[ovs-discuss] [OVN] Vlan transparency issue

Slawek Kaplonski skaplons at redhat.com
Fri Dec 18 13:05:38 UTC 2020


Some time ago, Ihar made a patch [1] which allows Neutron to use transparency vlan
networks with the OVN backend.
This works fine in most cases, but we found out that it's not working when
port_security is enabled in Neutron (so conntrack is used) and a Neutron vlan
network is used. So effectively we have vlan in vlan in such a case
coming to the compute node.
In that case, when we ping vm1 -> vm2, icmp requests are properly delivered to vm2
but replies are dropped in br-int due to the rule:

    cookie=0x1a1c569, duration=1421.304s, table=15, n_packets=1007, n_bytes=102714, priority=65535,ct_state=+inv+trk,metadata=0x3 actions=drop

With Daniel we spent some time investigating why packets are treated as invalid
in conntrack and our understanding is that for some reason incoming packets
(icmp request from vm1 -> vm2) don't match the rule:

    cookie=0x93de161, duration=1524.892s, table=41, n_packets=0, n_bytes=0, priority=100,ip,metadata=0x3 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,42)
which corresponds to the logical flow:
    uuid=0x093de161, table=1 (ls_out_pre_acl     ), priority=100  , match=(ip), action=(reg0[0] = 1; next;)

and then it also doesn't match the rules:
    cookie=0x619723d4, duration=1559.433s, table=42, n_packets=0, n_bytes=0, priority=100,ip,reg0=0x1/0x1,metadata=0x3 actions=ct(table=43,zone=NXM_NX_REG13[0..15])
Logical Flow:
    uuid=0x619723d4, table=2 (ls_out_pre_stateful), priority=100  , match=(reg0[0] == 1), action=(ct_next;)

    cookie=0x835ca96b, duration=1576.728s, table=48, n_packets=0, n_bytes=0, priority=100,ip,reg0=0x2/0x2,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0])),resubmit(,49)
Logical Flow:
    uuid=0x835ca96b, table=8 (ls_out_stateful    ), priority=100  , match=(reg0[1] == 1), action=(ct_commit { ct_label.blocked = 0; }; next;)

As a result of that, a conntrack entry isn't created, so the reply is treated as
an invalid conntrack packet.

From the Neutron perspective, such vlan tagged packets should just be passed to the
VM without any SG filtering, but I don't know what is wrong or what we are
missing in those rules to do it.

[1] https://patchwork.ozlabs.org/project/ovn/patch/20201110023449.194642-1-ihrachys@redhat.com/

Slawek Kaplonski
Principal Software Engineer
Red Hat
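
A troubleshooting aid for the symptom described in the message above, added here as an example and not part of the original post or of OVN/Neutron code: it parses the four flow lines quoted in the message (the format `ovs-ofctl dump-flows` prints) and, per datapath (`metadata`), pairs `+inv` drop flows that have packet hits with `ip`-matching flows that were never hit. The function names and the report layout are assumptions of this example.

```python
import re

# Flow lines copied from the message above, in ovs-ofctl dump-flows format.
SAMPLE = """\
cookie=0x1a1c569, duration=1421.304s, table=15, n_packets=1007, n_bytes=102714, priority=65535,ct_state=+inv+trk,metadata=0x3 actions=drop
cookie=0x93de161, duration=1524.892s, table=41, n_packets=0, n_bytes=0, priority=100,ip,metadata=0x3 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,42)
cookie=0x619723d4, duration=1559.433s, table=42, n_packets=0, n_bytes=0, priority=100,ip,reg0=0x1/0x1,metadata=0x3 actions=ct(table=43,zone=NXM_NX_REG13[0..15])
cookie=0x835ca96b, duration=1576.728s, table=48, n_packets=0, n_bytes=0, priority=100,ip,reg0=0x2/0x2,metadata=0x3 actions=ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0])),resubmit(,49)
"""

STATS = {"cookie", "duration", "table", "n_packets", "n_bytes", "priority"}

def parse_flow(line):
    """Split one dump-flows line into stats, match fields and the action string."""
    head, _, actions = line.strip().partition(" actions=")
    flow = {"match": {}, "actions": actions}
    for token in re.split(r",\s*", head):
        key, sep, value = token.partition("=")
        if key in STATS:
            flow[key] = value
        else:
            # Bare protocol keywords such as "ip" carry no value.
            flow["match"][key] = value if sep else True
    flow["table"] = int(flow["table"])
    flow["n_packets"] = int(flow["n_packets"])
    return flow

def diagnose(dump):
    """Per datapath, pair hit +inv drop flows with ip flows that were never hit."""
    flows = [parse_flow(l) for l in dump.splitlines() if " actions=" in l]
    report = {}
    for drop in flows:
        ct_state = drop["match"].get("ct_state", "")
        if drop["actions"] != "drop" or "+inv" not in ct_state or not drop["n_packets"]:
            continue
        datapath = drop["match"].get("metadata")
        idle = sorted(f["table"] for f in flows
                      if f["match"].get("metadata") == datapath
                      and f["match"].get("ip") and f["n_packets"] == 0)
        entry = report.setdefault(datapath, {"inv_dropped": 0, "idle_ip_tables": idle})
        entry["inv_dropped"] += drop["n_packets"]
    return report

if __name__ == "__main__":
    for datapath, entry in diagnose(SAMPLE).items():
        print(datapath, entry)
```

A datapath that shows both a non-zero `inv_dropped` count and idle `ip` tables matches the situation in the message: the pre-ACL and stateful flows that should send traffic through conntrack never fired, while the invalid-state drop did.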
