Hi Justin (et al.!),

As we talked about in the last OVN meeting, I took a look at the code that populates the logical rules for doing the ICMP response. It is here [1], in ovn-northd.c, function build_lrouter_flows(). Thanks Russell for the valuable pointers!

Unlike ARP, I have come to think that less is more. In other words, by removing the match on inport we would get the responses to be generated as we need, and this is not an issue since that code path is only relevant when packets are part of the router datapath (i.e. eth.dst is one of the router's MACs). There is a caveat in that the TTL check is not done until later, and that should be enforced to disallow cases when the ping is for the router but it has TTL < 2. Not sure how important y'all think that is, and if so, further work may be needed to match on ip.ttl at the logical table.

I also did not find a unit test that exercises the ICMP for LR, and that I can work on next if you do agree that "less is more". ;)

All in all, here is a first [2] pass on what I think is needed to make this issue resolved. As always, I could be overlooking something. ;) I will also do some tests under my devstack setup.

Thanks,

-- flaviof

[1]: https://github.com/openvswitch/ovs/blob/master/ovn/northd/ovn-northd.c#L1897
[2]: http://openvswitch.org/pipermail/dev/2016-May/071462.html

On Thu, May 5, 2016 at 12:11 PM, Justin Pettit <jpet...@ovn.org> wrote:

> > On May 3, 2016, at 1:02 PM, Flaviof <fla...@flaviof.com> wrote:
> >
> > [cc Justin]
> >
> > Hello OVS/OVN folks,
> >
> > Using devstack and a slightly modified version of the local.conf.sample [1],
> > I create an all-in-one node with OVN.
> >
> > After stacking, I run a simple script [2] (attached) that creates 2 internal
> > subnet+networks and an OVN-L3 router with interfaces on each one of them.
> >
> > It then creates a vm in each network, which makes it look like this:
> >
> > vm1 ---- net1 ---- rtr ---- net2 ---- vm2
> >        10.1.0.x          10.2.0.x
> >
> > The script adds an internal port to connect to net1 [br-int], so we get to vm1
> > w/out relying on dhcp namespace. With that, I can ping from vm1 to vm2 and
> > also the interface of rtr on net1. However, I cannot ping [3] the rtr interface on
> > net2 (i.e. 10.2.0.1) from vm1 (i.e. 10.1.0.3).
> >
> > Is that expected to work? I will dig into the flow rules to see if this is a known
> > limitation, but would like to ask you guys to avoid wasting too much energy. :)
> > I do understand that special rules have to be added so icmp replies [table17]
> > are sent on behalf of the router interface. There was a similar issue [4] in
> > ODL, which made some L3 tempest tests fail. It is possible that is the case still.
>
> That is consistent with my recollection of how pinging the router works: you can only ping the side that's adjacent to the sender. That would be nice to fix.
>
> --Justin