[ovs-dev] [PATCH v6 ovn 3/3] northd: add check_pkt_larger lflows for ingress traffic
Lorenzo Bianconi
lorenzo.bianconi at redhat.com
Tue Jul 27 14:34:08 UTC 2021
[...]
> > + <p>
> > + For a distributed logical router or for gateway router where
> > + the port is configured with <code>options:gateway_mtu</code>
> > + the action of the above flow is modified adding
> > + <code>check_pkt_larger</code> in order to mark the packet
> > + setting <code>REGBIT_PKT_LARGER</code> if the size is greater
> > + than the MTU
>
> nit: Forgot trailing '.'
ack, I will fix it
>
> > + </p>
> > </li>
> >
> > <li>
> > @@ -2164,6 +2173,46 @@ next;
> > </p>
> >
> > <ul>
> > + <li>
> > + <p>
> > + For distributed logical routers or gateway routers with gateway port
> > + configured with <code>options:gateway_mtu</code> to a valid integer
> > + value, a priority-150 flow with the match <code>inport ==
> > + <var>LRP</var> && REGBIT_PKT_LARGER &&
> > + REGBIT_EGRESS_LOOPBACK == 0</code>, where <var>LRP</var> is the
> > + logical router port and applies the following action for ipv4
> > + and ipv6 respectively:
> > + </p>
> > +
> > + <pre>
> > +icmp4 {
> > + icmp4.type = 3; /* Destination Unreachable. */
> > + icmp4.code = 4; /* Frag Needed and DF was Set. */
> > + icmp4.frag_mtu = <var>M</var>;
> > + eth.dst = <var>E</var>;
> > + ip4.dst = ip4.src;
> > + ip4.src = <var>I</var>;
> > + ip.ttl = 255;
> > + REGBIT_EGRESS_LOOPBACK = 1;
> > + REGBIT_PKT_LARGER 0;
> > + next(pipeline=ingress, table=0);
> > +};
> > +
> > +icmp6 {
> > + icmp6.type = 2;
> > + icmp6.code = 0;
> > + icmp6.frag_mtu = <var>M</var>;
> > + eth.dst = <var>E</var>;
> > + ip6.dst = ip6.src;
> > + ip6.src = <var>I</var>;
> > + ip.ttl = 255;
> > + REGBIT_EGRESS_LOOPBACK = 1;
> > + REGBIT_PKT_LARGER 0;
> > + next(pipeline=ingress, table=0);
> > +};
> > + </pre>
> > + </li>
> > +
> > <li>
> > <p>
> > For each NAT entry of a distributed logical router (with
> > @@ -3705,12 +3754,11 @@ REGBIT_PKT_LARGER = check_pkt_larger(<var>L</var>); next;
> > <p>
> > For distributed logical routers or gateway routers with gateway port
> > configured with <code>options:gateway_mtu</code> to a valid integer
> > - value, this table adds the following priority-50 logical flow for each
> > + value, this table adds the following priority-150 logical flow for each
>
> Why have you chnaged from a priority 50 flow to a priority 150 flow?
because now build_icmperr_pkt_big_flows() is used even in S_ROUTER_IN_IP_INPUT
and not only in S_ROUTER_IN_LARGER_PKTS one.
