[ovs-dev] possible issue with connection tracing with action Normal

Sun Feb 17 18:39:19 UTC 2019

Hi ,

I have openstack setup with ovs mechanism driver and ovs firewall driver (using connection tracing for security groups).
The ovs firewall driver is implement as describe [1].

I have 2 compute (hypervisors)  nodes and I am running ICMP from VM1 with mac fa:16:3e:b9:f4:4c which locate on compute 1 to VM2 with  mac fa:16:3e:d4:3d:ae which locate on compute 2.
The setup is with is using vlan networks (but I seem same behavior on vxlan and flat networks) and the setup is configured to allow ICMP traffic between the 2 VMs.
The openstack pipeline with ovs mechanism driver is using the action=Normal for a mac learning.

I run ping from VM1 to VM2 and I see the following behavior.

If VM2 don't have arp entry of fa:16:3e:b9:f4:4c (VM1 mac) the mac learning is working (using ovs-appctl fdb/show br-int command on compute 1)
ufid:3137ffe5-a609-4b7b-bded-d7726ea67e6d, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(tape7f147e2-ca),skb_mark(0/0),ct_state(0/0x20),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=fa:16:3e:b9:f4:4c,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.10.10.12,dst=0.0.0.0/0.0.0.0,proto=1,tos=0/0,ttl=0/0,frag=no),icmp(type=0/0,code=0/0), packets:128, bytes:12544, used:0.392s, dp:ovs, actions:ct(zone=1),recirc(0x20)
ufid:941598b7-7d1b-46bd-804d-03dc14e0a7d8, skb_priority(0/0),skb_mark(0/0),recirc_id(0x20),dp_hash(0/0),in_port(tape7f147e2-ca),ct_state(0x2/0xf),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0/0,id=0/0),eth(src=fa:16:3e:b9:f4:4c,dst=fa:16:3e:d4:3d:ae),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=0.0.0.0/0.0.0.0,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:0, bytes:0, used:5.250s, dp:ovs, actions:push_vlan(vid=70,pcp=0),enp2s0f0

If VM2 does have arp  entry of fa:16:3e:b9:f4:4c (VM1 mac) and the fdb don't have fa:16:3e:b9:f4:4c the mac learning is not happening and the datapath rule will look like

ufid:3137ffe5-a609-4b7b-bded-d7726ea67e6d, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(tape7f147e2-ca),skb_mark(0/0),ct_state(0/0x20),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=fa:16:3e:b9:f4:4c,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.10.10.12,dst=0.0.0.0/0.0.0.0,proto=1,tos=0/0,ttl=0/0,frag=no),icmp(type=0/0,code=0/0), packets:47, bytes:4606, used:0.920s, dp:ovs, actions:ct(zone=1),recirc(0x20)
ufid:9b8061d7-0606-476a-8cf5-f77997185138, recirc_id(0x20),dp_hash(0/0),skb_priority(0/0),in_port(tape7f147e2-ca),skb_mark(0/0),ct_state(0x1/0xf),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=fa:16:3e:b9:f4:4c,dst=fa:16:3e:d4:3d:ae),eth_type(0x0800),ipv4(src=0.0.0.0/0.0.0.0,dst=0.0.0.0/0.0.0.0,proto=0/0,tos=0/0,ttl=0/0,frag=no), packets:0, bytes:0, used:never, dp:ovs, actions:ct(commit,zone=1),push_vlan(vid=1,pcp=0),br-int,pop_vlan,push_vlan(vid=70,pcp=0),enp2s0f0,pop_vlan

as you can see the ICMP packet send to also to br-int.

Please note that I see the behavior only when using (using connection tracing for security groups) without it, it is working fine.

Did someone encounter this issue?

[1] -  https://github.com/openstack/neutron/blob/master/doc/source/contributor/internals/openvswitch_firewall.rst