[ovs-discuss] OVN duplicate records in conntrack with lsp type vtep

Numan Siddique numans at ovn.org
Mon Feb 3 17:44:25 UTC 2020


On Mon, Feb 3, 2020 at 10:49 PM Odintsov Vladislav <VlOdintsov at croc.ru> wrote:
>
> Hello all,
>
> I see strange behaviour with stateful ACLs when the traffic is received from a logical port with type "vtep".
>
> There are the same conntrack records in different zones (0 and 9 in my example).
>
> While pinging I dumped DP flows and found that the packet goes through conntrack twice:
>
> actions:ct,recirc(0x516b)
> actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)
>
> ovs-dpctl dump-flows:
>
> recirc_id(0),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),eth(src=00:00:00:00:00:00/01:00:00:00:00:00),eth_type(0x0800),ipv4(proto=1,frag=no),icmp(type=8/0xf8), packets:0, bytes:0, used:never, actions:ct,recirc(0x516b)
> recirc_id(0x516b),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=0a:00:7b:2c:66:00),eth_type(0x0800),ipv4(proto=1,frag=no),icmp(type=8/0xf8), packets:0, bytes:0, used:never, actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)
> recirc_id(0x5085),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=0a:00:7b:2c:66:00),eth_type(0x0800),ipv4(dst=172.31.0.5,proto=1,frag=no), packets:784, bytes:76832, used:0.078s, actions:ct(commit,zone=9,label=0/0x1),6
>
> [root at dev ~]# grep 172.31.0 /proc/net/nf_conntrack
> ipv4     2 icmp     1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=9 use=2
> ipv4     2 icmp     1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=0 use=2
>
> This VIF belongs to two port_groups with ACLs:
>
> [root at dev ~]# ovn-nbctl acl-list sg_35342377
> from-lport  1002 (inport == @sg_35342377 && ip4 && ip4.dst == 0.0.0.0/0) allow-related
>   to-lport  1002 (outport == @sg_35342377 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22) allow-related
>   to-lport  1002 (outport == @sg_35342377 && ip4 && ip4.src == 10.0.0.1/32 && icmp4) allow-related
>   to-lport  1002 (outport == @sg_35342377 && ip4 && ip4.src == 192.168.0.4/32 && icmp4) allow-related
>
> [root at dev ~]# ovn-nbctl acl-list default_pg
> from-lport  1002 (inport == @default_pg && ip4 && ip4.dst == 169.254.169.254 && tcp && tcp.dst == 80) allow-related
> from-lport  1002 (inport == @default_pg && ip4 && udp && udp.src == 68 && udp.dst == 67) allow
> from-lport  1001 (inport == @default_pg && ip) drop
>   to-lport  1002 (outport == @default_pg && ip4 && udp && udp.src == 67 && udp.dst == 68) allow
>   to-lport  1001 (outport == @default_pg && ip) drop
>
> Is this behaviour expected/correct for such a configuration?

Yes. This is expected. In OVN each logical port is assigned a zone id.
I haven't used vtep at all, but I think there should be a separate
zone id for that too.

You can run "ovs-vsctl list bridge br-int" and see the zone ids
allocated. They will be stored in the external_ids column of the
Bridge table.