>
> > logical router port with the match <code>inport == <var>LRP</var>
> > - && outport == <var>GW_PORT</var> &&
> > - REGBIT_PKT_LARGER</code>, where <var>LRP</var> is the logical
> > - router port and <var>GW_PORT</var> is the gateway router port and applies
> > - the following action for ipv4 and ipv6 respectively:
> > + && REGBIT_PKT_LARGER && !REGBIT_EGRESS_LOOPBACK</code>,
> > + where <var>LRP</var> is the logical router port and applies the following
> > + action for ipv4 and ipv6 respectively:
> > </p>
> >
> > <pre>
> > @@ -3723,6 +3771,7 @@ icmp4 {
> > ip4.src = <var>I</var>;
> > ip.ttl = 255;
> > REGBIT_EGRESS_LOOPBACK = 1;
> > + REGBIT_PKT_LARGER = 0;
> > next(pipeline=ingress, table=0);
> > };
> >
> > @@ -3735,6 +3784,7 @@ icmp6 {
> > ip6.src = <var>I</var>;
> > ip.ttl = 255;
> > REGBIT_EGRESS_LOOPBACK = 1;
> > + REGBIT_PKT_LARGER = 0;
> > next(pipeline=ingress, table=0);
> > };
> > </pre>
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index 20f8d7b73..9d6f52c2e 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -9952,6 +9952,10 @@ build_adm_ctrl_flows_for_lrouter(
> > }
> > }
> >
> > +static void
> > +build_check_pkt_len_action_string(struct ovn_port *op, int *pmtu,
> > + struct ds *actions);
> > +
> > /* Logical router ingress Table 0: L2 Admission Control
> > * This table drops packets that the router shouldn’t see at all based
> > * on their Ethernet headers.
> > @@ -9979,6 +9983,8 @@ build_adm_ctrl_flows_for_lrouter_port(
> > * the pipeline.
> > */
> > ds_clear(actions);
> > +
> > + build_check_pkt_len_action_string(op, NULL, actions);
> > ds_put_format(actions, REG_INPORT_ETH_ADDR " = %s; next;",
> > op->lrp_networks.ea_s);
> >
> > @@ -10914,33 +10920,121 @@ build_arp_resolve_flows_for_lrouter_port(
> >
> > }
[...]
> > +}
> > +
> > +static void
> > +build_check_pkt_len_action_string(struct ovn_port *op, int *pmtu,
> > + struct ds *actions)
>
> Could you just return the pmtu? i.e. something like
>
> static int
> build_check_pkt_len_action_string(struct ovn_port *op,
> struct ds *actions)
> {
> int gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0);
>
> if (gw_mtu > 0) {
> /* Add the flows only if gateway_mtu is configured. */
> ds_put_format(actions,
> REGBIT_PKT_LARGER" = check_pkt_larger(%d); ",
> gw_mtu + VLAN_ETH_HEADER_LEN);
> }
>
> return gw_mtu
> }
sure, I can change it
>
>
> > +{
> > + int gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0);
> > +
> > + if (gw_mtu > 0) {
> > + /* Add the flows only if gateway_mtu is configured. */
> > + ds_put_format(actions,
> > + REGBIT_PKT_LARGER" = check_pkt_larger(%d); ",
> > + gw_mtu + VLAN_ETH_HEADER_LEN);
> > + }
> > + if (pmtu) {
> > + *pmtu = gw_mtu;
> > + }
> > +}
> > +
> > + r in &Router(._uuid = lr_uuid),
> > + r.is_gateway,
> > + gw_mtu_rp in &RouterPort(.router = r),
> > + var gw_mtu = gw_mtu_rp.lrp.options.get_int_def("gateway_mtu", 0),
> > + gw_mtu > 0,
> > + var mtu = gw_mtu + vLAN_ETH_HEADER_LEN(),
> > + rp in &RouterPort(.router = r),
> > + rp.lrp == gw_mtu_rp.lrp,
> > + Some{var first_ipv6} = rp.networks.ipv6_addrs.nth(0).
> > +
> > /* Logical router ingress table GW_REDIRECT: Gateway redirect.
> > *
> > * For traffic with outport equal to the l3dgw_port
> > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
>
> You should add additional checks for flows in the ingress switch
> pipeline for the "L2 Admission Control" table.
>
> You should also add checks for flows in the ingress router pipeline for
> the "IP Input" table.
ack, I will add it.
