Hi,
we’ve faced an issue where asymmetrically routed traffic is used. Please help
us understand what options we have to allow such traffic.
The topology is as follows:
                     client lsp (10.0.0.1/24)
                               |
                          ls-external
                         /           \
lsp router vm1 eth0: 10.0.0.2/24        lsp router vm2 eth0: 10.0.0.3/24
lsp router vm1 eth1: 192.168.0.1/24     lsp router vm2 eth1: 192.168.0.2/24
                         \           /
                          ls-internal
                               |
                    server lsp (192.168.0.10/24)
All LSPs have port_security configured with "<mac> 0.0.0.0/0 ::/0" and belong
to port group pg1.
There are two ACLs within this PG:
from-lport 0.0.0.0/0 allow-related
to-lport 0.0.0.0/0 allow-related
The problem is when traffic from client to server goes through router vm1 and
returns through router vm2, there is no connectivity. I see reply traffic on
the server interface, which is going to router vm2 mac address, but I don't see
it on the router vm2 interface.
I guess the reason for this is that conntrack sees a packet with the SYN+ACK
flags set as the first packet of the connection and treats it as invalid, right?
If yes, is there any way to use asymmetrically routed topologies inside OVN
with stateful ACLs?
I found there is an option to replace the ct.inv field check:
https://github.com/ovn-org/ovn/commit/3bb91366a6b0d60df5ce8f9c7f6427f7d37dfdd4
Is it a good idea to use this option to solve the issue, or is this intended
specifically for use with smart NICs without invalid-state support and could it
be removed in the future?
Thanks.
Regards,
Vladislav Odintsov
_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
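The failure mode described in the question, as an added example that is not part of the original thread or of OVN's own code: a toy model of the per-router conntrack table and of a stateful "allow-related" ACL. Each router VM keeps its own connection table, so when the SYN crosses vm1 and the SYN+ACK crosses vm2, vm2 has never recorded the original direction and classifies the reply as invalid. The `drop_invalid` flag is my simplification of an ACL stage that does or does not act on ct.inv; it is not a description of the linked OVN commit. Class and function names, and the sample handshake, are constructed here; the addresses are the ones from the topology above.

```python
# Added example (not from the mailing-list thread): a toy model of how a
# per-router conntrack table classifies TCP packets, and how an OVN-style
# "allow-related" ACL behaves on each router when the forward and return
# paths cross different routers. Names and the simplifications are mine.
from dataclasses import dataclass

NEW, EST, INV = "new", "est", "inv"          # ct.new / ct.est / ct.inv
ALLOW, DROP = "allow", "drop"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: frozenset          # e.g. frozenset({"SYN", "ACK"})


class Conntrack:
    """Connection table of ONE router (each router VM has its own)."""

    def __init__(self):
        # canonical endpoint pair -> originator (src, sport) of the flow
        self.flows = {}

    @staticmethod
    def key(pkt):
        a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
        return (a, b) if a <= b else (b, a)

    def classify(self, pkt):
        k = self.key(pkt)
        if k not in self.flows:
            # First packet of an unknown flow: only a bare SYN may open it.
            # A SYN+ACK with no recorded original direction is invalid,
            # which is also how the Linux nf_conntrack TCP tracker behaves.
            if pkt.flags == frozenset({"SYN"}):
                self.flows[k] = (pkt.src, pkt.sport)
                return NEW
            return INV
        # Simplification: any later packet of a known flow is "established".
        return EST


def acl_allow_related(state, drop_invalid=True):
    """Verdict of a stateful 'allow-related' ACL for a classified packet.
    drop_invalid=True models the default drop of ct.inv traffic; False is a
    hypothetical stand-in for a datapath that does not match on ct.inv."""
    if state == INV:
        return DROP if drop_invalid else ALLOW
    return ALLOW


def simulate(handshake, drop_invalid=True):
    """handshake: list of (router_name, Packet) in arrival order.
    Returns one (router, ct_state, verdict) tuple per packet."""
    tables = {}
    verdicts = []
    for router, pkt in handshake:
        ct = tables.setdefault(router, Conntrack())
        state = ct.classify(pkt)
        verdicts.append((router, state, acl_allow_related(state, drop_invalid)))
    return verdicts


# Constructed sample traffic using the addresses from the thread's topology.
CLIENT, SERVER = "10.0.0.1", "192.168.0.10"
SYN = Packet(CLIENT, SERVER, 40000, 80, frozenset({"SYN"}))
SYNACK = Packet(SERVER, CLIENT, 80, 40000, frozenset({"SYN", "ACK"}))
ACK = Packet(CLIENT, SERVER, 40000, 80, frozenset({"ACK"}))

# Forward and return paths through the same router vs. through different ones.
SYMMETRIC = [("vm1", SYN), ("vm1", SYNACK), ("vm1", ACK)]
ASYMMETRIC = [("vm1", SYN), ("vm2", SYNACK), ("vm1", ACK)]

if __name__ == "__main__":
    for name, path in (("symmetric", SYMMETRIC), ("asymmetric", ASYMMETRIC)):
        print(name, simulate(path))
        print(name, "without ct.inv drop", simulate(path, drop_invalid=False))
```

Running it shows the symmetric handshake allowed on vm1 end to end, while in the asymmetric case the SYN+ACK arriving at vm2 is classified `inv` and dropped, matching the symptom of seeing the reply leave the server but never reach vm2. The `drop_invalid=False` run illustrates the trade-off of not acting on ct.inv: the reply now passes vm2, but so would any other unsolicited SYN+ACK that the router has no flow for, so the ACL stops being a reliable per-router stateful filter for such traffic.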