northd: Drop packets destined to router owned NAT IP for DGP.
When a packet enters the LR pipeline from a distributed gateway port with the destination IP being a SNAT IP, it goes through the unSNAT stage, and it is possible that unSNAT fails to convert the dst IP when no conntrack entries are associated with the packet. In this case, the packet is rerouted to the same DGP, and results in a recirc loop in the datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost.

To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen:

    openvswitch: ovs-system: deferred action limit reached, drop recirc action

DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times.

Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets that failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP requests for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for those NAT IPs so that the packets can continue the pipeline and possibly redirect to the redirect chassis. So, because of these ARP resolve flows, even the packets that failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped.

To fix the problem, for each of the ARP resolve flows added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly.

Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink).
Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com>
Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/
Reported-by: Frode Nordahl <frode.nordahl@canonical.com>
Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718
Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com>
Reported-at: #134
Reported-by: Syed Ammad Ali <syedammad83@gmail.com>
Reported-at: #153
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html
Signed-off-by: Han Zhou <hzhou@ovn.org>
Acked-by: Dumitru Ceara <dceara@redhat.com>
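The reasoning in the commit message (why the priority-2 drop from commit 802f927 is never reached on a DGP, and why a priority-150 inport==outport drop stops the loop) can be followed with a small model of the lr_in_arp_resolve stage. This is an added illustration, not ovn-northd code or its logical-flow syntax: the port names, the NAT IP, the recirculation limit and the one-line routing stub are constructed for the example, and only the priority ordering (100 for the DGP NAT-IP resolve flow, 2 for the older drop, 150 for the fix) is taken from the commit message.

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Constructed names and values for the example; not taken from the page.
DGP = "lr0-public"        # distributed gateway port; its own IP is also the SNAT IP
INNER = "lr0-private"     # an internal port of the same logical router
NAT_IP = "172.16.0.10"    # SNAT IP configured on the LR (== DGP IP)
RECIRC_LIMIT = 16         # assumed stand-in for the datapath's deferred-action limit


@dataclass
class Packet:
    inport: str
    ip_dst: str
    ttl: int
    outport: str = ""     # filled in by the modelled routing stage


@dataclass
class Flow:
    priority: int
    match: Callable[[Packet], bool]
    action: str


def arp_resolve_flows(with_fix: bool) -> List[Flow]:
    """Flows of a simplified lr_in_arp_resolve stage for a router-owned NAT IP."""
    flows = [
        # E/W NAT support on the DGP: resolve the NAT IP and let the packet continue.
        # This is the flow that lets a failed-unSNAT packet bypass the priority-2 drop.
        Flow(100, lambda p: p.outport == DGP and p.ip_dst == NAT_IP, "next"),
        # Commit 802f927 style: a NAT IP not handled by a higher flow is dropped
        # instead of triggering an ARP request (the Gateway Router case).
        Flow(2, lambda p: p.ip_dst == NAT_IP, "drop"),
        # Catch-all: ordinary ARP resolution, modelled as plain "next".
        Flow(0, lambda p: True, "next"),
    ]
    if with_fix:
        # The fix: a packet that arrived on the DGP and is being sent back out the
        # same DGP towards the NAT IP failed unSNAT; drop it before it loops.
        flows.append(Flow(150, lambda p: p.inport == DGP and p.outport == DGP
                          and p.ip_dst == NAT_IP, "drop"))
    return flows


def lookup(flows: List[Flow], pkt: Packet) -> Flow:
    """Highest-priority matching flow wins, as in any OVN stage table."""
    for flow in sorted(flows, key=lambda f: f.priority, reverse=True):
        if flow.match(pkt):
            return flow
    raise AssertionError("every stage has a catch-all flow")


def route(pkt: Packet) -> None:
    """Modelled lr_in_ip_routing: the NAT IP lives on the DGP's subnet, so the
    packet is routed out the DGP; everything else goes to the internal port."""
    pkt.outport = DGP if pkt.ip_dst == NAT_IP else INNER


def run_router_pipeline(pkt: Packet, with_fix: bool) -> Tuple[str, int]:
    """Push a packet through the modelled LR pipeline until a verdict is reached.

    Returns (verdict, passes). Verdict is 'forwarded', 'drop:fix', 'drop:ttl',
    'drop:recirc_limit' or 'drop:unresolved'; passes counts pipeline entries,
    each re-entry standing for one datapath recirculation. No conntrack entry
    exists for the packet, so unSNAT leaves ip_dst untouched (the failing case).
    """
    passes = 0
    while True:
        passes += 1
        if passes > RECIRC_LIMIT:
            return "drop:recirc_limit", passes - 1
        pkt.ttl -= 1
        if pkt.ttl == 0:
            return "drop:ttl", passes
        route(pkt)
        flow = lookup(arp_resolve_flows(with_fix), pkt)
        if flow.action == "drop":
            return ("drop:fix" if flow.priority == 150 else "drop:unresolved"), passes
        if pkt.inport == pkt.outport == DGP:
            # Sent back to the port it came from: the real datapath recirculates
            # the packet into the same pipeline, which is the loop in the report.
            continue
        return "forwarded", passes


if __name__ == "__main__":
    for fix in (False, True):
        print("fix" if fix else "no fix", "uplink :",
              run_router_pipeline(Packet(DGP, NAT_IP, 64), fix))
        print("fix" if fix else "no fix", "E/W    :",
              run_router_pipeline(Packet(INNER, NAT_IP, 64), fix))
```

Without the fix the uplink packet (inport DGP, dst NAT IP) keeps matching the priority-100 resolve flow, is routed back out the DGP and recirculates until the modelled recirc limit (or ttl, for a small starting ttl) ends it; with the fix the priority-150 flow drops it on the first pass, while a packet from the internal port still hits the priority-100 flow and continues, which is the E/W NAT behaviour the commit message says must be preserved.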
Showing 3 changed files with 116 additions and 22 deletions.