Discussion:
[ovs-discuss] icmp paket matching ip packet rule
selen jia
2012-04-06 08:42:44 UTC
Permalink
hi,
im using openvswitch 1.2.2 and setting controller ptcp:6633

now from controller i add following flows
1. ovs-ofctl add-flow tcp:15.1.2.3 "ip actions=output:2"
2. ovs-ofctl add-flow tcp: 15:1.2.3 "icmp icmp_type=0 icmp_code=0
actions=output:2"

Now when i send packet with icmp type=0 and icmp code=0 ,
packet matches rule 1) with ip actions=2 and not with second rule icmp
icmp_type=0 and icmp_code=0

although rule 2 was exact match rule for packet..


How ever when i add these two flows from switch ,packet matches icmp rule
only.

why is switch behaving this way with random rule insertion and matching?
also rule insertion order is different form switch and controller?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/discuss/attachments/20120406/0b064515/attachment.htm>
Justin Pettit
2012-04-06 08:51:46 UTC
Permalink
I think you need to disambiguate those rules by using a priority. OpenFlow doesn't distinguish based on which rule is more specific, so switch behavior is undefined in those situations.

As described in the ovs-ofctl man page, you can use "check_overlap" to see whether this situation will occur at flow insertion time. The controller may have a similar flag you can set.

--Justin
Post by selen jia
hi,
im using openvswitch 1.2.2 and setting controller ptcp:6633
now from controller i add following flows
1. ovs-ofctl add-flow tcp:15.1.2.3 "ip actions=output:2"
2. ovs-ofctl add-flow tcp: 15:1.2.3 "icmp icmp_type=0 icmp_code=0 actions=output:2"
Now when i send packet with icmp type=0 and icmp code=0 ,
packet matches rule 1) with ip actions=2 and not with second rule icmp icmp_type=0 and icmp_code=0
although rule 2 was exact match rule for packet..
How ever when i add these two flows from switch ,packet matches icmp rule only.
why is switch behaving this way with random rule insertion and matching? also rule insertion order is different form switch and controller?
_______________________________________________
discuss mailing list
discuss at openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
Justin Pettit
2012-04-06 16:38:19 UTC
Permalink
[Adding back the discuss@ mailing list.]

If there are overlapping rules at the same priority, a switch is free to choose whichever one it wants. In the example you gave, an ICMP (0,0) packet would match both rules, since it is both IP and has the correct ICMP type and code. If you ran a ping, the echo requests and replies would only match the IP rule, since it has different ICMP types. If you want your special ICMP packets to consistently match the right rule you need to raise its priority relative to the IP rule.

--Justin
That means during add-flow in flow table, rules can be added in any order,there is no defined way how rule is added to flow table.
I think you need to disambiguate those rules by using a priority. OpenFlow doesn't distinguish based on which rule is more specific, so switch behavior is undefined in those situations.
As described in the ovs-ofctl man page, you can use "check_overlap" to see whether this situation will occur at flow insertion time. The controller may have a similar flag you can set.
--Justin
Post by selen jia
hi,
im using openvswitch 1.2.2 and setting controller ptcp:6633
now from controller i add following flows
1. ovs-ofctl add-flow tcp:15.1.2.3 "ip actions=output:2"
2. ovs-ofctl add-flow tcp: 15:1.2.3 "icmp icmp_type=0 icmp_code=0 actions=output:2"
Now when i send packet with icmp type=0 and icmp code=0 ,
packet matches rule 1) with ip actions=2 and not with second rule icmp icmp_type=0 and icmp_code=0
although rule 2 was exact match rule for packet..
How ever when i add these two flows from switch ,packet matches icmp rule only.
why is switch behaving this way with random rule insertion and matching? also rule insertion order is different form switch and controller?
_______________________________________________
discuss mailing list
discuss at openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
selen jia
2012-04-09 05:09:43 UTC
Permalink
But icmp rule is more exact and has icmp_type=0 icmp_code=0 and nw_proto=1
field as well. So i think all these rule parametres should match against
packet fields.and icmp rule should match to the icmp(0,0) packet and not
rule containing just dl_type=0x0800(ip) parameter.

