[ovs-discuss] OVN duplicate records in conntrack with lsp type vtep

Odintsov Vladislav VlOdintsov at croc.ru
Mon Feb 3 17:19:14 UTC 2020


Hello all,

I see strange behaviour with stateful ACLs when traffic is received from a logical port with type "vtep".

There are identical conntrack records in different zones (0 and 9 in my example).

While pinging I dumped DP flows and found that the packet goes through conntrack twice:

  1.  actions:ct,recirc(0x516b)
  2.  actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)


ovs-dpctl dump-flows:

recirc_id(0),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),eth(src=00:00:00:00:00:00/01:00:00:00:00:00),eth_type(0x0800),ipv4(proto=1,frag=no),icmp(type=8/0xf8), packets:0, bytes:0, used:never, actions:ct,recirc(0x516b)

recirc_id(0x516b),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=0a:00:7b:2c:66:00),eth_type(0x0800),ipv4(proto=1,frag=no),icmp(type=8/0xf8), packets:0, bytes:0, used:never, actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)

recirc_id(0x5085),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=0a:00:7b:2c:66:00),eth_type(0x0800),ipv4(dst=172.31.0.5,proto=1,frag=no), packets:784, bytes:76832, used:0.078s, actions:ct(commit,zone=9,label=0/0x1),6

[root at dev ~]# grep 172.31.0 /proc/net/nf_conntrack
ipv4     2 icmp     1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=9 use=2
ipv4     2 icmp     1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=0 use=2


This VIF belongs to two port_groups with ACLs:

[root at dev ~]# ovn-nbctl acl-list sg_35342377
from-lport  1002 (inport == @sg_35342377 && ip4 && ip4.dst == 0.0.0.0/0) allow-related
  to-lport  1002 (outport == @sg_35342377 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22) allow-related
  to-lport  1002 (outport == @sg_35342377 && ip4 && ip4.src == 10.0.0.1/32 && icmp4) allow-related
  to-lport  1002 (outport == @sg_35342377 && ip4 && ip4.src == 192.168.0.4/32 && icmp4) allow-related
[root at dev ~]# ovn-nbctl acl-list default_pg
from-lport  1002 (inport == @default_pg && ip4 && ip4.dst == 169.254.169.254 && tcp && tcp.dst == 80) allow-related
from-lport  1002 (inport == @default_pg && ip4 && udp && udp.src == 68 && udp.dst == 67) allow
from-lport  1001 (inport == @default_pg && ip) drop
  to-lport  1002 (outport == @default_pg && ip4 && udp && udp.src == 67 && udp.dst == 68) allow
  to-lport  1001 (outport == @default_pg && ip) drop

Is this behaviour expected/correct for such configuration?

You can find the traces below.



Flow: recirc_id=0x53bb,ct_state=new|trk,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0



bridge("br-int")

----------------

thaw

Resuming from table 14

14. ct_state=-est+trk,ip,metadata=0x1, priority 1, cookie 0xa498a95b

load:0x1->NXM_NX_XXREG0[97]

resubmit(,15)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=6 (ls_in_acl), priority=1, match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), actions=(reg0[1] = 1; next;)

15. metadata=0x1, priority 0, cookie 0x693e7563

resubmit(,16)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=7 (ls_in_qos_mark), priority=0, match=(1), actions=(next;)

16. metadata=0x1, priority 0, cookie 0x80ca7fc4

resubmit(,17)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=8 (ls_in_qos_meter), priority=0, match=(1), actions=(next;)

17. metadata=0x1, priority 0, cookie 0x3b1204f6

resubmit(,18)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=9 (ls_in_lb), priority=0, match=(1), actions=(next;)

18. ip,reg0=0x2/0x2,metadata=0x1, priority 100, cookie 0x8002c806

ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0]))

load:0->NXM_NX_CT_LABEL[0]

-> Sets the packet to an untracked state, and clears all the conntrack fields.

resubmit(,19)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=10 (ls_in_stateful), priority=100, match=(reg0[1] == 1), actions=(ct_commit(ct_label=0/1); next;)

19. reg14=0x6,metadata=0x1, priority 100, cookie 0xc776ec32

resubmit(,20)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=11 (ls_in_arp_rsp), priority=100, match=(inport == "vnet2-br0-eth1-vlan10), actions=(next;)

20. metadata=0x1, priority 0, cookie 0xa54585b2

resubmit(,21)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=12 (ls_in_dhcp_options), priority=0, match=(1), actions=(next;)

21. metadata=0x1, priority 0, cookie 0x84fcc739

resubmit(,22)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=13 (ls_in_dhcp_response), priority=0, match=(1), actions=(next;)

22. metadata=0x1, priority 0, cookie 0x52f7d494

resubmit(,23)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=14 (ls_in_dns_lookup), priority=0, match=(1), actions=(next;)

23. metadata=0x1, priority 0, cookie 0x9b28ff8e

resubmit(,24)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=15 (ls_in_dns_response), priority=0, match=(1), actions=(next;)

24. metadata=0x1, priority 0, cookie 0x861b6f52

resubmit(,25)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=16 (ls_in_external_port), priority=0, match=(1), actions=(next;)

25. metadata=0x1,dl_dst=0a:00:7b:2c:66:00, priority 50, cookie 0x2b4193f

set_field:0x8->reg15

resubmit(,32)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]

  * Logical flow: table=17 (ls_in_l2_lkup), priority=50, match=(eth.dst == 0a:00:7b:2c:66:00), actions=(outport = "vnet2-9407C6A0-vif0"; output;)

32. reg10=0x2/0x2, priority 150

resubmit(,33)

33. reg15=0x8,metadata=0x1, priority 100

set_field:0x9->reg13

set_field:0x6->reg11

set_field:0xe->reg12

resubmit(,34)

34. priority 0

set_field:0->reg0

set_field:0->reg1

set_field:0->reg2

set_field:0->reg3

set_field:0->reg4

set_field:0->reg5

set_field:0->reg6

set_field:0->reg7

set_field:0->reg8

set_field:0->reg9

resubmit(,40)

40. metadata=0x1, priority 0, cookie 0x76dab24b

resubmit(,41)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=0 (ls_out_pre_lb), priority=0, match=(1), actions=(next;)

41. ip,metadata=0x1, priority 100, cookie 0x41b2b9d8

load:0x1->NXM_NX_XXREG0[96]

resubmit(,42)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=1 (ls_out_pre_acl), priority=100, match=(ip), actions=(reg0[0] = 1; next;)

42. ip,reg0=0x1/0x1,metadata=0x1, priority 100, cookie 0xa2599d7c

ct(table=43,zone=NXM_NX_REG13[0..15])

drop

-> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 43.

-> Sets the packet to an untracked state, and clears all the conntrack fields.

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=2 (ls_out_pre_stateful), priority=100, match=(reg0[0] == 1), actions=(ct_next;)



Final flow: recirc_id=0x53bb,eth,icmp,reg0=0x1,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0

Megaflow: recirc_id=0x53bb,ct_state=+new-est-rel-rpl-inv+trk,ct_label=0/0x1,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_tos=0,tun_flags=-df-csum+key,in_port=85,dl_dst=0a:00:7b:2c:66:00,nw_frag=no,icmp_type=0x8/0xf8

Datapath actions: ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)



===============================================================================

recirc(0x5085) - resume conntrack with default ct_state=trk|new (use --ct-next to customize)

===============================================================================



Flow: recirc_id=0x5085,ct_state=new|trk,ct_zone=9,eth,icmp,reg0=0x1,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0



bridge("br-int")

----------------

thaw

Resuming from table 43

43. metadata=0x1, priority 0, cookie 0x325bbfe9

resubmit(,44)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=3 (ls_out_lb), priority=0, match=(1), actions=(next;)

44. ct_state=+new-est+trk,icmp,reg15=0x8,metadata=0x1, priority 2002, cookie 0x965c0004

load:0x1->NXM_NX_XXREG0[97]

resubmit(,45)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=4 (ls_out_acl), priority=2002, match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @sg_9AB2C278 && ip4 && ip4.src == 0.0.0.0/0 && icmp4)), actions=(reg0[1] = 1; next;)

    * ACL: to-lport, priority=1002, match=(outport == @sg_9AB2C278 && ip4 && ip4.src == 0.0.0.0/0 && icmp4), allow-related

45. metadata=0x1, priority 0, cookie 0x263a710f

resubmit(,46)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=5 (ls_out_qos_mark), priority=0, match=(1), actions=(next;)

46. metadata=0x1, priority 0, cookie 0xea0ef852

resubmit(,47)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=6 (ls_out_qos_meter), priority=0, match=(1), actions=(next;)

47. ip,reg0=0x2/0x2,metadata=0x1, priority 100, cookie 0x27a0a760

ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0]))

load:0->NXM_NX_CT_LABEL[0]

-> Sets the packet to an untracked state, and clears all the conntrack fields.

resubmit(,48)

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=7 (ls_out_stateful), priority=100, match=(reg0[1] == 1), actions=(ct_commit(ct_label=0/1); next;)

48. ip,reg15=0x8,metadata=0x1,dl_dst=0a:00:7b:2c:66:00, priority 80, cookie 0xbf0b3744

drop

  * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]

  * Logical flow: table=8 (ls_out_port_sec_ip), priority=80, match=(outport == "vnet2-9407C6A0-vif0" && eth.dst == 0a:00:7b:2c:66:00 && ip), actions=(drop;)



Final flow: recirc_id=0x5085,eth,icmp,reg0=0x3,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0

Megaflow: recirc_id=0x5085,ct_state=+new-est-rel-rpl-inv+trk,ct_label=0/0x1,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_tos=0,tun_flags=-df-csum+key,in_port=85,dl_dst=0a:00:7b:2c:66:00,nw_dst=0.0.0.0/1,nw_frag=no

Datapath actions: ct(commit,zone=9,label=0/0x1)



Regards,

Vladislav Odintsov
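As an added diagnostic example (not part of the original post, and not OVS/OVN project code), the script below automates the two checks the post does by hand: it parses /proc/net/nf_conntrack lines and reports any connection tuple that appears in more than one conntrack zone, and it scans the actions of ovs-dpctl dump-flows lines for ct actions that carry no zone= argument (which is what puts the extra copy into the default zone 0). The sample inputs are constructed from the lines quoted in the post plus one made-up TCP entry; the function and constant names are the example's own.

```python
"""Spot duplicate conntrack entries across zones and zone-less ct() datapath actions."""
import re
from collections import defaultdict

# Constructed sample: the two nf_conntrack lines from the post plus a made-up TCP entry
# that lives in a single zone (so it must NOT be reported).
SAMPLE_CONNTRACK = """\
ipv4     2 icmp     1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=9 use=2
ipv4     2 icmp     1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=0 use=2
ipv4     2 tcp      6 431999 ESTABLISHED src=10.0.0.2 dst=10.0.0.3 sport=41234 dport=22 src=10.0.0.3 dst=10.0.0.2 sport=22 dport=41234 [ASSURED] mark=0 zone=9 use=1
"""

# Constructed sample: the actions of the three dump-flows lines from the post.
SAMPLE_DP_FLOWS = [
    "recirc_id(0),in_port(13),eth_type(0x0800),ipv4(proto=1,frag=no), packets:0, actions:ct,recirc(0x516b)",
    "recirc_id(0x516b),in_port(13),ct_state(+new-est-rel-rpl-inv+trk), packets:0, actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)",
    "recirc_id(0x5085),in_port(13),ct_state(+new-est-rel-rpl-inv+trk), packets:784, actions:ct(commit,zone=9,label=0/0x1),6",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
TUPLE_KEYS = ("src", "dst", "sport", "dport", "type", "code", "id")


def parse_conntrack_line(line):
    """Return (protocol, original-direction tuple, zone) for one nf_conntrack line."""
    proto = line.split()[2]
    orig = {}
    zone = 0  # entries without an explicit zone= belong to the default zone 0
    for key, value in KV_RE.findall(line):
        if key == "zone":
            zone = int(value)
        elif key not in orig:  # first occurrence of src/dst/... is the original direction
            orig[key] = value
    orig_tuple = tuple((k, orig[k]) for k in TUPLE_KEYS if k in orig)
    return proto, orig_tuple, zone


def find_cross_zone_duplicates(text):
    """Map every (proto, tuple) that exists in more than one zone to its sorted zone list."""
    zones = defaultdict(set)
    for line in text.splitlines():
        if line.strip():
            proto, orig_tuple, zone = parse_conntrack_line(line)
            zones[(proto, orig_tuple)].add(zone)
    return {k: sorted(v) for k, v in zones.items() if len(v) > 1}


def split_ct_actions(actions):
    """Return each ct action (with balanced parentheses) from a datapath actions string."""
    out, i = [], 0
    while True:
        j = actions.find("ct", i)
        if j < 0:
            break
        k = j + 2
        before_is_word = j > 0 and (actions[j - 1].isalnum() or actions[j - 1] == "_")
        after_is_word = k < len(actions) and (actions[k].isalnum() or actions[k] == "_")
        if before_is_word or after_is_word:  # part of a longer token such as ct_state
            i = k
            continue
        if k < len(actions) and actions[k] == "(":  # consume the balanced argument list
            depth = 0
            while k < len(actions):
                depth += actions[k] == "("
                depth -= actions[k] == ")"
                k += 1
                if depth == 0:
                    break
        out.append(actions[j:k])
        i = k
    return out


def ct_actions_without_zone(dp_flow):
    """List the ct actions of one dump-flows line that run in the default zone (no zone=)."""
    actions = dp_flow.split("actions:", 1)[1]
    return [a for a in split_ct_actions(actions) if "zone=" not in a]


if __name__ == "__main__":
    for key, zones in find_cross_zone_duplicates(SAMPLE_CONNTRACK).items():
        print("duplicate across zones", zones, ":", key)
    for flow in SAMPLE_DP_FLOWS:
        for act in ct_actions_without_zone(flow):
            print("zone-less ct action", repr(act), "in", flow.split(",", 1)[0])
```

Run against a live host, feed it the output of `cat /proc/net/nf_conntrack` and `ovs-dpctl dump-flows`; a tuple reported in two zones together with a zone-less `ct` or `ct(commit,...)` in the flow that handles the same recirc chain is the signature of the double pass described above.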