From patchwork Tue Nov 19 12:22:01 2019
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 1197423
From: numans@ovn.org
To: dev@openvswitch.org
Date: Tue, 19 Nov 2019 17:52:01 +0530
Message-Id: <20191119122201.1485015-1-numans@ovn.org>
X-Mailer: git-send-email 2.23.0
Subject: [ovs-dev] [PATCH ovn] Skip IPv6 NS packets in router egress SNAT pipeline

From: Numan Siddique

When ovn-controller injects an IPv6 NS packet to learn the MAC, in some setups it is observed that the packet is dropped by ovs-vswitchd. We see the logs below:

2019-11-18T10:42:17.973Z|00001|ofproto_dpif_upcall(handler6)|INFO|received packet on unassociated datapath port 4294967295
2019-11-18T10:42:18.221Z|00001|ofproto_dpif_upcall(revalidator8)|WARN|Failed to acquire udpif_key corresponding to unexpected flow (Invalid argument): ufid:9ba1081f-a692-4c1c-a79b-d1cf04175f7d

Upon further debugging I noticed that xlate_lookup() fails when there is an upcall from the kernel datapath because of ct-related actions. When ovn-controller injects the packet it sets inport=CONTROLLER.

This patch addresses this issue by preventing IPv6 NS packets from being sent to conntrack in the router egress pipeline. This should ideally be fixed in ovs-vswitchd.

Reported-by: Russell Bryant
Signed-off-by: Numan Siddique
Acked-by: Mark Michelson
---
 northd/ovn-northd.8.xml | 9 +++++++++
 northd/ovn-northd.c | 5 +++++
 2 files changed, 14 insertions(+)

diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 78b1e84ad..956a10362 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -2826,6 +2826,15 @@ nd_ns { changed based on the configuration in the OVN Northbound database.

+
    +
  • + A priority-120 flow to advance the IPv6 Neighbor solicitation packet + to next table to skip SNAT. In the case where ovn-controller injects + an IPv6 Neighbor Solicitation packet (for nd_ns action) + we don't want the packet to go throught conntrack. +
  • +
+

Egress Table 1: SNAT on Gateway Routers
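
Review bot: The added list item misspells "through" as "throught" and describes the flow more narrowly than the code in this patch installs it: the text motivates the flow with packets that ovn-controller injects for the nd_ns action, while the flow added in ovn-northd.c matches "nd_ns" alone, so every IPv6 Neighbor Solicitation in this table skips SNAT. Suggest spelling out the match and action the way the neighbouring entries in this man page do (match nd_ns, action next;), saying plainly that all NS packets bypass SNAT and conntrack here, and using one capitalization for "Neighbor Solicitation" in both sentences.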

    diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 41e97f841..ccccd9651 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -7976,6 +7976,11 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;"); + /* Send the IPv6 NS packets to next table. When ovn-controller + * generates IPv6 NS (for the action - nd_ns{}), the injected + * packet would go through conntrack - which is not required. */ + ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;"); + /* NAT rules are only valid on Gateway routers and routers with * l3dgw_port (router has a port with "redirect-chassis" * specified). */
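
Review bot: The new flow at S_ROUTER_OUT_SNAT, priority 120, matches "nd_ns" with no other qualifier, so it exempts every Neighbor Solicitation leaving the router from this table, not only the ones ovn-controller injects as the comment describes. If only injected packets need the bypass, narrow the match; if exempting all NS traffic is intended, say so in the comment. The comment should also record what the commit message states, that this works around xlate_lookup() failing in ovs-vswitchd on ct-related upcalls, so the flow can be revisited once that is fixed. The call sits with the priority-0 default flows, above the "NAT rules are only valid on Gateway routers" comment, so it appears to be installed on every logical router whether or not NAT is configured; please confirm that is wanted. The diffstat lists only the man page and ovn-northd.c, so a test that checks the priority-120 "nd_ns" flow is present in the egress SNAT stage would be worth adding.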