[ovs-discuss] ovn_l3: should vm get replies from pings to router interface (of non-local subnet)?

Flaviof flavio at flaviof.com
Fri May 20 23:14:01 UTC 2016


Hi Justin (et al.!),

As we talked about in the last OVN meeting, I took a look at the code that populates the logical rules for doing the ICMP response. It is here [1], in ovn-northd.c, function build_lrouter_flows(). Thanks Russell for the valuable pointers!

Unlike ARP, I have come to think that less is more. In other words, by removing the match on inport we would get the responses to be generated as we need, and this is not an issue since that code path is only relevant when packets are part of the router datapath (i.e. eth.dst is one of the router's MACs).

There is a caveat in that the TTL check is not done until later, and that should be enforced to disallow cases when the ping is for the router but it has TTL < 2. Not sure how important y'all think that is; if so, further work may be needed to match on ip.ttl at the logical table.

I also did not find a unit test that exercises ICMP for the LR, and that I can work on next if you agree that "less is more". ;)

All in all, here is a first pass [2] on what I think is needed to get this issue resolved. As always, I could be overlooking something. ;) I will also do some testing under my devstack setup.

Thanks,

-- flaviof

[1]: https://github.com/openvswitch/ovs/blob/master/ovn/northd/ovn-northd.c#L1897
[2]: http://openvswitch.org/pipermail/dev/2016-May/071462.html


On Thu, May 5, 2016 at 12:11 PM, Justin Pettit <jpettit at ovn.org> wrote:
>
>
> > On May 3, 2016, at 1:02 PM, Flaviof <flavio at flaviof.com> wrote:
> >
> > [cc Justin]
> >
> > Hello OVS/OVN folks,
> >
> > Using devstack and a slightly modified version of the local.conf.sample [1],
> > I create an all-in-one node with OVN.
> >
> > After stacking, I run a simple script [2] (attached) that creates 2 internal subnets+networks and an OVN-L3 router with interfaces on each one of them.
> >
> > It then creates a vm in each network, which makes it look like this:
> >
> > vm1 ---- net1 ---- rtr ---- net2 ---- vm2
> >     10.1.0.x                         10.2.0.x
> >
> > The script adds an internal port to connect to net1 [br-int], so we get to vm1
> > without relying on the dhcp namespace. With that, I can ping from vm1 to vm2 and
> > also the interface of rtr on net1. However, I cannot ping [3] the rtr interface on
> > net2 (i.e. 10.2.0.1) from vm1 (i.e. 10.1.0.3).
> >
> > Is that expected to work? I will dig into the flow rules to see if this is a known
> > limitation, but would like to ask you guys to avoid wasting too much energy. :)
> > I do understand that special rules have to be added so ICMP replies [table17]
> > are sent on behalf of the router interface. There was a similar issue [4] in
> > ODL, which made some L3 tempest tests fail. It is possible that is still the case.
>
> That is consistent with my recollection of how pinging the router works:
> you can only ping the side that's adjacent to the sender. That would be
> nice to fix.
>
> --Justin
>
>
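The flow-matching behaviour discussed above, as an added, constructed Python model that is not OVN code and not the patch from the thread: it reduces the per-port echo-reply flows emitted by build_lrouter_flows() to their match/action semantics, so that the effect of keeping or dropping the inport match and the TTL < 2 caveat can be exercised offline. Router port names and addresses are assumed from the diagram in the thread.

```python
# Constructed model (not OVN code) of the ICMP echo-reply logical flows that
# ovn-northd's build_lrouter_flows() emits, reduced to their match/action
# semantics so the effect of the "inport ==" match can be exercised offline.
from dataclasses import dataclass
from typing import Callable, List, Optional

# The router from the thread, one port per subnet (port names are assumed).
ROUTER_PORTS = {"rtr-net1": "10.1.0.1", "rtr-net2": "10.2.0.1"}


@dataclass
class Packet:
    inport: str        # logical router port the packet arrived on
    src: str
    dst: str
    ttl: int
    icmp_type: int = 8  # 8 = echo request, 0 = echo reply
    icmp_code: int = 0


def build_echo_flows(match_inport: bool) -> List[Callable[[Packet], bool]]:
    """One flow per router port, as build_lrouter_flows() does.  With
    match_inport=True the flow only matches on that port's own inport, which is
    the behaviour the thread proposes to drop."""
    flows = []
    for port, ip in ROUTER_PORTS.items():
        def match(pkt: Packet, port=port, ip=ip) -> bool:
            return ((not match_inport or pkt.inport == port)
                    and pkt.dst == ip and pkt.icmp_type == 8
                    and pkt.icmp_code == 0)
        flows.append(match)
    return flows


def router_reply(pkt: Packet, match_inport: bool,
                 check_ttl: bool = False) -> Optional[Packet]:
    """Return the echo reply the router would emit, or None if no flow matches.
    check_ttl models the caveat raised in the thread: a request whose TTL would
    expire at the router (ttl < 2) must be dropped, not answered."""
    if check_ttl and pkt.ttl < 2:
        return None
    if not any(flow(pkt) for flow in build_echo_flows(match_inport)):
        return None
    # Mirror the flow's actions: swap addresses, reset TTL, set echo reply.
    return Packet(pkt.inport, src=pkt.dst, dst=pkt.src, ttl=255, icmp_type=0)


if __name__ == "__main__":
    # vm1 (10.1.0.3) on net1 pings the router's net2 address, as in the thread.
    ping = Packet("rtr-net1", "10.1.0.3", "10.2.0.1", ttl=64)
    print("with inport match:   ", router_reply(ping, match_inport=True))
    print("without inport match:", router_reply(ping, match_inport=False))
```

Running it shows the adjacent-side-only behaviour Justin describes with the inport match kept, and a reply for the non-local address once it is removed; the check_ttl flag shows why the TTL check still has to happen before the reply is generated.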