From: Ales Musil
To: dev@openvswitch.org
Cc: dceara@redhat.com
Date: Wed, 7 Feb 2024 17:35:54 +0100
Message-ID: <20240207163555.213086-2-amusil@redhat.com>
In-Reply-To: <20240207163555.213086-1-amusil@redhat.com>
References: <20240207163555.213086-1-amusil@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 1/2] actions: Adjust the ct_commit_nat action.

The ct_commit_nat was hardcoded to use DNAT zone in router pipeline.
Extend it so that it accepts two new arguments (snat/dnat) which will
determine the zone for router pipeline. The switch pipeline has only
one, so it resolves to the same for both arguments.

In order to keep backward compatibility the ct_commit_nat without any
arguments is the same as ct_commit_nat(dnat).

Signed-off-by: Ales Musil
---
v5: Rebase on top of current main.
v4: Rebase on top of current main.
v3: Rebase on top of current main.
v2: Rebase on top of current main.
    Address comment from Dumitru:
    - Make the ct_commit_nat to accept only snat/dnat parameter.
---
 include/ovn/actions.h | 12 ++++++--
 lib/actions.c         | 69 +++++++++++++++++++++++++++++++++----------
 tests/ovn.at          | 21 +++++++++++++
 utilities/ovn-trace.c |  2 +-
 4 files changed, 86 insertions(+), 18 deletions(-)

diff --git a/include/ovn/actions.h b/include/ovn/actions.h index 49cfe0624..49fb96fc6 100644 --- a/include/ovn/actions.h +++ b/include/ovn/actions.h
@@ -75,7 +75,7 @@ struct collector_set_ids; OVNACT(CT_LB_MARK, ovnact_ct_lb) \ OVNACT(SELECT, ovnact_select) \ OVNACT(CT_CLEAR, ovnact_null) \ - OVNACT(CT_COMMIT_NAT, ovnact_ct_nat) \ + OVNACT(CT_COMMIT_NAT, ovnact_ct_commit_nat) \ OVNACT(CLONE, ovnact_nest) \ OVNACT(ARP, ovnact_nest) \ OVNACT(ICMP4, ovnact_nest) \ @@ -274,7 +274,7 @@ enum ovnact_ct_nat_type { OVNACT_CT_NAT_UNSPEC, }; -/* OVNACT_CT_DNAT, OVNACT_CT_SNAT, OVNACT_CT_COMMIT_NAT. */ +/* OVNACT_CT_DNAT, OVNACT_CT_SNAT. */ struct ovnact_ct_nat { struct ovnact ovnact; int family; @@ -296,6 +296,14 @@ struct ovnact_ct_nat { uint8_t ltable; /* Logical table ID of next table. */ }; +/* OVNACT_CT_COMMIT_NAT. */ +struct ovnact_ct_commit_nat { + struct ovnact ovnact; + + bool dnat_zone; + uint8_t ltable; +}; + enum ovnact_ct_lb_flag { OVNACT_CT_LB_FLAG_NONE, OVNACT_CT_LB_FLAG_SKIP_SNAT, diff --git a/lib/actions.c b/lib/actions.c index fdc0529de..a45874dfb 100644 --- a/lib/actions.c +++ b/lib/actions.c @@ -1020,16 +1020,29 @@ parse_CT_COMMIT_NAT(struct action_context *ctx) if (ctx->pp->cur_ltable >= ctx->pp->n_tables) { lexer_error(ctx->lexer, - "\"ct_commit_related\" action not allowed in last table."); + "\"ct_commit_nat\" action not allowed in last table."); return; } - struct ovnact_ct_nat *cn = ovnact_put_CT_COMMIT_NAT(ctx->ovnacts); - cn->commit = true; + struct ovnact_ct_commit_nat *cn = ovnact_put_CT_COMMIT_NAT(ctx->ovnacts); cn->ltable = ctx->pp->cur_ltable + 1; - cn->family = AF_UNSPEC; - cn->type = OVNACT_CT_NAT_UNSPEC; - cn->port_range.exists = false; + cn->dnat_zone = true; + + if (!lexer_match(ctx->lexer, LEX_T_LPAREN)) { + return; + } + + if (lexer_match_id(ctx->lexer, "dnat")) { + cn->dnat_zone = true; + } else if (lexer_match_id(ctx->lexer, "snat")) { + cn->dnat_zone = false; + } else { + lexer_error(ctx->lexer, "\"ct_commit_nat\" action accepts" + " only \"dnat\" or \"snat\" parameter."); + return; + } + + lexer_force_match(ctx->lexer, LEX_T_RPAREN); } static void 
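Review bot: The argument syntax that parse_CT_COMMIT_NAT now accepts, ct_commit_nat(dnat) and ct_commit_nat(snat) with the bare form defaulting to "cn->dnat_zone = true;", is not documented anywhere in this patch: the diffstat lists only include/ovn/actions.h, lib/actions.c, tests/ovn.at and utilities/ovn-trace.c. Please add the two arguments, the default, and the fact that both resolve to the same zone in the switch pipeline to the action documentation. Minor: the "dnat" branch assigns the value that was already set as the default a few lines above, so one of the two assignments can go.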
@@ -1082,9 +1095,10 @@ format_CT_SNAT_IN_CZONE(const struct ovnact_ct_nat *cn, struct ds *s) } static void -format_CT_COMMIT_NAT(const struct ovnact_ct_nat *cn OVS_UNUSED, struct ds *s) +format_CT_COMMIT_NAT(const struct ovnact_ct_commit_nat *cn, struct ds *s) { - ds_put_cstr(s, "ct_commit_nat;"); + ds_put_cstr(s, "ct_commit_nat"); + ds_put_cstr(s, cn->dnat_zone ? "(dnat);" : "(snat);"); } static void @@ -1189,20 +1203,45 @@ encode_CT_SNAT_IN_CZONE(const struct ovnact_ct_nat *cn, } static void -encode_CT_COMMIT_NAT(const struct ovnact_ct_nat *cn, - const struct ovnact_encode_params *ep, - struct ofpbuf *ofpacts) +encode_CT_COMMIT_NAT(const struct ovnact_ct_commit_nat *cn, + const struct ovnact_encode_params *ep, + struct ofpbuf *ofpacts) { - enum mf_field_id zone = ep->is_switch - ? MFF_LOG_CT_ZONE - : MFF_LOG_DNAT_ZONE; - encode_ct_nat(cn, ep, zone, ofpacts); + const size_t ct_offset = ofpacts->size; + + struct ofpact_conntrack *ct = ofpact_put_CT(ofpacts); + ct->recirc_table = cn->ltable + first_ptable(ep, ep->pipeline); + ct->zone_src.ofs = 0; + ct->zone_src.n_bits = 16; + ct->flags = NX_CT_F_COMMIT; + ct->alg = 0; + + if (ep->is_switch) { + ct->zone_src.field = mf_from_id(MFF_LOG_CT_ZONE); + } else { + ct->zone_src.field = mf_from_id(cn->dnat_zone + ? MFF_LOG_DNAT_ZONE + : MFF_LOG_SNAT_ZONE); + } + + struct ofpact_nat *nat = ofpact_put_NAT(ofpacts); + nat->range_af = AF_UNSPEC; + nat->flags = 0; + + ct = ofpbuf_at_assert(ofpacts, ct_offset, sizeof *ct); + ofpacts->header = ct; + ofpact_finish_CT(ofpacts, &ct); } static void ovnact_ct_nat_free(struct ovnact_ct_nat *ct_nat OVS_UNUSED) { } + +static void +ovnact_ct_commit_nat_free(struct ovnact_ct_commit_nat *cn OVS_UNUSED) +{ +} static void parse_ct_lb_action(struct action_context *ctx, bool ct_lb_mark) diff --git a/tests/ovn.at b/tests/ovn.at index 0bbf3d6da..f3f0264e5 100644 --- a/tests/ovn.at +++ b/tests/ovn.at 
@@ -1498,9 +1498,30 @@ ct_clear; # ct_commit_nat ct_commit_nat; + formats as ct_commit_nat(dnat); encodes as ct(commit,table=19,zone=NXM_NX_REG13[0..15],nat) has prereqs ip +ct_commit_nat(snat); + encodes as ct(commit,table=19,zone=NXM_NX_REG13[0..15],nat) + has prereqs ip + +ct_commit_nat(dnat); + encodes as ct(commit,table=19,zone=NXM_NX_REG13[0..15],nat) + has prereqs ip + +ct_commit_nat(snat, dnat); + Syntax error at `,' expecting `)'. + +ct_commit_nat(dnat, ignore); + Syntax error at `,' expecting `)'. + +ct_commit_nat(ignore); + "ct_commit_nat" action accepts only "dnat" or "snat" parameter. + +ct_commit_nat(); + "ct_commit_nat" action accepts only "dnat" or "snat" parameter. + # clone clone { ip4.dst = 255.255.255.255; output; }; next; encodes as clone(set_field:255.255.255.255->ip_dst,resubmit(,64)),resubmit(,19) diff --git a/utilities/ovn-trace.c b/utilities/ovn-trace.c index 13ae464ad..e0f1c3ec9 100644 --- a/utilities/ovn-trace.c +++ b/utilities/ovn-trace.c 
@@ -2463,7 +2463,7 @@ execute_ct_nat(const struct ovnact_ct_nat *ct_nat, } static void -execute_ct_commit_nat(const struct ovnact_ct_nat *ct_nat, +execute_ct_commit_nat(const struct ovnact_ct_commit_nat *ct_nat, const struct ovntrace_datapath *dp, struct flow *uflow, enum ovnact_pipeline pipeline, struct ovs_list *super) {
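Review bot: In the tests/ovn.at hunk of patch 1/2, the new ct_commit_nat(snat) and ct_commit_nat(dnat) cases both expect zone=NXM_NX_REG13[0..15], the same encoding as the bare form, so nothing exercises the router branch of encode_CT_COMMIT_NAT where cn->dnat_zone selects MFF_LOG_DNAT_ZONE or MFF_LOG_SNAT_ZONE. A swapped ternary there would still pass these tests. Please add an encoding check that runs with ep->is_switch false and asserts that snat and dnat produce different zone registers.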
From: Ales Musil
To: dev@openvswitch.org
Cc: dceara@redhat.com
Date: Wed, 7 Feb 2024 17:35:55 +0100
Message-ID: <20240207163555.213086-3-amusil@redhat.com>
In-Reply-To: <20240207163555.213086-1-amusil@redhat.com>
References: <20240207163555.213086-1-amusil@redhat.com>
Subject: [ovs-dev] [PATCH ovn v5 2/2] northd: Explicitly handle SNAT for ICMP need frag.

Considering following topology:

    client - sw0 - lrp0 - lr - lrp1 - sw1 - server
    sw0 in subnet 192.168.0.0/24
    sw1 in subnet 172.168.0.0/24
    SNAT configured for client
    gateway_mtu=1400 configured for lrp0

If we send UDP traffic from client to server and server responds
with packet bigger than 1400 the following sequence will happen:

1) Packet is coming into lr via lrp1
2) unSNAT
3) Routing, the outport will be set to lrp0
4) Check for packet larger will fail
5) We will generate ICMP need frag

However, the last step is wrong from the server perspective. The ICMP
message will have IP source address = lrp1 IP address. Which means that
SNAT won't happen because the source is not within the sw0 subnet, but
the inner packet has sw0 subnet address, because it was unSNATted. This
results in server ignoring the ICMP message because server never sent
any packet to the sw0 subnet.

In order to prevent this issue perform SNAT for the ICMP packet.
Because the packet is related to already existing connection we just
need to perform ct_commit_nat(snat) action.

This is achieved with addition of the following flow for
"lr_in_larger_pkts" stage (the flow for IPv6 is the same in regard to
the addition):

    match=(inport == "INPORT" && outport == "OUTPORT" && ip4 &&
           REGBIT_PKT_LARGER && REGBIT_EGRESS_LOOPBACK == 0 &&
           ct.trk && ct.rpl && ct.dnat),
    action=(icmp4_error {flags.icmp_snat = 1;
            REGBIT_EGRESS_LOOPBACK = 1; REGBIT_PKT_LARGER = 0;
            eth.dst = ETH_DST; ip4.dst = ip4.src; ip4.src = IP_SRC;
            ip.ttl = 255;
            icmp4.type = 3; /* Destination Unreachable. */
            icmp4.code = 4; /* Frag Needed and DF was Set. */
            icmp4.frag_mtu = 1500;
            next(pipeline=ingress, table=0); };)

Also, add flow to "lr_out_post_snat" stage:

    match=(icmp && flags.icmp_snat == 1), action=(ct_commit_nat(snat);)

Partially revert 0e49f49c73d6 ("northd: Allow need frag to be SNATed")
which attempted to fix the same issue in a wrong way.

Also add feature flag for the updated ct_commit_nat action. In case
there is an update of northd to newer version before all controllers
are updated.

Fixes: 0e49f49c73d6 ("northd: Allow need frag to be SNATed")
Reported-at: https://issues.redhat.com/browse/FDP-134
Reported-at: https://issues.redhat.com/browse/FDP-159
Signed-off-by: Ales Musil
Acked-by: Dumitru Ceara
---
v5: Rebase on top of current main.
v4: Rebase on top of current main.
v3: Rebase on top of current main.
v2: Rebase on top of current main.
    Squash the 2/3 and 3/3 from previous version to single commit.
    Add ack from Dumitru.
---
 controller/chassis.c         |   8 ++
 include/ovn/features.h       |   1 +
 include/ovn/logical-fields.h |   3 +
 lib/logical-fields.c         |   4 +
 northd/en-global-config.c    |  10 ++
 northd/en-global-config.h    |   1 +
 northd/northd.c              | 189 +++++++++++++++++++----------------
 tests/ovn-northd.at          | 118 +++++++++++++++-------
 tests/ovn.at                 |   6 +-
 tests/system-ovn-kmod.at     |   3 +-
 10 files changed, 218 insertions(+), 125 deletions(-)

diff --git a/controller/chassis.c b/controller/chassis.c index 55f2beb37..ad75df288 100644 --- a/controller/chassis.c +++ b/controller/chassis.c
@@ -370,6 +370,7 @@ chassis_build_other_config(const struct ovs_chassis_cfg *ovs_cfg, smap_replace(config, OVN_FEATURE_CT_LB_RELATED, "true"); smap_replace(config, OVN_FEATURE_FDB_TIMESTAMP, "true"); smap_replace(config, OVN_FEATURE_LS_DPG_COLUMN, "true"); + smap_replace(config, OVN_FEATURE_CT_COMMIT_NAT_V2, "true"); } /* @@ -509,6 +510,12 @@ chassis_other_config_changed(const struct ovs_chassis_cfg *ovs_cfg, return true; } + if (!smap_get_bool(&chassis_rec->other_config, + OVN_FEATURE_CT_COMMIT_NAT_V2, + false)) { + return true; + } + return false; } @@ -640,6 +647,7 @@ update_supported_sset(struct sset *supported) sset_add(supported, OVN_FEATURE_CT_LB_RELATED); sset_add(supported, OVN_FEATURE_FDB_TIMESTAMP); sset_add(supported, OVN_FEATURE_LS_DPG_COLUMN); + sset_add(supported, OVN_FEATURE_CT_COMMIT_NAT_V2); } static void diff --git a/include/ovn/features.h b/include/ovn/features.h index 2c47ab766..08f1d8288 100644 --- a/include/ovn/features.h +++ b/include/ovn/features.h @@ -27,6 +27,7 @@ #define OVN_FEATURE_CT_LB_RELATED "ovn-ct-lb-related" #define OVN_FEATURE_FDB_TIMESTAMP "fdb-timestamp" #define OVN_FEATURE_LS_DPG_COLUMN "ls-dpg-column" +#define OVN_FEATURE_CT_COMMIT_NAT_V2 "ct-commit-nat-v2" /* OVS datapath supported features. Based on availability OVN might generate * different types of openflows. diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h index 8384222c8..ce79b501c 100644 --- a/include/ovn/logical-fields.h +++ b/include/ovn/logical-fields.h @@ -81,6 +81,7 @@ enum mff_log_flags_bits { MLF_USE_LB_AFF_SESSION_BIT = 14, MLF_LOCALNET_BIT = 15, MLF_RX_FROM_TUNNEL_BIT = 16, + MLF_ICMP_SNAT_BIT = 17, }; /* MFF_LOG_FLAGS_REG flag assignments */ @@ -134,6 +135,8 @@ enum mff_log_flags { /* Indicate the packet has been received from the tunnel. */ MLF_RX_FROM_TUNNEL = (1 << MLF_RX_FROM_TUNNEL_BIT), + + MLF_ICMP_SNAT = (1 << MLF_ICMP_SNAT_BIT), }; /* OVN logical fields 
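Review bot: MLF_ICMP_SNAT in enum mff_log_flags (include/ovn/logical-fields.h) is added without a comment, while the entry directly above it carries one ("Indicate the packet has been received from the tunnel."). Please add a one-line comment saying that the flag marks router-generated ICMP need frag errors that have to go through ct_commit_nat(snat), since the name alone does not tell a reader who sets the bit or where it is consumed.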
diff --git a/lib/logical-fields.c b/lib/logical-fields.c index 662c1ef0e..20219a67a 100644 --- a/lib/logical-fields.c +++ b/lib/logical-fields.c @@ -132,6 +132,10 @@ ovn_init_symtab(struct shash *symtab) snprintf(flags_str, sizeof flags_str, "flags[%d]", MLF_LOCALNET_BIT); expr_symtab_add_subfield(symtab, "flags.localnet", NULL, + flags_str); + snprintf(flags_str, sizeof flags_str, "flags[%d]", + MLF_ICMP_SNAT_BIT); + expr_symtab_add_subfield(symtab, "flags.icmp_snat", NULL, flags_str); snprintf(flags_str, sizeof flags_str, "flags[%d]", MLF_RX_FROM_TUNNEL_BIT); expr_symtab_add_subfield(symtab, "flags.tunnel_rx", NULL, flags_str); diff --git a/northd/en-global-config.c b/northd/en-global-config.c index 9ac5faf99..34e393b33 100644 --- a/northd/en-global-config.c +++ b/northd/en-global-config.c @@ -369,6 +369,7 @@ northd_enable_all_features(struct ed_type_global_config *data) .ct_lb_related = true, .fdb_timestamp = true, .ls_dpg_column = true, + .ct_commit_nat_v2 = true, }; } @@ -429,6 +430,15 @@ build_chassis_features(const struct sbrec_chassis_table *sbrec_chassis_table, chassis_features->ls_dpg_column) { chassis_features->ls_dpg_column = false; } + + bool ct_commit_nat_v2 = + smap_get_bool(&chassis->other_config, + OVN_FEATURE_CT_COMMIT_NAT_V2, + false); + if (!ct_commit_nat_v2 && + chassis_features->ct_commit_nat_v2) { + chassis_features->ct_commit_nat_v2 = false; + } } } diff --git a/northd/en-global-config.h b/northd/en-global-config.h index 436bc7fa3..38d732808 100644 --- a/northd/en-global-config.h +++ b/northd/en-global-config.h @@ -19,6 +19,7 @@ struct chassis_features { bool ct_lb_related; bool fdb_timestamp; bool ls_dpg_column; + bool ct_commit_nat_v2; }; struct global_config_tracked_data { diff --git a/northd/northd.c b/northd/northd.c index 01eec64ca..da1775326 100644 --- a/northd/northd.c +++ b/northd/northd.c 
@@ -13111,6 +13111,73 @@ build_arp_resolve_flows_for_lsp( } } +#define ICMP4_NEED_FRAG_FORMAT \ + "icmp4_error {" \ + "%s" \ + REGBIT_EGRESS_LOOPBACK" = 1; " \ + REGBIT_PKT_LARGER" = 0; " \ + "eth.dst = %s; " \ + "ip4.dst = ip4.src; " \ + "ip4.src = %s; " \ + "ip.ttl = 255; " \ + "icmp4.type = 3; /* Destination Unreachable. */ " \ + "icmp4.code = 4; /* Frag Needed and DF was Set. */ " \ + "icmp4.frag_mtu = %d; " \ + "next(pipeline=ingress, table=%d); };" \ + +#define ICMP6_NEED_FRAG_FORMAT \ + "icmp6_error {" \ + "%s" \ + REGBIT_EGRESS_LOOPBACK" = 1; " \ + REGBIT_PKT_LARGER" = 0; " \ + "eth.dst = %s; " \ + "ip6.dst = ip6.src; " \ + "ip6.src = %s; " \ + "ip.ttl = 255; " \ + "icmp6.type = 2; /* Packet Too Big. */ " \ + "icmp6.code = 0; " \ + "icmp6.frag_mtu = %d; " \ + "next(pipeline=ingress, table=%d); };" + +static void +create_icmp_need_frag_lflow(const struct ovn_port *op, int mtu, + struct ds *actions, struct ds *match, + const char *meter, struct lflow_table *lflows, + struct lflow_ref *lflow_ref, + enum ovn_stage stage, uint16_t priority, + bool is_ipv6, const char *extra_match, + const char *extra_action) +{ + if ((is_ipv6 && !op->lrp_networks.ipv6_addrs) || + (!is_ipv6 && !op->lrp_networks.ipv4_addrs)) { + return; + } + + const char *ip = is_ipv6 + ? op->lrp_networks.ipv6_addrs[0].addr_s + : op->lrp_networks.ipv4_addrs[0].addr_s; + size_t match_len = match->length; + + ds_put_format(match, " && ip%c && "REGBIT_PKT_LARGER + " && "REGBIT_EGRESS_LOOPBACK" == 0", is_ipv6 ? '6' : '4'); + + if (*extra_match) { + ds_put_format(match, " && %s", extra_match); + } + + ds_clear(actions); + ds_put_format(actions, + is_ipv6 ? 
ICMP6_NEED_FRAG_FORMAT : ICMP4_NEED_FRAG_FORMAT, + extra_action, op->lrp_networks.ea_s, ip, + mtu, ovn_stage_get_table(S_ROUTER_IN_ADMISSION)); + + ovn_lflow_add_with_hint__(lflows, op->od, stage, priority, + ds_cstr(match), ds_cstr(actions), + NULL, meter, &op->nbrp->header_, lflow_ref); + + ds_truncate(match, match_len); +} + static void build_icmperr_pkt_big_flows(struct ovn_port *op, int mtu, struct lflow_table *lflows, 
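Review bot: ICMP4_NEED_FRAG_FORMAT ends its last line, "next(pipeline=ingress, table=%d); };", with a trailing backslash, so the definition continues onto the blank line that follows and is correct only because that line is empty; ICMP6_NEED_FRAG_FORMAT does not have it. Please drop the backslash. Also, in create_icmp_need_frag_lflow, "if (*extra_match)" and the "%s" that consumes extra_action both require non-NULL strings. The callers pass "", but a short comment on the function or a NULL-tolerant check would keep a later caller from dereferencing NULL.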
@@ -13119,92 +13186,31 @@ build_icmperr_pkt_big_flows(struct ovn_port *op, int mtu, struct ovn_port *outport, struct lflow_ref *lflow_ref) { - char *outport_match = outport ? xasprintf("outport == %s && ", - outport->json_key) - : NULL; - - char *ip4_src = NULL; + const char *ipv4_meter = copp_meter_get(COPP_ICMP4_ERR, op->od->nbr->copp, + meter_groups); + const char *ipv6_meter = copp_meter_get(COPP_ICMP6_ERR, op->od->nbr->copp, + meter_groups); - if (outport && outport->lrp_networks.ipv4_addrs) { - ip4_src = outport->lrp_networks.ipv4_addrs[0].addr_s; - } else if (op->lrp_networks.ipv4_addrs) { - ip4_src = op->lrp_networks.ipv4_addrs[0].addr_s; - } - - if (ip4_src) { - ds_clear(match); - ds_put_format(match, "inport == %s && %sip4 && "REGBIT_PKT_LARGER - " && "REGBIT_EGRESS_LOOPBACK" == 0", op->json_key, - outport ? outport_match : ""); - - ds_clear(actions); - /* Set icmp4.frag_mtu to gw_mtu */ - ds_put_format(actions, - "icmp4_error {" - REGBIT_EGRESS_LOOPBACK" = 1; " - REGBIT_PKT_LARGER" = 0; " - "eth.dst = %s; " - "ip4.dst = ip4.src; " - "ip4.src = %s; " - "ip.ttl = 255; " - "icmp4.type = 3; /* Destination Unreachable. */ " - "icmp4.code = 4; /* Frag Needed and DF was Set. 
*/ " - "icmp4.frag_mtu = %d; " - "next(pipeline=ingress, table=%d); };", - op->lrp_networks.ea_s, ip4_src, mtu, - ovn_stage_get_table(S_ROUTER_IN_ADMISSION)); - ovn_lflow_add_with_hint__(lflows, op->od, stage, 150, - ds_cstr(match), ds_cstr(actions), - NULL, - copp_meter_get( - COPP_ICMP4_ERR, - op->od->nbr->copp, - meter_groups), - &op->nbrp->header_, - lflow_ref); - } + ds_clear(match); + ds_put_format(match, "inport == %s", op->json_key); - char *ip6_src = NULL; + if (outport) { + ds_put_format(match, " && outport == %s", outport->json_key); - if (outport && outport->lrp_networks.ipv6_addrs) { - ip6_src = outport->lrp_networks.ipv6_addrs[0].addr_s; - } else if (op->lrp_networks.ipv6_addrs) { - ip6_src = op->lrp_networks.ipv6_addrs[0].addr_s; + create_icmp_need_frag_lflow(op, mtu, actions, match, ipv4_meter, + lflows, lflow_ref, stage, 160, false, + "ct.trk && ct.rpl && ct.dnat", + "flags.icmp_snat = 1; "); + create_icmp_need_frag_lflow(op, mtu, actions, match, ipv6_meter, + lflows, lflow_ref, stage, 160, true, + "ct.trk && ct.rpl && ct.dnat", + "flags.icmp_snat = 1; "); } - if (ip6_src) { - ds_clear(match); - ds_put_format(match, "inport == %s && %sip6 && "REGBIT_PKT_LARGER - " && "REGBIT_EGRESS_LOOPBACK" == 0", op->json_key, - outport ? outport_match : ""); - - ds_clear(actions); - /* Set icmp6.frag_mtu to gw_mtu */ - ds_put_format(actions, - "icmp6_error {" - REGBIT_EGRESS_LOOPBACK" = 1; " - REGBIT_PKT_LARGER" = 0; " - "eth.dst = %s; " - "ip6.dst = ip6.src; " - "ip6.src = %s; " - "ip.ttl = 255; " - "icmp6.type = 2; /* Packet Too Big. 
*/ " - "icmp6.code = 0; " - "icmp6.frag_mtu = %d; " - "next(pipeline=ingress, table=%d); };", - op->lrp_networks.ea_s, ip6_src, mtu, - ovn_stage_get_table(S_ROUTER_IN_ADMISSION)); - ovn_lflow_add_with_hint__(lflows, op->od, stage, 150, - ds_cstr(match), ds_cstr(actions), - NULL, - copp_meter_get( - COPP_ICMP6_ERR, - op->od->nbr->copp, - meter_groups), - &op->nbrp->header_, - lflow_ref); - } - free(outport_match); + create_icmp_need_frag_lflow(op, mtu, actions, match, ipv4_meter, lflows, + lflow_ref, stage, 150, false, "", ""); + create_icmp_need_frag_lflow(op, mtu, actions, match, ipv6_meter, lflows, + lflow_ref, stage, 150, true, "", ""); } static void @@ -13212,9 +13218,9 @@ build_check_pkt_len_flows_for_lrp(struct ovn_port *op, struct lflow_table *lflows, const struct hmap *lr_ports, const struct shash *meter_groups, - struct ds *match, - struct ds *actions, - struct lflow_ref *lflow_ref) + struct ds *match, struct ds *actions, + struct lflow_ref *lflow_ref, + const struct chassis_features *features) { int gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0); if (gw_mtu <= 0) { @@ -13244,6 +13250,13 @@ build_check_pkt_len_flows_for_lrp(struct ovn_port *op, match, actions, S_ROUTER_IN_LARGER_PKTS, op, lflow_ref); } + + if (features->ct_commit_nat_v2) { + ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_OUT_POST_SNAT, 100, + "icmp && flags.icmp_snat == 1", + "ct_commit_nat(snat);", &op->nbrp->header_, + lflow_ref); + } } /* Local router ingress table CHK_PKT_LEN: Check packet length. @@ -13265,7 +13278,8 @@ build_check_pkt_len_flows_for_lrouter( const struct hmap *lr_ports, struct ds *match, struct ds *actions, const struct shash *meter_groups, - struct lflow_ref *lflow_ref) + struct lflow_ref *lflow_ref, + const struct chassis_features *features) { ovs_assert(od->nbr); 
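Review bot: Only the lr_out_post_snat flow added in build_check_pkt_len_flows_for_lrp is gated on features->ct_commit_nat_v2; the priority-160 flows that build_icmperr_pkt_big_flows adds with "flags.icmp_snat = 1; " are emitted whenever outport is set, and that function does not receive features. When a chassis has not advertised ct-commit-nat-v2, northd therefore still produces flows that set the flag but leaves out the flow that consumes it, and those flows reference flags.icmp_snat, a symbol this same patch adds to ovn_init_symtab. Please pass features down to build_icmperr_pkt_big_flows and add the priority-160 flows only when ct_commit_nat_v2 is true, so the mixed-version case falls back to the plain priority-150 flows.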
@@ -13282,7 +13296,7 @@ build_check_pkt_len_flows_for_lrouter( continue; } build_check_pkt_len_flows_for_lrp(rp, lflows, lr_ports, meter_groups, - match, actions, lflow_ref); + match, actions, lflow_ref, features); } } @@ -15639,7 +15653,8 @@ build_lswitch_and_lrouter_iterate_by_lr(struct ovn_datapath *od, build_arp_resolve_flows_for_lrouter(od, lsi->lflows, NULL); build_check_pkt_len_flows_for_lrouter(od, lsi->lflows, lsi->lr_ports, &lsi->match, &lsi->actions, - lsi->meter_groups, NULL); + lsi->meter_groups, NULL, + lsi->features); build_gateway_redirect_flows_for_lrouter(od, lsi->lflows, &lsi->match, &lsi->actions, NULL); build_arp_request_flows_for_lrouter(od, lsi->lflows, &lsi->match, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 151610dfd..591ad5aad 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -6225,7 +6225,8 @@ OVN_FOR_EACH_NORTHD_NO_HV([ AT_SETUP([ovn -- gateway mtu check pkt larger flows]) ovn_start -check ovn-sbctl chassis-add ch1 geneve 127.0.0.1 +check ovn-sbctl chassis-add ch1 geneve 127.0.0.1 --\ + set chassis ch1 other_config:ct-commit-nat-v2=true check ovn-nbctl ls-add sw0 check ovn-nbctl ls-add sw1 
@@ -6270,10 +6271,14 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | ovn_strip_lflo table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1514); next;) table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) ]) AT_CHECK([grep -E "lr_in_admission.*check_pkt_larger" lr0flows | ovn_strip_lflows], [0], [dnl @@ -6288,6 +6293,10 @@ AT_CHECK([grep -E "lr_in_ip_input.*icmp6_error" lr0flows | ovn_strip_lflows], [0 table=??(lr_in_ip_input ), priority=150 , match=(inport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) ]) +AT_CHECK([grep -E "lr_out_post_snat.*ct_commit_nat" lr0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_out_post_snat ), priority=100 , match=(icmp && flags.icmp_snat == 1), action=(ct_commit_nat(snat);) +]) + # Clear the gateway-chassis for lr0-public check ovn-nbctl --wait=sb clear logical_router_port lr0-public gateway_chassis 
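Review bot: the new AT_CHECK for lr_out_post_snat (hunk at -6288) normalises its output with `sed 's/table=../table=??/' | sort`, while the surrounding checks, and the same check added in the later hunks, pipe through ovn_strip_lflows. Use ovn_strip_lflows here as well so the table number is masked the same way everywhere and the check does not depend on the table index being exactly two characters wide.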
@@ -6301,10 +6310,14 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | ovn_strip_lflo table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1514); next;) table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) ]) AT_CHECK([grep -E "lr_in_admission.*check_pkt_larger" lr0flows | ovn_strip_lflows], [0], [dnl @@ -6319,6 +6332,10 @@ AT_CHECK([grep -E "lr_in_ip_input.*icmp6_error" lr0flows | ovn_strip_lflows], [0 table=??(lr_in_ip_input ), priority=150 , match=(inport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) ]) +AT_CHECK([grep -E "lr_out_post_snat.*ct_commit_nat" lr0flows | ovn_strip_lflows], [0], [dnl + table=??(lr_out_post_snat ), priority=100 , match=(icmp && flags.icmp_snat == 1), action=(ct_commit_nat(snat);) +]) + # Set gateway_mtu_bypass to avoid check_pkt_larger() for tcp on lr0-public. check ovn-nbctl --wait=sb set logical_router_port lr0-public options:gateway_mtu_bypass=tcp 
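Review bot: the expected lr_in_larger_pkts output (hunks at -6270 and -6301) changes more than the NAT case. The existing priority-150 flows for inport lr0-sw0 go from `ip4.src = 172.168.0.100` to `ip4.src = 10.0.0.1` (and to 20.0.0.1 for lr0-sw1), and the IPv6 source moves from fe80::200:20ff:fe20:1213 to fe80::200:ff:fe00:ff01, so the source of the ICMP error now appears to follow the inport rather than the outport for all oversized traffic, not only for replies on DNATed connections. If that is intended, say so in the commit message and the flow documentation, since it changes which address hosts see as the sender of Frag Needed and Packet Too Big.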
@@ -6330,10 +6347,14 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | ovn_strip_lflo table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1514); next;) table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-public" && (tcp)), action=(next;) table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. 
*/ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. 
*/ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. 
*/ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) ]) AT_CHECK([grep "lr_in_admission" lr0flows | grep -e "check_pkt_larger" -e "tcp" | ovn_strip_lflows], [0], [dnl 
@@ -6355,14 +6376,22 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | ovn_strip_lflo table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1414); next;) table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-public" && (tcp)), action=(next;) table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) ]) AT_CHECK([grep "lr_in_admission.*check_pkt_larger" lr0flows | ovn_strip_lflows], [0], [dnl @@ -6381,6 +6410,10 @@ AT_CHECK([grep -E "lr_in_ip_input.*icmp6_error" lr0flows | ovn_strip_lflows], [0 table=??(lr_in_ip_input ), priority=150 , match=(inport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) ]) +AT_CHECK([grep -E "lr_out_post_snat.*ct_commit_nat" lr0flows | ovn_strip_lflows], [0], [dnl + table=??(lr_out_post_snat ), priority=100 , match=(icmp && flags.icmp_snat == 1), action=(ct_commit_nat(snat);) +]) + # Set gateway_mtu_bypass to avoid check_pkt_larger() for tcp on lr0-sw0. check ovn-nbctl --wait=sb set logical_router_port lr0-sw0 options:gateway_mtu_bypass=tcp 
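Review bot: in the -6355 hunk every priority-150 lr_in_larger_pkts flow gains a priority-160 twin that differs only by `&& ct.trk && ct.rpl && ct.dnat` in the match and `flags.icmp_snat = 1` in the action, which takes this router from 8 to 16 flows in the stage, including the lr0-sw1 to lr0-sw0 pair. Is the twin needed for every inport/outport pair, or can it be limited to routers or ports where NAT is actually configured? A comment next to the code that builds the priority-160 match, explaining why reply-direction DNATed traffic is the case that needs the flag, would make the intent clear.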
@@ -6394,14 +6427,22 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | ovn_strip_lflo table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-public" && (tcp)), action=(next;) table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-sw0" && (tcp)), action=(next;) table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. 
*/ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) ]) AT_CHECK([grep "lr_in_admission" lr0flows | grep -e "check_pkt_larger" -e "tcp" | ovn_strip_lflows], [0], [dnl 
@@ -6420,16 +6461,19 @@ check ovn-nbctl --wait=sb clear logical_router_port lr0-public options ovn-sbctl dump-flows lr0 > lr0flows AT_CAPTURE_FILE([lr0flows]) -grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | ovn_strip_lflows AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | ovn_strip_lflows], [0], [dnl table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1414); next;) table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-sw0" && (tcp)), action=(next;) table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. 
*/ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. 
*/ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. 
*/ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=??); };) + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=??); };) ]) check ovn-nbctl --wait=sb clear logical_router_port lr0-sw0 options @@ -6462,6 +6506,12 @@ AT_CHECK([grep "lr_in_admission" lr0flows | grep -e "check_pkt_larger" | ovn_str table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); xreg0[[0..47]] = 00:00:20:20:12:13; next;) ]) +check ovn-sbctl set chassis ch1 other_config:ct-commit-nat-v2=false +check ovn-nbctl --wait=sb sync + +ovn-sbctl dump-flows lr0 > lr0flows +AT_CHECK([grep -E "lr_out_post_snat.*ct_commit_nat" lr0flows], [1]) + AT_CLEANUP ]) diff --git a/tests/ovn.at b/tests/ovn.at index f3f0264e5..958af5c42 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -20601,12 +20601,12 @@ test_ip_packet_larger() { expected=${expected}0000000000000000000000000000 echo $expected > br_phys_n1.expected else - src_ip=`ip_to_hex 172.168.0.100` + src_ip=`ip_to_hex 10 0 0 1` dst_ip=`ip_to_hex 10 0 0 3` # pkt len should be 146 (28 (icmp packet) + 118 (orig ip + payload)) reply_pkt_len=008e ip_csum=fc97 - icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe01c55f + icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe01686b icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf "%04x" $mtu) icmp_reply=${icmp_reply}4500${pkt_len}000000003f01c4dd icmp_reply=${icmp_reply}${orig_packet_l3} 
@@ -20698,7 +20698,7 @@ test_ip6_packet_larger() { local ipv6_src=10000000000000000000000000000003 local ipv6_dst=20000000000000000000000000000002 - local ipv6_rt=20000000000000000000000000000001 + local ipv6_rt=10000000000000000000000000000001 local payload=0000000000000000000000000000000000000000 local payload=${payload}0000000000000000000000000000000000000000 diff --git a/tests/system-ovn-kmod.at b/tests/system-ovn-kmod.at index 454dacd73..14fe4ecec 100644 --- a/tests/system-ovn-kmod.at +++ b/tests/system-ovn-kmod.at @@ -977,7 +977,7 @@ dnl check ovn-nbctl lr-lb-add lr lb1 check ovn-nbctl set logical_router lr options:chassis=hv1 check ovn-nbctl set logical_router_port lr-internal options:gateway_mtu=800 -check ovn-nbctl lr-nat-add lr snat 192.168.1.1 172.16.1.2/24 +check ovn-nbctl lr-nat-add lr snat 192.168.1.1 172.16.1.2 check ovn-nbctl --wait=hv sync @@ -1032,6 +1032,7 @@ NS_CHECK_EXEC([client], [$PYTHON3 ./client.py]) dnl Expecting 2 outgoing packets and 2 fragments back - 8 lines total. OVS_WAIT_UNTIL([test "$(cat client.tcpdump | wc -l)" = "8"]) +AT_CHECK([test $(grep -c "need to frag (mtu 800)" server.tcpdump) -eq 1]) ovn-appctl -t ovn-controller vlog/set info
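Review bot: in the tests/ovn-northd.at hunks at -6394 and -6420, the priority-150 lr_in_larger_pkts expectations switch ip4.src/ip6.src from the outport's address to the inport's, and nothing in the test says so. For inport "lr0-sw0" and outport "lr0-public", 172.168.0.100 becomes 10.0.0.1 and fe80::200:20ff:fe20:1213 becomes fe80::200:ff:fe00:ff01. This changes the source of every Frag Needed / Packet Too Big error, not only the NATed-reply case that the new priority-160 flows (ct.trk && ct.rpl && ct.dnat, flags.icmp_snat = 1) handle. A short comment above the AT_CHECK stating that the error is now sourced from the ingress port, and why the 160 variant needs the extra flag, would make these sixteen expected lines reviewable without diffing addresses by eye.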
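Review bot: in the tests/ovn-northd.at hunk at -6462, the negative check after setting other_config:ct-commit-nat-v2=false covers only half of the feature. It asserts that the lr_out_post_snat ct_commit_nat flow is absent, but not that the flows setting flags.icmp_snat = 1 are withdrawn with it. If northd kept emitting those, the flag would be set with no flow left to consume it and this test would still pass. Adding AT_CHECK([grep "flags.icmp_snat" lr0flows], [1]) next to the existing grep closes that gap. It would also help to switch the option back to true and re-check that the flow returns, so the test proves the flow follows the chassis capability in both directions.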
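Review bot: in the test_ip_packet_larger hunk of tests/ovn.at, the IPv4 header checksum is a literal at the end of the icmp_reply line (c55f becoming 686b) that has to be recomputed by hand whenever src_ip changes. The new value is correct for 10.0.0.1 to 10.0.0.3 with total length 0x008e and TTL 0xfe, but nothing ties it to src_ip. A one-line comment naming the fields it covers, or a variable defined beside src_ip, would keep the next address change from silently producing a packet that never matches. Separately, ip_csum=fc97 is emitted right after the type/code bytes 0304, so it is the ICMP checksum; a name such as icmp_csum would stop the two checksums being confused.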
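Review bot: in the last tests/system-ovn-kmod.at hunk, the added AT_CHECK([test $(grep -c "need to frag (mtu 800)" server.tcpdump) -eq 1]) runs once, straight after an OVS_WAIT_UNTIL that waits only on client.tcpdump. If tcpdump has not yet flushed server.tcpdump, the count is 0 and the test fails intermittently. Use OVS_WAIT_UNTIL for this condition as well, and quote the command substitution as the line above does ("$(...)"), so that a missing file yields a clean comparison failure instead of a malformed test expression. It is also worth stating in the dnl comment why exactly one "need to frag" is expected on the server side, since the existing comment only explains the 8 lines on the client.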