[ovs-discuss] nd_target is not working at IPv6

Andrey Ziltsov ziltsov at fastvps.ee
Mon Nov 6 12:36:45 UTC 2017


Sorry.

The answer for ICMP6 type 135 request is looks like following:

*# ovs-dpctl --more --names dump-flows filter="icmp6"*

ufid:fb335040-2772-448e-8fc3-c489754013da,
recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(bond0.6),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:00:00:00/00:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x86dd),ipv6(src=::/::,dst=::/::,label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no),icmpv6(type=135,code=0/0),nd(target=::/::,sll=00:00:00:00:00:00/00:00:00:00:00:00,tll=00:00:00:00:00:00/00:00:00:00:00:00),
packets:10, bytes:860, used:0.275s, actions:vnet1

ufid:43e8508a-1164-419a-945d-dd0d7f57d0a2,
recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(vnet1),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:00:00:00/00:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:00:00:00:00),eth_type(0x86dd),ipv6(src=::/::,dst=::/::,label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no),icmpv6(type=136,code=0/0),nd(target=::/::,sll=00:00:00:00:00:00/00:00:00:00:00:00,tll=00:00:00:00:00:00/00:00:00:00:00:00),
packets:0, bytes:0, used:never, actions:bond0.6

2017-11-06 14:31 GMT+02:00 Andrey Ziltsov <ziltsov at fastvps.ee>:

