openvswitch and OpenFlow


Layer 1

ovs-ofctl del-flow BRIDGE
ovs-ofctl add-flow BRIDGE priority=500,in_port=1,actions=output:2
ovs-ofctl add-flow BRIDGE priority=500,in_port=2,actions=output:1
ovs-ofctl dump-flows BRIDGE

Layer 2

ovs-ofctl del-flow BRIDGE
ovs-ofctl add-flow BRIDGE dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,actions=output:2
ovs-ofctl add-flow BRIDGE dl_src=00:00:00:00:00:02,dl_dst=00:00:00:00:00:01,actions=output:1
ovs-ofctl add-flow BRIDGE dl_type=0x806,nw_proto=1,actions=flood
ovs-ofctl dump-flows BRIDGE 

Layer 3

ovs-ofctl del-flow BRIDGE
ovs-ofctl add-flow BRIDGE priority=500,dl_type=0x800,nw_src=,nw_dst=,actions=normal
ovs-ofctl add-flow BRIDGE priority=800,ip,nw_src=,actions=mod_nw_tos=184,normal
ovs-ofctl add-flow BRIDGE arp,nw_dst=,actions=output:1
ovs-ofctl add-flow BRIDGE arp,nw_dst=,actions=output:2
ovs-ofctl add-flow BRIDGE arp,nw_dst=,actions=output:3
ovs-ofctl dump-flows BRIDGE 

Layer 4

ovs-ofctl del-flow BRIDGE 
ovs-ofctl add-flow BRIDGE arp,actions=normal
ovs-ofctl add-flow BRIDGE priority=500,dl_type=0x800,nw_proto=6,tp_dst=80,actions=output:3
ovs-ofctl add-flow BRIDGE priority=800,ip,nw_src=,actions=normal
ovs-ofctl dump-flows BRIDGE 



Priority rules

When no priority is set, the default is 32768. Allowed values are from 0 to 65536. The flow with the higher priority matches first.


dl_type and nw_proto

dl_type and nw_proto are match fields that select specific packets. Generally dl_type works at L2 (it matches the Ethertype) and nw_proto at L3 (it matches the IP protocol number, or the opcode in the case of ARP). For example:

dl_type=0x800 – for IPv4 packets

dl_type=0x86dd – for IPv6 packets

dl_type=0x806 and nw_proto=1 – match only ARP requests (for ARP, nw_proto is the opcode; see layer 2)

dl_type=0x800 and the keyword ip (see layer 3) have the same meaning

ip and nw_proto=17 – UDP packets

ip and nw_proto=6 – TCP packets

Possible values for actions (excerpt):

  • normal – default mode, OVS acts like a normal L2 switch
  • drop – drops all packets
  • output – define the output port for a packet/rule
  • resubmit – useful with multiple tables; runs the packet through another table (optionally with a different in_port)
  • flood – forward the packet on all ports except the one on which it was received
  • strip_vlan – remove the VLAN tag from a packet
  • set_tunnel – set a tunnel id (GRE & VXLAN)
  • mod_vlan_vid – set the VLAN id on a packet (adds a tag if there is none)
  • learn – complex foo 😉

ovs-ofctl man page

Example from an OpenStack node (with GRE, see table 22): the OVS flows of the br-tun device

[root@node1 ~]# ovs-ofctl dump-flows br-tun
NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=1221.218s, table=0, n_packets=0, n_bytes=0, idle_age=1221, priority=0 actions=drop
cookie=0x0, duration=1221.323s, table=0, n_packets=747, n_bytes=54800, idle_age=0, priority=1,in_port=1 actions=resubmit(,2)
cookie=0x0, duration=1220.226s, table=0, n_packets=0, n_bytes=0, idle_age=1220, priority=1,in_port=2 actions=resubmit(,3)
cookie=0x0, duration=1221.126s, table=2, n_packets=0, n_bytes=0, idle_age=1221, priority=0,dl_dst=00:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,20)
cookie=0x0, duration=1221.051s, table=2, n_packets=747, n_bytes=54800, idle_age=0, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
cookie=0x0, duration=1220.974s, table=3, n_packets=0, n_bytes=0, idle_age=1220, priority=0 actions=drop
cookie=0x0, duration=1218.706s, table=3, n_packets=0, n_bytes=0, idle_age=1218, priority=1,tun_id=0x3f7 actions=mod_vlan_vid:1,resubmit(,10)
cookie=0x0, duration=1217.462s, table=3, n_packets=0, n_bytes=0, idle_age=1217, priority=1,tun_id=0x442 actions=mod_vlan_vid:2,resubmit(,10)
cookie=0x0, duration=1220.898s, table=4, n_packets=0, n_bytes=0, idle_age=1220, priority=0 actions=drop
cookie=0x0, duration=1220.821s, table=10, n_packets=0, n_bytes=0, idle_age=1220, priority=1 actions=learn(table=20,hard_timeout=300,priority=1,NXM_OF_VLAN_TCI[0..11],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:0->NXM_OF_VLAN_TCI[],load:NXM_NX_TUN_ID[]->NXM_NX_TUN_ID[],output:NXM_OF_IN_PORT[]),output:1
cookie=0x0, duration=1220.742s, table=20, n_packets=0, n_bytes=0, idle_age=1220, priority=0 actions=resubmit(,22)
cookie=0x0, duration=1220.666s, table=22, n_packets=137, n_bytes=21860, idle_age=13, priority=0 actions=drop
cookie=0x0, duration=1220.093s, table=22, n_packets=610, n_bytes=32940, idle_age=0, hard_age=1217, dl_vlan=2 actions=strip_vlan,set_tunnel:0x442,output:2
cookie=0x0, duration=1219.970s, table=22, n_packets=0, n_bytes=0, idle_age=1219, hard_age=1218, dl_vlan=1 actions=strip_vlan,set_tunnel:0x3f7,output:2
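The dump above can be audited offline. The following is an added example (my code, not part of the original page or of Open vSwitch) that parses `ovs-ofctl dump-flows` output, applies the priority rule from above (highest wins, a line printed without priority= means 32768), expands the ip/arp keywords, honours ADDR/MASK matches such as the multicast-bit test in table 2, and traces which actions a packet ends with by following resubmit(,N). It assumes a packet is given as a dict of field strings in the notation ovs-ofctl prints (in_port, dl_dst, dl_vlan, tun_id, dl_type), covers only the field kinds present in this dump (no IP addresses or CIDR masks), and does not simulate packet-modifying actions such as mod_vlan_vid.

```python
from collections import namedtuple
Flow = namedtuple("Flow", "table priority match actions")
META = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age"}
KEYWORDS = {"ip": ("dl_type", "0x0800"), "arp": ("dl_type", "0x0806")}  # aliases from the text
_num = lambda s: int(s.replace(":", ""), 16) if ":" in s else int(s, 0)  # MAC or 0x/decimal value
# Constructed sample: the NXST_FLOW header plus five lines copied from the br-tun dump above.
DUMP = """NXST_FLOW reply (xid=0x4):
cookie=0x0, duration=1221.218s, table=0, n_packets=0, n_bytes=0, idle_age=1221, priority=0 actions=drop
cookie=0x0, duration=1221.323s, table=0, n_packets=747, n_bytes=54800, idle_age=0, priority=1,in_port=1 actions=resubmit(,2)
cookie=0x0, duration=1221.051s, table=2, n_packets=747, n_bytes=54800, idle_age=0, priority=0,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,22)
cookie=0x0, duration=1220.666s, table=22, n_packets=137, n_bytes=21860, idle_age=13, priority=0 actions=drop
cookie=0x0, duration=1220.093s, table=22, n_packets=610, n_bytes=32940, idle_age=0, hard_age=1217, dl_vlan=2 actions=strip_vlan,set_tunnel:0x442,output:2"""

def parse_dump(text):
    """Parse dump-flows output; a line printed without priority= has the default 32768."""
    flows = []
    for line in text.splitlines():
        if " actions=" not in line:
            continue                                           # skip the NXST_FLOW header
        head, actions = line.split(" actions=", 1)
        counters, last = head.rstrip(",").rsplit(", ", 1)      # counters are ", "-separated, the match is not
        table = int(counters.partition("table=")[2].split(",")[0])
        match = {} if last.partition("=")[0] in META else dict(kv.partition("=")[::2] for kv in last.split(","))
        flows.append(Flow(table, int(match.pop("priority", 32768)), match, actions))
    return flows

def matches(match, packet):
    """Every field (ip/arp expanded to dl_type) must fit; VALUE/MASK compares masked bits only."""
    for key, value in match.items():
        key, value = KEYWORDS.get(key, (key, value))
        want, _, mask = value.partition("/")
        m = _num(mask) if mask else -1                         # -1: every bit is significant
        if key not in packet or (_num(packet[key]) & m) != (_num(want) & m):
            return False
    return True

def trace(flows, packet, table=0):
    """Walk the pipeline: highest priority wins per table, resubmit(,N) continues in table N."""
    path = []
    for _ in range(64):                                        # bounded, like OVS's own resubmit limit
        hits = [f for f in flows if f.table == table and matches(f.match, packet)]
        if not hits:
            return path + [(table, None, "table miss")]
        best = max(hits, key=lambda f: f.priority)
        path.append((table, best.priority, best.actions))
        nxt = best.actions.partition("resubmit(,")[2]          # empty when the packet leaves the pipeline
        if not nxt:
            return path
        table = int(nxt.split(")")[0])
    return path + [(table, None, "resubmit loop")]
```

With the sample above, a broadcast frame arriving on in_port 1 with VLAN 2 ends in table 22 at the default priority 32768 (beating the priority 0 drop), while a unicast frame misses in table 2 because only the multicast-bit line was copied.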

Syncing a fork with git/github

  • Configure a remote
    git remote -v
    # git remote add <name> <url>
    git remote add upstream
    git remote -v
  • Pull “upstream”
    # git fetch <name>
    git fetch upstream
  • Checkout the master
    git checkout master
  • Merge “upstream” master to local master
    # git merge <name>/<branch>
    git merge upstream/master
  • (optional) Delete old branch
    # git push origin :<branch>
    git push origin :foobar
    git branch -d foobar


mutt: daily use (still in progress)

Tag messages matching
shift-t -> “search string”

Limit messages matching (pattern)
l > ~T (tagged)
l > ~A (all)
l > ~N (new)
l > ~U (unread)
l > ~F (flagged)
l > “search string”

Random commands
;d > Delete tagged messages
s > Move message
;s > Move tagged messages
b > Bounce messages
w/W > Set/Clear Flag
:source /path/to/muttrc > Reload mutt configuration

“No Java compiler available” on SLES11SP1 and tomcat6

On one of my two SLES11 machines I had a Java exception which I could not explain.

java.lang.IllegalStateException: No Java compiler available
# rpm -qa tomcat6

Oracle Java JDK 1.6.0_27

After I compared both, I found some missing links on the second one.

# ln -s /usr/share/java/commons-collections-tomcat5.jar /usr/share/tomcat6/lib/
# ln -s /usr/share/java/commons-dbcp-tomcat5.jar /usr/share/tomcat6/lib/
# ln -s /usr/share/java/commons-pool-tomcat5.jar /usr/share/tomcat6/lib/
# ln -s /usr/share/java/ecj.jar /usr/share/tomcat6/lib/

Restart Tomcat and be happy 🙂

openssl with version information under sles11sp1

If you get errors like this one

$ /path/to/program
/usr/lib/ no version information available

you need a and a with version information.

Here is some information about the problem.

openssl has evolved into a very important library in Linux distributions. A
lot of cryptographic applications link to it, including system libraries
like PAM modules and Apache modules. It becomes more and more
difficult to get all the binaries and libraries to link against the same
version of openssl. This leads to situations where an application uses
several libraries, one of which links to openssl 0.9.7 and another to
version 0.9.8. Since the symbols of the libraries are not yet versioned,
this leads to severe segfaults.

Install source package from the repository

$ zypper in -t srcpackage openssl

Create patches

diff -Naur openssl-0.9.8h/Configure openssl-0.9.8h-new/Configure
--- openssl-0.9.8h/Configure	2008-05-02 01:11:30.000000000 +0200
+++ openssl-0.9.8h-new/Configure	2011-02-22 15:30:05.000000000 +0100
@@ -1327,6 +1327,8 @@

+$shared_ldflag .= " -Wl,--version-script=openssl.ld";
 open(IN,'$") || die "unable to create $$!\n";
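Review bot: this hunk is incomplete as pasted: the header (-1327,6 +1327,8) promises two added lines, but only `+$shared_ldflag .= " -Wl,--version-script=openssl.ld";` is visible, and the context line `open(IN,'$") || die "unable to create $$!\n";` is not valid Perl from Configure, so `patch` will reject the hunk. Also, `openssl.ld` is a relative path, so the flag only resolves when the linker runs from the directory that holds the script (which is why a second copy under engines/ appears below); pointing at one script via a path anchored at the source tree root avoids the duplicate.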
diff -Naur openssl-0.9.8h/engines/openssl.ld openssl-0.9.8h-new/engines/openssl.ld
--- openssl-0.9.8h/engines/openssl.ld	1970-01-01 01:00:00.000000000 +0100
+++ openssl-0.9.8h-new/engines/openssl.ld	2011-02-22 15:31:41.000000000 +0100
@@ -0,0 +1,4 @@
+OPENSSL_0.9.8 {
+    global:
+       *;
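Review bot: the version script is truncated: the header says four lines were added (+1,4), but the closing `};` for `OPENSSL_0.9.8 {` is not visible, and ld rejects a version script whose block is not closed. Note also that `global: *;` without a `local:` section puts every exported symbol under the single OPENSSL_0.9.8 node: that gives the symbols the version tag the text asks for, but hides nothing, so the export set of libssl/libcrypto is unchanged.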
diff -Naur openssl-0.9.8h/Makefile openssl-0.9.8h-new/Makefile
--- openssl-0.9.8h/Makefile	2008-05-28 10:48:27.000000000 +0200
+++ openssl-0.9.8h-new/Makefile	2011-02-22 15:30:59.000000000 +0100
@@ -140,9 +140,9 @@
 LIBS=   libcrypto.a libssl.a
+SHARED_LDFLAGS=-m64 -Wl,--version-script=openssl.ld

 GENERAL=        Makefile
 BASENAME=       openssl
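Review bot: `SHARED_LDFLAGS=-m64 -Wl,--version-script=openssl.ld` hardcodes `-m64`, so this change breaks a 32-bit build from the same spec; the header (-140,9 +140,9) also implies a replaced line, but the corresponding `-` line is not shown. Since the Configure hunk above already appends the same `--version-script` flag to `$shared_ldflag`, which Configure writes into the Makefile it generates from Makefile.org, one of the two edits is redundant; keep the Configure change and drop this edit of a generated file.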
diff -Naur openssl-0.9.8h/openssl.ld openssl-0.9.8h-new/openssl.ld
--- openssl-0.9.8h/openssl.ld	1970-01-01 01:00:00.000000000 +0100
+++ openssl-0.9.8h-new/openssl.ld	2011-02-22 15:31:48.000000000 +0100
@@ -0,0 +1,4 @@
+OPENSSL_0.9.8 {
+    global:
+       *;
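Review bot: this is a byte-for-byte copy of engines/openssl.ld and shows the same truncation (four lines promised, three visible, no closing `};`). Two copies of the version script will drift apart over time; reference one file from both link commands instead.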


--- openssl.spec	2011-02-22 17:00:26.000000000 +0100
+++ openssl-new.spec	2011-02-22 16:59:58.000000000 +0100
@@ -32,7 +32,7 @@
 Version:        0.9.8h
-Release:        30.30.1
+Release:        30.30.1.custom
 Summary:        Secure Sockets and Transport Layer Security
 Source:         http://www.%{name}.org/source/%{name}-%{version}.tar.bz2
@@ -67,6 +67,7 @@
 Patch26:        bug608666.patch
 Patch27:        CVE-2010-3864.patch
 Patch28:        CVE-2010-4180.patch
+Patch29:	openssl-version-patch.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

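Review bot: `Patch29:	openssl-version-patch.patch` is separated with a tab while the neighbouring Patch26..28 lines use spaces; align it the same way. The name must also match a file in /usr/src/packages/SOURCES, and the diff shown above is not labelled openssl-version-patch.patch, so state explicitly that it is saved under that name before rpmbuild runs, otherwise %prep fails with a missing source.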
@@ -222,6 +223,7 @@
 %patch26 -p1
 %patch27 -p1
 %patch28 -p1
+%patch29 -p1
 cp -p %{S:10} .
 # lib64 installation fixes
 for i in engines/Makefile; do
@@ -433,6 +435,8 @@

+* Tue Feb 22 2011
+- added for rsa usage the version information.
 * Tue Dec  7 2010
 - fix bug [bnc#657663]
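Review bot: the changelog text `added for rsa usage the version information` does not describe the change, which attaches the OPENSSL_0.9.8 version node to all symbols of libssl and libcrypto through a linker version script and is not RSA-specific; reword it along the lines of `- build the shared libraries with a version script (OPENSSL_0.9.8 symbol versions)`.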

Patch the spec file

$ cd /usr/src/packages/SPECS/
$ patch -i openssl.spec.patch
patching file openssl.spec

Build the new rpm packages

$ rpmbuild -bb /usr/src/packages/SPECS/openssl.spec

Create a shared disk for VMware ESX guests

To create a shared disk between two or more VMs, log in to one of your ESX hosts and create a disk image.

cd /vmfs/volumes/#volume-name#/#vm-name#/;
vmkfstools -d thick -a lsilogic -c 50G shareddisk.vmdk;

Add the new hard drive to the guest(s) and select a new SCSI bus (like SCSI 2:0). VMware creates a new SCSI controller. Set SCSI Bus Sharing = Physical or Virtual and have fun 🙂

Apache Tomcat & logrotate

Some Linux distributions ship without a logrotate config for catalina.out (the Tomcat application server log) 😉

$ cat /etc/logrotate.d/tomcat
/var/log/tomcat/base/catalina.out {
	create 644 tomcat tomcat
	rotate 30
	size 4M
	# compress + delaycompress give the names described below: catalina.out.1 (plain), catalina.out.2.gz (gzipped)
	compress
	delaycompress
	# Tomcat keeps catalina.out open, so after "create" it keeps writing into catalina.out.1; copytruncate is usually the better choice
}

The catalina.out will be rotated after 4 MB and stored for 30 days (/var/log/tomcat/base/catalina.out.1, /var/log/tomcat/base/catalina.out.2.gz and so on).