On 11/04/2015 03:52 PM, Russell Bryant wrote:
> I mentioned before that I had some trouble getting DHCP working with OVN
> ACLs enabled. I think I have finally gotten to the bottom of it.
>
> My first workaround was a brute force patch to bypass conntrack if the
> packet was a DHCP request or response. That worked, but I wasn't able
> to explain why it was needed.
>
> It turns out I was looking in the wrong place. I thought it had to do
> with conntrack marking the odd looking DHCP requests as invalid. I was
> actually getting confused by a bunch of IPv6 traffic getting marked as
> invalid. It seems IPv6 neighbor discovery stuff is what's being marked
> invalid (at least that's my guess of what those packets are). Once I
> filtered all IPv6 out earlier in the flows, I got a clearer picture of
> what was happening. I'll have to revisit IPv6 later.
>
> Here's the broadcast flow in table 33 (the beginning of the logical
> egress pipeline) on my test environment.
>
> table=33, n_packets=1304, n_bytes=150792, priority=100,reg7=0xffff,metadata=0x1 actions=set_field:0x2->reg5,set_field:0x2->reg7,resubmit(,34),set_field:0x1->reg5,set_field:0x1->reg7,resubmit(,34),set_field:0x3->reg5,set_field:0x3->reg7,resubmit(,34),set_field:0x4->reg5,set_field:0x4->reg7,resubmit(,34),set_field:0xffff->reg7
>
> So, we should see the packet resubmitted to table 34 for each logical
> port on the network the DHCP request was broadcast to. The problem is
> that it only hits table 34 once, for the first logical port, which is
> *not* the DHCP server. In fact, this would probably explain why I've
> seen inconsistent behavior, since the DHCP server could be listed first
> sometimes. I only see this problem when the ct() action is being used,
> so my guess is that this action causes the context to be lost:
>
> table=48, n_packets=2, n_bytes=660, priority=100,ip,metadata=0x1 actions=ct(table=49,zone=NXM_NX_REG5[0..15])
>
> Does this seem plausible? If so, would you consider that a bug in the
> ct() action?
>

Something I noticed after posting this message is that I have this in
dmesg several times:

> [ 8696.723763] openvswitch: ovs-system: deferred action limit reached, drop recirc action

Also, here's the full flow table from the above for reference:

> OFPST_FLOW reply (OF1.3) (xid=0x2):
> table=0, n_packets=128, n_bytes=15789, priority=100,in_port=1 actions=set_field:0x1->reg5,set_field:0x1->metadata,set_field:0x1->reg6,resubmit(,16)
> table=0, n_packets=30, n_bytes=2040, priority=100,in_port=2 actions=set_field:0x2->reg5,set_field:0x1->metadata,set_field:0x2->reg6,resubmit(,16)
> table=0, n_packets=2383, n_bytes=262146, priority=100,in_port=3 actions=set_field:0x3->reg5,set_field:0x1->metadata,set_field:0x3->reg6,resubmit(,16)
> table=0, n_packets=8, n_bytes=1128, priority=100,in_port=21 actions=set_field:0x4->reg5,set_field:0x1->metadata,set_field:0x4->reg6,resubmit(,16)
> table=16, n_packets=0, n_bytes=0, priority=100,metadata=0x1,vlan_tci=0x1000/0x1000 actions=drop
> table=16, n_packets=0, n_bytes=0, priority=100,metadata=0x3,vlan_tci=0x1000/0x1000 actions=drop
> table=16, n_packets=0, n_bytes=0, priority=100,metadata=0x1,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
> table=16, n_packets=0, n_bytes=0, priority=100,metadata=0x3,dl_src=01:00:00:00:00:00/01:00:00:00:00:00 actions=drop
> table=16, n_packets=128, n_bytes=15789, priority=50,reg6=0x1,metadata=0x1,dl_src=fa:16:3e:ea:92:b1 actions=resubmit(,17)
> table=16, n_packets=30, n_bytes=2040, priority=50,reg6=0x2,metadata=0x1,dl_src=fa:16:3e:0a:a0:ca actions=resubmit(,17)
> table=16, n_packets=0, n_bytes=0, priority=50,reg6=0x1,metadata=0x3,dl_src=fa:16:3e:e4:36:b6 actions=resubmit(,17)
> table=16, n_packets=2383, n_bytes=262146, priority=50,reg6=0x3,metadata=0x1,dl_src=fa:16:3e:0d:cf:ea actions=resubmit(,17)
> table=16, n_packets=8, n_bytes=1128, priority=50,reg6=0x4,metadata=0x1,dl_src=fa:16:3e:b0:f9:f9 actions=resubmit(,17)
> table=17, n_packets=2, n_bytes=660, priority=100,ip,metadata=0x1 actions=ct(table=18,zone=NXM_NX_REG5[0..15])
> table=17, n_packets=0, n_bytes=0, priority=100,ipv6,metadata=0x1 actions=ct(table=18,zone=NXM_NX_REG5[0..15])
> table=17, n_packets=19, n_bytes=1898, priority=200,ipv6,metadata=0x1 actions=drop
> table=17, n_packets=1345, n_bytes=141210, priority=0,metadata=0x1 actions=resubmit(,18)
> table=17, n_packets=0, n_bytes=0, priority=0,metadata=0x3 actions=resubmit(,18)
> table=18, n_packets=0, n_bytes=0, priority=65534,ct_state=+inv+trk,metadata=0x1 actions=drop
> table=18, n_packets=0, n_bytes=0, priority=65534,ct_state=-new+est-rel-inv+trk,metadata=0x1 actions=resubmit(,19)
> table=18, n_packets=0, n_bytes=0, priority=65534,ct_state=-new-est+rel-inv+trk,metadata=0x1 actions=resubmit(,19)
> table=18, n_packets=0, n_bytes=0, priority=2002,ct_state=+new+trk,ipv6,reg6=0x4,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,19)
> table=18, n_packets=2, n_bytes=660, priority=2002,ct_state=+new+trk,ip,reg6=0x4,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,19)
> table=18, n_packets=0, n_bytes=0, priority=2001,ip,reg6=0x4,metadata=0x1 actions=drop
> table=18, n_packets=0, n_bytes=0, priority=2001,ipv6,reg6=0x4,metadata=0x1 actions=drop
> table=18, n_packets=0, n_bytes=0, priority=1,ipv6,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,19)
> table=18, n_packets=0, n_bytes=0, priority=1,ip,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,19)
> table=18, n_packets=1344, n_bytes=141100, priority=0,metadata=0x1 actions=resubmit(,19)
> table=18, n_packets=0, n_bytes=0, priority=0,metadata=0x3 actions=resubmit(,19)
> table=19, n_packets=1304, n_bytes=150792, priority=100,metadata=0x1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=set_field:0xffff->reg7,resubmit(,32)
> table=19, n_packets=0, n_bytes=0, priority=100,metadata=0x3,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=set_field:0xffff->reg7,resubmit(,32)
> table=19, n_packets=41, n_bytes=3270, priority=50,metadata=0x1,dl_dst=fa:16:3e:ea:92:b1 actions=set_field:0x1->reg7,resubmit(,32)
> table=19, n_packets=11, n_bytes=798, priority=50,metadata=0x1,dl_dst=fa:16:3e:0a:a0:ca actions=set_field:0x2->reg7,resubmit(,32)
> table=19, n_packets=0, n_bytes=0, priority=50,metadata=0x3,dl_dst=fa:16:3e:e4:36:b6 actions=set_field:0x1->reg7,resubmit(,32)
> table=19, n_packets=0, n_bytes=0, priority=50,metadata=0x1,dl_dst=fa:16:3e:0d:cf:ea actions=set_field:0x3->reg7,resubmit(,32)
> table=19, n_packets=0, n_bytes=0, priority=50,metadata=0x1,dl_dst=fa:16:3e:b0:f9:f9 actions=set_field:0x4->reg7,resubmit(,32)
> table=32, n_packets=1492, n_bytes=170973, priority=0 actions=resubmit(,33)
> table=33, n_packets=41, n_bytes=3270, priority=100,reg7=0x1,metadata=0x1 actions=set_field:0x1->reg5,resubmit(,34)
> table=33, n_packets=11, n_bytes=798, priority=100,reg7=0x2,metadata=0x1 actions=set_field:0x2->reg5,resubmit(,34)
> table=33, n_packets=0, n_bytes=0, priority=100,reg7=0x3,metadata=0x1 actions=set_field:0x3->reg5,resubmit(,34)
> table=33, n_packets=1304, n_bytes=150792, priority=100,reg7=0xffff,metadata=0x1 actions=set_field:0x2->reg5,set_field:0x2->reg7,resubmit(,34),set_field:0x1->reg5,set_field:0x1->reg7,resubmit(,34),set_field:0x3->reg5,set_field:0x3->reg7,resubmit(,34),set_field:0x4->reg5,set_field:0x4->reg7,resubmit(,34),set_field:0xffff->reg7
> table=33, n_packets=0, n_bytes=0, priority=100,reg7=0x4,metadata=0x1 actions=set_field:0x4->reg5,resubmit(,34)
> table=34, n_packets=9, n_bytes=726, priority=100,reg6=0x1,reg7=0x1,metadata=0x1 actions=drop
> table=34, n_packets=10, n_bytes=864, priority=100,reg6=0x2,reg7=0x2,metadata=0x1 actions=drop
> table=34, n_packets=1234, n_bytes=135756, priority=100,reg6=0x3,reg7=0x3,metadata=0x1 actions=drop
> table=34, n_packets=0, n_bytes=0, priority=100,reg6=0x4,reg7=0x4,metadata=0x1 actions=drop
> table=34, n_packets=2798, n_bytes=325201, priority=0 actions=set_field:0->reg0,set_field:0->reg1,set_field:0->reg2,set_field:0->reg3,set_field:0->reg4,resubmit(,48)
> table=48, n_packets=0, n_bytes=0, priority=100,ipv6,metadata=0x1 actions=ct(table=49,zone=NXM_NX_REG5[0..15])
> table=48, n_packets=2, n_bytes=660, priority=100,ip,metadata=0x1 actions=ct(table=49,zone=NXM_NX_REG5[0..15])
> table=48, n_packets=2594, n_bytes=277348, priority=0,metadata=0x1 actions=resubmit(,49)
> table=48, n_packets=0, n_bytes=0, priority=0,metadata=0x3 actions=resubmit(,49)
> table=49, n_packets=0, n_bytes=0, priority=65534,ct_state=-new-est+rel-inv+trk,metadata=0x1 actions=resubmit(,50)
> table=49, n_packets=0, n_bytes=0, priority=65534,ct_state=-new+est-rel-inv+trk,metadata=0x1 actions=resubmit(,50)
> table=49, n_packets=0, n_bytes=0, priority=65534,ct_state=+inv+trk,metadata=0x1 actions=drop
> table=49, n_packets=0, n_bytes=0, priority=2002,ct_state=+new+trk,tcp,reg7=0x4,metadata=0x1,tp_dst=22 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
> table=49, n_packets=0, n_bytes=0, priority=2002,ct_state=+new+trk,icmp,reg7=0x4,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
> table=49, n_packets=0, n_bytes=0, priority=2002,udp,reg7=0x4,metadata=0x1,nw_src=10.0.0.0/24,tp_src=67,tp_dst=68 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
> table=49, n_packets=0, n_bytes=0, priority=2001,ip,reg7=0x4,metadata=0x1 actions=drop
> table=49, n_packets=0, n_bytes=0, priority=2001,ipv6,reg7=0x4,metadata=0x1 actions=drop
> table=49, n_packets=2, n_bytes=660, priority=1,ip,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
> table=49, n_packets=0, n_bytes=0, priority=1,ipv6,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
> table=49, n_packets=2594, n_bytes=277348, priority=0,metadata=0x1 actions=resubmit(,50)
> table=49, n_packets=0, n_bytes=0, priority=0,metadata=0x3 actions=resubmit(,50)
> table=50, n_packets=2610, n_bytes=305020, priority=100,metadata=0x1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,64)
> table=50, n_packets=0, n_bytes=0, priority=100,metadata=0x3,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,64)
> table=50, n_packets=41, n_bytes=3270, priority=50,reg7=0x1,metadata=0x1,dl_dst=fa:16:3e:ea:92:b1 actions=resubmit(,64)
> table=50, n_packets=11, n_bytes=798, priority=50,reg7=0x2,metadata=0x1,dl_dst=fa:16:3e:0a:a0:ca actions=resubmit(,64)
> table=50, n_packets=0, n_bytes=0, priority=50,reg7=0x1,metadata=0x3,dl_dst=fa:16:3e:e4:36:b6 actions=resubmit(,64)
> table=50, n_packets=0, n_bytes=0, priority=50,reg7=0x3,metadata=0x1,dl_dst=fa:16:3e:0d:cf:ea actions=resubmit(,64)
> table=50, n_packets=0, n_bytes=0, priority=50,reg7=0x4,metadata=0x1,dl_dst=fa:16:3e:b0:f9:f9 actions=resubmit(,64)
> table=64, n_packets=1324, n_bytes=149376, priority=100,reg7=0x1,metadata=0x1 actions=output:1
> table=64, n_packets=1298, n_bytes=150148, priority=100,reg7=0x2,metadata=0x1 actions=output:2
> table=64, n_packets=40, n_bytes=9564, priority=100,reg7=0x3,metadata=0x1 actions=output:3
> table=64, n_packets=0, n_bytes=0, priority=100,reg7=0x4,metadata=0x1 actions=output:21

--
Russell Bryant
_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
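
Added example, not part of the original message and not OVS or OVN code: a static check over `ovs-ofctl dump-flows` text that finds flows which resubmit more than once into a path containing a recirculating `ct(table=N)` action, which is the combination the message describes for table 33 and table 48. The flow lines are copied from the dump above with counters removed; the function names are illustrative assumptions.

```python
import re

# Flow lines copied from the dump quoted in the message (counters removed).
FLOWS = """\
table=33, priority=100,reg7=0xffff,metadata=0x1 actions=set_field:0x2->reg5,set_field:0x2->reg7,resubmit(,34),set_field:0x1->reg5,set_field:0x1->reg7,resubmit(,34),set_field:0x3->reg5,set_field:0x3->reg7,resubmit(,34),set_field:0x4->reg5,set_field:0x4->reg7,resubmit(,34),set_field:0xffff->reg7
table=33, priority=100,reg7=0x1,metadata=0x1 actions=set_field:0x1->reg5,resubmit(,34)
table=34, priority=0 actions=set_field:0->reg0,set_field:0->reg1,set_field:0->reg2,set_field:0->reg3,set_field:0->reg4,resubmit(,48)
table=48, priority=100,ip,metadata=0x1 actions=ct(table=49,zone=NXM_NX_REG5[0..15])
table=48, priority=0,metadata=0x1 actions=resubmit(,49)
table=49, priority=1,ip,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG5[0..15]),resubmit(,50)
table=50, priority=100,metadata=0x1,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=resubmit(,64)
table=64, priority=100,reg7=0x1,metadata=0x1 actions=output:1
"""

FLOW_RE = re.compile(r"table=(\d+),.*?\bactions=(\S+)")
RESUBMIT_RE = re.compile(r"resubmit\(,(\d+)\)")
CT_RECIRC_RE = re.compile(r"\bct\([^)]*\btable=\d+")  # ct() that recirculates

def parse(dump):
    tables = {}  # table number -> list of action strings
    for m in FLOW_RE.finditer(dump):
        tables.setdefault(int(m.group(1)), []).append(m.group(2))
    return tables

def ct_tables(tables, start, seen):
    """Tables reachable from `start` via resubmit that hold a recirculating ct()."""
    if start in seen:
        return set()
    seen.add(start)
    hits = set()
    for actions in tables.get(start, []):
        if CT_RECIRC_RE.search(actions):
            hits.add(start)
        for nxt in RESUBMIT_RE.findall(actions):
            hits |= ct_tables(tables, int(nxt), seen)
    return hits

def fanout_into_ct(dump):
    """(table, resubmit count, ct tables) for flows that resubmit 2+ times
    into a path containing a recirculating ct() action."""
    tables, findings = parse(dump), []
    for table in sorted(tables):
        for actions in tables[table]:
            targets = RESUBMIT_RE.findall(actions)
            seen, hits = set(), set()
            for t in targets:
                hits |= ct_tables(tables, int(t), seen)
            if len(targets) > 1 and hits:
                findings.append((table, len(targets), sorted(hits)))
    return findings

print(fanout_into_ct(FLOWS))
```

The same functions accept the unmodified `dump-flows` output, since the pattern skips the `n_packets` and `n_bytes` fields.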