[ovs-dev] [PATCH v2] OVN: do not mark ND packets for conntrack in PRE_LB stage

Guru Shetty guru at ovn.org
Fri Jun 29 16:03:16 UTC 2018


On 1 June 2018 at 04:05, Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
wrote:

> Do not send Neighbor Discovery packets to conntrack module if
> load balancing rules have been added to NB db since otherwise
> Neighbor Advertisement frames will be discarded by OVN.
> In order to reproduce the issue it is enough to add 2 logical ports
> to a single logical switch, assign an IPv6 address to each VIF, and
> define a load balance rule on the logical switch. After a while the
> ping6 from VIF1 to VIF2 will stop since the vm will not receive any NA
> packet
>
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>
>
I applied this to master.


> ---
> Changes since v1:
> - updated ovn-northd manpage
> ---
>  ovn/northd/ovn-northd.8.xml | 34 +++++++++++++++++++---------------
>  ovn/northd/ovn-northd.c     |  6 ++++++
>  2 files changed, 25 insertions(+), 15 deletions(-)
>
> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> index 1d68f1aab..4f897bdbe 100644
> --- a/ovn/northd/ovn-northd.8.xml
> +++ b/ovn/northd/ovn-northd.8.xml
> @@ -240,17 +240,19 @@
>      <p>
>        This table prepares flows for possible stateful load balancing
> processing
>        in ingress table <code>LB</code> and <code>Stateful</code>.  It
> contains
> -      a priority-0 flow that simply moves traffic to the next table.  If
> load
> -      balancing rules with virtual IP addresses (and ports) are
> configured in
> -      <code>OVN_Northbound</code> database for a logical switch datapath,
> a
> -      priority-100 flow is added for each configured virtual IP address
> -      <var>VIP</var>. For IPv4 <var>VIPs</var>, the match is <code>ip
> -      &amp;&amp; ip4.dst == <var>VIP</var></code>.  For IPv6
> <var>VIPs</var>,
> -      the match is <code>ip &amp;&amp; ip6.dst == <var>VIP</var></code>.
> The
> -      flow sets an action <code>reg0[0] = 1; next;</code> to act as a
> -      hint for table <code>Pre-stateful</code> to send IP packets to the
> -      connection tracker for packet de-fragmentation before eventually
> -      advancing to ingress table <code>LB</code>.
> +      a priority-0 flow that simply moves traffic to the next table.
> Moreover
> +      it contains a priority-110 flow to move IPv6 Neighbor Discovery
> traffic
> +      to the next table. If load balancing rules with virtual IP addresses
> +      (and ports) are configured in <code>OVN_Northbound</code> database
> for a
> +      logical switch datapath, a priority-100 flow is added for each
> configured
> +      virtual IP address <var>VIP</var>. For IPv4 <var>VIPs</var>, the
> match is
> +      <code>ip &amp;&amp; ip4.dst == <var>VIP</var></code>. For IPv6
> +      <var>VIPs</var>, the match is <code>ip &amp;&amp;
> +      ip6.dst == <var>VIP</var></code>. The flow sets an action
> +      <code>reg0[0] = 1; next;</code> to act as a hint for table
> +      <code>Pre-stateful</code> to send IP packets to the connection
> tracker
> +      for packet de-fragmentation before eventually advancing to ingress
> table
> +      <code>LB</code>.
>      </p>
>
>      <h3>Ingress Table 5: Pre-stateful</h3>
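
Review bot: The added sentence about the priority-110 flow does not give its match expression, while every other flow in this paragraph spells its match out in a <code> element. Please state the match used in ovn-northd.c ("nd || nd_rs || nd_ra") and say in one clause that the purpose is to keep Neighbor Discovery traffic away from the connection tracker, so the manpage can be checked against the installed logical flows. Minor style point: "Moreover it contains" reads better with a comma after "Moreover".
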
> @@ -866,10 +868,12 @@ output;
>      <p>
>        This table is similar to ingress table <code>Pre-LB</code>.  It
>        contains a priority-0 flow that simply moves traffic to the next
> table.
> -      If any load balancing rules exist for the datapath, a priority-100
> flow
> -      is added with a match of <code>ip</code> and action of
> <code>reg0[0] = 1;
> -       next;</code> to act as a hint for table <code>Pre-stateful</code>
> to
> -      send IP packets to the connection tracker for packet
> de-fragmentation.
> +      Moreover it contains a priority-110 flow to move IPv6 Neighbor
> Discovery
> +      traffic to the next table. If any load balancing rules exist for the
> +      datapath, a priority-100 flow is added with a match of
> <code>ip</code>
> +      and action of <code>reg0[0] = 1; next;</code> to act as a hint for
> +      table <code>Pre-stateful</code> to send IP packets to the connection
> +      tracker for packet de-fragmentation.
>      </p>
>
>      <h3>Egress Table 1: <code>to-lport</code> Pre-ACLs</h3>
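
Review bot: The egress paragraph now lists a priority-110 flow and a priority-100 flow matching "ip" without saying how they interact. Neighbor Discovery packets are IPv6 and therefore also match "ip", so the text should say explicitly that the priority-110 flow takes precedence and that ND traffic never gets reg0[0] = 1 set. As written, a reader has to infer that from the priority numbers alone.
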
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 0e06776ad..aa9298d3b 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -2977,6 +2977,12 @@ ls_has_dns_records(const struct
> nbrec_logical_switch *nbs)
>  static void
>  build_pre_lb(struct ovn_datapath *od, struct hmap *lflows)
>  {
> +    /* Do not send ND packets to conntrack */
> +    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
> +                  "nd || nd_rs || nd_ra", "next;");
> +    ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
> +                  "nd || nd_rs || nd_ra", "next;");
> +
>      /* Allow all packets to go to next tables by default. */
>      ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;");
>      ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;");
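
Review bot: The two priority-110 flows at the top of build_pre_lb() are added before any check that the datapath has load balancers, so as far as this hunk shows every logical switch gets them, even when there is no priority-100 flow for them to override. If that is intended, extend the comment "Do not send ND packets to conntrack" to say why (the commit message notes that Neighbor Advertisements are otherwise discarded); if not, move the calls next to the code that adds the priority-100 flows. The diffstat touches only the manpage and ovn-northd.c, so a regression test covering the ping6 reproduction from the commit message would be worth adding in the same series.
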
> --
> 2.14.3
>