>
> > index 56d8be7cc..f0a047d56 100644
> > --- a/tests/ovn-northd.at
> > +++ b/tests/ovn-northd.at
> > @@ -4865,10 +4865,10 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sort], [0], [d
> > table=15(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;)
> > table=15(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); next;)
> > table=16(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > ])
> >
> > # Clear the gateway-chassis for lr0-public
> > @@ -4892,10 +4892,10 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sort], [0], [d
> > table=15(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;)
> > table=15(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); next;)
> > table=16(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > ])
> >
> > # Set gateway_mtu option on lr0-sw0
> > @@ -4909,14 +4909,14 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sort], [0], [d
> > table=15(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); next;)
> > table=15(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1418); next;)
> > table=16(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> > ])
> >
> > # Clear gateway_mtu option on lr0-public
> > @@ -4928,10 +4928,10 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sort], [0], [d
> > table=15(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;)
> > table=15(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1418); next;)
> > table=16(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]]), action=(icmp4_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > - table=16(lr_in_larger_pkts ), priority=50 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]]), action=(icmp6_error {reg9[[0]] = 1; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > + table=16(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> > ])
> >
> > AT_CLEANUP
> > diff --git a/tests/ovn.at b/tests/ovn.at
> > index 6af62aab0..49741f45b 100644
> > --- a/tests/ovn.at
> > +++ b/tests/ovn.at
> > @@ -16637,6 +16637,52 @@ test_ip_packet_larger() {
> > fi
> > }
> >
> > +test_ip_packet_larger_ext() {
> > + local mtu=$1
> > +
> > + # Send ip packet from sw0-port1 to outside
> > + src_mac="00000012af11" # external mac
> > + dst_mac="000020201213" # lr0-public mac
> > + src_ip=`ip_to_hex 172 168 0 4`
> > + dst_ip=`ip_to_hex 172 168 0 100`
> > + # Set the packet length to 118.
> > + pkt_len=0076
> > + packet=${dst_mac}${src_mac}08004500${pkt_len}00000000400120cf
> > + orig_packet_l3=${src_ip}${dst_ip}0900000000000000
> > + orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
> > + orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
> > + orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
> > + orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
> > + orig_packet_l3=${orig_packet_l3}000000000000000000000000000000000000
> > + packet=${packet}${orig_packet_l3}
> > +
> > + gw_ip_garp=ffffffffffff00002020121308060001080006040001000020201213aca80064000000000000aca80064
> > + ext_ip_garp=ffffffffffff00000012af110806000108000604000100000012af11aca80004000000000000aca80004
> > +
> > + src_ip=`ip_to_hex 172 168 0 100`
> > + dst_ip=`ip_to_hex 172 168 0 4`
> > + # pkt len should be 146 (28 (icmp packet) + 118 (orig ip + payload))
> > + reply_pkt_len=0092
> > + ip_csum=f397
> > + icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe0122b2
> > + icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf "%04x" $mtu)
> > + icmp_reply=${icmp_reply}4500${pkt_len}00000000400120cf
> > + icmp_reply=${icmp_reply}${orig_packet_l3}
> > + echo $icmp_reply > br-phys_n1.expected
> > +
> > + echo $gw_ip_garp >> br-phys_n1.expected
> > +
> > + as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
> > + as hv1 reset_pcap_file hv1-vif1 hv1/vif1
> > +
> > + check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $ext_ip_garp
> > + sleep 1
> > + # Send packet from sw0-port1 to outside
> > + check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $packet
> > +
> > + OVN_CHECK_PACKETS([hv1/br-phys_n1-tx.pcap], [br-phys_n1.expected])
> > +}
> > +
> > test_ip6_packet_larger() {
> > local mtu=$1
> >
> > @@ -16652,7 +16698,7 @@ test_ip6_packet_larger() {
> > local payload=${payload}0000000000000000000000000000000000000000
> > local payload=${payload}0000000000000000000000000000000000000000
> >
> > - local ip6_hdr=6000000000583aff${ipv6_src}${ipv6_dst}
> > + local ip6_hdr=6000000000583afe${ipv6_src}${ipv6_dst}
> > local packet=${eth_dst}${eth_src}86dd${ip6_hdr}8000ec7662f00001${payload}
> >
> > as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
> > @@ -16669,7 +16715,7 @@ test_ip6_packet_larger() {
> > mtu_needed=$(expr ${packet_bytes} - 18)
> > if test $mtu -lt $mtu_needed; then
> > # First construct the inner IPv6 packet.
