<html><head></head><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div id="yiv7527242688"><div id="yui_3_16_0_ym19_1_1478104906003_7344"><div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;" id="yui_3_16_0_ym19_1_1478104906003_7343"><div id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_5032"><span></span></div> <div class="yiv7527242688qtdSeparateBR" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4684">If packets are making it to the SF but not making it out, it means the SFC has done its part.  Things to check.</div><div class="yiv7527242688qtdSeparateBR" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4684"><br></div><div class="yiv7527242688qtdSeparateBR" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4684">1. Check that the SF VM has routing enabled</div><div class="yiv7527242688qtdSeparateBR" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4684"><br><div id="yui_3_16_0_ym19_1_1478104906003_7639">root@fs-10-145-106-2:~# sysctl net.ipv4.ip_forward</div><div id="yui_3_16_0_ym19_1_1478104906003_7640">net.ipv4.ip_forward = 1</div><div dir="ltr" id="yui_3_16_0_ym19_1_1478104906003_7641"><br id="yui_3_16_0_ym19_1_1478104906003_7642"></div><div dir="ltr" id="yui_3_16_0_ym19_1_1478104906003_7641">2.  Check the security group settings  for the SF VM.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1478104906003_7641"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1478104906003_7641">3. Is port security enabled?  If so, you probably need it disabled for the SF VM.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1478104906003_7641"><br></div><div dir="ltr" id="yui_3_16_0_ym19_1_1478104906003_7641">Farhad.</div><div dir="ltr" id="yui_3_16_0_ym19_1_1478104906003_7641"><br></div></div></div></div></div><div class=".yiv7527242688yahoo_quoted" id="yui_3_16_0_ym19_1_1478104906003_7365"><div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4522"><div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4521"><div class="yiv7527242688y_msg_container" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4520"><br>Message: 5<br>Date: Wed, 2 Nov 2016 13:40:21 +0100<br>From: Alioune <<a rel="nofollow" ymailto="mailto:balioune3@gmail.com" target="_blank" href="mailto:balioune3@gmail.com" id="yui_3_16_0_ym19_1_1478104906003_7366">balioune3@gmail.com</a>><br>To: "OpenStack Development Mailing List (not for usage questions)"<br>    <<a rel="nofollow" ymailto="mailto:openstack-dev@lists.openstack.org" target="_blank" href="mailto:openstack-dev@lists.openstack.org" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4675">openstack-dev@lists.openstack.org</a>><br>Subject: Re: [openstack-dev] [networking-sfc][devstack][mitaka] Chain<br>    doesn't work<br>Message-ID:<br>    <<a rel="nofollow" ymailto="mailto:CALVLy2cZpOhQ4wPsUULGBK_MgNDcQySG69J2YKEuzpzJJgh8_A@mail.gmail.com" target="_blank" href="mailto:CALVLy2cZpOhQ4wPsUULGBK_MgNDcQySG69J2YKEuzpzJJgh8_A@mail.gmail.com" id="yiv7527242688yui_3_16_0_ym19_1_1478104906003_4549">CALVLy2cZpOhQ4wPsUULGBK_MgNDcQySG69J2YKEuzpzJJgh8_A@mail.gmail.com</a>><br>Content-Type: text/plain; charset="utf-8"<br><br>Any suggestion ?