<div dir="ltr"><div><div><div><div><div><div><div>I'm trying to follow the second option.<br></div>The forwarding process is working just one way. <br></div>I would like prepare the switch to forward the ack response from the host, so I want to install a proctive rule.<br>
</div>I've tried to do it in this way:<br><br> actions2=[]<br> actions2.append(of.ofp_action_dl_addr.set_dst(mac2))<br> actions2.append(of.ofp_action_output(port=inport))<br> match = of.ofp_match()<br>
match.in_port=1<br> match.dl_src=mac<br> match.dl_dst=mac2<br> match.nw_proto=6<br> match.nw_src=dstaddr<br> match.nw_dst=srcaddr<br> msg=of.ofp_flow_mod(command=of.OFPFC_ADD,<br>
#idle_timeout=FLOW_IDLE_TIMEOUT,<br> hard_timeout=of.OFP_FLOW_PERMANENT,<br> buffer_id=event.ofp.buffer_id,<br> actions=actions2,match=match)<br>
event.connection.send(msg.pack())<br><br></div>where:<br></div>mac = self.arpTable[dpid][dstaddr].mac #dst host mac addr<br>mac2 = self.arpTable[dpid][srcaddr].mac #src host mac addr<br>dstaddr = packet.next.dstip <br>
srcaddr = packet.next.srcip<br> <br></div>the in port is setted 1 because it's the default port to/from core network.<br><br></div>When I try this implementation I've got this error:<br><div><br>WARNING:libopenflow_01:Fields ignored due to unspecified prerequisites: nw_dst nw_src nw_proto<br>
<br>ERROR:openflow.of_01:[00-00-00-00-00-01 3] OpenFlow Error:<br>[00-00-00-00-00-01 3] Error: header: <br>[00-00-00-00-00-01 3] Error: version: 1<br>[00-00-00-00-00-01 3] Error: type: 1 (OFPT_ERROR)<br>[00-00-00-00-00-01 3] Error: length: 76<br>
[00-00-00-00-00-01 3] Error: xid: 17<br>[00-00-00-00-00-01 3] Error: type: OFPET_BAD_REQUEST (1)<br>[00-00-00-00-00-01 3] Error: code: OFPBRC_BUFFER_EMPTY (7)<br>[00-00-00-00-00-01 3] Error: datalen: 64<br>[00-00-00-00-00-01 3] Error: 0000: 01 0e 00 60 00 00 00 11 00 10 00 12 00 01 76 57 |...`..........vW|<br>
[00-00-00-00-00-01 3] Error: 0010: 3b c6 e3 37 de c9 a5 fe 9c ee 00 00 00 00 00 00 |;..7............|<br>[00-00-00-00-00-01 3] Error: 0020: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................|<br>[00-00-00-00-00-01 3] Error: 0030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 |................|<br>
<br></div><div>What's wrong? <br><br></div><div>Thank you.<br></div><div><div><div><br><br></div></div></div></div><div class="gmail_extra"><br><br><div class="gmail_quote">2013/12/10 Silvia Fichera <span dir="ltr"><<a href="mailto:fichera.sil@gmail.com" target="_blank">fichera.sil@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div>Hi Murphy,<br><br>I would like to have controller C1 connected only to the access network. It checks if the source is honest pretending the mechanism of 3WHS if the source is unknown. So when it receives a SYN request it answers with the SYN ACK
and, only if the source sends the ACK it is added to a whitelist, and it's allowed to send packet in
the network. If the source is in whitelist when it wants send packet sends againg SYN but this time is a controller C0 that install the forwarding rules because it's connected to all switches of the network. C0 and C1 could share a list of valid source or malicious source (whitelist and blacklist).<br>
<br></div>Another solution could be connect C1 only to the access network and C0 to the core network,<br><div><br>After the mechanism of 3WHS check, C1 installs the rule to forward the packet through the port
connected to the core network (a sort of default gateway). When the
packet arrives on the switch belonging to the core network C0 will
install forwanding rules to the destination (that is never in my access network).<br></div><div>But here the problem is have a mechanism to know a priori the output port of all access switches or to set it when I build the network.<br>
<br></div><div>Have you got any suggestions?<br></div><div><br></div><div>Bests,<br> </div></div><div class="gmail_extra"><div><div class="h5"><br><br><div class="gmail_quote">2013/12/9 Murphy McCauley <span dir="ltr"><<a href="mailto:murphy.mccauley@gmail.com" target="_blank">murphy.mccauley@gmail.com</a>></span><br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">So you want to have two controllers which communicate with the same switch, but that do different things? There's no straightforward way to do this with straight OpenFlow 1.0, but it may be possible with some of the Open vSwitch extensions related to multiple controllers. You should look into those OVS features (controller role, controller ID, etc.).<br>
<br>
I assume you have a good reason for wanting to use two separate controllers. From your description, it's not obvious.<br>
<span><font color="#888888"><br>
-- Murphy<br>
</font></span><div><div><br>
On Dec 9, 2013, at 4:11 AM, Silvia Fichera <<a href="mailto:fichera.sil@gmail.com" target="_blank">fichera.sil@gmail.com</a>> wrote:<br>
<br>
> Hi all,<br>
> I've a l3_learning controller that check if a TCP request connection is valid.<br>
> In a tree topology I would like that this one checks only the edge switches and, if the connection if valid, another controller will install flow rule on the switches.<br>
><br>
> So, if I receive a tcp SYN packet first of all the switch talks to my controller, it checks the "honesty" of the source:<br>
> - if it's not honest "install" a drop rule on the switch<br>
> - else I would that the switch forwards the connection request to the regular controller that install flows.<br>
><br>
> How can I contact the regular controller from the switch?<br>
><br>
> Thank you<br>
><br>
> --<br>
> Silvia Fichera<br>
</div></div></blockquote></div><br><br clear="all"><br></div></div><span class="HOEnZb"><font color="#888888">-- <br>Silvia Fichera
</font></span></div>
</blockquote></div><br><br clear="all"><br>-- <br>Silvia Fichera
</div>