> > - inner_ip6=6000000000583afe${ipv6_src}${ipv6_dst}
> > + inner_ip6=6000000000583afd${ipv6_src}${ipv6_dst}
> > inner_icmp6=8000000062f00001
> > inner_icmp6_and_payload=$(icmp6_csum_inplace ${inner_icmp6}${payload} ${inner_ip6})
> > inner_packet=${inner_ip6}${inner_icmp6_and_payload}
> > @@ -16691,6 +16737,53 @@ test_ip6_packet_larger() {
> > fi
> > }
> >
> > +test_ip6_packet_larger_ext() {
>
> What is the difference between test_ip6_packet_larger_ext() and
> test_ip6_packet_larger()? Can you add a comment? Its hard to decode the
> IPv6 header which makes it difficult to review the changes to the test :S
sure, I will add it.
test_ip6_packet_larger_ext: ingress traffic generated outside the cluster.
test_ip6_packet_larger: outgoing traffic generated inside the cluster.
>
>
> > + local mtu=$1
> > +
> > + local eth_src=00000012af11
> > + local eth_dst=000020201213
> > +
> > + local ipv6_src=20000000000000000000000000000004
> > + local ipv6_dst=20000000000000000000000000000001
> > +
> > + local payload=0000000000000000000000000000000000000000
> > + local payload=${payload}0000000000000000000000000000000000000000
> > + local payload=${payload}0000000000000000000000000000000000000000
> > + local payload=${payload}0000000000000000000000000000000000000000
> > +
> > + local ip6_hdr=6000000000583afe${ipv6_src}${ipv6_dst}
> > + local packet=${eth_dst}${eth_src}86dd${ip6_hdr}9000cc7662f00001${payload}
> > +
> > + local ns=ffffffffffff00002020121308060001080006040001000020201213aca80064000000000000aca80064
> > + echo $ns > br-phys_n1.expected
> > +
> > + as hv1 reset_pcap_file br-phys_n1 hv1/br-phys_n1
> > + as hv1 reset_pcap_file hv1-vif1 hv1/vif1
> > +
> > + local na_ip6_hdr=6000000000203aff${ipv6_src}${ipv6_dst}
> > + local na=${eth_dst}${eth_src}86dd${na_ip6_hdr}8800d78440000000${ipv6_src}0201${eth_src}
> > + check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $na
> > + sleep 1
> > + check as hv1 ovs-appctl netdev-dummy/receive br-phys_n1 $packet
> > + AT_CAPTURE_FILE([trace-$mtu])
> > +
> > + # First construct the inner IPv6 packet.
> > + inner_ip6=6000000000583afe${ipv6_src}${ipv6_dst}
> > + inner_icmp6=9000000062f00001
> > + inner_icmp6_and_payload=$(icmp6_csum_inplace ${inner_icmp6}${payload} ${inner_ip6})
> > + inner_packet=${inner_ip6}${inner_icmp6_and_payload}
> > +
> > + # Then the outer.
