Hi Quoc, Suresh

The problem is that these flows are automatically generated during the host discovery process to allow the hosts to be reachable. Right now, the only viable solution that I see is to manually delete them and add them again with lower priorities as Suresh suggested.

Thank you both for your input.

Regards,
Giorgos

On 29/08/18 10:35, Le Quoc Khanh wrote:
Hi Giorgos,

Just need to make sure your flow has higher priority than the other two. The best practice is to explicitly specify the priority of all flows instead of leaving them to the default. For example, set the priority of the first 2 flow entries to 10 and the flow to drop traffic between 2 hosts to 100.

Regards,
Quoc Khanh


On Wed, Aug 29, 2018, 6:29 PM Giorgos Dimopoulos <gior...@talaia.io> wrote:

    Hi Quoc, thanks a lot for clarifying this. I did try to add the
    flow with the default priority but that didn't work either.
    It seems that the two first flows are always prioritized over the
    one that I'm adding. It only works when I lower the priorities of
    the first two flows.

    Is there any way to add the new flow and override the others
    without having to modify their priorities?

    Thanks!
    Giorgos

    On 29/08/18 01:06, quockhanh...@gmail.com wrote:

    Hi Giorgos,

    From your flow table, it’s very likely that the flow entry you
    used to drop traffic between 2 hosts has a lower priority (=100)
    than the priorities of the other 2 entries (*default priority*).
    As mentioned in this
    <http://www.openvswitch.org/support/dist-docs/ovs-ofctl.8.html>,
    “when adding a flow, if the field is not specified, *the flow's
    priority will default to 32768*.” Therefore, incoming packets
    will always be matched and forwarded between h1 and h2 by the
    first 2 flow entries instead of being dropped by the last one.

    Hope it helps.

    Regards,

    Quoc Khanh

    *From: *Giorgos Dimopoulos <mailto:gior...@talaia.io>
    *Sent: *Tuesday, 28 August 2018 10:55 PM
    *To: *ryu-devel@lists.sourceforge.net
    *Subject: *[Ryu-devel] Rule to drop traffic between hosts in
    mininet doesn't work

    Hello,

    I'm running mininet with the following configuration:

    sudo mn --topo single,2 --mac --controller remote --switch ovs,protocols=OpenFlow10

    on the host computer I'm running ryu with simple_switch and
    ofctl_rest:

    ryu-manager --verbose --app-lists ryu.app.simple_switch,ryu.app.ofctl_rest

    then I'm using the REST API to block all traffic from h1 to h2:

    curl -X POST -d '{
        "dpid": 1,
        "cookie": 0,
        "table_id": 0,
        "priority": 100,
        "flags": 1,
        "match":{
            "nw_src": "10.0.0.1/32",
            "nw_dst": "10.0.0.2/32",
            "dl_type": 2048
        },
        "actions":[
        ]
     }' http://localhost:8080/stats/flowentry/add

    in mininet the OF rule appears correctly:

    mininet> sh ovs-ofctl -O OpenFlow10 dump-flows s1
     cookie=0x0, duration=40.692s, table=0, n_packets=4, n_bytes=336, in_port="s1-eth1",dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 actions=output:"s1-eth2"
     cookie=0x0, duration=40.687s, table=0, n_packets=3, n_bytes=238, in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01 actions=output:"s1-eth1"
     cookie=0x0, duration=5.286s, table=0, n_packets=0, n_bytes=0, priority=100,ip,nw_src=10.0.0.1,nw_dst=10.0.0.2 actions=drop

    but the rule doesn't work since h1 can still ping h2:

    mininet> h1 ping h2
    PING 10.0.0.2 (10.0.0.2) 56(84) bytes of data.
    64 bytes from 10.0.0.2: icmp_seq=1 ttl=64 time=0.496 ms
    64 bytes from 10.0.0.2: icmp_seq=2 ttl=64 time=0.061 ms
    64 bytes from 10.0.0.2: icmp_seq=3 ttl=64 time=0.065 ms

    am I missing something here?

    Thanks in advance!

    Giorgos

    
------------------------------------------------------------------------------

    Check out the vibrant tech community on one of the world's most

    engaging tech sites, Slashdot.org! http://sdm.link/slashdot

    _______________________________________________

    Ryu-devel mailing list

    Ryu-devel@lists.sourceforge.net
    <mailto:Ryu-devel@lists.sourceforge.net>

    https://lists.sourceforge.net/lists/listinfo/ryu-devel
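
The priority behaviour discussed in this thread, as an added example that is not part of the original messages and is not Ryu or Open vSwitch code: it parses the three dump-flows entries quoted above, treats a missing priority= as 32768, and reports drop rules that match a packet but lose to a higher-priority entry. The packet dictionary, the function names and the exact-match-only comparison (no masks or wildcards) are assumptions made for the illustration.

```python
OFP_DEFAULT_PRIORITY = 32768  # value ovs-ofctl documents for flows with no priority=
# Match/action part of the three dump-flows entries quoted in the thread.
DUMP = """\
in_port="s1-eth1",dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02 actions=output:"s1-eth2"
in_port="s1-eth2",dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01 actions=output:"s1-eth1"
priority=100,ip,nw_src=10.0.0.1,nw_dst=10.0.0.2 actions=drop
"""

# Constructed packet: the IPv4 traffic h1 -> h2 that the drop rule is meant to block.
H1_TO_H2 = {"in_port": "s1-eth1", "dl_src": "00:00:00:00:00:01",
            "dl_dst": "00:00:00:00:00:02", "dl_type": "0x0800",
            "nw_src": "10.0.0.1", "nw_dst": "10.0.0.2"}


def parse_flow(line):
    """Turn one 'match actions=...' line into priority, match fields and actions."""
    match_part, actions = line.strip().rsplit(" actions=", 1)
    fields = {}
    for token in match_part.split(","):
        key, _, value = token.partition("=")
        if key == "ip":  # ovs-ofctl shorthand for dl_type=0x0800
            key, value = "dl_type", "0x0800"
        fields[key] = value.strip('"')
    priority = int(fields.pop("priority", OFP_DEFAULT_PRIORITY))
    return {"priority": priority, "match": fields, "actions": actions.replace('"', "")}


def matching(flows, packet):
    """Entries whose every match field equals the packet's (exact match only)."""
    return [f for f in flows if all(packet.get(k) == v for k, v in f["match"].items())]


def winning_action(flows, packet):
    """Action of the highest-priority matching entry, as the switch would pick it."""
    hits = matching(flows, packet)
    return max(hits, key=lambda f: f["priority"])["actions"] if hits else "table-miss"


def shadowed_drops(flows, packet):
    """Drop entries that match the packet but lose to a higher-priority entry."""
    hits = matching(flows, packet)
    top = max((f["priority"] for f in hits), default=0)
    return [f for f in hits if f["actions"] == "drop" and f["priority"] < top]


if __name__ == "__main__":
    table = [parse_flow(line) for line in DUMP.splitlines()]
    print(winning_action(table, H1_TO_H2), shadowed_drops(table, H1_TO_H2))
```

Run against a fresh dump after adding a block rule, a non-empty shadowed_drops result means the rule is installed but never selected for that traffic.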


