[ovs-dev] OVN ACLs and DHCP

Russell Bryant rbryant at redhat.com
Thu Nov 5 18:37:10 UTC 2015


On 11/04/2015 03:52 PM, Russell Bryant wrote:
> I mentioned before that I had some trouble getting DHCP working with OVN
> ACLs enabled.  I think I have finally gotten to the bottom of it.
> 
> My first workaround was a brute force patch to bypass conntrack if the
> packet was a DHCP request or response.  That worked, but I wasn't able
> to explain why it was needed.
> 
> It turns out I was looking in the wrong place.  I thought it had to do
> with conntrack marking the odd looking DHCP requests as invalid.  I was
> actually getting confused by a bunch of IPv6 traffic getting marked as
> invalid.  It seems IPv6 neighbor discovery stuff is what's being marked
> invalid (at least that's my guess of what those packets are).  Once I
> filtered all IPv6 out earlier in the flows, I got a clearer picture of
> what was happening.  I'll have to revisit IPv6 later.
> 
> Here's the broadcast flow in table 33 (the beginning of the logical
> egress pipeline) on my test environment.
> 
> table=33, n_packets=1304, n_bytes=150792,
> priority=100,reg7=0xffff,metadata=0x1
> actions=set_field:0x2->reg5,set_field:0x2->reg7,resubmit(,34),set_field:0x1->reg5,set_field:0x1->reg7,resubmit(,34),set_field:0x3->reg5,set_field:0x3->reg7,resubmit(,34),set_field:0x4->reg5,set_field:0x4->reg7,resubmit(,34),set_field:0xffff->reg7
> 
> So, we should see the packet resubmitted to table 34 for each logical
> port on the network the DHCP request was broadcast to.  The problem is
> that it only hits table 34 once, for the first logical port, which is
> *not* the DHCP server.  In fact, this would probably explain why I've
> seen inconsistent behavior, since the DHCP server could be listed first
> sometimes.  I only see this problem when the ct() action is being used,
> so my guess is that this action causes the context to be lost:
> 
> table=48, n_packets=2, n_bytes=660, priority=100,ip,metadata=0x1
> actions=ct(table=49,zone=NXM_NX_REG5[0..15])
> 
> Does this seem plausible?  If so, would you consider that a bug in the
> ct() action?
> 

Something I noticed after posting this message is that I have this in
dmesg several times:

> [ 8696.723763] openvswitch: ovs-system: deferred action limit reached, drop recirc action

Also, here's the full flow table from the above for reference:

> OFPST_FLOW reply (OF1.3) (xid=0x2):
>  table=0, n_packets=128, n_bytes=15789, priority=100,in_port=1 actions=set_field:0x1->reg5,set_field:0x1->metadata,set_field:0x1->reg6,resubmit(,16)
>  table=0, n_packets=30, n_bytes=2040, priority=100,in_port=2 actions=set_field:0x2->reg5,set_field:0x1->metadata,set_field:0x2->reg6,resubmit(,16)
>  table=0, n_packets=2383, n_bytes=262146, priority=100,in_port=3 actions=set_field:0x3->reg5,set_field:0x1->metadata,set_field:0x3->reg6,resubmit(,16)
>  table=0, n_packets=8, n_bytes=1128, priority=100,in_port=21 actions=set_field:0x4->reg5,set_field:0x1->metadata,set_field:0x4->reg6,resubmit(,16)
>  table=16, n_packets=0, n_bytes=0, priority=100,metadata=0x1,vlan_tci=0x1000/0x1000 actions=drop
>  table=16, n_packets=0, n_bytes=0, priority=100,metadata=0x3,vlan_tci=0x1000/0x1000 actions=drop
>  table=16, n_packets=0, n_bytes=0, priority=100,metadata=0x1,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
>  table=16, n_packets=0, n_bytes=0, priority=100,metadata=0x3,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
>  table=16, n_packets=128, n_bytes=15789, priority=50,reg6=0x1,metadata=0x1,dl_src=fa:16:3e:ea:92:b1 actions=resubmit(,17)
>  table=16, n_packets=30, n_bytes=2040, priority=50,reg6=0x2,metadata=0x1,dl_src=fa:16:3e:0a:a0:ca actions=resubmit(,17)
>  table=16, n_packets=0, n_bytes=0, priority=50,reg6=0x1,metadata=0x3,dl_src=fa:16:3e:e4:36:b6 actions=resubmit(,17)
>  table=16, n_packets=2383, n_bytes=262146, priority=50,reg6=0x3,metadata=0x1,dl_src=fa:16:3e:0d:cf:ea actions=resubmit(,17)
>  table=16, n_packets=8, n_bytes=1128, priority=50,reg6=0x4,metadata=0x1,dl_src=fa:16:3e:b0:f9:f9 actions=resubmit(,17)
>  table=17, n_packets=2, n_bytes=660, priority=100,ip,metadata=0x1 actions=ct(table=18,zone=NXM_NX_REG5[0..15])
>  table=17, n_packets=0, n_bytes=0, priority=100,ipv6,metadata=0x1 actions=ct(table=18,zone=NXM_NX_REG5[0..15])
>  table=17, n_packets=19, n_bytes=1898, priority=200,ipv6,metadata=0x1 actions=drop
>  table=17, n_packets=1345, n_bytes=141210, priority=0,metadata=0x1 actions=resubmit(,18)
>  table=17, n_packets=0, n_bytes=0, priority=0,metadata=0x3 actions=resubmit(,18)
>  table=18, n_packets=0, n_bytes=0, priority=65534,ct_state=+inv+trk,metadata=0x1 actions=drop
>  table=18, n_packets=0, n_bytes=0, priority=65534,ct_state=-new+est-rel-inv+trk,metadata=0x1 actions=resubmit(,19)
>  table=18, n_packets=0, n_bytes=0, priority=65534,ct_state=-new-est+rel-inv+trk,metadata=0x1 actions=resubmit(,19)
>  table=18, n_packets=0, n_bytes=0, priority=2002,ct_state=+new+trk,ipv6,reg6=0x4,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,19)
>  table=18, n_packets=2, n_bytes=660, priority=2002,ct_state=+new+trk,ip,reg6=0x4,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,19)
>  table=18, n_packets=0, n_bytes=0, priority=2001,ip,reg6=0x4,metadata=0x1 actions=drop
>  table=18, n_packets=0, n_bytes=0, priority=2001,ipv6,reg6=0x4,metadata=0x1 actions=drop
>  table=18, n_packets=0, n_bytes=0, priority=1,ipv6,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,19)
>  table=18, n_packets=0, n_bytes=0, priority=1,ip,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,19)
>  table=18, n_packets=1344, n_bytes=141100, priority=0,metadata=0x1 actions=resubmit(,19)
>  table=18, n_packets=0, n_bytes=0, priority=0,metadata=0x3 actions=resubmit(,19)
>  table=19, n_packets=1304, n_bytes=150792, priority=100,metadata=0x1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=set_field:0xffff->reg7,resubmit(,32)
>  table=19, n_packets=0, n_bytes=0, priority=100,metadata=0x3,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=set_field:0xffff->reg7,resubmit(,32)
>  table=19, n_packets=41, n_bytes=3270, priority=50,metadata=0x1,dl_dst=fa:16:3e:ea:92:b1 actions=set_field:0x1->reg7,resubmit(,32)
>  table=19, n_packets=11, n_bytes=798, priority=50,metadata=0x1,dl_dst=fa:16:3e:0a:a0:ca actions=set_field:0x2->reg7,resubmit(,32)
>  table=19, n_packets=0, n_bytes=0, priority=50,metadata=0x3,dl_dst=fa:16:3e:e4:36:b6 actions=set_field:0x1->reg7,resubmit(,32)
>  table=19, n_packets=0, n_bytes=0, priority=50,metadata=0x1,dl_dst=fa:16:3e:0d:cf:ea actions=set_field:0x3->reg7,resubmit(,32)
>  table=19, n_packets=0, n_bytes=0, priority=50,metadata=0x1,dl_dst=fa:16:3e:b0:f9:f9 actions=set_field:0x4->reg7,resubmit(,32)
>  table=32, n_packets=1492, n_bytes=170973, priority=0 actions=resubmit(,33)
>  table=33, n_packets=41, n_bytes=3270, priority=100,reg7=0x1,metadata=0x1 actions=set_field:0x1->reg5,resubmit(,34)
>  table=33, n_packets=11, n_bytes=798, priority=100,reg7=0x2,metadata=0x1 actions=set_field:0x2->reg5,resubmit(,34)
>  table=33, n_packets=0, n_bytes=0, priority=100,reg7=0x3,metadata=0x1 actions=set_field:0x3->reg5,resubmit(,34)
>  table=33, n_packets=1304, n_bytes=150792, priority=100,reg7=0xffff,metadata=0x1 actions=set_field:0x2->reg5,set_field:0x2->reg7,resubmit(,34),set_field:0x1->reg5,set_field:0x1->reg7,resubmit(,34),set_field:0x3->reg5,set_field:0x3->reg7,resubmit(,34),set_field:0x4->reg5,set_field:0x4->reg7,resubmit(,34),set_field:0xffff->reg7
>  table=33, n_packets=0, n_bytes=0, priority=100,reg7=0x4,metadata=0x1 actions=set_field:0x4->reg5,resubmit(,34)
>  table=34, n_packets=9, n_bytes=726, priority=100,reg6=0x1,reg7=0x1,metadata=0x1 actions=drop
>  table=34, n_packets=10, n_bytes=864, priority=100,reg6=0x2,reg7=0x2,metadata=0x1 actions=drop
>  table=34, n_packets=1234, n_bytes=135756, priority=100,reg6=0x3,reg7=0x3,metadata=0x1 actions=drop
>  table=34, n_packets=0, n_bytes=0, priority=100,reg6=0x4,reg7=0x4,metadata=0x1 actions=drop
>  table=34, n_packets=2798, n_bytes=325201, priority=0 actions=set_field:0->reg0,set_field:0->reg1,set_field:0->reg2,set_field:0->reg3,set_field:0->reg4,resubmit(,48)
>  table=48, n_packets=0, n_bytes=0, priority=100,ipv6,metadata=0x1 actions=ct(table=49,zone=NXM_NX_REG5[0..15])
>  table=48, n_packets=2, n_bytes=660, priority=100,ip,metadata=0x1 actions=ct(table=49,zone=NXM_NX_REG5[0..15])
>  table=48, n_packets=2594, n_bytes=277348, priority=0,metadata=0x1 actions=resubmit(,49)
>  table=48, n_packets=0, n_bytes=0, priority=0,metadata=0x3 actions=resubmit(,49)
>  table=49, n_packets=0, n_bytes=0, priority=65534,ct_state=-new-est+rel-inv+trk,metadata=0x1 actions=resubmit(,50)
>  table=49, n_packets=0, n_bytes=0, priority=65534,ct_state=-new+est-rel-inv+trk,metadata=0x1 actions=resubmit(,50)
>  table=49, n_packets=0, n_bytes=0, priority=65534,ct_state=+inv+trk,metadata=0x1 actions=drop
>  table=49, n_packets=0, n_bytes=0, priority=2002,ct_state=+new+trk,tcp,reg7=0x4,metadata=0x1,tp_dst=22 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
>  table=49, n_packets=0, n_bytes=0, priority=2002,ct_state=+new+trk,icmp,reg7=0x4,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
>  table=49, n_packets=0, n_bytes=0, priority=2002,udp,reg7=0x4,metadata=0x1,nw_src=10.0.0.0/24,tp_src=67,tp_dst=68 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
>  table=49, n_packets=0, n_bytes=0, priority=2001,ip,reg7=0x4,metadata=0x1 actions=drop
>  table=49, n_packets=0, n_bytes=0, priority=2001,ipv6,reg7=0x4,metadata=0x1 actions=drop
>  table=49, n_packets=2, n_bytes=660, priority=1,ip,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
>  table=49, n_packets=0, n_bytes=0, priority=1,ipv6,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
>  table=49, n_packets=2594, n_bytes=277348, priority=0,metadata=0x1 actions=resubmit(,50)
>  table=49, n_packets=0, n_bytes=0, priority=0,metadata=0x3 actions=resubmit(,50)
>  table=50, n_packets=2610, n_bytes=305020, priority=100,metadata=0x1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,64)
>  table=50, n_packets=0, n_bytes=0, priority=100,metadata=0x3,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,64)
>  table=50, n_packets=41, n_bytes=3270, priority=50,reg7=0x1,metadata=0x1,dl_dst=fa:16:3e:ea:92:b1 actions=resubmit(,64)
>  table=50, n_packets=11, n_bytes=798, priority=50,reg7=0x2,metadata=0x1,dl_dst=fa:16:3e:0a:a0:ca actions=resubmit(,64)
>  table=50, n_packets=0, n_bytes=0, priority=50,reg7=0x1,metadata=0x3,dl_dst=fa:16:3e:e4:36:b6 actions=resubmit(,64)
>  table=50, n_packets=0, n_bytes=0, priority=50,reg7=0x3,metadata=0x1,dl_dst=fa:16:3e:0d:cf:ea actions=resubmit(,64)
>  table=50, n_packets=0, n_bytes=0, priority=50,reg7=0x4,metadata=0x1,dl_dst=fa:16:3e:b0:f9:f9 actions=resubmit(,64)
>  table=64, n_packets=1324, n_bytes=149376, priority=100,reg7=0x1,metadata=0x1 actions=output:1
>  table=64, n_packets=1298, n_bytes=150148, priority=100,reg7=0x2,metadata=0x1 actions=output:2
>  table=64, n_packets=40, n_bytes=9564, priority=100,reg7=0x3,metadata=0x1 actions=output:3
>  table=64, n_packets=0, n_bytes=0, priority=100,reg7=0x4,metadata=0x1 actions=output:21


-- 
Russell Bryant
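
The fan-out in the table 33 multicast flow and the ct(table=...) in table 48 that follows each clone are the two pieces that interact here. The script below is an added example, not code from this thread or from the OVN/OVS projects: it parses `ovs-ofctl dump-flows` output in the format posted above, finds the reg7=0xffff multicast flow, counts its resubmit(,34) clones, follows resubmit and ct(table=N) edges from the clone table, and reports which reachable tables carry a ct() with table=, i.e. a conntrack lookup that recirculates. It then estimates one deferred recirc per clone and compares that against a deferred-action limit, which is an assumed parameter (default 10) rather than a value the message states; the reachability is an over-approximation because it follows every flow in a table, not only the one a given packet would match. The embedded dump is a constructed subset of the flow table quoted above.

```python
"""Estimate deferred recirculations behind an OVN broadcast flow (added example)."""
from __future__ import annotations

import re
from collections import deque
from dataclasses import dataclass

# Assumption: depth of the kernel datapath's deferred-action FIFO.  Adjust to
# match the kernel you run; the thread does not state this number.
DEFERRED_ACTION_LIMIT = 10

# Constructed sample: a subset of the flow dump quoted in the message above.
SAMPLE_DUMP = """\
OFPST_FLOW reply (OF1.3) (xid=0x2):
 table=33, n_packets=1304, n_bytes=150792, priority=100,reg7=0xffff,metadata=0x1 actions=set_field:0x2->reg5,set_field:0x2->reg7,resubmit(,34),set_field:0x1->reg5,set_field:0x1->reg7,resubmit(,34),set_field:0x3->reg5,set_field:0x3->reg7,resubmit(,34),set_field:0x4->reg5,set_field:0x4->reg7,resubmit(,34),set_field:0xffff->reg7
 table=34, n_packets=9, n_bytes=726, priority=100,reg6=0x1,reg7=0x1,metadata=0x1 actions=drop
 table=34, n_packets=2798, n_bytes=325201, priority=0 actions=set_field:0->reg0,set_field:0->reg1,set_field:0->reg2,set_field:0->reg3,set_field:0->reg4,resubmit(,48)
 table=48, n_packets=2, n_bytes=660, priority=100,ip,metadata=0x1 actions=ct(table=49,zone=NXM_NX_REG5[0..15])
 table=48, n_packets=2594, n_bytes=277348, priority=0,metadata=0x1 actions=resubmit(,49)
 table=49, n_packets=2, n_bytes=660, priority=1,ip,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
 table=49, n_packets=2594, n_bytes=277348, priority=0,metadata=0x1 actions=resubmit(,50)
 table=50, n_packets=2610, n_bytes=305020, priority=100,metadata=0x1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,64)
 table=64, n_packets=1324, n_bytes=149376, priority=100,reg7=0x1,metadata=0x1 actions=output:1
"""

FLOW_RE = re.compile(r"^\s*table=(\d+),.*?priority=(\d+)(?:,(\S*))?\s+actions=(.*)$")
RESUBMIT_RE = re.compile(r"^resubmit\([^,)]*,\s*(\d+)\)$")
CT_RECIRC_RE = re.compile(r"^ct\(.*\btable=(\d+).*\)$")


@dataclass(frozen=True)
class Flow:
    table: int
    priority: int
    match: str
    actions: str


@dataclass(frozen=True)
class Report:
    fanout: int               # clones the multicast flow resubmits
    recirc_tables: list[int]  # reachable tables holding a ct(table=...) action
    deferred_recircs: int     # one deferred recirc per clone that can hit ct()
    exceeds_limit: bool


def parse_flows(dump: str) -> list[Flow]:
    """Parse `ovs-ofctl dump-flows` lines; non-flow lines are ignored."""
    flows = []
    for line in dump.splitlines():
        m = FLOW_RE.match(line)
        if m:
            flows.append(Flow(int(m[1]), int(m[2]), m[3] or "", m[4]))
    return flows


def split_actions(actions: str) -> list[str]:
    """Split on top-level commas only, so ct(table=49,zone=...) stays one action."""
    parts, cur, depth = [], [], 0
    for ch in actions:
        depth += ch in "(["
        depth -= ch in ")]"
        if ch == "," and depth == 0:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if cur:
        parts.append("".join(cur))
    return parts


def next_tables(flow: Flow) -> list[int]:
    """Tables a packet can continue in: resubmit(,N) and ct(table=N)."""
    out = []
    for act in split_actions(flow.actions):
        m = RESUBMIT_RE.match(act) or CT_RECIRC_RE.match(act)
        if m:
            out.append(int(m[1]))
    return out


def reachable_tables(flows: list[Flow], start: int) -> set[int]:
    """Over-approximation: follows every flow in a table, not just the one matched."""
    seen, todo = set(), deque([start])
    while todo:
        t = todo.popleft()
        if t in seen:
            continue
        seen.add(t)
        for f in flows:
            if f.table == t:
                todo.extend(next_tables(f))
    return seen


def analyse(dump: str, mcast_table: int = 33, mcast_key: str = "reg7=0xffff",
            limit: int = DEFERRED_ACTION_LIMIT) -> Report:
    flows = parse_flows(dump)
    mcast = [f for f in flows
             if f.table == mcast_table and mcast_key in f.match.split(",")]
    if not mcast:
        raise LookupError(f"no {mcast_key} flow in table {mcast_table}")
    clones = [int(m[1]) for a in split_actions(mcast[0].actions)
              if (m := RESUBMIT_RE.match(a))]
    reach: set[int] = set()
    for t in set(clones):
        reach |= reachable_tables(flows, t)
    recirc = sorted({f.table for f in flows if f.table in reach
                     and any(CT_RECIRC_RE.match(a) for a in split_actions(f.actions))})
    deferred = len(clones) if recirc else 0
    return Report(len(clones), recirc, deferred, deferred > limit)


if __name__ == "__main__":
    r = analyse(SAMPLE_DUMP)
    print(f"fan-out {r.fanout}, ct recirculation in tables {r.recirc_tables}, "
          f"~{r.deferred_recircs} deferred recircs per broadcast, "
          f"{'EXCEEDS' if r.exceeds_limit else 'within'} limit {DEFERRED_ACTION_LIMIT}")
```

On the sample it reports a fan-out of 4 with recirculation in table 48, so every broadcast clone is a candidate for a deferred recirc; feed it the output of `ovs-ofctl -O OpenFlow13 dump-flows br-int` on a host whose dmesg shows "deferred action limit reached" to see how the port count on the logical switch compares with the limit.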