networking-sfc

traffic redirection not working

Asked by Navdeep Uniyal

I created a sfc with 3 vms (vm1, vm2, vm3). vm1 and vm3 are traffic generator and receiver respectively. I want to redirect icmp traffic going from vm1 to vm3 via vm2. I created a chain for the same. Port Pair(PP1) contains p1 and p2 of vm2. Port Group(PG) has only PP1. The chain is like: "neutron port-chain-create --port-pair-group PG1 --flow-classifier FC1 PC1"

Flow-Classifier, FC1 is like: "neutron flow-classifier-create --ethertype IPv4 --source-ip-prefix 22.33.0.6/32 --destination-ip-prefix 10.0.0.3/32 --protocol icmp FC1"

The Flows on the ovs are:

OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0xbf969f763a8af13d, duration=1674.789s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=11,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1574.529s, table=0, n_packets=2, n_bytes=164, priority=10,icmp6,in_port=12,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1148.528s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=14,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1148.395s, table=0, n_packets=2, n_bytes=164, priority=10,icmp6,in_port=13,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1674.785s, table=0, n_packets=3, n_bytes=126, priority=10,arp,in_port=11 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1574.526s, table=0, n_packets=3, n_bytes=126, priority=10,arp,in_port=12 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1148.523s, table=0, n_packets=0, n_bytes=0, priority=10,arp,in_port=14 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1148.391s, table=0, n_packets=4, n_bytes=168, priority=10,arp,in_port=13 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=3062.766s, table=0, n_packets=2, n_bytes=220, priority=2,in_port=1 actions=drop
 cookie=0xbf969f763a8af13d, duration=1674.792s, table=0, n_packets=257, n_bytes=24736, priority=9,in_port=11 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1574.534s, table=0, n_packets=275, n_bytes=26606, priority=9,in_port=12 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1148.538s, table=0, n_packets=5, n_bytes=550, priority=9,in_port=14 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1148.404s, table=0, n_packets=265, n_bytes=25658, priority=9,in_port=13 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=3035.224s, table=0, n_packets=358, n_bytes=60622, priority=3,in_port=1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4098->vlan_vid,NORMAL
 cookie=0xbf969f763a8af13d, duration=3063.206s, table=0, n_packets=1602, n_bytes=196679, priority=0 actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=3063.204s, table=23, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xbf969f763a8af13d, duration=1674.790s, table=24, n_packets=0, n_bytes=0, priority=2,icmp6,in_port=11,icmp_type=136,nd_target=fe80::f816:3eff:fe1d:70a0 actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1574.532s, table=24, n_packets=0, n_bytes=0, priority=2,icmp6,in_port=12,icmp_type=136,nd_target=fe80::f816:3eff:fea0:ce0b actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1574.530s, table=24, n_packets=2, n_bytes=164, priority=2,icmp6,in_port=12,icmp_type=136,nd_target=fdaf:fef7:58ac:0:f816:3eff:fea0:ce0b actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1148.534s, table=24, n_packets=0, n_bytes=0, priority=2,icmp6,in_port=14,icmp_type=136,nd_target=fdaf:fef7:58ac:0:f816:3eff:fe16:2c4 actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1148.530s, table=24, n_packets=0, n_bytes=0, priority=2,icmp6,in_port=14,icmp_type=136,nd_target=fe80::f816:3eff:fe16:2c4 actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1148.401s, table=24, n_packets=2, n_bytes=164, priority=2,icmp6,in_port=13,icmp_type=136,nd_target=fdaf:fef7:58ac:0:f816:3eff:feb1:2814 actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1148.397s, table=24, n_packets=0, n_bytes=0, priority=2,icmp6,in_port=13,icmp_type=136,nd_target=fe80::f816:3eff:feb1:2814 actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1674.787s, table=24, n_packets=3, n_bytes=126, priority=2,arp,in_port=11,arp_spa=22.33.0.6 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1574.527s, table=24, n_packets=3, n_bytes=126, priority=2,arp,in_port=12,arp_spa=10.0.0.3 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1148.526s, table=24, n_packets=0, n_bytes=0, priority=2,arp,in_port=14,arp_spa=10.0.0.14 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1148.394s, table=24, n_packets=4, n_bytes=168, priority=2,arp,in_port=13,arp_spa=10.0.0.11 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=3063.204s, table=24, n_packets=0, n_bytes=0, priority=0 actions=drop
 cookie=0xbf969f763a8af13d, duration=1674.797s, table=25, n_packets=260, n_bytes=24862, priority=2,in_port=11,dl_src=fa:16:3e:1d:70:a0 actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1574.537s, table=25, n_packets=274, n_bytes=26292, priority=2,in_port=12,dl_src=fa:16:3e:a0:ce:0b actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1148.543s, table=25, n_packets=0, n_bytes=0, priority=2,in_port=14,dl_src=fa:16:3e:16:02:c4 actions=NORMAL
 cookie=0xbf969f763a8af13d, duration=1148.410s, table=25, n_packets=268, n_bytes=25736, priority=2,in_port=13,dl_src=fa:16:3e:b1:28:14 actions=NORMAL

Dump-Groups output:

sudo ovs-ofctl -O Openflow13 dump-groups br-int
OFPST_GROUP_DESC reply (OF1.3) (xid=0x2):

The flows remained same before and after creation of the port chain. I guess it means that the port chain is not getting triggered. Please help me to triage this. where I could be going wrong?

Question information

Language:
English Edit question
Status:
Answered
For:
networking-sfc Edit question
Assignee:
No assignee Edit question
Last query:
Last reply:
Revision history for this message
Navdeep Uniyal (navdeep89) said : 		#1

Which log files to look into in order to triage the issue.

