
ovs-ofctl add a flow to allow only ARP ethernet frames


I am starting to learn SDN with ovs-ofctl and mininet, and I am configuring a switch following some tutorials, but there's something I don't get.

When I start my topology with:

sudo mn --topo single,2 --controller remote --switch ovsk

Then, if I want to add a simple flow between h1 and h5, I do:

sh ovs-ofctl add-flow s1 in_port=1,actions=output:2
sh ovs-ofctl add-flow s1 in_port=2,actions=output:1

And if I test the connectivity between hosts all is ok.

But now, deleting all flows, if I try:

sh ovs-ofctl add-flow s1 in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=output:2
sh ovs-ofctl add-flow s1 in_port=2,dl_type=0x806,nw_dst=10.0.0.1,actions=output:1

Now if I try to ping, there is no reachability, but if I execute:

sh ovs-ofctl add-flow s1 action=NORMAL

Now I can ping again between hosts.

What am I missing here? Isn't specifying dl_type=0x806 in the command enough to allow only Ethernet frames carrying ARP traffic? Why does ping fail there?


Solution

  • I think the main reason is confusion among the protocols involved.

    (1) Ping is done using ICMP, in particular ICMP echo request and ICMP echo reply messages. These messages are encapsulated in IP packets, which are in turn encapsulated in Ethernet frames. In this case the Ethernet next-header field (I think it is actually called ethertype in general and dl_type here) is set to IP, which is 0x0800.

    A more in-depth guide on how to read ICMP packets in wireshark can be found here.

    (2) ARP is necessary for end systems to match IP addresses to MAC addresses. ARP is encapsulated directly into Ethernet frames, where the Ethernet next-header field is set to the value 0x806.

    Thus

    sh ovs-ofctl add-flow s1 in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=output:2
    

    will allow only ARP packets to pass through, while dropping every non-ARP Ethernet frame. Thus the ping packets are being dropped.

    (3) The last question is why this works.

    sh ovs-ofctl add-flow s1 action=NORMAL
    

    I am not familiar with the details of OVS. From what I understand from here, action=NORMAL will make OVS act as a normal Linux bridge, which performs normal Ethernet bridge operation, i.e. forwarding all frames based on normal MAC learning rules.

    Also, since there is no match part in this rule, it should match every packet. I do not know how this one would work.

    sh ovs-ofctl add-flow s1 in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=NORMAL
    

    (4) This reference has a table at the bottom, which lists openflow rules to match common network protocols.
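The protocol breakdown in the answer, shown as an added example that is not part of the question or the answer above: it builds the four frames a single ping from h1 to h2 puts on the wire (constructed samples, checksums left at zero), extracts the fields an ovs-ofctl flow can match on, and runs them through a small flow-table model. It assumes Mininet's default addressing (h1 = 10.0.0.1 / 00:00:00:00:00:01, h2 = 10.0.0.2 / 00:00:00:00:00:02) and that a table miss drops the frame, which is what the question observes. Note where nw_dst lives in each frame: for dl_type=0x806 OVS matches it against the ARP target protocol address, for dl_type=0x800 against the IPv4 destination.

```python
import socket
import struct

# EtherType values (dl_type in ovs-ofctl syntax)
ETH_P_IP = 0x0800   # IPv4; ping (ICMP) rides inside this
ETH_P_ARP = 0x0806  # ARP


def mac(s):
    return bytes.fromhex(s.replace(":", ""))


def ip(s):
    return socket.inet_aton(s)


def build_arp(src_mac, src_ip, dst_mac, dst_ip, op):
    """Constructed sample ARP frame: op=1 request (broadcast), op=2 reply (unicast)."""
    eth_dst = mac("ff:ff:ff:ff:ff:ff") if op == 1 else mac(dst_mac)
    tha = mac("00:00:00:00:00:00") if op == 1 else mac(dst_mac)
    eth = eth_dst + mac(src_mac) + struct.pack("!H", ETH_P_ARP)
    # htype=1 (Ethernet), ptype=IPv4, hlen=6, plen=4, op, then sha/spa/tha/tpa
    arp = struct.pack("!HHBBH", 1, ETH_P_IP, 6, 4, op)
    arp += mac(src_mac) + ip(src_ip) + tha + ip(dst_ip)
    return eth + arp


def build_icmp_echo(src_mac, src_ip, dst_mac, dst_ip):
    """Constructed sample ICMP echo request inside IPv4 inside Ethernet (checksums left 0)."""
    eth = mac(dst_mac) + mac(src_mac) + struct.pack("!H", ETH_P_IP)
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1)  # type 8 = echo request
    iph = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64, 1, 0,
                      ip(src_ip), ip(dst_ip))  # protocol 1 = ICMP
    return eth + iph + icmp


def parse_frame(frame):
    """Pull out the header fields a flow can match on: dl_type and nw_dst."""
    fields = {"dl_type": struct.unpack("!H", frame[12:14])[0]}
    if fields["dl_type"] == ETH_P_ARP:
        # For ARP, OVS's nw_dst is the target protocol address (arp_tpa), ARP offset 24
        fields["nw_dst"] = socket.inet_ntoa(frame[14 + 24:14 + 28])
    elif fields["dl_type"] == ETH_P_IP:
        # For IPv4, nw_dst is the destination address at IP header offset 16
        fields["nw_dst"] = socket.inet_ntoa(frame[14 + 16:14 + 20])
    return fields


def parse_flow(spec):
    """Parse an ovs-ofctl style flow spec such as
    'in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=output:2'."""
    match_part, _, actions = spec.partition("actions=")
    flow = {"priority": 32768, "match": {}, "actions": actions}  # 32768 is OVS's default
    for kv in filter(None, match_part.rstrip(",").split(",")):
        key, _, value = kv.partition("=")
        if key == "priority":
            flow["priority"] = int(value)
        elif key in ("in_port", "dl_type"):
            flow["match"][key] = int(value, 0)  # accepts 0x806 as well as 2054
        else:
            flow["match"][key] = value
    return flow


def flow_action(specs, in_port, frame):
    """Highest-priority matching flow wins; a table miss drops the frame
    (assumption: that is what the question observes with no controller serving s1)."""
    fields = dict(parse_frame(frame), in_port=in_port)
    for flow in sorted((parse_flow(s) for s in specs), key=lambda f: -f["priority"]):
        if all(fields.get(k) == v for k, v in flow["match"].items()):
            return flow["actions"]
    return "drop"


H1 = ("00:00:00:00:00:01", "10.0.0.1")  # Mininet's default h1 addressing (assumed)
H2 = ("00:00:00:00:00:02", "10.0.0.2")

# The frames a single ping from h1 to h2 puts on the wire, with the port each arrives on
PING_EXCHANGE = [
    (1, build_arp(*H1, *H2, op=1)),   # h1: who has 10.0.0.2?
    (2, build_arp(*H2, *H1, op=2)),   # h2: 10.0.0.2 is at 00:00:00:00:00:02
    (1, build_icmp_echo(*H1, *H2)),   # h1 -> h2 echo request
    (2, build_icmp_echo(*H2, *H1)),   # h2 -> h1 echo reply (request helper; matched headers identical)
]

ARP_ONLY = [  # the flows from the question: ARP passes, everything else hits table miss
    "in_port=1,dl_type=0x806,nw_dst=10.0.0.2,actions=output:2",
    "in_port=2,dl_type=0x806,nw_dst=10.0.0.1,actions=output:1",
]
ARP_AND_IP = ARP_ONLY + [  # the IPv4 flows ping needs, plus an explicit catch-all drop
    "in_port=1,dl_type=0x800,nw_dst=10.0.0.2,actions=output:2",
    "in_port=2,dl_type=0x800,nw_dst=10.0.0.1,actions=output:1",
    "priority=0,actions=drop",
]


def ping_allowed(specs):
    """True only if every frame of the exchange is forwarded rather than dropped."""
    return all(flow_action(specs, port, frame) != "drop" for port, frame in PING_EXCHANGE)


if __name__ == "__main__":
    for name, specs in (("ARP only", ARP_ONLY), ("ARP + IP", ARP_AND_IP), ("NORMAL", ["actions=NORMAL"])):
        print(f"{name:9}: ping {'works' if ping_allowed(specs) else 'fails'}")
```

The ARP-only table forwards both ARP frames and drops both ICMP frames, so the hosts resolve each other's MAC addresses and then the echo request never crosses the switch; adding the two dl_type=0x800 flows makes the exchange complete. The priority=0 catch-all drop makes the "everything else is dropped" behaviour explicit instead of relying on the switch's table-miss handling. actions=NORMAL is modelled only as a match-anything flow here; the MAC-learning bridge path it hands frames to is not simulated.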