[ovs-discuss] MAC address rule blocking failure

Ben Pfaff blp at nicira.com
Thu Dec 22 10:45:37 PST 2011

OK.  So it seems that MAC learning entries are expiring in cases where
we expect them to persist.  I can look into that, if you can give me
some more details; to start, the version of OVS involved.  (I think
that you might have already given detail to our support team in
parallel; I'm trying to find out how I get direct access to that

Let me reiterate that the "normal" action isn't an effective way to
enforce ACLs.  Nevertheless, there appears to be a bug that I should
investigate here.



On Thu, Dec 22, 2011 at 06:35:50PM +0000, Mike Bursell wrote:
> I believe that there is nothing else going on at all.
> The CLI tools were used to construct the rules: no DVSC in play.
> -Mike.
> --
> Mike Bursell.
> Ben Pfaff <blp at nicira.com> wrote:
> On Thu, Dec 22, 2011 at 04:35:45PM +0000, Mike Bursell wrote:
> > We've discovered what we suspect is a bug, and are looking for
> > thoughts, please!
> >
> > Observed behaviour:
> > - Continuous pings being sent from laptop to vm1
> > - vm2 is quiescent
> > - Intermittently, the response to a ping from laptop is seen on vm2
> Is anything else going on?  Certain kinds of changes to a bridge
> (adding and removing ports, etc.) can cause the MAC learning table, or
> particular entries in it, to be flushed.  If VMs are being brought up
> or down, VLANs being created or destroyed, etc., one might expect to
> see a need to re-learn MAC addresses immediately after those events.
> I have not carefully looked over your flow table.  Is this flow table
> constructed by hand, generated by DVS, or generated by some other
> controller?  I ask because the "normal" action may not be an effective
> way to enforce ACLs--it is an implementation of a MAC learning switch,
> which is not itself an effective way to enforce ACLs--so I wonder what
> assumptions lie behind this flow table construction.
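
The point Ben makes above (the "normal" action is a MAC-learning switch, and a learning switch floods frames to every port whenever the destination is not in its table) is easy to see in a small model. The following is an added example written for this page, not Open vSwitch code: it models learning, ageing and flushing, then shows that a quiet third port receives a reply as soon as the destination entry is gone, and that an explicit forwarding rule checked before "normal" stops the flood. All MACs, port numbers and timings are made up; the `ovs-ofctl` flow quoted in a comment is an assumed illustration of the equivalent OpenFlow rule, not something from the thread.

```python
"""Toy model of a MAC-learning ("normal") switch and why it is not an ACL.

Constructed example for this thread, not Open vSwitch code.  Ports, MACs
and timings are invented.  Once the learning-table entry for a destination
is gone (aged out, or flushed by a bridge change), the next frame to that
MAC is flooded to every other port, so a quiescent VM sees traffic that an
"ACL" built only from the normal action was supposed to keep from it.
"""


class LearningSwitch:
    def __init__(self, ports, age_s=300.0):
        self.ports = set(ports)
        self.age_s = age_s          # ageing time; 300 s matches OVS's default
        self.table = {}             # mac -> (port, last_seen)
        self.rules = []             # explicit (match, out_port) rules, checked first

    def add_rule(self, match, out_port):
        """Explicit forwarding rule that takes precedence over 'normal'."""
        self.rules.append((match, out_port))

    def flush(self):
        """Drop every learned entry, as some bridge reconfigurations do."""
        self.table.clear()

    def _learned_port(self, mac, now):
        entry = self.table.get(mac)
        if entry is None:
            return None
        port, seen = entry
        if now - seen > self.age_s:
            del self.table[mac]     # entry aged out
            return None
        return port

    def forward(self, in_port, src, dst, now):
        """Return the set of ports that receive the frame."""
        self.table[src] = (in_port, now)            # learn the source MAC
        for match, out_port in self.rules:          # explicit rules first
            if match(in_port, src, dst):
                return set() if out_port is None else {out_port}
        out = self._learned_port(dst, now)          # then 'normal' behaviour
        if out is None:
            return self.ports - {in_port}           # unknown destination: flood
        return {out} - {in_port}


# Invented topology: laptop on port 1, vm1 on port 2, quiescent vm2 on port 3.
LAPTOP, VM1, VM2 = "52:54:00:00:00:01", "52:54:00:00:00:02", "52:54:00:00:00:03"
P_LAPTOP, P_VM1, P_VM2 = 1, 2, 3


def make_switch(pin_laptop=False):
    sw = LearningSwitch(ports=(P_LAPTOP, P_VM1, P_VM2))
    if pin_laptop:
        # Explicit forwarding rule for the laptop's MAC.  In OVS this would be
        # a flow with priority above the normal rule, roughly (assumed syntax):
        #   ovs-ofctl add-flow br0 priority=100,dl_dst=52:54:00:00:00:01,actions=output:1
        sw.add_rule(lambda in_port, src, dst: dst == LAPTOP, P_LAPTOP)
    return sw


def reply_after_flush(pin_laptop=False):
    """Ports that receive vm1's ping reply right after the table is flushed."""
    sw = make_switch(pin_laptop)
    sw.forward(P_LAPTOP, LAPTOP, VM1, now=0.0)       # echo request: learns laptop
    steady = sw.forward(P_VM1, VM1, LAPTOP, now=0.1)  # steady state: reply to port 1 only
    assert steady == {P_LAPTOP}
    sw.flush()                                        # e.g. a port was added/removed
    return sw.forward(P_VM1, VM1, LAPTOP, now=0.2)    # reply before the next request


def reply_after_idle(pin_laptop=False, idle_s=301.0):
    """Ports that receive a frame to the laptop after its entry has aged out."""
    sw = make_switch(pin_laptop)
    sw.forward(P_LAPTOP, LAPTOP, VM1, now=0.0)
    return sw.forward(P_VM1, VM1, LAPTOP, now=idle_s)


if __name__ == "__main__":
    print("normal only, after flush:", sorted(reply_after_flush()))        # [1, 3]
    print("pinned rule, after flush:", sorted(reply_after_flush(True)))    # [1]
    print("normal only, after ageing:", sorted(reply_after_idle()))        # [1, 3]
    print("pinned rule, after ageing:", sorted(reply_after_idle(True)))    # [1]
```

With only the learning behaviour, the reply reaches port 3 (vm2) in both the flush and the ageing case, which is the intermittent symptom described in the thread. With the destination pinned by an explicit rule the reply never floods. An enforceable ACL is built the same way: explicit match/output or drop rules at a higher priority, with the normal action at most as a low-priority fallback for traffic the rules do not cover.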