<br><br>On Monday, 24 October 2016, Alioune <<a rel="nofollow" ymailto="mailto:balioune3@gmail.com" target="_blank" href="mailto:balioune3@gmail.com">balioune3@gmail.com</a>> wrote:<br><br>> Hi all,<br>><br>> I'm trying to implement service chain in OpenStack using networking-sfc<br>> (stable/mitaka) and OVS 2.5.90<br>><br>><br>> The following is the architecture I used :<br>><br>> SRC                                             DST<br>>   |                                                    |<br>>   ========== br-int ============<br>>                          |<br>>                        SF1<br>> SF1: 55.55.55.3<br>> SRC: 55.55.55.4<br>> DST: 55.55.55.5<br>><br>> I can create port-pairs, port-pair-group, classifier and chain with these<br>> commands:<br>><br>> neutron flow-classifier-create  --ethertype IPv4  --source-ip-prefix<br>> 55.55.55.4/32  --logical-source-port 0009034f-4c39-4cbf-be7d-fcf82dad024c<br>> --protocol icmp  FC1<br>> neutron port-pair-create --ingress=p1 --egress=p1 PP1<br>> neutron port-pair-group-create --port-pair PP1 PG1<br>> neutron port-chain-create --port-pair-group PG1 --flow-classifier FC1 PC1<br>><br>> I could ping from SRC to DST before setting the chain, but after the chain<br>> creating ping doesn't work.<br>><br>> ICMP echo request packets arrive to SF1 port but it doesn't send back the<br>> packets in order to allow them to get their destination DST (see output<br>> below).<br>><br>> The Opendaylight/SFC project uses NSH aware service function (SF) that<br>> send back packets to the chains after analyzing them, I would like to know :<br>><br>> - How networking-sfc configures SF to send back packets to the chain as<br>> seem in some of your presentation ?<br>> - What's wrong in my configurations (see commands and ovs-ofctl output<br>> below) ? I've followed the main steps described in your wiki page.<br>><br>> Best Regards,<br>><br>><br>> <a rel="nofollow" ymailto="mailto:vagrant@vagrant-ubuntu-trusty-64" target="_blank" href="mailto:vagrant@vagrant-ubuntu-trusty-64">vagrant@vagrant-ubuntu-trusty-64</a>:~$ neutron port-list<br>> +--------------------------------------+------+-------------<br>> ------+-----------------------------------------------------<br>> ---------------------------------+<br>> | id                                   | name | mac_address       |<br>> fixed_ips<br>> |<br>> +--------------------------------------+------+-------------<br>> ------+-----------------------------------------------------<br>> ---------------------------------+<br>> | 0009034f-4c39-4cbf-be7d-fcf82dad024c |      | fa:16:3e:dd:16:f7 |<br>> {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address":<br>> "55.55.55.4"}    |<br>> | 082e896d-5982-458c-96e7-0dd372d3d7d9 | p1   | fa:16:3e:90:b4:67 |<br>> {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address":<br>> "55.55.55.3"}    |<br>> | 2ad109e4-42a8-4554-b884-a32344e91036 |      | fa:16:3e:74:9a:fa |<br>> {"subnet_id": "3cf6eb27-7258-4252-8f3d-b6f9d27c948b", "ip_address":<br>> "192.168.105.2"} |<br>> | 51f055c0-ff4d-47f4-9328-9a0d7ca204f3 |      | fa:16:3e:da:f9:93 |<br>> {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address":<br>> "55.55.55.1"}    |<br>> | 656ad901-2bc0-407a-a581-da955ecf3b59 |      | fa:16:3e:7f:44:01 |<br>> {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address":<br>> "55.55.55.2"}    |<br>> | b1d14a4f-cde6-4c44-b42e-0f0466dba32a |      | fa:16:3e:a6:c6:35 |<br>> {"subnet_id": "8bf8a2e1-ecad-4b4b-beb1-d760a16667bc", "ip_address":<br>> "55.55.55.5"}    |<br>> +--------------------------------------+------+-------------<br>> ------+-----------------------------------------------------<br>> ---------------------------------+<br>><br>> <a rel="nofollow" ymailto="mailto:vagrant@vagrant-ubuntu-trusty-64" target="_blank" href="mailto:vagrant@vagrant-ubuntu-trusty-64">vagrant@vagrant-ubuntu-trusty-64</a>:~$ ifconfig |grep 082e896d<br>> qbr082e896d-59 Link encap:Ethernet  HWaddr b6:96:27:fa:ab:af<br>> qvb082e896d-59 Link encap:Ethernet  HWaddr b6:96:27:fa:ab:af<br>> qvo082e896d-59 Link encap:Ethernet  HWaddr 7e:1a:7b:7d:09:df<br>> tap082e896d-59 Link encap:Ethernet  HWaddr fe:16:3e:90:b4:67<br>><br>> <a rel="nofollow" ymailto="mailto:vagrant@vagrant-ubuntu-trusty-64" target="_blank" href="mailto:vagrant@vagrant-ubuntu-trusty-64">vagrant@vagrant-ubuntu-trusty-64</a>:~$ sudo tcpdump -i tap082e896d-59 icmp<br>> tcpdump: WARNING: tap082e896d-59: no IPv4 address assigned<br>> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode<br>> listening on tap082e896d-59, link-type EN10MB (Ethernet), capture size<br>> 65535 bytes<br>> 10:51:10.229674 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 61, length 64<br>> 10:51:11.230318 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 62, length 64<br>> 10:51:12.233451 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 63, length 64<br>> 10:51:13.234496 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 64, length 64<br>> 10:51:14.235583 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 65, length 64<br>> 10:51:15.236585 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 66, length 64<br>> 10:51:16.237568 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 67, length 64<br>> 10:51:17.238974 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 68, length 64<br>> 10:51:18.244244 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 69, length 64<br>> 10:51:19.245758 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 70, length 64<br>> 10:51:20.246521 IP 55.55.55.4 > 55.55.55.5: ICMP echo request, id 15617,<br>> seq 71, length 64<br>><br>><br>><br>> <a rel="nofollow" ymailto="mailto:vagrant@vagrant-ubuntu-trusty-64" target="_blank" href="mailto:vagrant@vagrant-ubuntu-trusty-64">vagrant@vagrant-ubuntu-trusty-64</a>:~/openstack_networking/simple-sf$ sudo<br>> ovs-ofctl dump-flows br-int -O OpenFlow13<br>><br>> 2016-10-24T11:28:43Z|00001|ofp_actions|INFO|OFPAT_SET_MPLS_TTL is<br>> deprecated in OpenFlow13 (use Set-Field)<br>> OFPST_FLOW reply (OF1.3) (xid=0x2):<br>>  cookie=0xbbf3cb977f3738c7, duration=2418.957s, table=0, n_packets=2297,<br>> n_bytes=225106, priority=30,icmp,in_port=5,nw_src=55.55.55.4<br>> actions=group:1<br>>  cookie=0xbbf3cb977f3738c7, duration=2418.955s, table=0, n_packets=0,<br>> n_bytes=0, priority=30,icmp,in_port=4,nw_src=55.55.55.4 actions=NORMAL<br>>  cookie=0xbbf3cb977f3738c7, duration=8868.309s, table=0, n_packets=0,<br>> n_bytes=0, priority=20,mpls actions=resubmit(,10)<br>>  cookie=0xbbf3cb977f3738c7, duration=2882.723s, table=0, n_packets=0,<br>> n_bytes=0, priority=10,icmp6,in_port=5,icmp_type=136 actions=resubmit(,24)<br>>  cookie=0xbbf3cb977f3738c7, duration=2866.752s, table=0, n_packets=0,<br>> n_bytes=0, priority=10,icmp6,in_port=6,icmp_type=136 actions=resubmit(,24)<br>>  cookie=0xbbf3cb977f3738c7, duration=2650.698s, table=0, n_packets=0,<br>> n_bytes=0, priority=10,icmp6,in_port=4,icmp_type=136 actions=resubmit(,24)<br>>  