> Hallo!!!
>
> On external interface bond0.6 we have following traffic:
>
> *# tcpdump -e -nn -i bond0.6 icmp6 and ip6[40] == 135 | grep
> xxxx:xxxx:2:2::a5*
> tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
> listening on bond0.6, link-type EN10MB (Ethernet), capture size 262144
> bytes
> 13:39:28.724325 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6
> (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6,
> neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
> 13:39:29.723075 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6
> (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6,
> neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
> 13:39:30.723165 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6
> (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6,
> neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
> 13:39:31.739472 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6
> (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6,
> neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
> 13:39:32.738971 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6
> (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6,
> neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
> 13:39:33.738933 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6
> (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6,
> neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
> 13:39:34.755430 xx:xx:xx:1b:b3:67 > 33:33:ff:00:00:a5, ethertype IPv6
> (0x86dd), length 86: fe80::xxxx:xxff:fe1b:b367 > ff02::1:ff00:a5: ICMP6,
> neighbor solicitation, who has xxxx:xxxx:2:2::a5, length 32
>
> The output of "ovs-appctl ofproto/trace" have a right output port in
> datapath action:
>
> *# ovs-appctl ofproto/trace public-switch
> in_port=1,icmp6,icmpv6_type=135,nd_target=xxxx:xxxx:2:2::a5,dl_src=xx:xx:xx:1b:b3:67,dl_dst=33:33:ff:00:00:a5,ipv6_src=fe80::xxxx:xxff:fe1b:b367,ipv6_dst=ff02::1:ff00:a5*
> Flow: icmp6,in_port=1,vlan_tci=0x0000,dl_src=xx:xx:xx:1b:b3:
> 67,dl_dst=33:33:ff:00:00:a5,ipv6_src=fe80::xxxx:xxff:fe1b:
> b367,ipv6_dst=ff02::1:ff00:a5,ipv6_label=0x00000,nw_tos=0,
> nw_ecn=0,nw_ttl=0,icmp_type=135,icmp_code=0,nd_target=
> xxxx:xxxx:2:2::a5,nd_sll=00:00:00:00:00:00,nd_tll=00:00:00:00:00:00
>
> bridge("public-switch")
> -----------------------
>  0. icmp6,in_port=1,icmp_type=135, priority 10005, cookie 0x10005
>     resubmit(,2)
>  2. icmp6,icmp_type=135,nd_target=xxxx:xxxx:2:2::a5, priority 108, cookie
> 0x124994
>     output:27
>
> Final flow: unchanged
> Megaflow: recirc_id=0,eth,icmp6,in_port=1,nw_frag=no,icmp_type=0x87/
> 0xff,nd_target=xxxx:xxxx:2:2::a5
> Datapath actions: 3
>
>
> The output of "ovs-appctl dpif/show":
>
> *# ovs-appctl dpif/show*
> system at ovs-system: hit:479117438 missed:112792546
>     public-switch:
>         bond0.6 1/2: (system)
>         public-switch 65534/1: (internal)
>         vnet0 27/3: (system)
>         vnet1 28/4: (system)
>
> The configuration file of external interface bond0.6:
>
> *# cat /etc/sysconfig/network-scripts/ifcfg-bond0.6 *
> DEVICE=bond0.6
> VLAN=yes
> ONBOOT=yes
> BOOTPROTO=static
>
> TYPE="OVSPort"
> DEVICETYPE="ovs"
> OVS_BRIDGE="public-switch"
>
>
> The configuration file of openvswitch bridge public-switch:
>
> *# cat /etc/sysconfig/network-scripts/ifcfg-public-switch *
> DEVICE=public-switch
> ONBOOT=yes
> BOOTPROTO=static
>
> TYPE="OVSBridge"
> DEVICETYPE="ovs"
>
>
> For example, the answer for ICMP6 type 135 request is looks like
> following:
>
> *# ovs-dpctl --more --names dump-flows filter="icmp6"*
>
> ufid:c171538c-9800-472c-9666-253f1873f478, recirc_id(0),dp_hash(0/0),skb_
> priority(0/0),in_port(bond0.6),skb_mark(0/0),ct_state(0/0),
> ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:
> 00:00:00/00:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:
> 00:00:00:00),eth_type(0x86dd),ipv6(src=::/::,dst=::/::,
> label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no),icmpv6(
> type=135,code=0/0),nd(target=::/::,sll=00:00:00:00:00:00/00:
> 00:00:00:00:00,tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:115,
> bytes:9890, used:0.752s, actions:vnet1
>
> ufid:9b2cf37e-52c1-4874-bb9f-d21bd319c054, recirc_id(0),dp_hash(0/0),skb_
> priority(0/0),in_port(vnet1),skb_mark(0/0),ct_state(0/0),
> ct_zone(0/0),ct_mark(0/0),ct_label(0/0),eth(src=00:00:00:
> 00:00:00/00:00:00:00:00:00,dst=00:00:00:00:00:00/00:00:
> 00:00:00:00),eth_type(0x86dd),ipv6(src=::/::,dst=::/::,
> label=0/0,proto=58,tclass=0/0,hlimit=0/0,frag=no),icmpv6(
> type=136,code=0/0),nd(target=::/::,sll=00:00:00:00:00:00/00:
> 00:00:00:00:00,tll=00:00:00:00:00:00/00:00:00:00:00:00), packets:79,
> bytes:6794, used:0.760s, actions:drop
>
> If we add two flows as following:
>
>  cookie=0x1, table=3, priority=1 actions=output:"bond0.6"
>  cookie=0x10005, priority=10005,icmp6,in_port=vnet1,icmp_type=136
> actions=resubmit(,3)
>
>
> 2017-11-03 20:04 GMT+02:00 Ben Pfaff <blp at ovn.org>:
>
>> On Fri, Nov 03, 2017 at 04:18:25PM +0200, Andrey Ziltsov wrote:
>> > Hallo!!!
>> >
>> > We have a problem with flow field "nd_target" at IPv6.
>> >
>> > For example.
>> >
>> > We have two VM with virtual interfaces vnet0 and vnet1.
>> >
>> > At the bridge set fail_mode to "secure":
>> >
>> > *# ovs-vsctl list br public-switch | grep fail_mode*
>> > fail_mode           : secure
>> >
>> > The interface bond0.6 is external interface.
>> >
>> > We added only three flows for the test :
>> >
>> > *# ovs-ofctl --no-stat dump-flows public-switch --sort=priority*
>> >  cookie=0x123575, table=2, priority=1,icmp6,icmp_type=135
>> > actions=output:vnet1
>> >  cookie=0x124994, table=2,
>> > priority=108,icmp6,icmp_type=135,nd_target=XXXX:XXXX:2:2::a5
>> > actions=output:vnet0
>> >  cookie=0x10005, priority=10005,icmp6,in_port="bond0.6",icmp_type=135
>> > actions=resubmit(,2)
>> >
>> > So, all ICMP6 traffic with type 135 going on bond0.6 resubmit to table 2
>> > and the if nd_target field equals to IPv6 address XXXX:XXXX:2:2::a5 the
>> > traffic send to vnet0 (VM1 have IPv6 XXXX:XXXX:2:2::a5). All other
>> traffic
>> > should go to vnet1 (VM2).
>>
>> Hmm, that does seem wrong.  Can you try out an example packet with
>> "ovs-appctl ofproto/trace" and paste the output?
>>
>
>


-- 
Respectfully, Andrei Ziltsov
FASTVPS technical department

С уважением, Андрей Жильцов
Специалист службы поддержки FASTVPS
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.openvswitch.org/pipermail/ovs-discuss/attachments/20171106/8da1b9e3/attachment-0001.html>


More information about the discuss mailing list