[ovs-discuss] Problems with DNAT and host static routes
Brendan Doyle
brendan.doyle at oracle.com
Sun May 3 15:47:05 UTC 2020
Hi,
I have a couple of questions/issues with DNAT and static host routes...
1) Can I dnat the destination address of a pkt that is being sent
out of the Logical network through a gateway?
From a VM in the Logical Network I want to send a pkt to
the Logical Network IP 192.16.1.106. But I want that IP
to be dnat'd to an external underlay IP of 253.255.0.33
2) It seems that local link routes are processed before
host routes. So if a VM in the Logical subnet 192.16.1.0/24
sends a pkt with dst IP 192.16.1.106 to the logical router
in that subnet, the Logical router wants to send it back out
on that subnet, even though the router has a specific host route
to forward that pkt to a gateway.
See toward the end of the email for North Bound DB config.
The routes and NATs I have defined are:
#ovn-nbctl lr-route-list lr_vcn3
IPv4 Routes
192.16.1.106 253.255.0.1 dst-ip lr_vcn3_gw-ls_external_vcn3
0.0.0.0/0 253.255.0.1 dst-ip lr_vcn3_gw-ls_external_vcn3
# ovn-nbctl lr-nat-list lr_vcn3
TYPE EXTERNAL_IP EXTERNAL_PORT LOGICAL_IP EXTERNAL_MAC LOGICAL_PORT
dnat 253.255.0.33 192.16.1.106
snat 253.255.2.2 192.16.1.6
I'm pinging 192.16.1.106 from host 192.16.1.6. To work around the issue
I am having with proxy ARP, I put a static ARP entry on 192.16.1.6 to
direct the pkt to the subnet logical router lr_vcn3.
I had hoped that
a) The pkt would first be NAT'd by lr_vcn3 to 253.255.0.33, then
b) be sent to the gateway by the default route rule:
0.0.0.0/0 253.255.0.1 dst-ip lr_vcn3_gw-ls_external_vcn3
If it is NAT'd first I would not need the static route:
192.16.1.106 253.255.0.1 dst-ip lr_vcn3_gw-ls_external_vcn3
But it is not NAT'd. I had then hoped that the static route
would send it to the gateway, where it would be NAT'd, but it
does not. It seems that local link routes are processed first,
so lr_vcn3 sends an ARP on 192.16.1.0/24 to try to resolve a MAC for
192.16.1.106.
When we look at the flows generated for this small config, we can see
why. The question is: is there a way around this, by manually inserting
flows into the southbound database?
Datapath: "lr_vcn3" (db21ed8c-16a5-4afb-aa51-5bbaae5bda29) Pipeline: ingress
table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
40:44:00:00:00:60 && inport == "lr_vcn3-vcn3_subnet1"), action=(next;)
So we go to table 1
table=1 (lr_in_lookup_neighbor), priority=0 , match=(1),
action=(reg9[3] = 1; next;)
So we go to table 2
table=2 (lr_in_learn_neighbor), priority=100 , match=(reg9[3] == 1
|| reg9[2] == 1), action=(next;)
table=3 (lr_in_ip_input ), priority=0 , match=(1), action=(next;)
table=4 (lr_in_defrag ), priority=0 , match=(1), action=(next;)
table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
table=7 (lr_in_nd_ra_options), priority=0 , match=(1), action=(next;)
table=8 (lr_in_nd_ra_response), priority=0 , match=(1), action=(next;)
Skip to table 9
table=9 (lr_in_ip_routing ), priority=449 , match=(ip4.dst ==
192.16.1.0/24), action=(ip.ttl--; reg8[0..15] = 0; reg0 = ip4.dst; reg1
= 192.16.1.1; eth.src = 40:44:00:00:00:60; outport =
"lr_vcn3-vcn3_subnet1"; flags.loopback = 1; next;)
table=9 (lr_in_ip_routing ), priority=65 , match=(ip4.dst ==
192.16.1.106/32), action=(ip.ttl--; reg8[0..15] = 0; reg0 = 253.255.0.1;
reg1 = 253.255.31.3; eth.src = 40:44:00:00:10:10; outport =
"lr_vcn3_gw-ls_external_vcn3"; flags.loopback = 1; next;)
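Ah, I wanted that static host route to be done first! But the
192.16.1.0/24 flow above has priority 449 and the 192.16.1.106/32 flow
only priority 65, so the subnet flow is the one that matches.
Had the static host route matched, it would send us to: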
Datapath: "lr_vcn3" (db21ed8c-16a5-4afb-aa51-5bbaae5bda29) Pipeline: egress
table=0 (lr_out_undnat ), priority=100 , match=(ip && ip4.src
== 192.16.1.106 && outport == "lr_vcn3_gw-ls_external_vcn3" &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")), action=(ct_dnat;)
Where we dnat, but to what?
# My North Bound DB:
switch 6631a7a5-018f-496c-b8d3-af17d5e997ae (ls_external_vcn3)
port ln-ls_external_vcn3
type: localnet
addresses: ["unknown"]
port ls_external_vcn3-lr_vcn3_gw
type: router
router-port: lr_vcn3_gw-ls_external_vcn3
switch 2f8cce6f-b41c-4a90-8785-9f56d808ac14 (ls_vcn3)
port 284195d2-9280-4334-900e-571ecd00327a
addresses: ["52:54:00:02:55:96 192.16.1.6"]
port 269089c4-9464-41ec-9f63-6b3804b34b07
addresses: ["52:54:00:30:38:35 192.16.1.5"]
port vcn3_subnet1-lr_vcn3
type: router
addresses: ["40:44:00:00:00:60"]
router-port: lr_vcn3-vcn3_subnet1
router 36c64fdf-4842-4543-95bc-9bfe731af4d3 (lr_vcn3)
port lr_vcn3-vcn3_subnet1
mac: "40:44:00:00:00:60"
networks: ["192.16.1.1/24"]
port lr_vcn3_gw-ls_external_vcn3
mac: "40:44:00:00:10:10"
networks: ["253.255.31.3/16"]
gateway chassis: [ca-rain06 ca-rain05 ca-rain17]
nat 5e179df6-15c7-403e-99a7-1e453cbc0493
external ip: "253.255.2.2"
logical ip: "192.16.1.6"
type: "snat"
nat e4dab2ac-7be0-4127-818e-d24b71c14f4b
external ip: "253.255.0.33"
logical ip: "192.16.1.106"
type: "dnat"
ovn-trace
----------
ovn-trace --detailed ls_vcn3 'inport ==
"284195d2-9280-4334-900e-571ecd00327a" && eth.dst == 40:44:00:00:00:60
&& eth.src == 52:54:00:02:55:96 && ip4.src == 192.16.1.6 && ip4.dst ==
192.16.1.106 && ip.ttl == 64'
ip,reg14=0x1,vlan_tci=0x0000,dl_src=52:54:00:02:55:96,dl_dst=40:44:00:00:00:60,nw_src=192.16.1.6,nw_dst=192.16.1.106,nw_proto=0,nw_tos=0,nw_ecn=0,nw_ttl=64
ingress(dp="ls_vcn3", inport="284195")
--------------------------------------
0. ls_in_port_sec_l2 (ovn-northd.c:4554): inport == "284195", priority
50, uuid 51a977d4
next;
19. ls_in_l2_lkup (ovn-northd.c:6795): eth.dst == 40:44:00:00:00:60,
priority 50, uuid a113d3fa
outport = "vcn3_subnet1-lr_vcn3";
output;
egress(dp="ls_vcn3", inport="284195", outport="vcn3_subnet1-lr_vcn3")
---------------------------------------------------------------------
9. ls_out_port_sec_l2 (ovn-northd.c:4620): outport ==
"vcn3_subnet1-lr_vcn3", priority 50, uuid 3d8d93d9
output;
/* output to "vcn3_subnet1-lr_vcn3", type "patch" */
ingress(dp="lr_vcn3", inport="lr_vcn3-vcn3_subnet1")
----------------------------------------------------
0. lr_in_admission (ovn-northd.c:7899): eth.dst == 40:44:00:00:00:60
&& inport == "lr_vcn3-vcn3_subnet1", priority 50, uuid e2e7a16c
next;
1. lr_in_lookup_neighbor (ovn-northd.c:7948): 1, priority 0, uuid 233e1ed7
reg9[3] = 1;
next;
2. lr_in_learn_neighbor (ovn-northd.c:7954): reg9[3] == 1 || reg9[2]
== 1, priority 100, uuid 313658ec
next;
9. lr_in_ip_routing (ovn-northd.c:7523): ip4.dst == 192.16.1.0/24,
priority 449, uuid e11228da <--- Aragh seems to ignore the specific
static route and thinks this is local link!
ip.ttl--;
reg8[0..15] = 0;
reg0 = ip4.dst;
reg1 = 192.16.1.1;
eth.src = 40:44:00:00:00:60;
outport = "lr_vcn3-vcn3_subnet1";
flags.loopback = 1;
next;
10. lr_in_ip_routing_ecmp (ovn-northd.c:9510): reg8[0..15] == 0,
priority 150, uuid c72b3565
next;
12. lr_in_arp_resolve (ovn-northd.c:9990): ip4, priority 0, uuid 0a2fe63c
get_arp(outport, reg0);
/* No MAC binding. */
next;
16. lr_in_arp_request (ovn-northd.c:10183): eth.dst == 00:00:00:00:00:00
&& ip4, priority 100, uuid 07acd5d1
arp { eth.dst = ff:ff:ff:ff:ff:ff; arp.spa = reg1; arp.tpa = reg0;
arp.op = 1; output; };
arp
---
eth.dst = ff:ff:ff:ff:ff:ff;
arp.spa = reg1;
arp.tpa = reg0;
arp.op = 1;
output;
egress(dp="lr_vcn3", inport="lr_vcn3-vcn3_subnet1",
outport="lr_vcn3-vcn3_subnet1")
-----------------------------------------------------------------------------------
3. lr_out_delivery (ovn-northd.c:10236): outport ==
"lr_vcn3-vcn3_subnet1", priority 100, uuid febd649c
output;
/* output to "lr_vcn3-vcn3_subnet1", type "patch" */
ingress(dp="ls_vcn3", inport="vcn3_subnet1-lr_vcn3")
----------------------------------------------------
0. ls_in_port_sec_l2 (ovn-northd.c:4554): inport ==
"vcn3_subnet1-lr_vcn3", priority 50, uuid 02461868
next;
19. ls_in_l2_lkup (ovn-northd.c:5912): eth.src == { 40:44:00:00:00:60}
&& (arp.op == 1 || nd_ns), priority 80, uuid 415dbc44
outport = "_MC_flood";
output;
multicast(dp="ls_vcn3", mcgroup="_MC_flood")
--------------------------------------------
egress(dp="ls_vcn3", inport="vcn3_subnet1-lr_vcn3", outport="269089")
---------------------------------------------------------------------
9. ls_out_port_sec_l2 (ovn-northd.c:4643): eth.mcast, priority
100, uuid 3ece5edd
output;
/* output to "269089", type "" */
egress(dp="ls_vcn3", inport="vcn3_subnet1-lr_vcn3", outport="284195")
---------------------------------------------------------------------
9. ls_out_port_sec_l2 (ovn-northd.c:4643): eth.mcast, priority
100, uuid 3ece5edd
output;
/* output to "284195", type "" */
egress(dp="ls_vcn3", inport="vcn3_subnet1-lr_vcn3",
outport="vcn3_subnet1-lr_vcn3")
-----------------------------------------------------------------------------------
/* omitting output because inport == outport && !flags.loopback */
[root at ca-rain01 ~]#
South Bound flows:
--------------------
Datapath: "ls_external_vcn3" (3581a7f7-467c-4476-8774-855a88fa198f)
Pipeline: ingress
table=0 (ls_in_port_sec_l2 ), priority=100 , match=(eth.src[40]),
action=(drop;)
table=0 (ls_in_port_sec_l2 ), priority=100 , match=(vlan.present),
action=(drop;)
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport ==
"ln-ls_external_vcn3"), action=(next;)
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport ==
"ls_external_vcn3-lr_vcn3_gw"), action=(next;)
table=1 (ls_in_port_sec_ip ), priority=0 , match=(1), action=(next;)
table=2 (ls_in_port_sec_nd ), priority=0 , match=(1), action=(next;)
table=3 (ls_in_pre_acl ), priority=110 , match=(eth.dst ==
9e:c3:df:e2:c8:d7), action=(next;)
table=3 (ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
table=4 (ls_in_pre_lb ), priority=110 , match=(eth.dst ==
9e:c3:df:e2:c8:d7), action=(next;)
table=4 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs ||
nd_ra || icmp4.type == 3 ||icmp6.type == 1 || (tcp && tcp.flags == 20)),
action=(next;)
table=4 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;)
table=5 (ls_in_pre_stateful ), priority=100 , match=(reg0[0] == 1),
action=(ct_next;)
table=5 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
table=6 (ls_in_acl ), priority=34000, match=(eth.dst ==
9e:c3:df:e2:c8:d7), action=(next;)
table=6 (ls_in_acl ), priority=0 , match=(1), action=(next;)
table=7 (ls_in_qos_mark ), priority=0 , match=(1), action=(next;)
table=8 (ls_in_qos_meter ), priority=0 , match=(1), action=(next;)
table=9 (ls_in_lb ), priority=0 , match=(1), action=(next;)
table=10(ls_in_stateful ), priority=100 , match=(reg0[1] == 1),
action=(ct_commit(ct_label=0/1); next;)
table=10(ls_in_stateful ), priority=100 , match=(reg0[2] == 1),
action=(ct_lb;)
table=10(ls_in_stateful ), priority=0 , match=(1), action=(next;)
table=11(ls_in_pre_hairpin ), priority=0 , match=(1), action=(next;)
table=12(ls_in_hairpin ), priority=1 , match=(reg0[6] == 1),
action=(eth.dst <-> eth.src;outport = inport;flags.loopback = 1;output;)
table=12(ls_in_hairpin ), priority=0 , match=(1), action=(next;)
table=13(ls_in_arp_rsp ), priority=100 , match=(arp.tpa ==
253.255.31.3 && arp.op == 1 && inport == "ls_external_vcn3-lr_vcn3_gw"),
action=(next;)
table=13(ls_in_arp_rsp ), priority=100 , match=(inport ==
"ln-ls_external_vcn3"), action=(next;)
table=13(ls_in_arp_rsp ), priority=100 , match=(nd_ns &&
ip6.dst == {fe80::4244:ff:fe00:1010, ff02::1:ff00:1010} && nd.target ==
fe80::4244:ff:fe00:1010 && inport == "ls_external_vcn3-lr_vcn3_gw"),
action=(next;)
table=13(ls_in_arp_rsp ), priority=50 , match=(arp.tpa ==
253.255.31.3 && arp.op == 1), action=(eth.dst = eth.src; eth.src =
40:44:00:00:10:10; arp.op = 2; /* ARP reply */ arp.tha = arp.sha;
arp.sha = 40:44:00:00:10:10; arp.tpa = arp.spa; arp.spa = 253.255.31.3;
outport = inport; flags.loopback = 1; output;)
table=13(ls_in_arp_rsp ), priority=50 , match=(nd_ns &&
ip6.dst == {fe80::4244:ff:fe00:1010, ff02::1:ff00:1010} && nd.target ==
fe80::4244:ff:fe00:1010), action=(nd_na_router { eth.src =
40:44:00:00:10:10; ip6.src = fe80::4244:ff:fe00:1010; nd.target =
fe80::4244:ff:fe00:1010; nd.tll = 40:44:00:00:10:10; outport = inport;
flags.loopback = 1; output; };)
table=13(ls_in_arp_rsp ), priority=0 , match=(1), action=(next;)
table=14(ls_in_dhcp_options ), priority=0 , match=(1), action=(next;)
table=15(ls_in_dhcp_response), priority=0 , match=(1), action=(next;)
table=16(ls_in_dns_lookup ), priority=0 , match=(1), action=(next;)
table=17(ls_in_dns_response ), priority=0 , match=(1), action=(next;)
table=18(ls_in_external_port), priority=0 , match=(1), action=(next;)
table=19(ls_in_l2_lkup ), priority=110 , match=(eth.dst ==
9e:c3:df:e2:c8:d7), action=(handle_svc_check(inport);)
table=19(ls_in_l2_lkup ), priority=80 , match=(eth.src == {
40:44:00:00:10:10} && (arp.op == 1 || nd_ns)), action=(outport =
"_MC_flood"; output;)
table=19(ls_in_l2_lkup ), priority=75 , match=(flags[1] == 0
&& arp.op == 1 && arp.tpa == { 253.255.31.3, 253.255.0.33}),
action=(clone { outport = "ln-ls_external_vcn3"; output; }; outport =
"ls_external_vcn3-lr_vcn3_gw"; output;)
table=19(ls_in_l2_lkup ), priority=75 , match=(flags[1] == 0
&& nd_ns && nd.target == { fe80::4244:ff:fe00:1010}), action=(clone {
outport = "ln-ls_external_vcn3"; output; }; outport =
"ls_external_vcn3-lr_vcn3_gw"; output;)
table=19(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
action=(outport = "_MC_flood"; output;)
table=19(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
40:44:00:00:10:10 &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")), action=(outport
= "ls_external_vcn3-lr_vcn3_gw"; output;)
table=19(ls_in_l2_lkup ), priority=0 , match=(1),
action=(outport = "_MC_unknown"; output;)
Datapath: "ls_external_vcn3" (3581a7f7-467c-4476-8774-855a88fa198f)
Pipeline: egress
table=0 (ls_out_pre_lb ), priority=110 , match=(eth.src ==
9e:c3:df:e2:c8:d7), action=(next;)
table=0 (ls_out_pre_lb ), priority=110 , match=(nd || nd_rs ||
nd_ra || icmp4.type == 3 ||icmp6.type == 1 || (tcp && tcp.flags == 20)),
action=(next;)
table=0 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;)
table=1 (ls_out_pre_acl ), priority=110 , match=(eth.src ==
9e:c3:df:e2:c8:d7), action=(next;)
table=1 (ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[0] == 1),
action=(ct_next;)
table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;)
table=3 (ls_out_lb ), priority=0 , match=(1), action=(next;)
table=4 (ls_out_acl ), priority=34000, match=(eth.src ==
9e:c3:df:e2:c8:d7), action=(next;)
table=4 (ls_out_acl ), priority=0 , match=(1), action=(next;)
table=5 (ls_out_qos_mark ), priority=0 , match=(1), action=(next;)
table=6 (ls_out_qos_meter ), priority=0 , match=(1), action=(next;)
table=7 (ls_out_stateful ), priority=100 , match=(reg0[1] == 1),
action=(ct_commit(ct_label=0/1); next;)
table=7 (ls_out_stateful ), priority=100 , match=(reg0[2] == 1),
action=(ct_lb;)
table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;)
table=8 (ls_out_port_sec_ip ), priority=0 , match=(1), action=(next;)
table=9 (ls_out_port_sec_l2 ), priority=100 , match=(eth.mcast),
action=(output;)
table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport ==
"ln-ls_external_vcn3"), action=(output;)
table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport ==
"ls_external_vcn3-lr_vcn3_gw"), action=(output;)
Datapath: "ls_vcn3" (6e61b3f2-6481-497f-819e-b39c98c50be6) Pipeline: ingress
table=0 (ls_in_port_sec_l2 ), priority=100 , match=(eth.src[40]),
action=(drop;)
table=0 (ls_in_port_sec_l2 ), priority=100 , match=(vlan.present),
action=(drop;)
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport ==
"269089c4-9464-41ec-9f63-6b3804b34b07"), action=(next;)
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport ==
"284195d2-9280-4334-900e-571ecd00327a"), action=(next;)
table=0 (ls_in_port_sec_l2 ), priority=50 , match=(inport ==
"vcn3_subnet1-lr_vcn3"), action=(next;)
table=1 (ls_in_port_sec_ip ), priority=0 , match=(1), action=(next;)
table=2 (ls_in_port_sec_nd ), priority=0 , match=(1), action=(next;)
table=3 (ls_in_pre_acl ), priority=110 , match=(eth.dst ==
9e:c3:df:e2:c8:d7), action=(next;)
table=3 (ls_in_pre_acl ), priority=0 , match=(1), action=(next;)
table=4 (ls_in_pre_lb ), priority=110 , match=(eth.dst ==
9e:c3:df:e2:c8:d7), action=(next;)
table=4 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs ||
nd_ra || icmp4.type == 3 ||icmp6.type == 1 || (tcp && tcp.flags == 20)),
action=(next;)
table=4 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;)
table=5 (ls_in_pre_stateful ), priority=100 , match=(reg0[0] == 1),
action=(ct_next;)
table=5 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
table=6 (ls_in_acl ), priority=34000, match=(eth.dst ==
9e:c3:df:e2:c8:d7), action=(next;)
table=6 (ls_in_acl ), priority=0 , match=(1), action=(next;)
table=7 (ls_in_qos_mark ), priority=0 , match=(1), action=(next;)
table=8 (ls_in_qos_meter ), priority=0 , match=(1), action=(next;)
table=9 (ls_in_lb ), priority=0 , match=(1), action=(next;)
table=10(ls_in_stateful ), priority=100 , match=(reg0[1] == 1),
action=(ct_commit(ct_label=0/1); next;)
table=10(ls_in_stateful ), priority=100 , match=(reg0[2] == 1),
action=(ct_lb;)
table=10(ls_in_stateful ), priority=0 , match=(1), action=(next;)
table=11(ls_in_pre_hairpin ), priority=0 , match=(1), action=(next;)
table=12(ls_in_hairpin ), priority=1 , match=(reg0[6] == 1),
action=(eth.dst <-> eth.src;outport = inport;flags.loopback = 1;output;)
table=12(ls_in_hairpin ), priority=0 , match=(1), action=(next;)
table=13(ls_in_arp_rsp ), priority=100 , match=(arp.tpa ==
192.16.1.5 && arp.op == 1 && inport ==
"269089c4-9464-41ec-9f63-6b3804b34b07"), action=(next;)
table=13(ls_in_arp_rsp ), priority=100 , match=(arp.tpa ==
192.16.1.6 && arp.op == 1 && inport ==
"284195d2-9280-4334-900e-571ecd00327a"), action=(next;)
table=13(ls_in_arp_rsp ), priority=50 , match=(arp.tpa ==
192.16.1.5 && arp.op == 1), action=(eth.dst = eth.src; eth.src =
52:54:00:30:38:35; arp.op = 2; /* ARP reply */ arp.tha = arp.sha;
arp.sha = 52:54:00:30:38:35; arp.tpa = arp.spa; arp.spa = 192.16.1.5;
outport = inport; flags.loopback = 1; output;)
table=13(ls_in_arp_rsp ), priority=50 , match=(arp.tpa ==
192.16.1.6 && arp.op == 1), action=(eth.dst = eth.src; eth.src =
52:54:00:02:55:96; arp.op = 2; /* ARP reply */ arp.tha = arp.sha;
arp.sha = 52:54:00:02:55:96; arp.tpa = arp.spa; arp.spa = 192.16.1.6;
outport = inport; flags.loopback = 1; output;)
table=13(ls_in_arp_rsp ), priority=0 , match=(1), action=(next;)
table=14(ls_in_dhcp_options ), priority=0 , match=(1), action=(next;)
table=15(ls_in_dhcp_response), priority=0 , match=(1), action=(next;)
table=16(ls_in_dns_lookup ), priority=0 , match=(1), action=(next;)
table=17(ls_in_dns_response ), priority=0 , match=(1), action=(next;)
table=18(ls_in_external_port), priority=0 , match=(1), action=(next;)
table=19(ls_in_l2_lkup ), priority=110 , match=(eth.dst ==
9e:c3:df:e2:c8:d7), action=(handle_svc_check(inport);)
table=19(ls_in_l2_lkup ), priority=80 , match=(eth.src == {
40:44:00:00:00:60} && (arp.op == 1 || nd_ns)), action=(outport =
"_MC_flood"; output;)
table=19(ls_in_l2_lkup ), priority=75 , match=(flags[1] == 0
&& arp.op == 1 && arp.tpa == { 253.255.0.33, 192.16.1.1}),
action=(outport = "vcn3_subnet1-lr_vcn3"; output;)
table=19(ls_in_l2_lkup ), priority=75 , match=(flags[1] == 0
&& nd_ns && nd.target == { fe80::4244:ff:fe00:60}), action=(outport =
"vcn3_subnet1-lr_vcn3"; output;)
table=19(ls_in_l2_lkup ), priority=70 , match=(eth.mcast),
action=(outport = "_MC_flood"; output;)
table=19(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
40:44:00:00:00:60), action=(outport = "vcn3_subnet1-lr_vcn3"; output;)
table=19(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
52:54:00:02:55:96), action=(outport =
"284195d2-9280-4334-900e-571ecd00327a"; output;)
table=19(ls_in_l2_lkup ), priority=50 , match=(eth.dst ==
52:54:00:30:38:35), action=(outport =
"269089c4-9464-41ec-9f63-6b3804b34b07"; output;)
Datapath: "ls_vcn3" (6e61b3f2-6481-497f-819e-b39c98c50be6) Pipeline: egress
table=0 (ls_out_pre_lb ), priority=110 , match=(eth.src ==
9e:c3:df:e2:c8:d7), action=(next;)
table=0 (ls_out_pre_lb ), priority=110 , match=(nd || nd_rs ||
nd_ra || icmp4.type == 3 ||icmp6.type == 1 || (tcp && tcp.flags == 20)),
action=(next;)
table=0 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;)
table=1 (ls_out_pre_acl ), priority=110 , match=(eth.src ==
9e:c3:df:e2:c8:d7), action=(next;)
table=1 (ls_out_pre_acl ), priority=0 , match=(1), action=(next;)
table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[0] == 1),
action=(ct_next;)
table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;)
table=3 (ls_out_lb ), priority=0 , match=(1), action=(next;)
table=4 (ls_out_acl ), priority=34000, match=(eth.src ==
9e:c3:df:e2:c8:d7), action=(next;)
table=4 (ls_out_acl ), priority=0 , match=(1), action=(next;)
table=5 (ls_out_qos_mark ), priority=0 , match=(1), action=(next;)
table=6 (ls_out_qos_meter ), priority=0 , match=(1), action=(next;)
table=7 (ls_out_stateful ), priority=100 , match=(reg0[1] == 1),
action=(ct_commit(ct_label=0/1); next;)
table=7 (ls_out_stateful ), priority=100 , match=(reg0[2] == 1),
action=(ct_lb;)
table=7 (ls_out_stateful ), priority=0 , match=(1), action=(next;)
table=8 (ls_out_port_sec_ip ), priority=0 , match=(1), action=(next;)
table=9 (ls_out_port_sec_l2 ), priority=100 , match=(eth.mcast),
action=(output;)
table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport ==
"269089c4-9464-41ec-9f63-6b3804b34b07"), action=(output;)
table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport ==
"284195d2-9280-4334-900e-571ecd00327a"), action=(output;)
table=9 (ls_out_port_sec_l2 ), priority=50 , match=(outport ==
"vcn3_subnet1-lr_vcn3"), action=(output;)
Datapath: "lr_vcn3" (db21ed8c-16a5-4afb-aa51-5bbaae5bda29) Pipeline: ingress
table=0 (lr_in_admission ), priority=100 , match=(vlan.present ||
eth.src[40]), action=(drop;)
table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
40:44:00:00:00:60 && inport == "lr_vcn3-vcn3_subnet1"), action=(next;)
table=0 (lr_in_admission ), priority=50 , match=(eth.dst ==
40:44:00:00:10:10 && inport == "lr_vcn3_gw-ls_external_vcn3" &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")), action=(next;)
table=0 (lr_in_admission ), priority=50 , match=(eth.mcast &&
inport == "lr_vcn3-vcn3_subnet1"), action=(next;)
table=0 (lr_in_admission ), priority=50 , match=(eth.mcast &&
inport == "lr_vcn3_gw-ls_external_vcn3"), action=(next;)
table=1 (lr_in_lookup_neighbor), priority=100 , match=(arp.op == 2),
action=(reg9[2] = lookup_arp(inport, arp.spa, arp.sha); next;)
table=1 (lr_in_lookup_neighbor), priority=100 , match=(inport ==
"lr_vcn3-vcn3_subnet1" && arp.spa == 192.16.1.0/24 && arp.op == 1),
action=(reg9[2] = lookup_arp(inport, arp.spa, arp.sha); next;)
table=1 (lr_in_lookup_neighbor), priority=100 , match=(inport ==
"lr_vcn3_gw-ls_external_vcn3" && arp.spa == 253.255.0.0/16 && arp.op ==
1 && is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")),
action=(reg9[2] = lookup_arp(inport, arp.spa, arp.sha); next;)
table=1 (lr_in_lookup_neighbor), priority=100 , match=(nd_na),
action=(reg9[2] = lookup_nd(inport, nd.target, nd.tll); next;)
table=1 (lr_in_lookup_neighbor), priority=100 , match=(nd_ns),
action=(reg9[2] = lookup_nd(inport, ip6.src, nd.sll); next;)
table=1 (lr_in_lookup_neighbor), priority=0 , match=(1),
action=(reg9[3] = 1; next;)
table=2 (lr_in_learn_neighbor), priority=100 , match=(reg9[3] == 1
|| reg9[2] == 1), action=(next;)
table=2 (lr_in_learn_neighbor), priority=90 , match=(arp),
action=(put_arp(inport, arp.spa, arp.sha); next;)
table=2 (lr_in_learn_neighbor), priority=90 , match=(nd_na),
action=(put_nd(inport, nd.target, nd.tll); next;)
table=2 (lr_in_learn_neighbor), priority=90 , match=(nd_ns),
action=(put_nd(inport, ip6.src, nd.sll); next;)
table=3 (lr_in_ip_input ), priority=120 , match=(inport ==
"lr_vcn3_gw-ls_external_vcn3" && ip4.src == 253.255.2.2), action=(next;)
table=3 (lr_in_ip_input ), priority=100 , match=(ip4.src ==
{192.16.1.1, 192.16.1.255} && reg9[0] == 0), action=(drop;)
table=3 (lr_in_ip_input ), priority=100 , match=(ip4.src ==
{253.255.31.3, 253.255.255.255} && reg9[0] == 0), action=(drop;)
table=3 (lr_in_ip_input ), priority=100 , match=(ip4.src_mcast
||ip4.src == 255.255.255.255 || ip4.src == 127.0.0.0/8 || ip4.dst ==
127.0.0.0/8 || ip4.src == 0.0.0.0/8 || ip4.dst == 0.0.0.0/8), action=(drop;)
table=3 (lr_in_ip_input ), priority=100 , match=(ip6.dst ==
fe80::4244:ff:fe00:1010 && udp.src == 547 && udp.dst == 546),
action=(reg0 = 0; handle_dhcpv6_reply;)
table=3 (lr_in_ip_input ), priority=100 , match=(ip6.dst ==
fe80::4244:ff:fe00:60 && udp.src == 547 && udp.dst == 546), action=(reg0
= 0; handle_dhcpv6_reply;)
table=3 (lr_in_ip_input ), priority=90 , match=(inport ==
"lr_vcn3-vcn3_subnet1" && arp.spa == 192.16.1.0/24 && arp.tpa ==
192.16.1.1 && arp.op == 1), action=(eth.dst = eth.src; eth.src =
40:44:00:00:00:60; arp.op = 2; /* ARP reply */ arp.tha = arp.sha;
arp.sha = 40:44:00:00:00:60; arp.tpa = arp.spa; arp.spa = 192.16.1.1;
outport = "lr_vcn3-vcn3_subnet1"; flags.loopback = 1; output;)
table=3 (lr_in_ip_input ), priority=90 , match=(inport ==
"lr_vcn3-vcn3_subnet1" && arp.tpa == 253.255.0.33 && arp.op == 1),
action=(eth.dst = eth.src; arp.op = 2; /* ARP reply */ arp.tha =
arp.sha; eth.src = 40:44:00:00:00:60; arp.sha = 40:44:00:00:00:60;
arp.tpa = arp.spa; arp.spa = 253.255.0.33; outport =
"lr_vcn3-vcn3_subnet1"; flags.loopback = 1; output;)
table=3 (lr_in_ip_input ), priority=90 , match=(inport ==
"lr_vcn3-vcn3_subnet1" && nd_ns && ip6.dst == {fe80::4244:ff:fe00:60,
ff02::1:ff00:60} && nd.target == fe80::4244:ff:fe00:60),
action=(nd_na_router { eth.src = 40:44:00:00:00:60; ip6.src =
fe80::4244:ff:fe00:60; nd.target = fe80::4244:ff:fe00:60; nd.tll =
40:44:00:00:00:60; outport = inport; flags.loopback = 1; output; };)
table=3 (lr_in_ip_input ), priority=90 , match=(inport ==
"lr_vcn3_gw-ls_external_vcn3" && arp.spa == 253.255.0.0/16 && arp.tpa ==
253.255.31.3 && arp.op == 1 &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")), action=(eth.dst
= eth.src; eth.src = 40:44:00:00:10:10; arp.op = 2; /* ARP reply */
arp.tha = arp.sha; arp.sha = 40:44:00:00:10:10; arp.tpa = arp.spa;
arp.spa = 253.255.31.3; outport = "lr_vcn3_gw-ls_external_vcn3";
flags.loopback = 1; output;)
table=3 (lr_in_ip_input ), priority=90 , match=(inport ==
"lr_vcn3_gw-ls_external_vcn3" && arp.tpa == 253.255.0.33 && arp.op == 1
&& is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")),
action=(eth.dst = eth.src; arp.op = 2; /* ARP reply */ arp.tha =
arp.sha; eth.src = 40:44:00:00:10:10; arp.sha = 40:44:00:00:10:10;
arp.tpa = arp.spa; arp.spa = 253.255.0.33; outport =
"lr_vcn3_gw-ls_external_vcn3"; flags.loopback = 1; output;)
table=3 (lr_in_ip_input ), priority=90 , match=(inport ==
"lr_vcn3_gw-ls_external_vcn3" && nd_ns && ip6.dst ==
{fe80::4244:ff:fe00:1010, ff02::1:ff00:1010} && nd.target ==
fe80::4244:ff:fe00:1010 &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")),
action=(nd_na_router { eth.src = 40:44:00:00:10:10; ip6.src =
fe80::4244:ff:fe00:1010; nd.target = fe80::4244:ff:fe00:1010; nd.tll =
40:44:00:00:10:10; outport = inport; flags.loopback = 1; output; };)
table=3 (lr_in_ip_input ), priority=90 , match=(ip4.dst ==
192.16.1.1 && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst <->
ip4.src; ip.ttl = 255; icmp4.type = 0; flags.loopback = 1; next; )
table=3 (lr_in_ip_input ), priority=90 , match=(ip4.dst ==
253.255.31.3 && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst <->
ip4.src; ip.ttl = 255; icmp4.type = 0; flags.loopback = 1; next; )
table=3 (lr_in_ip_input ), priority=90 , match=(ip6.dst ==
fe80::4244:ff:fe00:1010 && icmp6.type == 128 && icmp6.code == 0),
action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129;
flags.loopback = 1; next; )
table=3 (lr_in_ip_input ), priority=90 , match=(ip6.dst ==
fe80::4244:ff:fe00:60 && icmp6.type == 128 && icmp6.code == 0),
action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129;
flags.loopback = 1; next; )
table=3 (lr_in_ip_input ), priority=85 , match=(arp || nd),
action=(drop;)
table=3 (lr_in_ip_input ), priority=84 , match=(nd_rs ||
nd_ra), action=(next;)
table=3 (lr_in_ip_input ), priority=83 ,
match=(ip6.mcast_rsvd), action=(drop;)
table=3 (lr_in_ip_input ), priority=82 , match=(ip4.mcast ||
ip6.mcast), action=(drop;)
table=3 (lr_in_ip_input ), priority=60 , match=(ip4.dst ==
{192.16.1.1} || ip6.dst == {fe80::4244:ff:fe00:60}), action=(drop;)
table=3 (lr_in_ip_input ), priority=60 , match=(ip4.dst ==
{253.255.31.3} || ip6.dst == {fe80::4244:ff:fe00:1010}), action=(drop;)
table=3 (lr_in_ip_input ), priority=50 , match=(eth.bcast),
action=(drop;)
table=3 (lr_in_ip_input ), priority=40 , match=(inport ==
"lr_vcn3-vcn3_subnet1" && ip4 && ip.ttl == {0, 1} && !ip.later_frag),
action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time exceeded */
icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = ip4.src; ip4.src
= 192.16.1.1; ip.ttl = 255; next; };)
table=3 (lr_in_ip_input ), priority=40 , match=(inport ==
"lr_vcn3_gw-ls_external_vcn3" && ip4 && ip.ttl == {0, 1} &&
!ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /*
Time exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst =
ip4.src; ip4.src = 253.255.31.3; ip.ttl = 255; next; };)
table=3 (lr_in_ip_input ), priority=30 , match=(ip4 && ip.ttl
== {0, 1}), action=(drop;)
table=3 (lr_in_ip_input ), priority=0 , match=(1), action=(next;)
table=4 (lr_in_defrag ), priority=0 , match=(1), action=(next;)
table=5 (lr_in_unsnat ), priority=100 , match=(ip && ip4.dst
== 253.255.2.2 && inport == "lr_vcn3_gw-ls_external_vcn3" &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")), action=(ct_snat;)
table=5 (lr_in_unsnat ), priority=0 , match=(1), action=(next;)
table=6 (lr_in_dnat ), priority=100 , match=(ip && ip4.dst
== 253.255.0.33 && inport == "lr_vcn3_gw-ls_external_vcn3" &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")),
action=(ct_dnat(192.16.1.106);)
table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;)
table=7 (lr_in_nd_ra_options), priority=0 , match=(1), action=(next;)
table=8 (lr_in_nd_ra_response), priority=0 , match=(1), action=(next;)
table=9 (lr_in_ip_routing ), priority=550 , match=(nd_rs ||
nd_ra), action=(drop;)
table=9 (lr_in_ip_routing ), priority=529 , match=(inport ==
"lr_vcn3-vcn3_subnet1" && ip6.dst == fe80::/64), action=(ip.ttl--;
reg8[0..15] = 0; xxreg0 = ip6.dst; xxreg1 = fe80::4244:ff:fe00:60;
eth.src = 40:44:00:00:00:60; outport = "lr_vcn3-vcn3_subnet1";
flags.loopback = 1; next;)
table=9 (lr_in_ip_routing ), priority=449 , match=(ip4.dst ==
192.16.1.0/24), action=(ip.ttl--; reg8[0..15] = 0; reg0 = ip4.dst; reg1
= 192.16.1.1; eth.src = 40:44:00:00:00:60; outport =
"lr_vcn3-vcn3_subnet1"; flags.loopback = 1; next;)
table=9 (lr_in_ip_routing ), priority=129 , match=(inport ==
"lr_vcn3_gw-ls_external_vcn3" && ip6.dst == fe80::/64),
action=(ip.ttl--; reg8[0..15] = 0; xxreg0 = ip6.dst; xxreg1 =
fe80::4244:ff:fe00:1010; eth.src = 40:44:00:00:10:10; outport =
"lr_vcn3_gw-ls_external_vcn3"; flags.loopback = 1; next;)
table=9 (lr_in_ip_routing ), priority=65 , match=(ip4.dst ==
192.16.1.106/32), action=(ip.ttl--; reg8[0..15] = 0; reg0 = 253.255.0.1;
reg1 = 253.255.31.3; eth.src = 40:44:00:00:10:10; outport =
"lr_vcn3_gw-ls_external_vcn3"; flags.loopback = 1; next;)
table=9 (lr_in_ip_routing ), priority=33 , match=(ip4.dst ==
253.255.0.0/16), action=(ip.ttl--; reg8[0..15] = 0; reg0 = ip4.dst; reg1
= 253.255.31.3; eth.src = 40:44:00:00:10:10; outport =
"lr_vcn3_gw-ls_external_vcn3"; flags.loopback = 1; next;)
table=9 (lr_in_ip_routing ), priority=1 , match=(ip4.dst ==
0.0.0.0/0), action=(ip.ttl--; reg8[0..15] = 0; reg0 = 253.255.0.1; reg1
= 253.255.31.3; eth.src = 40:44:00:00:10:10; outport =
"lr_vcn3_gw-ls_external_vcn3"; flags.loopback = 1; next;)
table=10(lr_in_ip_routing_ecmp), priority=150 , match=(reg8[0..15]
== 0), action=(next;)
table=11(lr_in_policy ), priority=0 , match=(1), action=(next;)
table=12(lr_in_arp_resolve ), priority=500 , match=(ip4.mcast ||
ip6.mcast), action=(next;)
table=12(lr_in_arp_resolve ), priority=100 , match=(outport ==
"lr_vcn3-vcn3_subnet1" && reg0 == 192.16.1.5), action=(eth.dst =
52:54:00:30:38:35; next;)
table=12(lr_in_arp_resolve ), priority=100 , match=(outport ==
"lr_vcn3-vcn3_subnet1" && reg0 == 192.16.1.6), action=(eth.dst =
52:54:00:02:55:96; next;)
table=12(lr_in_arp_resolve ), priority=100 , match=(outport ==
"lr_vcn3_gw-ls_external_vcn3" && reg0 == 253.255.0.33), action=(eth.dst
= 40:44:00:00:10:10; next;)
table=12(lr_in_arp_resolve ), priority=100 , match=(outport ==
"lr_vcn3_gw-ls_external_vcn3" && reg0 == 253.255.2.2), action=(eth.dst =
40:44:00:00:10:10; next;)
table=12(lr_in_arp_resolve ), priority=0 , match=(ip4),
action=(get_arp(outport, reg0); next;)
table=12(lr_in_arp_resolve ), priority=0 , match=(ip6),
action=(get_nd(outport, xxreg0); next;)
table=13(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;)
table=14(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
table=15(lr_in_gw_redirect ), priority=150 , match=(outport ==
"lr_vcn3_gw-ls_external_vcn3" && eth.dst == 00:00:00:00:00:00),
action=(outport = "cr-lr_vcn3_gw-ls_external_vcn3"; next;)
table=15(lr_in_gw_redirect ), priority=50 , match=(outport ==
"lr_vcn3_gw-ls_external_vcn3"), action=(outport =
"cr-lr_vcn3_gw-ls_external_vcn3"; next;)
table=15(lr_in_gw_redirect ), priority=0 , match=(1), action=(next;)
table=16(lr_in_arp_request ), priority=100 , match=(eth.dst ==
00:00:00:00:00:00 && ip4), action=(arp { eth.dst = ff:ff:ff:ff:ff:ff;
arp.spa = reg1; arp.tpa = reg0; arp.op = 1; output; };)
table=16(lr_in_arp_request ), priority=100 , match=(eth.dst ==
00:00:00:00:00:00 && ip6), action=(nd_ns { nd.target = xxreg0; output; };)
table=16(lr_in_arp_request ), priority=0 , match=(1),
action=(output;)
Datapath: "lr_vcn3" (db21ed8c-16a5-4afb-aa51-5bbaae5bda29) Pipeline: egress
table=0 (lr_out_undnat ), priority=100 , match=(ip && ip4.src
== 192.16.1.106 && outport == "lr_vcn3_gw-ls_external_vcn3" &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")), action=(ct_dnat;)
table=0 (lr_out_undnat ), priority=0 , match=(1), action=(next;)
table=1 (lr_out_snat ), priority=161 , match=(ip && ip4.src
== 192.16.1.6 && outport == "lr_vcn3_gw-ls_external_vcn3" &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")),
action=(ct_snat(253.255.2.2);)
table=1 (lr_out_snat ), priority=120 , match=(nd_ns),
action=(next;)
table=1 (lr_out_snat ), priority=0 , match=(1), action=(next;)
table=2 (lr_out_egr_loop ), priority=100 , match=(ip4.dst ==
253.255.0.33 && outport == "lr_vcn3_gw-ls_external_vcn3" &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")), action=(clone {
ct_clear; inport = outport; outport = ""; flags = 0; flags.loopback = 1;
reg0 = 0; reg1 = 0; reg2 = 0; reg3 = 0; reg4 = 0; reg5 = 0; reg6 = 0;
reg7 = 0; reg8 = 0; reg9 = 0; reg9[0] = 1; next(pipeline=ingress,
table=0); };)
table=2 (lr_out_egr_loop ), priority=100 , match=(ip4.dst ==
253.255.2.2 && outport == "lr_vcn3_gw-ls_external_vcn3" &&
is_chassis_resident("cr-lr_vcn3_gw-ls_external_vcn3")), action=(clone {
ct_clear; inport = outport; outport = ""; flags = 0; flags.loopback = 1;
reg0 = 0; reg1 = 0; reg2 = 0; reg3 = 0; reg4 = 0; reg5 = 0; reg6 = 0;
reg7 = 0; reg8 = 0; reg9 = 0; reg9[0] = 1; next(pipeline=ingress,
table=0); };)
table=2 (lr_out_egr_loop ), priority=0 , match=(1), action=(next;)
table=3 (lr_out_delivery ), priority=100 , match=(outport ==
"lr_vcn3-vcn3_subnet1"), action=(output;)
table=3 (lr_out_delivery ), priority=100 , match=(outport ==
"lr_vcn3_gw-ls_external_vcn3"), action=(output;)