=0xbc2e9105125301dc, duration=6555.801s, table=25, >>>>>> n_packets=0, n_bytes=0, priority=2,in_port=10,dl_src=fa:16:3e:76:d9:98 >>>>>> actions=NORMAL >>>>>> >>>>>> >>>>> >>>> >>> >> >
__________________________________________________________________________ OpenStack Development Mailing List (not for usage questions) Unsubscribe: openstack-dev-requ...@lists.openstack.org?subject:unsubscribe http://lists.openstack.org/cgi-bin/mailman/listinfo/openstack-dev