cookie=0xbbf3cb977f3738c7, duration=2882.708s, table=0, n_packets=71,<br>> n_bytes=2982, priority=10,arp,in_port=5 actions=resubmit(,24)<br>>  cookie=0xbbf3cb977f3738c7, duration=2866.738s, table=0, n_packets=70,<br>> n_bytes=2940, priority=10,arp,in_port=6 actions=resubmit(,24)<br>>  cookie=0xbbf3cb977f3738c7, duration=2650.684s, table=0, n_packets=4,<br>> n_bytes=168, priority=10,arp,in_port=4 actions=resubmit(,24)<br>>  cookie=0xbbf3cb977f3738c7, duration=2882.737s, table=0, n_packets=70,<br>> n_bytes=8378, priority=9,in_port=5 actions=resubmit(,25)<br>>  cookie=0xbbf3cb977f3738c7, duration=2866.767s, table=0, n_packets=22,<br>> n_bytes=2332, priority=9,in_port=6 actions=resubmit(,25)<br>>  cookie=0xbbf3cb977f3738c7, duration=2650.715s, table=0, n_packets=15,<br>> n_bytes=1724, priority=9,in_port=4 actions=resubmit(,25)<br>>  cookie=0xbbf3cb977f3738c7, duration=8868.755s, table=0, n_packets=163,<br>> n_bytes=18908, priority=0 actions=NORMAL<br>>  cookie=0xbbf3cb977f3738c7, duration=2419.054s, table=5, n_packets=2297,<br>> n_bytes=225106, priority=0,ip,dl_dst=fa:16:3e:90:b4:67<br>> actions=push_mpls:0x8847,set_field:511->mpls_label,set_<br>> mpls_ttl(255),push_vlan:0x8100,set_field:4097->vlan_vid,resubmit(,10)<br>>  cookie=0xbbf3cb977f3738c7, duration=2418.916s, table=10, n_packets=2297,<br>> n_bytes=225106, priority=1,mpls,dl_vlan=1,dl_dst=fa:16:3e:90:b4:67,mpls_label=511<br>> actions=pop_vlan,pop_mpls:0x0800,output:4<br>>  cookie=0xbbf3cb977f3738c7, duration=8868.303s, table=10, n_packets=0,<br>> n_bytes=0, priority=0 actions=drop<br>>  cookie=0xbbf3cb977f3738c7, duration=8868.749s, table=23, n_packets=0,<br>> n_bytes=0, priority=0 actions=drop<br>>  cookie=0xbbf3cb977f3738c7, duration=2882.730s, table=24, n_packets=0,<br>> n_bytes=0, priority=2,icmp6,in_port=5,icmp_type=136,nd_target=fe80::f816:3eff:fedd:16f7<br>> actions=NORMAL<br>>  cookie=0xbbf3cb977f3738c7, duration=2866.760s, table=24, n_packets=0,<br>> n_bytes=0, priority=2,icmp6,in_port=6,icmp_type=136,nd_target=fe80::f816:3eff:fea6:c635<br>> actions=NORMAL<br>>  cookie=0xbbf3cb977f3738c7, duration=2650.708s, table=24, n_packets=0,<br>> n_bytes=0, priority=2,icmp6,in_port=4,icmp_type=136,nd_target=fe80::f816:3eff:fe90:b467<br>> actions=NORMAL<br>>  cookie=0xbbf3cb977f3738c7, duration=2882.715s, table=24, n_packets=68,<br>> n_bytes=2856, priority=2,arp,in_port=5,arp_spa=55.55.55.4<br>> actions=resubmit(,25)<br>>  cookie=0xbbf3cb977f3738c7, duration=2866.743s, table=24, n_packets=67,<br>> n_bytes=2814, priority=2,arp,in_port=6,arp_spa=55.55.55.5<br>> actions=resubmit(,25)<br>>  cookie=0xbbf3cb977f3738c7, duration=2650.690s, table=24, n_packets=1,<br>> n_bytes=42, priority=2,arp,in_port=4,arp_spa=55.55.55.3<br>> actions=resubmit(,25)<br>>  cookie=0xbbf3cb977f3738c7, duration=8868.743s, table=24, n_packets=0,<br>> n_bytes=0, priority=0 actions=drop<br>>  cookie=0xbbf3cb977f3738c7, duration=2882.753s, table=25, n_packets=138,<br>> n_bytes=11130, priority=2,in_port=5,dl_src=fa:16:3e:dd:16:f7<br>> actions=NORMAL<br>>  cookie=0xbbf3cb977f3738c7, duration=2866.783s, table=25, n_packets=87,<br>> n_bytes=4882, priority=2,in_port=6,dl_src=fa:16:3e:a6:c6:35 actions=NORMAL<br>>  cookie=0xbbf3cb977f3738c7, duration=2650.730s, table=25, n_packets=14,<br>> n_bytes=1502, priority=2,in_port=4,dl_src=fa:16:3e:90:b4:67 actions=NORMAL<br>><br><br><br><br><br></div>  </div> </div>  </div></div></body></html>