|
 |
bbaaef |
From be5b458778abfc6dd3d30c0f520c77186935f9b2 Mon Sep 17 00:00:00 2001
|
|
|
bbaaef |
From: Numan Siddique <numans@ovn.org>
|
|
|
bbaaef |
Date: Tue, 19 Nov 2019 17:52:01 +0530
|
|
|
bbaaef |
Subject: [PATCH 2/2] Skip IPv6 NS packets in router egress SNAT pipeline
|
|
|
bbaaef |
|
|
|
bbaaef |
When ovn-controller injects IPv6 NS packet to learn the mac, in some
|
|
|
bbaaef |
setups it is observed that the packet is dropped by ovs-vswitchd. We see
|
|
|
bbaaef |
below logs
|
|
|
bbaaef |
|
|
|
bbaaef |
2019-11-18T10:42:17.973Z|00001|ofproto_dpif_upcall(handler6)|INFO|received packet on unassociated datapath port 4294967295
|
|
|
bbaaef |
2019-11-18T10:42:18.221Z|00001|ofproto_dpif_upcall(revalidator8)|WARN|Failed to acquire udpif_key corresponding to unexpected flow (Invalid argument): ufid:9ba1081f-a692-4c1c-a79b-d1cf04175f7d
|
|
|
bbaaef |
|
|
|
bbaaef |
Upon further debugging I noticed that, xlate_lookup() fails when there is upcall
|
|
|
bbaaef |
from kernel datapath because of ct related actions. When ovn-controller injects
|
|
|
bbaaef |
the packet it sets inport=CONTROLLER.
|
|
|
bbaaef |
|
|
|
bbaaef |
This patch addresses this issue by avoiding the IPv6 NS packets to be
|
|
|
bbaaef |
sent to conntrack in the router egress pipeline.
|
|
|
bbaaef |
|
|
|
bbaaef |
This should be ideally fixed in ovs-vswitchd.
|
|
|
bbaaef |
|
|
|
bbaaef |
Reported-by: Russell Bryant <russell@ovn.org>
|
|
|
bbaaef |
Signed-off-by: Numan Siddique <numans@ovn.org>
|
|
|
bbaaef |
---
|
|
|
bbaaef |
ovn/northd/ovn-northd.8.xml | 9 +++++++++
|
|
|
bbaaef |
ovn/northd/ovn-northd.c | 5 +++++
|
|
|
bbaaef |
2 files changed, 14 insertions(+)
|
|
|
bbaaef |
|
|
|
bbaaef |
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
index 0fac02340..8f8fd5c01 100644
|
|
|
bbaaef |
--- a/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
+++ b/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
@@ -2704,6 +2704,15 @@ nd_ns {
|
|
|
bbaaef |
changed based on the configuration in the OVN Northbound database.
|
|
|
bbaaef |
|
|
|
bbaaef |
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ A priority-120 flow to advance the IPv6 Neighbor solicitation packet
|
|
|
bbaaef |
+ to next table to skip SNAT. In the case where ovn-controller injects
|
|
|
bbaaef |
+ an IPv6 Neighbor Solicitation packet (for nd_ns action)
|
|
|
bbaaef |
+ we don't want the packet to go throught conntrack.
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+
|
|
|
bbaaef |
Egress Table 1: SNAT on Gateway Routers
|
|
|
bbaaef |
|
|
|
bbaaef |
|
|
|
bbaaef |
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
index bcadcca3d..d94276b1e 100644
|
|
|
bbaaef |
--- a/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
+++ b/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
@@ -7394,6 +7394,11 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,
|
|
|
bbaaef |
ovn_lflow_add(lflows, od, S_ROUTER_OUT_UNDNAT, 0, "1", "next;");
|
|
|
bbaaef |
ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
|
|
|
bbaaef |
|
|
|
bbaaef |
+ /* Send the IPv6 NS packets to next table. When ovn-controller
|
|
|
bbaaef |
+ * generates IPv6 NS (for the action - nd_ns{}), the injected
|
|
|
bbaaef |
+ * packet would go through conntrack - which is not required. */
|
|
|
bbaaef |
+ ovn_lflow_add(lflows, od, S_ROUTER_OUT_SNAT, 120, "nd_ns", "next;");
|
|
|
bbaaef |
+
|
|
|
bbaaef |
/* NAT rules are only valid on Gateway routers and routers with
|
|
|
bbaaef |
* l3dgw_port (router has a port with "redirect-chassis"
|
|
|
bbaaef |
* specified). */
|
|
|
bbaaef |
--
|
|
|
bbaaef |
2.23.0
|
|
|
bbaaef |
|