From patchwork Tue Nov 19 12:22:01 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 1197423
From: numans@ovn.org
To: dev@openvswitch.org
Date: Tue, 19 Nov 2019 17:52:01 +0530
Message-Id: <20191119122201.1485015-1-numans@ovn.org>
X-Mailer: git-send-email 2.23.0
MIME-Version: 1.0
Subject: [ovs-dev] [PATCH ovn] Skip IPv6 NS packets in router egress SNAT
pipeline
From: Numan Siddique

When ovn-controller injects an IPv6 NS packet to learn the MAC, in some
setups it is observed that the packet is dropped by ovs-vswitchd. We see
the logs below:

2019-11-18T10:42:17.973Z|00001|ofproto_dpif_upcall(handler6)|INFO|received packet on unassociated datapath port 4294967295
2019-11-18T10:42:18.221Z|00001|ofproto_dpif_upcall(revalidator8)|WARN|Failed to acquire udpif_key corresponding to unexpected flow (Invalid argument): ufid:9ba1081f-a692-4c1c-a79b-d1cf04175f7d

Upon further debugging I noticed that xlate_lookup() fails when there is an upcall
from the kernel datapath because of ct related actions. When ovn-controller injects
the packet it sets inport=CONTROLLER.

This patch addresses this issue by preventing the IPv6 NS packets from being
sent to conntrack in the router egress pipeline.

Ideally, this should be fixed in ovs-vswitchd.

Reported-by: Russell Bryant
Signed-off-by: Numan Siddique
Acked-by: Mark Michelson
---
northd/ovn-northd.8.xml | 9 +++++++++
northd/ovn-northd.c | 5 +++++
2 files changed, 14 insertions(+)
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 78b1e84ad..956a10362 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -2826,6 +2826,15 @@ nd_ns {
changed based on the configuration in the OVN Northbound database.
+
+ -
+ A priority-120 flow to advance the IPv6 Neighbor solicitation packet
+ to next table to skip SNAT. In the case where ovn-controller injects
+ an IPv6 Neighbor Solicitation packet (for
nd_ns
action)
+ we don't want the packet to go throught conntrack.
+
+
+
Egress Table 1: SNAT on Gateway Routers
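Review bot: the new list item lands above the "Egress Table 1: SNAT on Gateway Routers" heading, while the flow it documents is installed in S_ROUTER_OUT_SNAT by the ovn-northd.c hunk. If that places the text in the preceding table's section, move it under the SNAT table so the man page matches the stage the flow is actually in. The last added sentence also has a typo: "throught" should be "through". It would help to state here, as the commit message does, that the flow matches every IPv6 Neighbor Solicitation leaving the router and not only the ones ovn-controller injects.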
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 41e97f841..ccccd9651 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -7976,6 +7976,11 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
+ /* Send the IPv6 NS packets to next table. When ovn-controller
+ * generates IPv6 NS (for the action - nd_ns{}), the injected
+ * packet would go through conntrack - which is not required. */
+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;");
+
/* NAT rules are only valid on Gateway routers and routers with
* l3dgw_port (router has a port with "redirect-chassis"
* specified). */
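Review bot: the added flow matches plain "nd_ns" at priority 120 and is installed before the "NAT rules are only valid on Gateway routers" block, so it applies to every router datapath and to every IPv6 NS packet in S_ROUTER_OUT_SNAT, not just the packets ovn-controller injects for nd_ns{}. The comment should say so, and should record that this is a workaround for the ovs-vswitchd drop described in the commit message (the commit message itself says the fix belongs in ovs-vswitchd), so the flow can be revisited once that is fixed. The diffstat touches only ovn-northd.8.xml and ovn-northd.c; a test that checks the priority-120 flow is present in the router egress SNAT stage would guard against it being lost in a later refactor.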