[ovs-discuss] nd_target is not working at IPv6

Andrey Ziltsov ziltsov at fastvps.ee
Mon Nov 6 12:31:58 UTC 2017


Hallo!!!

On the external interface bond0.6 we have the following traffic:

*# tcpdump -e -nn -i bond0.6 icmp6 and ip6[40] == 135 | grep xxxx:xxxx:2:2::a5*
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on bond0.6, link-type EN10MB (Ethernet), capture size 262144 bytes
13:39:28.724325 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6 (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6, neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
13:39:29.723075 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6 (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6, neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
13:39:30.723165 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6 (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6, neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
13:39:31.739472 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6 (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6, neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
13:39:32.738971 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6 (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6, neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
13:39:33.738933 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6 (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6, neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
13:39:34.755430 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6 (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6, neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32

The output of "ovs-appctl ofproto/trace" has the right output port in the
datapath action:

*# ovs-appctl ofproto/trace public-switch in_port=1,icmp6,icmpv6_type=135,nd_target=xxxx:xxxx:2:2::a5,dl_src=xx:xx:xx:1b:b3:67,dl_dst=33:33:ff:00:00:a5,ipv6_src=fe80::xxxx:xxff:fe1b:b367,ipv6_dst=ff02::1:ff00:a5*
Flow:
icmp6,in_port=1,vlan_tci=0x0000,dl_src=xx:xx:xx:1b:b3:67,dl_dst=33:33:ff:00:00:a5,ipv6_src=fe80::xxxx:xxff:fe1b:b367,ipv6_dst=ff02::1:ff00:a5,ipv6_label=0x00000,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=135,icmp_code=0,nd_target=xxxx:xxxx:2:2::a5,nd_sll=00:00:00:00:00:00,nd_tll=00:00:00:00:00:00

bridge("public-switch")
-----------------------
 0. icmp6,in_port=1,icmp_type=135, priority 10005, cookie 0x10005
    resubmit(,2)
 2. icmp6,icmp_type=135,nd_target=xxxx:xxxx:2:2::a5, priority 108, cookie 0x124994
    output:27

Final flow: unchanged
Megaflow: recirc_id=0,eth,icmp6,in_port=1,nw_frag=no,icmp_type=0x87/0xff,nd_target=xxxx:xxxx:2:2::a5
Datapath actions: 3


The output of "ovs-appctl dpif/show":

*# ovs-appctl dpif/show*
system at ovs-system: hit:479117438 missed:112792546
    public-switch:
        bond0.6 1/2: (system)
        public-switch 65534/1: (internal)
        vnet0 27/3: (system)
        vnet1 28/4: (system)

The configuration file of the external interface bond0.6:

*# cat /etc/sysconfig/network-scripts/ifcfg-bond0.6 *
DEVICE=bond0.6
VLAN=yes
ONBOOT=yes
BOOTPROTO=static

TYPE="OVSPort"
DEVICETYPE="ovs"
OVS_BRIDGE="public-switch"


The configuration file of the openvswitch bridge public-switch:

*# cat /etc/sysconfig/network-scripts/ifcfg-public-switch *
DEVICE=public-switch
ONBOOT=yes
BOOTPROTO=static

TYPE="OVSBridge"
DEVICETYPE="ovs"


For example, the answer to an ICMP6 type 135 request looks like the following:

*# ovs-dpctl --more --names dump-flows filter="icmp6"*

ufid:c171538c-9800-472c-9666-253f1873f478, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(bond0.6),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:00:00:00/00:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x86dd),ipv6(src=::/::,dst=::/::,label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no),icmpv6(type=135,code=0/0),nd(target=::/::,sll=00:00:00:00:00:00/00:00:00:00:00:00,tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:115, bytes:9890, used:0.752s, actions:vnet1

ufid:9b2cf37e-52c1-4874-bb9f-d21bd319c054, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(vnet1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:00:00:00/00:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x86dd),ipv6(src=::/::,dst=::/::,label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no),icmpv6(type=136,code=0/0),nd(target=::/::,sll=00:00:00:00:00:00/00:00:00:00:00:00,tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:79, bytes:6794, used:0.760s, actions:drop

If we add two flows as follows:

 cookie=0x1, table=3, priority=1 actions=output:"bond0.6"
 cookie=0x10005, priority=10005,icmp6,in_port=vnet1,icmp_type=136 actions=resubmit(,3)


2017-11-03 20:04 GMT+02:00 Ben Pfaff <blp at ovn.org>:

> On Fri, Nov 03, 2017 at 04:18:25PM +0200, Andrey Ziltsov wrote:
> > Hallo!!!
> >
> > We have a problem with flow field "nd_target" at IPv6.
> >
> > For example.
> >
> > We have two VMs with virtual interfaces vnet0 and vnet1.
> >
> > On the bridge, fail_mode is set to "secure":
> >
> > *# ovs-vsctl list br public-switch | grep fail_mode*
> > fail_mode           : secure
> >
> > The interface bond0.6 is the external interface.
> >
> > We added only three flows for the test:
> >
> > *# ovs-ofctl --no-stat dump-flows public-switch --sort=priority*
> >  cookie=0x123575, table=2, priority=1,icmp6,icmp_type=135 actions=output:vnet1
> >  cookie=0x124994, table=2, priority=108,icmp6,icmp_type=135,nd_target=XXXX:XXXX:2:2::a5 actions=output:vnet0
> >  cookie=0x10005, priority=10005,icmp6,in_port="bond0.6",icmp_type=135 actions=resubmit(,2)
> >
> > So, all ICMP6 traffic with type 135 coming in on bond0.6 is resubmitted to
> > table 2, and if the nd_target field equals the IPv6 address
> > XXXX:XXXX:2:2::a5, the traffic is sent to vnet0 (VM1 has IPv6
> > XXXX:XXXX:2:2::a5). All other traffic should go to vnet1 (VM2).
>
> Hmm, that does seem wrong.  Can you try out an example packet with
> "ovs-appctl ofproto/trace" and paste the output?
>
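
A check for the symptom visible in the "ovs-dpctl --more dump-flows" output above, as an added example that is not part of the original message or of Open vSwitch: it parses datapath flow lines and reports ICMPv6 type 135 flows that forward traffic while the ND target is fully wildcarded (nd(target=::/::)). The sample lines are constructed (abbreviated from the dump above, with a documentation-prefix address standing in for the redacted one), and treating a target printed without a mask as an exact match is an assumption about the dump format.

```python
import ipaddress
import re

# Constructed sample: the first two lines abbreviate the datapath flows quoted
# in the message; the third is a made-up flow with an exact ND target match.
SAMPLE = """\
in_port(bond0.6),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(type=135,code=0/0),nd(target=::/::), packets:115, actions:vnet1
in_port(vnet1),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(type=136,code=0/0),nd(target=::/::), packets:79, actions:drop
in_port(bond0.6),eth_type(0x86dd),ipv6(proto=58,frag=no),icmpv6(type=135,code=0/0),nd(target=2001:db8:2:2::a5), packets:4, actions:vnet0
"""

# One datapath flow per line, as ovs-dpctl prints it (the e-mail wrapped them).
FLOW_RE = re.compile(
    r"in_port\((?P<port>[^)]*)\).*?icmpv6\(type=(?P<type>\d+)[^)]*\)"
    r".*?nd\(target=(?P<target>[0-9a-fA-F:.]+)(?:/(?P<mask>[0-9a-fA-F:.]+))?"
    r".*?actions:(?P<actions>\S+)"
)
ALL_ONES = (1 << 128) - 1


def nd_target_matches(dump_text):
    """Return one dict per neighbor discovery flow, with how nd target is masked."""
    results = []
    for line in dump_text.splitlines():
        m = FLOW_RE.search(line)
        if not m or m["type"] not in ("135", "136"):
            continue
        # Assumption: no "/mask" after the address means an exact match.
        mask = ALL_ONES if m["mask"] is None else int(ipaddress.IPv6Address(m["mask"]))
        state = "wildcarded" if mask == 0 else "exact" if mask == ALL_ONES else "partial"
        results.append({"in_port": m["port"], "icmp_type": int(m["type"]),
                        "target": m["target"], "state": state,
                        "actions": m["actions"]})
    return results


def unenforced(dump_text):
    """Neighbor solicitation flows forwarded without matching on the ND target."""
    return [f for f in nd_target_matches(dump_text)
            if f["icmp_type"] == 135 and f["state"] == "wildcarded"
            and f["actions"] != "drop"]


if __name__ == "__main__":
    for flow in unenforced(SAMPLE):
        print("nd target not matched in datapath:", flow)
```
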