[ovs-discuss] OVN duplicate records in conntrack with lsp type vtep
Odintsov Vladislav
VlOdintsov at croc.ru
Mon Feb 3 17:19:14 UTC 2020
Hello all,
I see strange behaviour with stateful ACLs when the traffic is received from a logical port with type “vtep”.
There are the same conntrack records in different zones (0 and 9 in my example).
While pinging I dumped DP flows and found that the packet goes through conntrack twice:
1. actions:ct,recirc(0x516b)
2. actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)
ovs-dpctl dump-flows:
recirc_id(0),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),eth(src=00:00:00:00:00:00/01:00:00:00:00:00),eth_type(0x0800),ipv4(proto=1,frag=no),icmp(type=8/0xf8), packets:0, bytes:0, used:never, actions:ct,recirc(0x516b)
recirc_id(0x516b),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=0a:00:7b:2c:66:00),eth_type(0x0800),ipv4(proto=1,frag=no),icmp(type=8/0xf8), packets:0, bytes:0, used:never, actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)
recirc_id(0x5085),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=0a:00:7b:2c:66:00),eth_type(0x0800),ipv4(dst=172.31.0.5,proto=1,frag=no), packets:784, bytes:76832, used:0.078s, actions:ct(commit,zone=9,label=0/0x1),6
[root at dev ~]# grep 172.31.0 /proc/net/nf_conntrack
ipv4 2 icmp 1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=9 use=2
ipv4 2 icmp 1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=0 use=2
This VIF belongs to two port_groups with ACLs:
[root at dev ~]# ovn-nbctl acl-list sg_35342377
from-lport 1002 (inport == @sg_35342377 && ip4 && ip4.dst == 0.0.0.0/0) allow-related
to-lport 1002 (outport == @sg_35342377 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22) allow-related
to-lport 1002 (outport == @sg_35342377 && ip4 && ip4.src == 10.0.0.1/32 && icmp4) allow-related
to-lport 1002 (outport == @sg_35342377 && ip4 && ip4.src == 192.168.0.4/32 && icmp4) allow-related
[root at dev ~]# ovn-nbctl acl-list default_pg
from-lport 1002 (inport == @default_pg && ip4 && ip4.dst == 169.254.169.254 && tcp && tcp.dst == 80) allow-related
from-lport 1002 (inport == @default_pg && ip4 && udp && udp.src == 68 && udp.dst == 67) allow
from-lport 1001 (inport == @default_pg && ip) drop
to-lport 1002 (outport == @default_pg && ip4 && udp && udp.src == 67 && udp.dst == 68) allow
to-lport 1001 (outport == @default_pg && ip) drop
Is this behaviour expected/correct for such a configuration?
You can find the traces below.
Flow: recirc_id=0x53bb,ct_state=new|trk,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0
bridge("br-int")
----------------
thaw
Resuming from table 14
14. ct_state=-est+trk,ip,metadata=0x1, priority 1, cookie 0xa498a95b
load:0x1->NXM_NX_XXREG0[97]
resubmit(,15)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=6 (ls_in_acl), priority=1, match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), actions=(reg0[1] = 1; next;)
15. metadata=0x1, priority 0, cookie 0x693e7563
resubmit(,16)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=7 (ls_in_qos_mark), priority=0, match=(1), actions=(next;)
16. metadata=0x1, priority 0, cookie 0x80ca7fc4
resubmit(,17)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=8 (ls_in_qos_meter), priority=0, match=(1), actions=(next;)
17. metadata=0x1, priority 0, cookie 0x3b1204f6
resubmit(,18)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=9 (ls_in_lb), priority=0, match=(1), actions=(next;)
18. ip,reg0=0x2/0x2,metadata=0x1, priority 100, cookie 0x8002c806
ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0]))
load:0->NXM_NX_CT_LABEL[0]
-> Sets the packet to an untracked state, and clears all the conntrack fields.
resubmit(,19)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=10 (ls_in_stateful), priority=100, match=(reg0[1] == 1), actions=(ct_commit(ct_label=0/1); next;)
19. reg14=0x6,metadata=0x1, priority 100, cookie 0xc776ec32
resubmit(,20)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=11 (ls_in_arp_rsp), priority=100, match=(inport == "vnet2-br0-eth1-vlan10), actions=(next;)
20. metadata=0x1, priority 0, cookie 0xa54585b2
resubmit(,21)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=12 (ls_in_dhcp_options), priority=0, match=(1), actions=(next;)
21. metadata=0x1, priority 0, cookie 0x84fcc739
resubmit(,22)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=13 (ls_in_dhcp_response), priority=0, match=(1), actions=(next;)
22. metadata=0x1, priority 0, cookie 0x52f7d494
resubmit(,23)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=14 (ls_in_dns_lookup), priority=0, match=(1), actions=(next;)
23. metadata=0x1, priority 0, cookie 0x9b28ff8e
resubmit(,24)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=15 (ls_in_dns_response), priority=0, match=(1), actions=(next;)
24. metadata=0x1, priority 0, cookie 0x861b6f52
resubmit(,25)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=16 (ls_in_external_port), priority=0, match=(1), actions=(next;)
25. metadata=0x1,dl_dst=0a:00:7b:2c:66:00, priority 50, cookie 0x2b4193f
set_field:0x8->reg15
resubmit(,32)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
* Logical flow: table=17 (ls_in_l2_lkup), priority=50, match=(eth.dst == 0a:00:7b:2c:66:00), actions=(outport = "vnet2-9407C6A0-vif0"; output;)
32. reg10=0x2/0x2, priority 150
resubmit(,33)
33. reg15=0x8,metadata=0x1, priority 100
set_field:0x9->reg13
set_field:0x6->reg11
set_field:0xe->reg12
resubmit(,34)
34. priority 0
set_field:0->reg0
set_field:0->reg1
set_field:0->reg2
set_field:0->reg3
set_field:0->reg4
set_field:0->reg5
set_field:0->reg6
set_field:0->reg7
set_field:0->reg8
set_field:0->reg9
resubmit(,40)
40. metadata=0x1, priority 0, cookie 0x76dab24b
resubmit(,41)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=0 (ls_out_pre_lb), priority=0, match=(1), actions=(next;)
41. ip,metadata=0x1, priority 100, cookie 0x41b2b9d8
load:0x1->NXM_NX_XXREG0[96]
resubmit(,42)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=1 (ls_out_pre_acl), priority=100, match=(ip), actions=(reg0[0] = 1; next;)
42. ip,reg0=0x1/0x1,metadata=0x1, priority 100, cookie 0xa2599d7c
ct(table=43,zone=NXM_NX_REG13[0..15])
drop
-> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 43.
-> Sets the packet to an untracked state, and clears all the conntrack fields.
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=2 (ls_out_pre_stateful), priority=100, match=(reg0[0] == 1), actions=(ct_next;)
Final flow: recirc_id=0x53bb,eth,icmp,reg0=0x1,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0
Megaflow: recirc_id=0x53bb,ct_state=+new-est-rel-rpl-inv+trk,ct_label=0/0x1,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_tos=0,tun_flags=-df-csum+key,in_port=85,dl_dst=0a:00:7b:2c:66:00,nw_frag=no,icmp_type=0x8/0xf8
Datapath actions: ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)
===============================================================================
recirc(0x5085) - resume conntrack with default ct_state=trk|new (use --ct-next to customize)
===============================================================================
Flow: recirc_id=0x5085,ct_state=new|trk,ct_zone=9,eth,icmp,reg0=0x1,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0
bridge("br-int")
----------------
thaw
Resuming from table 43
43. metadata=0x1, priority 0, cookie 0x325bbfe9
resubmit(,44)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=3 (ls_out_lb), priority=0, match=(1), actions=(next;)
44. ct_state=+new-est+trk,icmp,reg15=0x8,metadata=0x1, priority 2002, cookie 0x965c0004
load:0x1->NXM_NX_XXREG0[97]
resubmit(,45)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=4 (ls_out_acl), priority=2002, match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @sg_9AB2C278 && ip4 && ip4.src == 0.0.0.0/0 && icmp4)), actions=(reg0[1] = 1; next;)
* ACL: to-lport, priority=1002, match=(outport == @sg_9AB2C278 && ip4 && ip4.src == 0.0.0.0/0 && icmp4), allow-related
45. metadata=0x1, priority 0, cookie 0x263a710f
resubmit(,46)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=5 (ls_out_qos_mark), priority=0, match=(1), actions=(next;)
46. metadata=0x1, priority 0, cookie 0xea0ef852
resubmit(,47)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=6 (ls_out_qos_meter), priority=0, match=(1), actions=(next;)
47. ip,reg0=0x2/0x2,metadata=0x1, priority 100, cookie 0x27a0a760
ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0]))
load:0->NXM_NX_CT_LABEL[0]
-> Sets the packet to an untracked state, and clears all the conntrack fields.
resubmit(,48)
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=7 (ls_out_stateful), priority=100, match=(reg0[1] == 1), actions=(ct_commit(ct_label=0/1); next;)
48. ip,reg15=0x8,metadata=0x1,dl_dst=0a:00:7b:2c:66:00, priority 80, cookie 0xbf0b3744
drop
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
* Logical flow: table=8 (ls_out_port_sec_ip), priority=80, match=(outport == "vnet2-9407C6A0-vif0" && eth.dst == 0a:00:7b:2c:66:00 && ip), actions=(drop;)
Final flow: recirc_id=0x5085,eth,icmp,reg0=0x3,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0
Megaflow: recirc_id=0x5085,ct_state=+new-est-rel-rpl-inv+trk,ct_label=0/0x1,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_tos=0,tun_flags=-df-csum+key,in_port=85,dl_dst=0a:00:7b:2c:66:00,nw_dst=0.0.0.0/1,nw_frag=no
Datapath actions: ct(commit,zone=9,label=0/0x1)
Regards,
Vladislav Odintsov
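The following script is an added example, not part of the post and not OVS/OVN code. It walks the recirculation chain in the `ovs-dpctl dump-flows` output above (recirc_id(0) -> recirc(0x516b) -> recirc(0x5085)), lists every datapath `ct` action together with the zone it acts in, and groups `/proc/net/nf_conntrack` entries that share an original-direction tuple but live in different zones. The one assumption it makes is the OVS datapath rule that a `ct` action without `zone=` operates in zone 0; the sample inputs are the post's own lines (the dump-flows match fields are abridged). On those lines it reports commits into zone 0 and zone 9, which is exactly the pair of entries seen in nf_conntrack.

```python
import re
from collections import defaultdict

# Constructed sample input, abridged from the post's 'ovs-dpctl dump-flows' output.
DUMP_FLOWS_SAMPLE = """\
recirc_id(0),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),eth_type(0x0800),ipv4(proto=1,frag=no), packets:0, bytes:0, used:never, actions:ct,recirc(0x516b)
recirc_id(0x516b),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),ipv4(proto=1,frag=no), packets:0, bytes:0, used:never, actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)
recirc_id(0x5085),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),ipv4(dst=172.31.0.5,proto=1,frag=no), packets:784, bytes:76832, used:0.078s, actions:ct(commit,zone=9,label=0/0x1),6
"""

# Constructed sample input, copied from the post's /proc/net/nf_conntrack grep.
NF_CONNTRACK_SAMPLE = """\
ipv4 2 icmp 1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=9 use=2
ipv4 2 icmp 1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=0 use=2
"""

FLOW_RE = re.compile(r"^recirc_id\(([^)]+)\).*?actions:(.*)$")
TUPLE_KEYS = {"src", "dst", "sport", "dport", "type", "code", "id"}


def split_actions(actions):
    """Split a datapath action list on top-level commas, keeping nested parens intact."""
    out, cur, depth = [], "", 0
    for ch in actions:
        depth += (ch == "(") - (ch == ")")
        if ch == "," and depth == 0:
            out.append(cur)
            cur = ""
        else:
            cur += ch
    if cur:
        out.append(cur)
    return out


def ct_actions(actions):
    """Return (zone, commit) for every ct action; a ct without zone= acts in zone 0 (assumption stated above)."""
    steps = []
    for act in split_actions(actions):
        if act != "ct" and not act.startswith("ct("):
            continue
        args = split_actions(act[3:-1]) if act.startswith("ct(") else []
        zone = 0
        for a in args:
            if a.startswith("zone="):
                zone = int(a[len("zone="):], 0)  # datapath zones are numeric
        steps.append((zone, "commit" in args))
    return steps


def follow_recirc_chain(dump_flows_text, start=0):
    """Walk recirc_id(N) flows from 'start' via recirc(M) actions; return all ct steps in order."""
    flows = {}
    for line in dump_flows_text.splitlines():
        m = FLOW_RE.match(line.strip())
        if m:
            flows[int(m.group(1), 0)] = m.group(2).strip()
    steps, rid, seen = [], start, set()
    while rid in flows and rid not in seen:  # 'seen' guards against a recirc loop
        seen.add(rid)
        acts = flows[rid]
        steps.extend(ct_actions(acts))
        nxt = [a for a in split_actions(acts) if a.startswith("recirc(")]
        if not nxt:
            break
        rid = int(nxt[-1][len("recirc("):-1], 0)
    return steps


def committed_zones(dump_flows_text):
    """Zones that receive a ct(commit...) somewhere along the recirculation chain."""
    return sorted({zone for zone, commit in follow_recirc_chain(dump_flows_text) if commit})


def parse_nf_conntrack(text):
    """Parse /proc/net/nf_conntrack lines into (proto, original-direction tuple, zone)."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        orig, reply, meta = {}, {}, {}
        for tok in parts[3:]:
            if "=" not in tok:
                continue  # proto number, timeout, [UNREPLIED], [ASSURED]
            k, v = tok.split("=", 1)
            if k in TUPLE_KEYS:
                (orig if k not in orig else reply)[k] = v  # first occurrence = original direction
            else:
                meta[k] = v
        entries.append((parts[2], tuple(sorted(orig.items())), int(meta.get("zone", 0))))
    return entries


def cross_zone_duplicates(text):
    """Original-direction tuples that appear in more than one conntrack zone."""
    zones = defaultdict(set)
    for proto, tup, zone in parse_nf_conntrack(text):
        zones[(proto, tup)].add(zone)
    return {key: sorted(z) for key, z in zones.items() if len(z) > 1}


if __name__ == "__main__":
    for zone, commit in follow_recirc_chain(DUMP_FLOWS_SAMPLE):
        print(f"ct zone={zone} commit={commit}")
    print("committed zones:", committed_zones(DUMP_FLOWS_SAMPLE))
    for (proto, tup), z in cross_zone_duplicates(NF_CONNTRACK_SAMPLE).items():
        print(f"{proto} {dict(tup)} present in zones {z}")
```

Run it against a live host by feeding it the output of `ovs-dpctl dump-flows` and `cat /proc/net/nf_conntrack` instead of the embedded samples; a commit into a zone that no logical datapath owns (zone 0 here) is the signal that a conntrack step ran before the zone register was set.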