HTTP requests to public sites not going through SFC

asked 2017-03-09 05:09:31 -0500

DeepakRK

Following are the details regarding source, service VMs and destination VM which I used for Service function chaining. ( Followed the steps mentioned in ( )

Source VM

Service VM 1 ingress-> egress->

Service VM 2 ingress-> egress->

Destination VM + a public interface

(MASQUERADE rule added in destination VM )

• Created flow classifiers for TCP & UDP traffic to pass through the chain

neutron flow-classifier-create --ethertype IPv4 --source-ip-prefix --destination-ip-prefix --protocol tcp --logical-source-port source_vm_port SFC_tcp

neutron flow-classifier-create --ethertype IPv4 --source-ip-prefix --destination-ip-prefix --protocol udp --logical-source-port source_vm_port SFC_udp

• Created a port chain using the above flow-classifier.

neutron port-chain-create --port-pair-group PG1 --port-pair-group PG2 --flow-classifier SFC_tcp --flow-classifier SFC_udp PC1

• Added static routing in service VMs

sudo sh -c 'echo 1 > /proc/sys/net/ipv4/ip_forward'

sudo ip route add dev eth0

sudo ip route add dev eth1

• Ran a simple http server in the destination VM (

while true; do echo -e "HTTP/1.0 200 OK\r\n\r\nWelcome to destination server" | sudo nc -l -p 80 ; done&

• Tried to curl the http server from Source VM(


Could see the HTTP request going through the service VMs (by checking tcpdump in service VM ports) and finally reaching the destination VM. This ensures that SFC is working as expected.

While trying to curl from source VM, the URL is being resolved from DNS server ( but we could not see HTTP request going to the service VMs, i.e. SFC.

user@VNF:~$ curl -v

* Rebuilt URL to:
* Hostname was NOT found in DNS cache
*   Trying
* connect to port 80 failed: Connection refused
*   Trying
* connect to port 80 failed: Connection refused
* Failed to connect to port 80: Connection refused
* Closing connection 0

curl: (7) Failed to connect to port 80: Connection refused

user@VNF:~$ nslookup



Non-authoritative answer:






How to modify the flow classifier or what are the changes needed in static routes in service VMs to ensure that all http requests like "curl (") from source VM( goes through the service VMs & reaches destination VM and finally makes the request to through the public interface in ...


1 answer


answered 2017-06-21 08:24:56 -0500

bcafarel

With the flow classifiers you created, only packets from source VM IP to destination VM IP will match, while packets to bing will have a different dest IP. You can remove the --destination-ip-prefix parameter (it is optional) so that all packets from the source VM will match:

neutron flow-classifier-create --ethertype IPv4 --source-ip-prefix --protocol tcp --logical-source-port source_vm_port SFC_tcp

(optionally specify the destination port so only HTTP traffic goes through the chain: --destination-port 80:80)

At the end, though, the packet will have travelled through the service VMs, but to get on the Internet, this may need some additional configuration (configure to allow Internet access to the VMs, but that's an independent question).

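The matching behaviour described in the answer above, as an added example that is not part of the original posts or of the networking-sfc code: a simplified model of classifier matching that reports which flows enter the chain and which bypass the service VMs. The Classifier class, the helper names, the /32 prefixes and all addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

@dataclass(frozen=True)
class Classifier:
    """Simplified flow classifier model; a field left as None matches anything."""
    name: str
    protocol: str
    source_prefix: Optional[str] = None
    destination_prefix: Optional[str] = None
    destination_ports: Optional[Tuple[int, int]] = None  # e.g. 80:80 -> (80, 80)

    def matches(self, proto, src, dst, dport):
        if proto != self.protocol:
            return False
        for prefix, addr in ((self.source_prefix, src), (self.destination_prefix, dst)):
            if prefix and ipaddress.ip_address(addr) not in ipaddress.ip_network(prefix):
                return False
        if self.destination_ports:
            low, high = self.destination_ports
            return low <= dport <= high
        return True

def steered(classifiers, flow):
    """Name of the first classifier that sends the flow into the chain, or None (bypass)."""
    return next((c.name for c in classifiers if c.matches(*flow)), None)

def report(classifiers):
    return {label: steered(classifiers, flow) for label, flow in FLOWS.items()}

# Constructed addresses from documentation ranges; the page's real ones are not shown.
SRC, DST_VM, PUBLIC = "192.0.2.10", "192.0.2.20", "203.0.113.80"
FLOWS = {  # (protocol, source IP, destination IP, destination port)
    "http_to_destination_vm": ("tcp", SRC, DST_VM, 80),
    "http_to_public_site": ("tcp", SRC, PUBLIC, 80),
    "https_to_public_site": ("tcp", SRC, PUBLIC, 443),
}
# As in the question: source and destination prefix both set (assumed /32 here).
AS_ASKED = [Classifier("SFC_tcp", "tcp", SRC + "/32", DST_VM + "/32")]
# As in the answer: destination prefix removed.
NO_DEST = [Classifier("SFC_tcp", "tcp", SRC + "/32")]
# The answer's optional variant: only destination port 80.
HTTP_ONLY = [Classifier("SFC_tcp", "tcp", SRC + "/32", destination_ports=(80, 80))]

if __name__ == "__main__":
    for title, chain in (("as asked", AS_ASKED), ("no dest prefix", NO_DEST), ("port 80 only", HTTP_ONLY)):
        print(f"{title}: {report(chain)}")
```

A flow reported as None never reaches the service VMs, so any inspection they perform does not apply to it.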

Seen: 132 times

Last updated: Jun 21 '17