[ovs-dev] [PATCH v2 3/3] OVN: add protocol unreachable support to OVN router ports

Daniel Alvarez Sanchez dalvarez at redhat.com
Fri Jun 29 10:15:14 UTC 2018


Hi all,

We are hitting issues with this patch on OpenStack CI in this particular
test [0].
The scenario is one VM trying to ping the router interface; replies are
sent by the router interface but never reach the instance, as the last
NAT action doesn't happen. Stopping northd and manually deleting the
Logical Flows inserted by this patch fixed the issue.

The VM with IP 10.0.0.9 is trying to ping 172.24.4.1. The router
interface for this network is 172.24.4.12 and the router interface for
the LS of the VM is 10.0.0.1.
Deleting the following lflows solved the issue:

_uuid               : 82dd40a7-1ff9-4676-b450-7b5dfdb2fb3a
actions             : "icmp4 {eth.dst <-> eth.src; ip4.dst <-> ip4.src; ip.ttl = 255; icmp4.type = 3; icmp4.code = 2; next; };"
external_ids        : {source="ovn-northd.c:5185", stage-name=lr_in_ip_input}
logical_datapath    : 3b6be958-290c-4479-9864-007dd89bb056
match               : "ip4 && ip4.dst == 10.0.0.1 && !ip.later_frag"
pipeline            : ingress
priority            : 70
table_id            : 1
hash                : 0

_uuid               : c276a38d-f49c-4e8b-a005-25e92a17ba03
actions             : "icmp4 {eth.dst <-> eth.src; ip4.dst <-> ip4.src; ip.ttl = 255; icmp4.type = 3; icmp4.code = 2; next; };"
external_ids        : {source="ovn-northd.c:5185", stage-name=lr_in_ip_input}
logical_datapath    : 4908c283-fffd-42bc-80ef-86ed63e50b53
match               : "ip4 && ip4.dst == 10.0.0.1 && !ip.later_frag"
pipeline            : ingress
priority            : 70
table_id            : 1
hash                : 0

_uuid               : 07df1365-c4fd-4301-8e0f-96bf07a39f21
actions             : "icmp4 {eth.dst <-> eth.src; ip4.dst <-> ip4.src; ip.ttl = 255; icmp4.type = 3; icmp4.code = 2; next; };"
external_ids        : {source="ovn-northd.c:5185", stage-name=lr_in_ip_input}
logical_datapath    : 3b6be958-290c-4479-9864-007dd89bb056
match               : "ip4 && ip4.dst == 172.24.4.12 && !ip.later_frag"
pipeline            : ingress
priority            : 70
table_id            : 1
hash                : 0


[0]
https://github.com/openstack/neutron-tempest-plugin/blob/8bc66e3205b834e17e9a9e6b72b6203a7a02cada/neutron_tempest_plugin/scenario/test_floatingip.py#L180


On Mon, Jun 18, 2018 at 1:58 PM Lorenzo Bianconi <lorenzo.bianconi at redhat.com> wrote:

> Add priority-70 flows to generate ICMP protocol unreachable messages
> in reply to packets directed to the router's IP address on IP protocols
> other than UDP, TCP, and ICMP
>
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
> ---
>  ovn/northd/ovn-northd.8.xml |  4 ----
>  ovn/northd/ovn-northd.c     | 14 ++++++++++++++
>  tests/ovn.at                |  1 +
>  3 files changed, 15 insertions(+), 4 deletions(-)
>
> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> index 18a481b3d..cfd35115e 100644
> --- a/ovn/northd/ovn-northd.8.xml
> +++ b/ovn/northd/ovn-northd.8.xml
> @@ -1342,10 +1342,6 @@ nd_na {
>          <p>
>            These flows should not match IP fragments with nonzero offset.
>          </p>
> -
> -        <p>
> -          Details TBD.  Not yet implemented.
> -        </p>
>        </li>
>
>        <li>
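
Review bot: with the "Details TBD. Not yet implemented." paragraph removed here, nothing added in this hunk tells the reader what the implemented flow does. Please check that the remaining text of this list item states the priority (70), the match on the router's IP address, and that the reply is ICMP type 3, code 2 (protocol unreachable), so that ovn-northd.8.xml agrees with the flow added in ovn-northd.c.
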
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 27d7aab06..7777b83f5 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -5175,6 +5175,20 @@ build_lrouter_flows(struct hmap *datapaths, struct
> hmap *ports,
>                          "next; };";
>              ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80,
>                            ds_cstr(&match), action);
> +
> +            ds_clear(&match);
> +            ds_put_format(&match,
> +                          "ip4 && ip4.dst == %s && !ip.later_frag",
> +                          op->lrp_networks.ipv4_addrs[i].addr_s);
> +            action = "icmp4 {"
> +                        "eth.dst <-> eth.src; "
> +                        "ip4.dst <-> ip4.src; "
> +                        "ip.ttl = 255; "
> +                        "icmp4.type = 3; "
> +                        "icmp4.code = 2; "
> +                        "next; };";
> +            ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 70,
> +                          ds_cstr(&match), action);
>          }
>
>          ds_clear(&match);
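
Review bot: the new match, "ip4 && ip4.dst == %s && !ip.later_frag", carries no protocol condition, so the "other than UDP, TCP, and ICMP" behaviour promised in the commit message depends entirely on higher-priority flows in S_ROUTER_IN_IP_INPUT catching those packets first. Any other IPv4 packet addressed to a router port IP gets the protocol-unreachable reply at this stage, which fits the report at the top of this thread, where ping replies stopped reaching the VM until the priority-70 flows matching 10.0.0.1 and 172.24.4.12 were deleted. Consider restricting the match to the protocols actually intended, or not installing the flow for router addresses that also terminate NAT traffic, and add a comment above the block explaining why priority 70 is safe relative to the neighbouring flows.
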
> diff --git a/tests/ovn.at b/tests/ovn.at
> index 4648a303c..6553d17c6 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -10444,6 +10444,7 @@ OVN_POPULATE_ARP
>  ovn-nbctl --wait=hv sync
>
>  test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1)
> $(ip_to_hex 192 168 1 254) 11 0000 7dae fcfc 0303
> +test_ip_packet 1 1 000000000001 00000000ff01 $(ip_to_hex 192 168 1 1)
> $(ip_to_hex 192 168 1 254) 84 0000 7dae fcfd 0302
>  OVN_CHECK_PACKETS([hv1/vif1-tx.pcap], [vif1.expected])
>
>  test_tcp_syn_packet 2 2 000000000002 00000000ff02 $(ip_to_hex 192 168 2
> 1) $(ip_to_hex 192 168 2 254) 0000 8b40 3039 0000 7bae 4486
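
Review bot: the added test_ip_packet line covers only the positive case (protocol byte 84, expecting 0302 in the reply); nothing in this hunk checks that traffic the router must still process is left alone. Add a case on a router with NAT configured, like the floating-IP scenario reported in this thread, asserting that ping replies are delivered to the VM and that no ICMP type 3, code 2 message is generated for them.
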
> --
> 2.17.1
>