[ovs-discuss] [OVN] egress ACLs on Port Groups seem broken

Daniel Alvarez Sanchez dalvarez at redhat.com
Mon Jun 18 20:43:22 UTC 2018


Hi all,

I'm writing the code to implement port groups in networking-ovn (the
OpenStack integration project with OVN). I found out that when I boot a VM,
it looks like the egress traffic (from the VM) is not working properly. The VM
port belongs to 3 Port Groups:

1. Default drop port group with the following ACLs:

_uuid               : 0b092bb2-e97b-463b-a678-8a28085e3d68
action              : drop
direction           : from-lport
external_ids        : {}
log                 : false
match               : "inport == @neutron_pg_drop && ip"
name                : []
priority            : 1001
severity            : []

_uuid               : 849ee2e0-f86e-4715-a949-cb5d93437847
action              : drop
direction           : to-lport
external_ids        : {}
log                 : false
match               : "outport == @neutron_pg_drop && ip"
name                : []
priority            : 1001
severity            : []


2. Subnet port group to allow DHCP traffic on that subnet:

_uuid               : 8360a415-b7e1-412b-95ff-15cc95059ef0
action              : allow
direction           : from-lport
external_ids        : {}
log                 : false
match               : "inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c
&& ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68
&& udp.dst == 67"
name                : []
priority            : 1002
severity            : []


3. Security group port group with the following rules:

3.1 Allow ICMP traffic:

_uuid               : d12a749f-0f75-4634-aa20-6116e1d5d26d
action              : allow-related
direction           : to-lport
external_ids        :
{"neutron:security_group_rule_id"="9675d6df-56a1-4640-9a0f-1f88e49ed2b5"}
log                 : false
match               : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4 && ip4.src == 0.0.0.0/0 && icmp4"
name                : []
priority            : 1002
severity            : []

3.2 Allow SSH traffic:

_uuid               : 05100729-816f-4a09-b15c-4759128019d4
action              : allow-related
direction           : to-lport
external_ids        :
{"neutron:security_group_rule_id"="2a48979f-8209-4fb7-b24b-fff8d82a2ae9"}
log                 : false
match               : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
name                : []
priority            : 1002
severity            : []


3.3 Allow IPv4/IPv6 traffic from this same port group:


_uuid               : b56ce66e-da6b-48be-a66e-77c8cfd6ab92
action              : allow-related
direction           : to-lport
external_ids        :
{"neutron:security_group_rule_id"="5b0a47ee-8114-4b13-8d5b-b16d31586b3b"}
log                 : false
match               : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip6 && ip6.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip6"
name                : []
priority            : 1002
severity            : []


_uuid               : 7b68f430-41b5-414d-a2ed-6c548be53dce
action              : allow-related
direction           : to-lport
external_ids        :
{"neutron:security_group_rule_id"="299bd9ca-89fb-4767-8ae9-a738e98603fb"}
log                 : false
match               : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4 && ip4.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip4"
name                : []
priority            : 1002
severity            : []


3.4 Allow all egress (VM point of view) IPv4 traffic

_uuid               : c5fbf0b7-6461-4f27-802e-b0d743be59e5
action              : allow-related
direction           : from-lport
external_ids        :
{"neutron:security_group_rule_id"="a4ffe40a-f773-41d6-bc04-40500d158f51"}
log                 : false
match               : "inport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4"
name                : []
priority            : 1002
severity            : []



So, I boot a VM using this port and I can verify that ICMP and SSH traffic
work well while the egress traffic doesn't. From the VM I curl to an
IP living in a network namespace and this is what I see with tcpdump there:

On the VM:
$ ip r get 169.254.254.169
169.254.254.169 via 10.0.0.1 dev eth0  src 10.0.0.6
$ curl 169.254.169.254

On the hypervisor (haproxy listening on 169.254.169.254:80):

$ sudo ip net e ovnmeta-0cf12eb0-fdb3-4087-98b0-9c52cafd0bdf tcpdump -i any port 80 -vvn
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size
262144 bytes
21:59:47.106883 IP (tos 0x0, ttl 64, id 61543, offset 0, flags [DF], proto
TCP (6), length 60)
    10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x851c
(correct), seq 2571046510, win 14020, options [mss 1402,sackOK,TS val
22740490 ecr 0,nop,wscale 2], length 0
21:59:47.106935 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
(6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31
(incorrect -> 0x34c0), seq 3215869181, ack 2571046511, win 28960, options
[mss 1460,sackOK,TS val 200017176 ecr 22740490,nop,wscale 7], length 0
21:59:48.105256 IP (tos 0x0, ttl 64, id 61544, offset 0, flags [DF], proto
TCP (6), length 60)
    10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x5e31
(incorrect -> 0x8422), seq 2571046510, win 14020, options [mss
1402,sackOK,TS val 22740740 ecr 0,nop,wscale 2], length 0
21:59:48.105315 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
(6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31
(incorrect -> 0x30da), seq 3215869181, ack 2571046511, win 28960, options
[mss 1460,sackOK,TS val 200018174 ecr 22740490,nop,wscale 7], length 0
21:59:49.526158 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
(6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31
(incorrect -> 0x2b4d), seq 3215869181, ack 2571046511, win 28960, options
[mss 1460,sackOK,TS val 200019595 ecr 22740490,nop,wscale 7], length 0
21:59:50.109732 IP (tos 0x0, ttl 64, id 61545, offset 0, flags [DF], proto
TCP (6), length 60)
    10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x5e31
(incorrect -> 0x822d), seq 2571046510, win 14020, options [mss
1402,sackOK,TS val 22741241 ecr 0,nop,wscale 2], length 0
21:59:50.109795 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
(6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31
(incorrect -> 0x2906), seq 3215869181, ack 2571046511, win 28960, options
[mss 1460,sackOK,TS val 200020178 ecr 22740490,nop,wscale 7], length 0
21:59:52.146800 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP
(6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31
(incorrect -> 0x2110), seq 3215869181, ack 2571046511, win 28960, options
[mss 1460,sackOK,TS val 200022216 ecr 22740490,nop,wscale 7], length 0


Logical flows table in SB database:

_uuid               : 1797e859-8c8e-4ad5-8e83-bd5f3be6da24
actions             : "next;"
external_ids        : {source="ovn-northd.c:3186", stage-hint="c5fbf0b7",
stage-name=ls_in_acl}
logical_datapath    : 0cf12eb0-fdb3-4087-98b0-9c52cafd0bdf
match               : "inport == @pg_d237185f_733f_4a09_8832_bcee773722ef
&& ip4"
pipeline            : ingress
priority            : 2002
table_id            : 6
hash                : 0


ovn-sbctl lflow-list

  table=6 (ls_in_acl          ), priority=2002 , match=(inport ==
@pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c && ip4 && ip4.dst ==
{255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68 && udp.dst == 67),
action=(next;)
  table=6 (ls_in_acl          ), priority=2002 , match=(inport ==
@pg_d237185f_733f_4a09_8832_bcee773722ef && ip4), action=(next;)
  table=6 (ls_in_acl          ), priority=2001 , match=(inport ==
@neutron_pg_drop && ip), action=(/* drop */)


These are the OpenFlow rules installed in table 14:

 cookie=0x0, duration=19223.716s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2002,udp,reg14=0x4,metadata=0x1,tp_src=68,tp_dst=67 actions=conjunction(2,1/2)
 cookie=0x0, duration=19223.716s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2002,udp,metadata=0x1,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=conjunction(2,2/2)
 cookie=0xd41e70c, duration=19223.844s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2001,ipv6,reg14=0x4,metadata=0x1 actions=drop
 cookie=0xd41e70c, duration=19223.844s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2001,ip,reg14=0x4,metadata=0x1 actions=drop


@Han, do you have any pointers as to why this could be failing?
Is there something you want me to check in this setup?


Thanks a lot,
Daniel
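As an added illustration (not code from the post, networking-ovn or OVN), this Python evaluates which of the table-14 OpenFlow flows quoted above would handle the VM's TCP SYN to the metadata proxy versus a DHCP request, honouring priority and the two dimensions of the conjunction() flows. It assumes the conj_id follow-up flow (not shown in the post) would forward the packet, and the packets are constructed from the fields those flows reference (reg14, metadata, ports).

```python
import re
from ipaddress import ip_address, ip_network
# The table-14 flows quoted in the post, rejoined onto single lines (constructed input).
FLOWS_TEXT = """\
cookie=0x0, duration=19223.716s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2002,udp,reg14=0x4,metadata=0x1,tp_src=68,tp_dst=67 actions=conjunction(2,1/2)
cookie=0x0, duration=19223.716s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2002,udp,metadata=0x1,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=conjunction(2,2/2)
cookie=0xd41e70c, duration=19223.844s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2001,ipv6,reg14=0x4,metadata=0x1 actions=drop
cookie=0xd41e70c, duration=19223.844s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2001,ip,reg14=0x4,metadata=0x1 actions=drop
"""
CONJ = re.compile(r"conjunction\((\d+),(\d+)/(\d+)\)")

def parse_flows(text):
    # Parse `ovs-ofctl dump-flows` lines; the fields before priority= are ignored.
    flows = []
    for line in text.splitlines():
        match_part, act = (s.strip() for s in line.split(" actions=", 1))
        prio, *fields = match_part[match_part.index("priority="):].split(",")
        flows.append({"priority": int(prio[9:]), "actions": act, "conj": CONJ.match(act),
                      "match": dict(tok.partition("=")[::2] for tok in fields)})
    return flows

def field_ok(key, val, pkt):
    # One match field against the packet; bare keywords such as "udp" arrive with val == "".
    if key in ("ip", "tcp", "udp"):  # IPv4 keywords; tcp/udp imply IPv4
        return pkt["ipv"] == 4 and (key == "ip" or pkt["proto"] == key)
    if key == "ipv6":
        return pkt["ipv"] == 6
    if key in ("nw_src", "nw_dst"):
        return ip_address(pkt[key]) in ip_network(val, strict=False)
    return key in pkt and pkt[key] == int(val, 0)  # reg14, metadata, tp_src/tp_dst

def matches(flow, pkt):
    return all(field_ok(k, v, pkt) for k, v in flow["match"].items())

def lookup(flows, pkt):
    """Winning (priority, action); a conjunction wins only if all n dimensions matched."""
    dims = {}  # (priority, conj_id) -> dimensions that have a matching flow
    for f in flows:
        if f["conj"] and matches(f, pkt):
            dims.setdefault((f["priority"], f["conj"][1]), set()).add(f["conj"][2])
    for f in sorted(flows, key=lambda f: -f["priority"]):
        c = f["conj"]
        if c is None and matches(f, pkt):
            return f["priority"], f["actions"]
        if c and len(dims.get((f["priority"], c[1]), ())) == int(c[3]):
            return f["priority"], "conjunction(%s)" % c[1]  # assumed: conj_id flow forwards
    return None

# Constructed packets: the VM's SYN to the metadata proxy, and a DHCP request.
VM_SYN = {"ipv": 4, "proto": "tcp", "reg14": 0x4, "metadata": 0x1,
          "nw_dst": "169.254.169.254", "tp_src": 34553, "tp_dst": 80}
DHCP = dict(VM_SYN, proto="udp", nw_dst="255.255.255.255", tp_src=68, tp_dst=67)
```

With only the four flows quoted in the post, the SYN falls through to the priority-2001 drop while the DHCP request satisfies both conjunction dimensions.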