in ovs code we use memcmp(flow,packet_flow) to determine rule matching the
packet, so i still believe icmp rule should match the packet and not ip rule
Post by Justin Pettit
If there are overlapping rules at the same priority, a switch is free to
choose whichever one it wants. In the example you gave, an ICMP (0,0)
packet would match both rules, since it is both IP and has the correct ICMP
type and code. If you ran a ping, the echo requests and replies would only
match the IP rule, since it has different ICMP types. If you want your
special ICMP packets to consistently match the right rule you need to raise
its priority relative to the IP rule.
--Justin
That means during add-flow in flow table, rules can be added in any
order,there is no defined way how rule is added to flow table.
On Fri, Apr 6, 2012 at 2:21 PM, Justin Pettit <jpettit at nicira.com>
I think you need to disambiguate those rules by using a priority.
OpenFlow doesn't distinguish based on which rule is more specific, so
switch behavior is undefined in those situations.
As described in the ovs-ofctl man page, you can use "check_overlap" to
see whether this situation will occur at flow insertion time. The
controller may have a similar flag you can set.
--Justin
Post by selen jia
hi,
im using openvswitch 1.2.2 and setting controller ptcp:6633
now from controller i add following flows
1. ovs-ofctl add-flow tcp:15.1.2.3 "ip actions=output:2"
2. ovs-ofctl add-flow tcp: 15:1.2.3 "icmp icmp_type=0 icmp_code=0
actions=output:2"
Post by selen jia
Now when i send packet with icmp type=0 and icmp code=0 ,
packet matches rule 1) with ip actions=2 and not with second rule
icmp icmp_type=0 and icmp_code=0
Post by selen jia
although rule 2 was exact match rule for packet..
How ever when i add these two flows from switch ,packet matches icmp
rule only.
Post by selen jia
why is switch behaving this way with random rule insertion and
matching? also rule insertion order is different form switch and controller?
Post by selen jia
_______________________________________________
discuss mailing list
discuss at openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/discuss/attachments/20120409/7f222923/attachment.htm>
Justin Pettit
2012-04-09 05:16:24 UTC
Permalink
The specificity of the flow doesn't matter; feel free to check the OpenFlow 1.0 spec if you'd like.

