[ovs-dev] OpenFlow rule deletion during port destroy

Justin Pettit jpettit at nicira.com
Wed Apr 16 17:00:04 UTC 2014


On April 16, 2014 at 9:00:15 AM, Zoltan Kiss (zoltan.kiss at citrix.com) wrote:

> To elaborate a bit more: now I figured out that normally the controller
> should take care of removing OpenFlow rules when the port is deleted. I
> thought ovs-vswitchd checks the tables for any reference to the deleted
> port, but it seems it doesn't.

Your current understanding of the behavior is correct.

> My actual problem is that an important rule gets deleted:
>  
> cookie=0x0, duration=1581.083s, table=0, n_packets=52804,
> n_bytes=88968151, idle_age=0, priority=0,in_port=ANY actions=NORMAL
>
> ...
>  
> There is no sign the controller did anything about deleting those rules,
> but somehow it still happened. Does anyone know
> Unfortunately it is hard to reproduce the problem, it is only
> intermittent in one of our testcases.

I'm not sure that it's related, but it sounds similar to bug NIC-512 that I filed with Citrix over a year ago.  Here's the relevant part:

-=-=-=-=-=-=-=-=-
A new script called "setup-vif-rules" in "/opt/xensource/libexec" appears to have been added to Tampa that modifies the OVS flow table. The intention is to introduce security policies on VIFs. It attempts to get the OpenFlow port number from the database, but when it hasn't been set yet, the value is -1. This gets translated to 65535 (the NONE port) by ovs-ofctl, which then deletes flows with that set as the ingress port and connectivity to the hypervisor may be lost.

When run with DVS, this bug can lead to all traffic to and from the hypervisor being blackholed due to a flow from the PIF bridge disappearing. DVS configures a flow that matches the local port and resubmits to NONE. There is no flow that matches port NONE, so traffic is blackholed.
-=-=-=-=-=-=-=-=-

The NONE port maps to the ANY port, so I wonder if you're running into the same problem.  The issue was last updated on 24 January 2013 that it would be looked at.  I don't think there was ever any follow-up.

I did commit a change that should lessen the impact:

  http://openvswitch.org/cgi-bin/gitweb.cgi?p=openvswitch;a=commitdiff;h=05dddba 

But I don't know what version you're running or if new integration scripts that modify the flow table have been introduced.

In any case, it may be an avenue worth exploring.

--Justin
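The failure mode described in the NIC-512 excerpt above is an unset port number (-1 in the database) reaching ovs-ofctl, where it becomes 65535/NONE and the resulting del-flows removes the catch-all in_port=ANY flow. The following is an added example, not code from this thread or from the XenServer setup-vif-rules script: a POSIX sh guard that refuses to issue a deletion until the port number is a real OpenFlow 1.0 port. The wrapper name, the xenbr0 bridge and the OVS_OFCTL override are assumptions for illustration; the 1..65280 range is OpenFlow 1.0's physical-port range (OFPP_MAX is 0xff00).

```shell
#!/bin/sh
# Added example (not from the thread or from setup-vif-rules): validate an
# OpenFlow port number before using it as an in_port match in del-flows, so
# that an unset value (-1, which ovs-ofctl renders as 65535 / OFPP_NONE) can
# never turn into a deletion of the priority=0 in_port=ANY actions=NORMAL flow.

# Returns 0 if $1 is a usable OpenFlow 1.0 physical port number (1..0xff00).
# Empty strings, non-numeric values such as "-1", 0, and the reserved range
# from 0xff01 up to 0xffff (OFPP_NONE) are all rejected.
ofport_is_valid() {
    port="$1"
    case "$port" in
        ''|*[!0-9]*) return 1 ;;   # empty, negative, or any non-digit
    esac
    [ "$port" -ge 1 ] && [ "$port" -le 65280 ]
}

# Hypothetical wrapper around "ovs-ofctl del-flows <bridge> in_port=<port>".
# OVS_OFCTL may be overridden (e.g. to "true") so the guard can be exercised
# on a host without Open vSwitch installed.
safe_del_vif_flows() {
    bridge="$1"
    port="$2"
    if ! ofport_is_valid "$port"; then
        echo "refusing del-flows on $bridge: ofport '$port' is not set yet" >&2
        return 2
    fi
    "${OVS_OFCTL:-ovs-ofctl}" del-flows "$bridge" "in_port=$port"
}
```

A script that calls safe_del_vif_flows from the VIF teardown path fails closed (exit status 2, flows untouched) when the port number is still -1, instead of silently deleting unrelated flows.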