Revision history for this message
Louis Fourie (lfourie) said : 		#2

the ovs flows are not correct. Expect to see ovs flow rules similar to:

sudo ovs-ofctl -O openflow13 dump-flows br-int table=0
cookie=0xb9ff83614b0e24fc, duration=89.308s, table=0, n_packets=0, n_bytes=0, priority=30,icmp,in_port=11,nw_src=10.0.0.3,nw_dst=10.0.0.5 actions=group:2

Also ovs groups:

sudo ovs-ofctl -O Openflow13 dump-groups br-int
OFPST_GROUP_DESC reply (OF1.3) (xid=0x2):
 group_id=2,type=select,bucket=actions=set_field:fa:16:3e:8f:12:79->eth_dst,...

Revision history for this message
Louis Fourie (lfourie) said : 		#3

look at q-svc log

Revision history for this message
Navdeep Uniyal (navdeep89) said : 		#4

I followed following steps:

1. neutron flow-classifier-create --ethertype IPv4 --source-ip-prefix 10.0.0.5/32 --destination-ip-prefix 10.0.0.4/32 --protocol icmp FC1
2. neutron port-pair-create --ingress=port1 --egress=port2 PP1
3. neutron port-pair-group-create --port-pair PP1 PG1
4. neutron port-chain-create --port-pair-group PG1 --flow-classifier FC1 PC1

q-svc shows no error.

On checking the flows:

sudo ovs-ofctl -O openflow13 dump-flows br-int table=0
OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0xbf969f763a8af13d, duration=259932.831s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=12,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=2855.896s, table=0, n_packets=4, n_bytes=320, priority=10,icmp6,in_port=15,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1102.861s, table=0, n_packets=2, n_bytes=164, priority=10,icmp6,in_port=16,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1082.147s, table=0, n_packets=2, n_bytes=164, priority=10,icmp6,in_port=17,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1082.019s, table=0, n_packets=2, n_bytes=164, priority=10,icmp6,in_port=18,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=933.339s, table=0, n_packets=0, n_bytes=0, priority=10,icmp6,in_port=19,icmp_type=136 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=259932.827s, table=0, n_packets=19, n_bytes=798, priority=10,arp,in_port=12 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=2855.893s, table=0, n_packets=12, n_bytes=504, priority=10,arp,in_port=15 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1102.858s, table=0, n_packets=5, n_bytes=210, priority=10,arp,in_port=16 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1082.143s, table=0, n_packets=4, n_bytes=168, priority=10,arp,in_port=17 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=1082.013s, table=0, n_packets=4, n_bytes=168, priority=10,arp,in_port=18 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=933.335s, table=0, n_packets=0, n_bytes=0, priority=10,arp,in_port=19 actions=goto_table:24
 cookie=0xbf969f763a8af13d, duration=259935.904s, table=0, n_packets=0, n_bytes=0, priority=2,in_port=1 actions=drop
 cookie=0xbf969f763a8af13d, duration=259932.837s, table=0, n_packets=1823, n_bytes=168473, priority=9,in_port=12 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=2855.903s, table=0, n_packets=363, n_bytes=34253, priority=9,in_port=15 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1102.866s, table=0, n_packets=273, n_bytes=26368, priority=9,in_port=16 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1082.153s, table=0, n_packets=266, n_bytes=25742, priority=9,in_port=17 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=1082.025s, table=0, n_packets=276, n_bytes=26742, priority=9,in_port=18 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=933.347s, table=0, n_packets=1, n_bytes=130, priority=9,in_port=19 actions=goto_table:25
 cookie=0xbf969f763a8af13d, duration=259933.138s, table=0, n_packets=9278, n_bytes=31791864, priority=3,in_port=1,vlan_tci=0x0000/0x1fff actions=push_vlan:0x8100,set_field:4098->vlan_vid,NORMAL
 cookie=0xbf969f763a8af13d, duration=259936.131s, table=0, n_packets=50819, n_bytes=34182738, priority=0 actions=NORMAL

Also, I could not see any group created:

sudo ovs-ofctl -O Openflow13 dump-groups br-int
OFPST_GROUP_DESC reply (OF1.3) (xid=0x2):

OVS Version:
$ ovs-ofctl --version
ovs-ofctl (Open vSwitch) 2.6.90
OpenFlow versions 0x1:0x4

Revision history for this message
niveditapaul (niveditapaul) said : 		#5

I'm facing the same issue.

Revision history for this message
JOE (443095920-k) said : 		#6

Did you integrate openstack with ODL?

Revision history for this message
wangchenglong (wangchenglong) said : 		#7

I'm facing the same issue without ODL integration.

Any experts could give any suggestions ?

Revision history for this message
Javier Bautista (javibr) said : 		#8

Did you disable the anti-spoofing mechanism for your network?
Otherwise the forwarding into VMs will not work

Revision history for this message
Silvia (fichera-sil) said : 		#9

I have the same problem with Rocky branch.
After disabling the anti-spoofing do I have to remove all the flow classifier, port pairs, etc?

Revision history for this message
Hamza Noweder (noweder) said : 		#10

Dears,

it seems a general issue faced by everyone!

any updates on this case as i am having the same problem using networking-sfc in openstack without ODL

Revision history for this message
Hamza Noweder (noweder) said : 		#11

Solution was to disable port-security using "--disable-port-security" optional argument when creating the network in openstack

Can you help with this problem?

Provide an answer of your own, or ask Navdeep Uniyal for more information if necessary.

To post a message you must log in.