--Justin
But icmp rule is more exact and has icmp_type=0 icmp_code=0 and nw_proto=1 field as well. So i think all these rule parametres should match against packet fields.and icmp rule should match to the icmp(0,0) packet and not rule containing just dl_type=0x0800(ip) parameter.
in ovs code we use memcmp(flow,packet_flow) to determine rule matching the packet, so i still believe icmp rule should match the packet and not ip rule
If there are overlapping rules at the same priority, a switch is free to choose whichever one it wants. In the example you gave, an ICMP (0,0) packet would match both rules, since it is both IP and has the correct ICMP type and code. If you ran a ping, the echo requests and replies would only match the IP rule, since it has different ICMP types. If you want your special ICMP packets to consistently match the right rule you need to raise its priority relative to the IP rule.
--Justin
That means during add-flow in flow table, rules can be added in any order,there is no defined way how rule is added to flow table.
I think you need to disambiguate those rules by using a priority. OpenFlow doesn't distinguish based on which rule is more specific, so switch behavior is undefined in those situations.
As described in the ovs-ofctl man page, you can use "check_overlap" to see whether this situation will occur at flow insertion time. The controller may have a similar flag you can set.
--Justin
Post by selen jia
hi,
im using openvswitch 1.2.2 and setting controller ptcp:6633
now from controller i add following flows
1. ovs-ofctl add-flow tcp:15.1.2.3 "ip actions=output:2"
2. ovs-ofctl add-flow tcp: 15:1.2.3 "icmp icmp_type=0 icmp_code=0 actions=output:2"
Now when i send packet with icmp type=0 and icmp code=0 ,
packet matches rule 1) with ip actions=2 and not with second rule icmp icmp_type=0 and icmp_code=0
although rule 2 was exact match rule for packet..
How ever when i add these two flows from switch ,packet matches icmp rule only.
why is switch behaving this way with random rule insertion and matching? also rule insertion order is different form switch and controller?
_______________________________________________
discuss mailing list
discuss at openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/discuss/attachments/20120408/943f5735/attachment-0001.htm>
selen jia
2012-04-09 05:26:44 UTC
Permalink
hi,
I am looking at the code of openvswitch where to compare rules and packet
we have used memcmp function which compare flow structure of packet and
rule, and so only the more exact rule should match the packet.
Post by Justin Pettit
The specificity of the flow doesn't matter; feel free to check the
OpenFlow 1.0 spec if you'd like.
--Justin
But icmp rule is more exact and has icmp_type=0 icmp_code=0 and
nw_proto=1 field as well. So i think all these rule parametres should
match against packet fields.and icmp rule should match to the icmp(0,0)
packet and not rule containing just dl_type=0x0800(ip) parameter.
in ovs code we use memcmp(flow,packet_flow) to determine rule matching the
packet, so i still believe icmp rule should match the packet and not ip rule
Post by Justin Pettit
If there are overlapping rules at the same priority, a switch is free to
choose whichever one it wants. In the example you gave, an ICMP (0,0)
packet would match both rules, since it is both IP and has the correct ICMP
type and code. If you ran a ping, the echo requests and replies would only
match the IP rule, since it has different ICMP types. If you want your
special ICMP packets to consistently match the right rule you need to raise
its priority relative to the IP rule.
--Justin
That means during add-flow in flow table, rules can be added in any
order,there is no defined way how rule is added to flow table.
On Fri, Apr 6, 2012 at 2:21 PM, Justin Pettit <jpettit at nicira.com>
I think you need to disambiguate those rules by using a priority.
OpenFlow doesn't distinguish based on which rule is more specific, so
switch behavior is undefined in those situations.
As described in the ovs-ofctl man page, you can use "check_overlap" to
see whether this situation will occur at flow insertion time. The
controller may have a similar flag you can set.
--Justin
Post by selen jia
hi,
im using openvswitch 1.2.2 and setting controller ptcp:6633
now from controller i add following flows
1. ovs-ofctl add-flow tcp:15.1.2.3 "ip actions=output:2"
2. ovs-ofctl add-flow tcp: 15:1.2.3 "icmp icmp_type=0 icmp_code=0
actions=output:2"
Post by selen jia
Now when i send packet with icmp type=0 and icmp code=0 ,
packet matches rule 1) with ip actions=2 and not with second rule
icmp icmp_type=0 and icmp_code=0
Post by selen jia
although rule 2 was exact match rule for packet..
How ever when i add these two flows from switch ,packet matches icmp
rule only.
Post by selen jia
why is switch behaving this way with random rule insertion and
matching? also rule insertion order is different form switch and controller?
Post by selen jia
_______________________________________________
discuss mailing list
discuss at openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/discuss/attachments/20120409/e8fd9a0e/attachment.htm>
Justin Pettit
2012-04-09 05:31:00 UTC
Permalink
So what happens when you change the priority?

