[ovs-dev] [PATCH ovn] Skip IPv6 NS packets in router egress SNAT pipeline

Numan Siddique numans at ovn.org
Tue Nov 19 19:05:03 UTC 2019


On Tue, Nov 19, 2019 at 11:41 PM Mark Michelson <mmichels at redhat.com> wrote:
>
> Acked-by: Mark Michelson <mmichels at redhat.com>

Thanks. I applied this to master.

Numan

>
> On 11/19/19 7:22 AM, numans at ovn.org wrote:
> > From: Numan Siddique <numans at ovn.org>
> >
> > When ovn-controller injects an IPv6 NS packet to learn the MAC, in some
> > setups it is observed that the packet is dropped by ovs-vswitchd. We see
> > the logs below:
> >
> > 2019-11-18T10:42:17.973Z|00001|ofproto_dpif_upcall(handler6)|INFO|received packet on unassociated datapath port 4294967295
> > 2019-11-18T10:42:18.221Z|00001|ofproto_dpif_upcall(revalidator8)|WARN|Failed to acquire udpif_key corresponding to unexpected flow (Invalid argument): ufid:9ba1081f-a692-4c1c-a79b-d1cf04175f7d
> >
> > Upon further debugging I noticed that xlate_lookup() fails when there is an
> > upcall from the kernel datapath because of ct related actions. When
> > ovn-controller injects the packet it sets inport=CONTROLLER.
> >
> > This patch addresses this issue by preventing the IPv6 NS packets from
> > being sent to conntrack in the router egress pipeline.
> >
> > This should ideally be fixed in ovs-vswitchd.
> >
> > Reported-by: Russell Bryant <russell at ovn.org>
> > Signed-off-by: Numan Siddique <numans at ovn.org>
> > ---
> >   northd/ovn-northd.8.xml | 9 +++++++++
> >   northd/ovn-northd.c     | 5 +++++
> >   2 files changed, 14 insertions(+)
> >
> > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> > index 78b1e84ad..956a10362 100644
> > --- a/northd/ovn-northd.8.xml
> > +++ b/northd/ovn-northd.8.xml
> > @@ -2826,6 +2826,15 @@ nd_ns {
> >         changed based on the configuration in the OVN Northbound database.
> >       </p>
> >
> > +    <ul>
> > +      <li>
> > +        A priority-120 flow to advance the IPv6 Neighbor solicitation packet
> > +        to next table to skip SNAT. In the case where ovn-controller injects
> > +        an IPv6 Neighbor Solicitation packet (for <code>nd_ns</code> action)
> > +        we don't want the packet to go throught conntrack.
> > +      </li>
> > +    </ul>
> > +
> >       <p>Egress Table 1: SNAT on Gateway Routers</p>
> >
> >       <ul>
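
Review bot: In the added <li>, "throught" should be "through", and "Neighbor solicitation" in the first sentence should be capitalised the same way as "Neighbor Solicitation" in the second. The item also says the flow is there "to skip SNAT" while the stated reason is to keep the packet out of conntrack; one sentence linking the two (the SNAT stage is where the ct action would be applied) would make the entry self-explanatory. The new <ul> is inserted above the "Egress Table 1: SNAT on Gateway Routers" paragraph, so please confirm it renders under the SNAT table description rather than at the end of the preceding table.
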
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index 41e97f841..ccccd9651 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -7976,6 +7976,11 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
> >           ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
> >           ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
> >
> > +        /* Send the IPv6 NS packets to next table. When ovn-controller
> > +         * generates IPv6 NS (for the action - nd_ns{}), the injected
> > +         * packet would go through conntrack - which is not required. */
> > +        ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;");
> > +
> >           /* NAT rules are only valid on Gateway routers and routers with
> >            * l3dgw_port (router has a port with "redirect-chassis"
> >            * specified). */
> >
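
Review bot: The match on the new S_ROUTER_OUT_SNAT flow is just "nd_ns", so at priority 120 it sends every Neighbor Solicitation in this stage to "next;", not only the packets ovn-controller injects for nd_ns{} as the comment describes. Either state in the comment that all NS packets bypass the SNAT stage by design, or narrow the match if only injected packets are meant. The comment could also record the actual symptom from the commit message (the packet is dropped by ovs-vswitchd after the ct upcall) and that this is a workaround, since "which is not required" alone will not tell a later reader why the flow must stay. The diffstat lists only ovn-northd.8.xml and ovn-northd.c, so there is no test covering the new flow; a check that the priority-120 flow is present in the router egress SNAT table would guard against regressions.
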
>

