[ovs-build] Passed: ovsrobot/ovn#498 (series_166891 - 194a6a9)

Travis CI builds at travis-ci.com
Thu Mar 26 18:01:15 UTC 2020

Build Update for ovsrobot/ovn

Build: #498
Status: Passed

Duration: 18 mins and 16 secs
Commit: 194a6a9 (series_166891)
Author: Numan Siddique
Message: ovn-northd: Skip unsnat flows for load balancer vips in router ingress pipeline

Suppose there is below NAT entry with external_ip =

nat <UUID>
    external ip: ""
    logical ip: ""
    type: "snat"

And a load balancer with the VIP -

_uuid               : <UUID>
external_ids        : {}
name                : lb1
protocol            : tcp
vips                : {""=""}

And if these are associated to a gateway logical router

Then we will see the below lflows in the router pipeline

table=5 (lr_in_unsnat       ), priority=90   , match=(ip && ip4.dst ==, action=(ct_snat;)
table=6 (lr_in_dnat         ), priority=120  , match=(ct.new && ip && ip4.dst == && tcp && tcp.dst == 8080), action=(ct_lb(;)
table=6 (lr_in_dnat         ), priority=120  , match=(ct.est && ip && ip4.dst == && tcp && tcp.dst == 8080), action=(ct_dnat;)

When a new connection packet destined for the lb vip and tcp.dst = 8080
is received, the ct.new flow in the lr_in_dnat is hit and the packet's ip4.dst is
dnatted to in the dnat conntrack zone.

But for the subsequent packet destined to the vip, the ct.est lflow in the lr_in_dnat
stage doesn't get hit. In this case, the packet first hits the lr_in_unsnat pri 90 flow
as mentioned above with the action ct_snat. Even though ct_snat should have no effect,
looks like it is resetting the ct flags.

In the case of tcp, the ct.new flow is hit instead of ct.est. In the case of sctp, neither of the above
lflows in lr_in_dnat stage hit.

This needs to be investigated further. But we can avoid this scenario in OVN
by adding the below lflow.

table=5 (lr_in_unsnat       ), priority=120  , match=(ip4 && ip4.dst == && tcp.dst == 8080), action=(next;)

This patch adds the above lflow if the lb vip also has an entry in the NAT table.

This patch is also required to support sctp load balancers in OVN.

Reported-by: Tim Rozet <trozet at redhat.com>
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1815217
Signed-off-by: Numan Siddique <numans at ovn.org>
Signed-off-by: 0-day Robot <robot at bytheb.org>

View the changeset: https://github.com/ovsrobot/ovn/commit/194a6a9e6cd4

View the full build log and details: https://travis-ci.com/github/ovsrobot/ovn/builds/155599177?utm_medium=notification&utm_source=email

