[ovs-discuss] Recirculation context in dpdk-ovs

Lam, Tiago tiago.lam at intel.com
Tue Nov 27 17:44:45 UTC 2018 

Hi,

A few comments in-line.

On 27/11/2018 13:20, 张萌 wrote:
>          Hi,
> 
>        I`m using “ovs-appctl ofproto/trace “ to trace the flows in ovs-dpdk.
> 
>        When integrated with conntrack, the ovs rule ended in the
> table=10, which will record the ct as the flowing flow:
> 
>              
> 
> -------------------------------------------------------------------------------------------------------------------------------------
> 
> [root at zm ~]# ovs-ofctl dump-flows br0 -O openflow15 table=10
> 
> OFPST_FLOW reply (OF1.5) (xid=0x2):
> 
> cookie=0x156ad2f7efd2d389, duration=15058.242s, table=10, n_packets=0,
> n_bytes=0, priority=3000,ip,nw_frag=later actions=goto_table:20
> 
> cookie=0x156ad2f7efd2d333, duration=15058.249s, table=10, n_packets=737,
> n_bytes=72226, priority=2000,icmp
> actions=ct(table=15,zone=NXM_NX_REG6[0..15])
> 
> cookie=0x156ad2f7efd2d337, duration=15058.249s, table=10,
> n_packets=4992, n_bytes=380540, priority=2000,udp
> actions=ct(table=15,zone=NXM_NX_REG6[0..15])
> 
> cookie=0x156ad2f7efd2d367, duration=15058.245s, table=10,
> n_packets=2028037440, n_bytes=183176086711, priority=2000,tcp
> actions=ct(table=15,zone=NXM_NX_REG6[0..15])
> 
> -------------------------------------------------------------------------------------------------------------------------------------
> 
>  
> 
>  
> 
>  
> 
>        And when I mock a packet using ofproto/trace, ovs recorded the
> contrack, and prints:
> 
>  
> 
> -------------------------------------------------------------------------------------------------------------------------------------      
> 
> 
> [root@ zm ~]# ovs-appctl ofproto/trace br0
> tcp,in_port=25,nw_dst=172.19.11.6,tp_dst=320,dl_dst=fa:16:3e:03:39:5f,dl_src=fa:16:3e:e5:cb:2c              
>                
> 
> Flow:
> tcp,in_port=25,vlan_tci=0x0000,dl_src=fa:16:3e:e5:cb:2c,dl_dst=fa:16:3e:03:39:5f,nw_src=0.0.0.0,nw_dst=172.19.11.6,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=320,tcp_flags=0
> 
>  
> 
> bridge("br0")
> 
> -------------
> 
>  0. in_port=25, priority 100, cookie 0x156ad2f7efd2d4fb
> 
>     set_field:0x29->reg5
> 
>     set_field:0x19->reg6
> 
>     write_metadata:0x2900000001
> 
>     goto_table:5
> 
>  5. ip,in_port=25,dl_src=fa:16:3e:e5:cb:2c, priority 100, cookie
> 0x156ad2f7efd2d51f
> 
>     goto_table:10
> 
> 10. tcp, priority 2000, cookie 0x156ad2f7efd2d367
> 
>     ct(table=15,zone=NXM_NX_REG6[0..15])
> 
>     drop
> 
>  
> 
> Final flow:
> tcp,reg5=0x29,reg6=0x19,metadata=0x2900000001,in_port=25,vlan_tci=0x0000,dl_src=fa:16:3e:e5:cb:2c,dl_dst=fa:16:3e:03:39:5f,nw_src=0.0.0.0,nw_dst=172.19.11.6,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=320,tcp_flags=0
> 
> Megaflow:
> recirc_id=0,tcp,in_port=25,dl_src=fa:16:3e:e5:cb:2c,nw_dst=172.0.0.0/6,nw_frag=no
> 
> Datapath actions: ct(zone=25),recirc(0x4123)   
> 
> -------------------------------------------------------------------------------------------------------------------------------------
> 
>  
> 
>        Bug when I set the recirc_id in the flow, ovs puts:
> 
> -------------------------------------------------------------------------------------------------------------------------------------
> 
> [root at zm ~]# ovs-appctl ofproto/trace br0
> recirc_id=0x4123,ct_state=new,tcp,in_port=25,nw_dst=172.19.11.6,tp_dst=320,dl_dst=fa:16:3e:03:39:5f,dl_src=fa:16:3e:e5:cb:2c
> 
> Flow:
> recirc_id=0x4123,ct_state=new,tcp,in_port=25,vlan_tci=0x0000,dl_src=fa:16:3e:e5:cb:2c,dl_dst=fa:16:3e:03:39:5f,nw_src=0.0.0.0,nw_dst=172.19.11.6,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=0,tp_dst=320,tcp_flags=0
> 
>  
> 
> bridge("br0")
> 
> -------------
> 
>      >>>> Recirculation context not found for ID 4123 <<<<
> 
>  
> 
> Final flow: unchanged
> 
> Megaflow: recirc_id=0x4123,ip,in_port=25,nw_frag=no
> 
> Datapath actions: drop
> 
> Translation failed (No recirculation context), packet is dropped.
> 

I believe you're getting the above message because by the time you issue
the command the re-circulation context is already gone.

>  
> 
> -------------------------------------------------------------------------------------------------------------------------------------
> 
>  
> 
>        And when dump the contracks in ovs:
> 
> -------------------------------------------------------------------------------------------------------------------------------------
> 
>              
> 
> [root at A04-R08-I137-204-9320C72 ~]# ovs-dpctl dump-conntrack ovs-netdev 
> 
> 2018-11-27T05:01:30Z|00001|dpif_netlink|WARN|Generic Netlink family
> 'ovs_datapath' does not exist. The Open vSwitch kernel module is
> probably not loaded.
> 
> ovs-dpctl: opening datapath (No such file or directory)
> 

Use the one below instead. That should give you more information

$ovs-appctl dpctl/dump-conntrack

> -------------------------------------------------------------------------------------------------------------------------------------
> 
>  
> 
>        Can anyone tells how to mock a packet can pass the ct in dpdk-ovs
> 

What are you trying to do? Your first mocked packet above is already
passing into the ct() action and being dropped. Your flow above:

> priority=2000,tcp actions=ct(table=15,zone=NXM_NX_REG6[0..15])
Is saying that the traffic, in order to be allowed in, must match the
zone defined in "NXM_NX_REG6[0..15]" (according to ofproto/trace that
seems to be 25). Is reg6 being set to 25 before hand?

The following guide is a good one to get started on such issues:
https://docs.openstack.org/neutron/pike/contributor/internals/openvswitch_firewall.html#rules-example-with-explanation

Hope this helps,

Tiago.

More information about the discuss mailing list