> > + outer_ip6=6000000000883afe${ipv6_dst}${ipv6_src}
> > + outer_icmp6_and_payload=$(icmp6_csum_inplace 020000000000$(printf "%04x" $mtu)${inner_packet} $outer_ip6)
> > + outer_packet=${outer_ip6}${outer_icmp6_and_payload}
> > +
> > + icmp6_reply=${eth_src}${eth_dst}86dd${outer_packet}
> > + echo $icmp6_reply >> br-phys_n1.expected
> > +
> > + OVN_CHECK_PACKETS([hv1/br-phys_n1-tx.pcap], [br-phys_n1.expected])
> > +}
> > +
> > wait_for_ports_up
> > ovn-nbctl --wait=hv sync
> >
> > @@ -16723,7 +16816,7 @@ for mtu in 100 500 118; do
> > OVS_WAIT_FOR_OUTPUT([
> > as hv1 ovs-ofctl dump-flows br-int > br-int-flows-$mtu
> > AT_CAPTURE_FILE([br-int-flows-$mtu])
> > - grep "check_pkt_larger($(expr $mtu + 18))" br-int-flows-$mtu | wc -l], [0], [1
> > + grep "check_pkt_larger($(expr $mtu + 18))" br-int-flows-$mtu | wc -l], [0], [3
> > ])
> >
> > AS_BOX([testing mtu $mtu - IPv4])
> > @@ -16733,6 +16826,23 @@ for mtu in 100 500 118; do
> > test_ip6_packet_larger $mtu
> > done
> >
> > +AS_BOX([testing mtu $mtu])
> > +check ovn-nbctl --wait=hv set logical_router_port lr0-public options:gateway_mtu=100
> > +ovn-sbctl dump-flows > ext-sbflows-100
> > +AT_CAPTURE_FILE([ext-sbflows-$mtu])
> > +
> > +OVS_WAIT_FOR_OUTPUT([
> > + as hv1 ovs-ofctl dump-flows br-int > ext-br-int-flows-100
> > + AT_CAPTURE_FILE([ext-br-int-flows-100])
> > + grep "check_pkt_larger(118)" ext-br-int-flows-100 | wc -l], [0], [3
> > +])
> > +
> > +AS_BOX([testing ext mtu 100 - IPv4])
> > +test_ip_packet_larger_ext 100
> > +
> > +AS_BOX([testing mtu 100 - IPv6])
> > +test_ip6_packet_larger_ext 100
> > +
> > ovn-nbctl lsp-del sw0-lr0
> >
> > ovn-nbctl lr-del lr0
> > @@ -16770,7 +16880,7 @@ for mtu in 100 500 118; do
> > OVS_WAIT_FOR_OUTPUT([
> > as hv1 ovs-ofctl dump-flows br-int > br-int-gw-flows-$mtu
> > AT_CAPTURE_FILE([br-int-gw-flows-$mtu])
> > - grep "check_pkt_larger($(expr $mtu + 18))" br-int-gw-flows-$mtu | wc -l], [0], [1
> > + grep "check_pkt_larger($(expr $mtu + 18))" br-int-gw-flows-$mtu | wc -l], [0], [3
> > ])
> >
> > AS_BOX([testing gw mtu $mtu - IPv4])
> > @@ -16780,6 +16890,23 @@ for mtu in 100 500 118; do
> > test_ip6_packet_larger $mtu
> > done
> >
> > +AS_BOX([testing gw mtu $mtu])
>
> s/$mtu/100
>
> Also could you maybe change the description? The AS_BOX text is the same
> as in the loop above this AS_BOX but the tests are different (i.e. the
> run test_ip6_packet_larger_ext). What does test_ip6_packet_larger_ext()
> do differently to test_ip6_packet_larger()?
ack, I will fix it
Regards,
Lorenzo
>
> > +check ovn-nbctl --wait=hv set logical_router_port lr1-public options:gateway_mtu=100
> > +ovn-sbctl dump-flows > ext-gw-sbflows-100
> > +AT_CAPTURE_FILE([ext-gw-sbflows-$mtu])
> > +
> > +OVS_WAIT_FOR_OUTPUT([
> > + as hv1 ovs-ofctl dump-flows br-int > ext-br-int-gw-flows-100
> > + AT_CAPTURE_FILE([ext-br-int-gw-flows-100])
> > + grep "check_pkt_larger(118)" ext-br-int-gw-flows-100 | wc -l], [0], [3
> > +])
> > +
> > +AS_BOX([testing gw ext mtu 100 - IPv4])
> > +test_ip_packet_larger_ext 100
> > +
> > +AS_BOX([testing gw mtu 100 - IPv6])
> > +test_ip6_packet_larger_ext 100
> > +
> > OVN_CLEANUP([hv1])
> > AT_CLEANUP
> > ])
> >
> >
> > _______________________________________________
> > dev mailing list
> > dev at openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
>
More information about the dev
mailing list