-
Notifications
You must be signed in to change notification settings - Fork 238
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
openvswitch: ovs-system: deferred action limit reached, drop recirc action #153
Comments
Hi @syedammad83 , I also encountered the same problem, has your problem been solved, how to solve it. |
Could you provide output of |
It seems this problem was discussed before and never resolved? https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051353.html |
@hzhou8 The problem like this: #134 . |
I am seeing nothing in ovn-trace output |
Seeing the same issue, but also could be affecting performance. Tagging myself. Please let me know if any debug info i can provide. |
Hey folks,
I also encountered the same problem - In the past with Openstack Ussuri
(ovn 20.03 and ovs 2.13) and now with Openstack Yoga (ovn 22.03 and ovs
2.17).
@hzhou8 <https://github.com/hzhou8>, I believe we are talking about the
discussed and never resolved (SNAT/DNAT recirc issue)
https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051353.html,
and related issues #134
The central question seems to be understanding why the pkt doesn't match.
The pkt first goes through the OVS_ACTION_ATTR_CT action, looking for
conntrack/nat actions. If not found it re-injects the package skipping the
first table to look for the package path (recirculation is the use of
freezing to allow a frame to re-enter the datapath packet processing path
to achieve more flexible packet processing), and in this case, the pkt will
be placed in the queue, which has a limit of 10
(DEFERRED_ACTION_FIFO_SIZE). Some time ago I even thought about
increasing this queue limit because I'm not sure about the latency effects
of these recirculated packets.
An important note is that this issue can only be seen on gateway nodes.
Regards,
Roberto
… Message ID: ***@***.***>
--
_‘Esta mensagem é direcionada apenas para os endereços constantes no
cabeçalho inicial. Se você não está listado nos endereços constantes no
cabeçalho, pedimos-lhe que desconsidere completamente o conteúdo dessa
mensagem e cuja cópia, encaminhamento e/ou execução das ações citadas estão
imediatamente anuladas e proibidas’._
* **‘Apesar do Magazine Luiza tomar
todas as precauções razoáveis para assegurar que nenhum vírus esteja
presente nesse e-mail, a empresa não poderá aceitar a responsabilidade por
quaisquer perdas ou danos causados por esse e-mail ou por seus anexos’.*
|
Hi folks, thanks for your valuable information! Sorry that I didn't have time to look at this recently. I will try to reproduce it locally according to what you provided, and debug it next week or so. |
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: ovn-org#134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: ovn-org#153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Signed-off-by: 0-day Robot <robot@bytheb.org>
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: ovn-org#134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: ovn-org#153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Signed-off-by: 0-day Robot <robot@bytheb.org>
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: ovn-org#134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: ovn-org#153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org>
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: #134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: #153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com>
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: #134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: #153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com> (cherry picked from commit 8c341b9)
The above fix is merged to main and branch-22.12. Close the issue. |
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: ovn-org/ovn#134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: ovn-org/ovn#153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com>
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: #134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: #153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com>
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: #134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: #153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com>
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: #134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: #153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com>
When a packet enters LR pipeline from a distributed gateway port with destination IP being a SNAT IP, it goes through the unSNAT stage and it is possible that the unSNAT fails to convert the dst IP when no conntrack entries are accociated with the packet. In this case, the packet is rerouted to the same DGP, and results in recirc loop in datapath. The packet would finally be dropped either due to ttl or the recirc limit, but it would have created unnecessary cost. To reproduce the problem, simply configure SNAT on a LR with the SNAT IP being the DGP's IP, and then send a packet from external (DGP's LS) to the SNAT IP. Kernel logs like below will be seen: openvswitch: ovs-system: deferred action limit reached, drop recirc action DP flow dump would also show plenty of flows related to this packet, each with a different ttl match, indicating the packet has been looped many times. Commit 802f927 (ovn-northd: Drop IP packets destined to router owned IPs (after NAT)) already added flows to drop packets failed unSNAT for Gateway Routers. It added flows with a low priority (2) to drop the packets that fail ARP resolve, to avoid triggering ARP request for the SNAT IPs. However, for the DGP case, to support E/W NAT, ARP resolve flows are added for thoses NAT IPs so that the packets can continue the pipeline and possibly redirect to redirect chassis. So, because of these ARP resolve flows, even the packets failed unSNAT would continue the pipeline and won't hit the low priority (2) flows, thus not get dropped. To fix the problem, for each of the ARP resolve flow added for the DGP NAT IPs, a higher priority (150) flow is added to check if the packet's inport is the DGP (same as the outport), then drop the packet directly. Test cases are updated to cover both Gateway Router and DGP scenarios, with packets from both directions (uplink and downlink). Reported-by: Krzysztof Klimonda <kklimonda@syntaxhighlighted.com> Reported-at: https://patchwork.ozlabs.org/project/ovn/patch/20210816085206.69170-1-kklimonda@syntaxhighlighted.com/ Reported-by: Frode Nordahl <frode.nordahl@canonical.com> Reported-at: https://bugs.launchpad.net/ubuntu/+source/ovn/+bug/1967718 Reported-by: Roberto Bartzen Acosta <rbartzen@gmail.com> Reported-at: #134 Reported-by: Syed Ammad Ali <syedammad83@gmail.com> Reported-at: #153 Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2021-August/051340.html Signed-off-by: Han Zhou <hzhou@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com>
Hi,
I am using OVN 22.03 with OVS 2.17.2 on ubuntu 22.04. The OVN is integrated with OpenStack neutron and using 20.2 yoga release.
I am getting below mentioned logs in dmesg logs of gateway chassis.
[Wed Sep 21 16:54:59 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:05 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:09 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:14 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:17 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:19 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
[Wed Sep 21 16:55:22 2022] openvswitch: ovs-system: deferred action limit reached, drop recirc action
There are alot of messages I am seeing. Digging it further the issue can be reproduced by hitting any kind of traffic to logical router's external gateway port IP address (which is SNAT IP address of router). When ever I put the SNAT IP in browser and press enter, the logs starts to show up.
Is this an issue OR will it cause any trouble in traffic ?
I am happy to provide any further details needed.
Ammad
The text was updated successfully, but these errors were encountered: