From patchwork Fri Jun 1 11:05:21 2018
X-Patchwork-Submitter: Lorenzo Bianconi
X-Patchwork-Id: 923952
X-Patchwork-Delegate: guru@ovn.org
From: Lorenzo Bianconi
To: dev@openvswitch.org
Date: Fri, 1 Jun 2018 13:05:21 +0200
Subject: [ovs-dev] [PATCH v2] OVN: do not mark ND packets for conntrack in PRE_LB stage

Do not send Neighbor Discovery packets to conntrack module if load balancing rules have been added to NB db since otherwise Neighbor Advertisement frames will be discarded by OVN. In order to reproduce the issue it is enough to add 2 logical ports to a single logical switch, assign an IPv6 address to each VIF, and define a load balance rule on the logical switch. After a while the ping6 from VIF1 to VIF2 will stop since the vm will not receive any NA packet.

Signed-off-by: Lorenzo Bianconi
--- Changes since v1: - updated ovn-northd manpage --- ovn/northd/ovn-northd.8.xml | 34 +++++++++++++++++++--------------- ovn/northd/ovn-northd.c | 6 ++++++ 2 files changed, 25 insertions(+), 15 deletions(-) diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index 1d68f1aab..4f897bdbe 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -240,17 +240,19 @@

This table prepares flows for possible stateful load balancing processing in ingress table LB and Stateful. It contains - a priority-0 flow that simply moves traffic to the next table. If load - balancing rules with virtual IP addresses (and ports) are configured in - OVN_Northbound database for a logical switch datapath, a - priority-100 flow is added for each configured virtual IP address - VIP. For IPv4 VIPs, the match is ip - && ip4.dst == VIP. For IPv6 VIPs, - the match is ip && ip6.dst == VIP. The - flow sets an action reg0[0] = 1; next; to act as a - hint for table Pre-stateful to send IP packets to the - connection tracker for packet de-fragmentation before eventually - advancing to ingress table LB. + a priority-0 flow that simply moves traffic to the next table. Moreover + it contains a priority-110 flow to move IPv6 Neighbor Discovery traffic + to the next table. If load balancing rules with virtual IP addresses + (and ports) are configured in OVN_Northbound database for a + logical switch datapath, a priority-100 flow is added for each configured + virtual IP address VIP. For IPv4 VIPs, the match is + ip && ip4.dst == VIP. For IPv6 + VIPs, the match is ip && + ip6.dst == VIP. The flow sets an action + reg0[0] = 1; next; to act as a hint for table + Pre-stateful to send IP packets to the connection tracker + for packet de-fragmentation before eventually advancing to ingress table + LB.

Ingress Table 5: Pre-stateful

@@ -866,10 +868,12 @@ output;

This table is similar to ingress table Pre-LB. It contains a priority-0 flow that simply moves traffic to the next table. - If any load balancing rules exist for the datapath, a priority-100 flow - is added with a match of ip and action of reg0[0] = 1; - next; to act as a hint for table Pre-stateful to - send IP packets to the connection tracker for packet de-fragmentation. + Moreover it contains a priority-110 flow to move IPv6 Neighbor Discovery + traffic to the next table. If any load balancing rules exist for the + datapath, a priority-100 flow is added with a match of ip + and action of reg0[0] = 1; next; to act as a hint for + table Pre-stateful to send IP packets to the connection + tracker for packet de-fragmentation.

Egress Table 1: to-lport Pre-ACLs

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 0e06776ad..aa9298d3b 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -2977,6 +2977,12 @@ ls_has_dns_records(const struct nbrec_logical_switch *nbs) static void build_pre_lb(struct ovn_datapath *od, struct hmap *lflows) { + /* Do not send ND packets to conntrack */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, + "nd || nd_rs || nd_ra", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, + "nd || nd_rs || nd_ra", "next;"); + /* Allow all packets to go to next tables by default. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;");
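Review bot: In both ovn-northd.8.xml hunks (ingress Pre-LB and egress Pre-LB) the new sentence documents the priority-110 flow only as moving "IPv6 Neighbor Discovery traffic to the next table", without giving its match or its purpose, while the neighbouring priority-100 flows are documented with their exact match and action. Please state the match as it appears in the code, `nd || nd_rs || nd_ra`, with action `next;`, and say that the flow exists so that ND packets are not flagged with `reg0[0] = 1` and handed to the connection tracker. This matters most in the egress paragraph, where the priority-100 flow matches plain `ip` and would otherwise cover ND as well. A reader auditing which traffic bypasses stateful processing needs that spelled out in the man page.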
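Review bot: In build_pre_lb() the two priority-110 flows are installed unconditionally at the top of the function, whereas the commit message scopes the problem to switches that have load balancing rules. Either add them only where the priority-100 conntrack hint flows are added, or extend the comment to say that they are deliberately installed on every datapath. The comment "Do not send ND packets to conntrack" should also record the reason given in the commit message (Neighbor Advertisement frames are otherwise discarded), since this is a deliberate exemption from stateful processing. Separately, the diffstat touches only ovn-northd.8.xml and ovn-northd.c, so the fix has no regression test. The reproduction in the commit message (two logical ports with IPv6 addresses on one switch, a load balancer attached, ping6 between the VIFs) would make a suitable test case.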