Message ID | 20191119122201.1485015-1-numans@ovn.org |
---|---|
State | Accepted |
Series | [ovs-dev,ovn] Skip IPv6 NS packets in router egress SNAT pipeline |
Acked-by: Mark Michelson <mmichels@redhat.com> On 11/19/19 7:22 AM, numans@ovn.org wrote: > From: Numan Siddique <numans@ovn.org> > > When ovn-controller injects IPv6 NS packet to learn the mac, in some > setups it is observed that the packet is dropped by ovs-vswitchd. We see > below logs > > 2019-11-18T10:42:17.973Z|00001|ofproto_dpif_upcall(handler6)|INFO|received packet on unassociated datapath port 4294967295 > 2019-11-18T10:42:18.221Z|00001|ofproto_dpif_upcall(revalidator8)|WARN|Failed to acquire udpif_key corresponding to unexpected flow (Invalid argument): ufid:9ba1081f-a692-4c1c-a79b-d1cf04175f7d > > Upon further debugging I noticed that, xlate_lookup() fails when there is upcall > from kernel datapath because of ct related actions. When ovn-controller injects > the packet it sets inport=CONTROLLER. > > This patch addresses this issue by avoiding the IPv6 NS packets to be > sent to conntrack in the router egress pipeline. > > This should be ideally fixed in ovs-vswitchd. > > Reported-by: Russell Bryant <russell@ovn.org> > Signed-off-by: Numan Siddique <numans@ovn.org> > --- > northd/ovn-northd.8.xml | 9 +++++++++ > northd/ovn-northd.c | 5 +++++ > 2 files changed, 14 insertions(+) > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > index 78b1e84ad..956a10362 100644 > --- a/northd/ovn-northd.8.xml > +++ b/northd/ovn-northd.8.xml > @@ -2826,6 +2826,15 @@ nd_ns { > changed based on the configuration in the OVN Northbound database. > </p> > > + <ul> > + <li> > + A priority-120 flow to advance the IPv6 Neighbor solicitation packet > + to next table to skip SNAT. In the case where ovn-controller injects > + an IPv6 Neighbor Solicitation packet (for <code>nd_ns</code> action) > + we don't want the packet to go throught conntrack. > + </li> > + </ul> > + > <p>Egress Table 1: SNAT on Gateway Routers</p> > > <ul> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index 41e97f841..ccccd9651 100644 > --- a/northd/ovn-northd.c 
> +++ b/northd/ovn-northd.c > @@ -7976,6 +7976,11 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, > ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;"); > ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;"); > > + /* Send the IPv6 NS packets to next table. When ovn-controller > + * generates IPv6 NS (for the action - nd_ns{}), the injected > + * packet would go through conntrack - which is not required. */ > + ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;"); > + > /* NAT rules are only valid on Gateway routers and routers with > * l3dgw_port (router has a port with "redirect-chassis" > * specified). */ >
On Tue, Nov 19, 2019 at 11:41 PM Mark Michelson <mmichels@redhat.com> wrote:
>
> Acked-by: Mark Michelson <mmichels@redhat.com>

Thanks. I applied this to master.

Numan
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 78b1e84ad..956a10362 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -2826,6 +2826,15 @@ nd_ns { changed based on the configuration in the OVN Northbound database. </p> + <ul> + <li> + A priority-120 flow to advance the IPv6 Neighbor solicitation packet + to next table to skip SNAT. In the case where ovn-controller injects + an IPv6 Neighbor Solicitation packet (for <code>nd_ns</code> action) + we don't want the packet to go throught conntrack. + </li> + </ul> + <p>Egress Table 1: SNAT on Gateway Routers</p> <ul> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 41e97f841..ccccd9651 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -7976,6 +7976,11 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;"); + /* Send the IPv6 NS packets to next table. When ovn-controller + * generates IPv6 NS (for the action - nd_ns{}), the injected + * packet would go through conntrack - which is not required. */ + ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;"); + /* NAT rules are only valid on Gateway routers and routers with * l3dgw_port (router has a port with "redirect-chassis" * specified). */
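Review bot: in the northd/ovn-northd.8.xml hunk, the new list item contains the typo "throught" (should be "through") and writes "Neighbor solicitation" in its first sentence but "Neighbor Solicitation" in its second; pick one spelling. The item says only that the packet should skip SNAT and conntrack, while the commit message gives the actual reason as the injected packet being dropped by ovs-vswitchd after ct-related actions. Stating in the documentation that this flow is a workaround for that behaviour would keep a reader from taking it as a functional requirement of the SNAT table.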
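Review bot: in the build_lrouter_flows() hunk of northd/ovn-northd.c, the new flow matches plain "nd_ns" with no further qualifier, so every IPv6 Neighbor Solicitation reaching S_ROUTER_OUT_SNAT is advanced with "next;" at priority 120, not only the packets ovn-controller injects. Because the line sits above the "NAT rules are only valid on Gateway routers" comment, it is also added for every router datapath. The code comment should say that this breadth is intended, or explain why the match cannot be narrowed to the injected case. The comment gives "which is not required" as the reason, whereas the commit message describes a drop in ovs-vswitchd and says the issue "should be ideally fixed in ovs-vswitchd"; noting in the comment that this is a workaround would tell a later reader when the flow can be removed. The diffstat lists only ovn-northd.8.xml and ovn-northd.c, so no test exercises the new flow.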