--Justin
hi,
I am looking at the code of openvswitch where to compare rules and packet we have used memcmp function which compare flow structure of packet and rule, and so only the more exact rule should match the packet.
The specificity of the flow doesn't matter; feel free to check the OpenFlow 1.0 spec if you'd like.
--Justin
But icmp rule is more exact and has icmp_type=0 icmp_code=0 and nw_proto=1 field as well. So i think all these rule parametres should match against packet fields.and icmp rule should match to the icmp(0,0) packet and not rule containing just dl_type=0x0800(ip) parameter.
in ovs code we use memcmp(flow,packet_flow) to determine rule matching the packet, so i still believe icmp rule should match the packet and not ip rule
If there are overlapping rules at the same priority, a switch is free to choose whichever one it wants. In the example you gave, an ICMP (0,0) packet would match both rules, since it is both IP and has the correct ICMP type and code. If you ran a ping, the echo requests and replies would only match the IP rule, since it has different ICMP types. If you want your special ICMP packets to consistently match the right rule you need to raise its priority relative to the IP rule.
--Justin
That means during add-flow in flow table, rules can be added in any order,there is no defined way how rule is added to flow table.
I think you need to disambiguate those rules by using a priority. OpenFlow doesn't distinguish based on which rule is more specific, so switch behavior is undefined in those situations.
As described in the ovs-ofctl man page, you can use "check_overlap" to see whether this situation will occur at flow insertion time. The controller may have a similar flag you can set.
--Justin
Post by selen jia
hi,
im using openvswitch 1.2.2 and setting controller ptcp:6633
now from controller i add following flows
1. ovs-ofctl add-flow tcp:15.1.2.3 "ip actions=output:2"
2. ovs-ofctl add-flow tcp: 15:1.2.3 "icmp icmp_type=0 icmp_code=0 actions=output:2"
Now when i send packet with icmp type=0 and icmp code=0 ,
packet matches rule 1) with ip actions=2 and not with second rule icmp icmp_type=0 and icmp_code=0
although rule 2 was exact match rule for packet..
How ever when i add these two flows from switch ,packet matches icmp rule only.
why is switch behaving this way with random rule insertion and matching? also rule insertion order is different form switch and controller?
_______________________________________________
discuss mailing list
discuss at openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/discuss/attachments/20120408/2d1fa81d/attachment.htm>
selen jia
2012-04-09 05:40:06 UTC
Permalink
when i change the priority it matches with higher priority flow,
but priority check is applied after matching rule is selected using memcmp
Post by Justin Pettit
So what happens when you change the priority?
--Justin
hi,
I am looking at the code of openvswitch where to compare rules and packet
we have used memcmp function which compare flow structure of packet and
rule, and so only the more exact rule should match the packet.
Post by Justin Pettit
The specificity of the flow doesn't matter; feel free to check the
OpenFlow 1.0 spec if you'd like.
--Justin
But icmp rule is more exact and has icmp_type=0 icmp_code=0 and
nw_proto=1 field as well. So i think all these rule parametres should
match against packet fields.and icmp rule should match to the icmp(0,0)
packet and not rule containing just dl_type=0x0800(ip) parameter.
in ovs code we use memcmp(flow,packet_flow) to determine rule matching
the packet, so i still believe icmp rule should match the packet and not ip
rule
Post by Justin Pettit
If there are overlapping rules at the same priority, a switch is free to
choose whichever one it wants. In the example you gave, an ICMP (0,0)
packet would match both rules, since it is both IP and has the correct ICMP
type and code. If you ran a ping, the echo requests and replies would only
match the IP rule, since it has different ICMP types. If you want your
special ICMP packets to consistently match the right rule you need to raise
its priority relative to the IP rule.
--Justin
That means during add-flow in flow table, rules can be added in any
order,there is no defined way how rule is added to flow table.
On Fri, Apr 6, 2012 at 2:21 PM, Justin Pettit <jpettit at nicira.com>
I think you need to disambiguate those rules by using a priority.
OpenFlow doesn't distinguish based on which rule is more specific, so
switch behavior is undefined in those situations.
As described in the ovs-ofctl man page, you can use "check_overlap" to
see whether this situation will occur at flow insertion time. The
controller may have a similar flag you can set.
--Justin
Post by selen jia
hi,
im using openvswitch 1.2.2 and setting controller ptcp:6633
now from controller i add following flows
1. ovs-ofctl add-flow tcp:15.1.2.3 "ip actions=output:2"
2. ovs-ofctl add-flow tcp: 15:1.2.3 "icmp icmp_type=0 icmp_code=0
actions=output:2"
Post by selen jia
Now when i send packet with icmp type=0 and icmp code=0 ,
packet matches rule 1) with ip actions=2 and not with second rule
icmp icmp_type=0 and icmp_code=0
Post by selen jia
although rule 2 was exact match rule for packet..
How ever when i add these two flows from switch ,packet matches icmp
rule only.
Post by selen jia
why is switch behaving this way with random rule insertion and
matching? also rule insertion order is different form switch and controller?
Post by selen jia
_______________________________________________
discuss mailing list
discuss at openvswitch.org
http://openvswitch.org/mailman/listinfo/discuss
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://openvswitch.org/pipermail/discuss/attachments/20120409/7270ca19/attachment-0001.htm>
Loading...