Thanks
Numan

>
> You can find below the traces.
>
> Flow: recirc_id=0x53bb,ct_state=new|trk,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0
>
> bridge("br-int")
> ----------------
> thaw
> Resuming from table 14
> 14. ct_state=-est+trk,ip,metadata=0x1, priority 1, cookie 0xa498a95b
> load:0x1->NXM_NX_XXREG0[97]
> resubmit(,15)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=6 (ls_in_acl), priority=1, match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), actions=(reg0[1] = 1; next;)
> 15. metadata=0x1, priority 0, cookie 0x693e7563
> resubmit(,16)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=7 (ls_in_qos_mark), priority=0, match=(1), actions=(next;)
> 16. metadata=0x1, priority 0, cookie 0x80ca7fc4
> resubmit(,17)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=8 (ls_in_qos_meter), priority=0, match=(1), actions=(next;)
> 17. metadata=0x1, priority 0, cookie 0x3b1204f6
> resubmit(,18)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=9 (ls_in_lb), priority=0, match=(1), actions=(next;)
> 18. ip,reg0=0x2/0x2,metadata=0x1, priority 100, cookie 0x8002c806
> ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0]))
> load:0->NXM_NX_CT_LABEL[0]
> -> Sets the packet to an untracked state, and clears all the conntrack fields.
> resubmit(,19)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=10 (ls_in_stateful), priority=100, match=(reg0[1] == 1), actions=(ct_commit(ct_label=0/1); next;)
> 19. reg14=0x6,metadata=0x1, priority 100, cookie 0xc776ec32
> resubmit(,20)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=11 (ls_in_arp_rsp), priority=100, match=(inport == "vnet2-br0-eth1-vlan10), actions=(next;)
> 20. metadata=0x1, priority 0, cookie 0xa54585b2
> resubmit(,21)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=12 (ls_in_dhcp_options), priority=0, match=(1), actions=(next;)
> 21. metadata=0x1, priority 0, cookie 0x84fcc739
> resubmit(,22)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=13 (ls_in_dhcp_response), priority=0, match=(1), actions=(next;)
> 22. metadata=0x1, priority 0, cookie 0x52f7d494
> resubmit(,23)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=14 (ls_in_dns_lookup), priority=0, match=(1), actions=(next;)
> 23. metadata=0x1, priority 0, cookie 0x9b28ff8e
> resubmit(,24)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=15 (ls_in_dns_response), priority=0, match=(1), actions=(next;)
> 24. metadata=0x1, priority 0, cookie 0x861b6f52
> resubmit(,25)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=16 (ls_in_external_port), priority=0, match=(1), actions=(next;)
> 25. metadata=0x1,dl_dst=0a:00:7b:2c:66:00, priority 50, cookie 0x2b4193f
> set_field:0x8->reg15
> resubmit(,32)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress]
>   * Logical flow: table=17 (ls_in_l2_lkup), priority=50, match=(eth.dst == 0a:00:7b:2c:66:00), actions=(outport = "vnet2-9407C6A0-vif0"; output;)
> 32. reg10=0x2/0x2, priority 150
> resubmit(,33)
> 33. reg15=0x8,metadata=0x1, priority 100
> set_field:0x9->reg13
> set_field:0x6->reg11
> set_field:0xe->reg12
> resubmit(,34)
> 34. priority 0
> set_field:0->reg0
> set_field:0->reg1
> set_field:0->reg2
> set_field:0->reg3
> set_field:0->reg4
> set_field:0->reg5
> set_field:0->reg6
> set_field:0->reg7
> set_field:0->reg8
> set_field:0->reg9
> resubmit(,40)
> 40. metadata=0x1, priority 0, cookie 0x76dab24b
> resubmit(,41)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=0 (ls_out_pre_lb), priority=0, match=(1), actions=(next;)
> 41. ip,metadata=0x1, priority 100, cookie 0x41b2b9d8
> load:0x1->NXM_NX_XXREG0[96]
> resubmit(,42)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=1 (ls_out_pre_acl), priority=100, match=(ip), actions=(reg0[0] = 1; next;)
> 42. ip,reg0=0x1/0x1,metadata=0x1, priority 100, cookie 0xa2599d7c
> ct(table=43,zone=NXM_NX_REG13[0..15])
> drop
> -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 43.
> -> Sets the packet to an untracked state, and clears all the conntrack fields.
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=2 (ls_out_pre_stateful), priority=100, match=(reg0[0] == 1), actions=(ct_next;)
>
> Final flow: recirc_id=0x53bb,eth,icmp,reg0=0x1,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0
> Megaflow: recirc_id=0x53bb,ct_state=+new-est-rel-rpl-inv+trk,ct_label=0/0x1,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_tos=0,tun_flags=-df-csum+key,in_port=85,dl_dst=0a:00:7b:2c:66:00,nw_frag=no,icmp_type=0x8/0xf8
> Datapath actions: ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)
>
> ===============================================================================
> recirc(0x5085) - resume conntrack with default ct_state=trk|new (use --ct-next to customize)
> ===============================================================================
>
> Flow: recirc_id=0x5085,ct_state=new|trk,ct_zone=9,eth,icmp,reg0=0x1,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0
>
> bridge("br-int")
> ----------------
> thaw
> Resuming from table 43
> 43. metadata=0x1, priority 0, cookie 0x325bbfe9
> resubmit(,44)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=3 (ls_out_lb), priority=0, match=(1), actions=(next;)
> 44. ct_state=+new-est+trk,icmp,reg15=0x8,metadata=0x1, priority 2002, cookie 0x965c0004
> load:0x1->NXM_NX_XXREG0[97]
> resubmit(,45)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=4 (ls_out_acl), priority=2002, match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @sg_9AB2C278 && ip4 && ip4.src == 0.0.0.0/0 && icmp4)), actions=(reg0[1] = 1; next;)
>     * ACL: to-lport, priority=1002, match=(outport == @sg_9AB2C278 && ip4 && ip4.src == 0.0.0.0/0 && icmp4), allow-related
> 45. metadata=0x1, priority 0, cookie 0x263a710f
> resubmit(,46)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=5 (ls_out_qos_mark), priority=0, match=(1), actions=(next;)
> 46. metadata=0x1, priority 0, cookie 0xea0ef852
> resubmit(,47)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=6 (ls_out_qos_meter), priority=0, match=(1), actions=(next;)
> 47. ip,reg0=0x2/0x2,metadata=0x1, priority 100, cookie 0x27a0a760
> ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0]))
> load:0->NXM_NX_CT_LABEL[0]
> -> Sets the packet to an untracked state, and clears all the conntrack fields.
> resubmit(,48)
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=7 (ls_out_stateful), priority=100, match=(reg0[1] == 1), actions=(ct_commit(ct_label=0/1); next;)
> 48. ip,reg15=0x8,metadata=0x1,dl_dst=0a:00:7b:2c:66:00, priority 80, cookie 0xbf0b3744
> drop
>   * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress]
>   * Logical flow: table=8 (ls_out_port_sec_ip), priority=80, match=(outport == "vnet2-9407C6A0-vif0" && eth.dst == 0a:00:7b:2c:66:00 && ip), actions=(drop;)
>
> Final flow: recirc_id=0x5085,eth,icmp,reg0=0x3,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0
> Megaflow: recirc_id=0x5085,ct_state=+new-est-rel-rpl-inv+trk,ct_label=0/0x1,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_tos=0,tun_flags=-df-csum+key,in_port=85,dl_dst=0a:00:7b:2c:66:00,nw_dst=0.0.0.0/1,nw_frag=no
> Datapath actions: ct(commit,zone=9,label=0/0x1)
>
> Regards,
>
> Vladislav Odintsov
