On Tue, Dec 12, 2023 at 11:27 AM Vincent Godin via discuss <[email protected]> wrote: > > Here they are : > > ovn-sbctl dump-flows lr-1 > > root@dc-1-hyp01:~# ovn-sbctl dump-flows > neutron-d3cbe671-46a9-4596-a3d3-95882ed318b7 > Datapath: "neutron-d3cbe671-46a9-4596-a3d3-95882ed318b7" aka "lr-1" > (8f5d574a-c41d-4fba-a835-b8375a96f7db) Pipeline: ingress > table=0 (lr_in_admission ), priority=100 , match=(vlan.present || > eth.src[40]), action=(drop;) > table=0 (lr_in_admission ), priority=50 , match=(eth.dst == > aa:aa:aa:aa:aa:01 && inport == "to-sw-ts" && > is_chassis_resident("cr-to-sw-ts")), action=(xreg0[0..47] = > aa:aa:aa:aa:aa:01; next;) > table=0 (lr_in_admission ), priority=50 , match=(eth.dst == > fa:16:3e:38:56:0b && inport == "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && > is_chassis_resident("cr-lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d")), > action=(xreg0[0..47] = fa:16:3e:38:56:0b; next;) > table=0 (lr_in_admission ), priority=50 , match=(eth.dst == > fa:16:3e:52:95:fd && inport == "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73"), > action=(xreg0[0..47] = fa:16:3e:52:95:fd; next;) > table=0 (lr_in_admission ), priority=50 , match=(eth.mcast && inport > == "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73"), action=(xreg0[0..47] = > fa:16:3e:52:95:fd; next;) > table=0 (lr_in_admission ), priority=50 , match=(eth.mcast && inport > == "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d"), action=(xreg0[0..47] = > fa:16:3e:38:56:0b; next;) > table=0 (lr_in_admission ), priority=50 , match=(eth.mcast && inport > == "to-sw-ts"), action=(xreg0[0..47] = aa:aa:aa:aa:aa:01; next;) > table=1 (lr_in_lookup_neighbor), priority=110 , match=(inport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73" && arp.spa == 10.0.1.0/24 && > arp.tpa == 10.0.1.1 && arp.op == 1), action=(reg9[2] = lookup_arp(inport, > arp.spa, arp.sha); reg9[3] = 1; next;) > table=1 (lr_in_lookup_neighbor), priority=110 , match=(inport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && arp.spa == 172.16.10.0/24 && > 
arp.tpa == 172.16.10.181 && arp.op == 1 && > is_chassis_resident("cr-lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d")), > action=(reg9[2] = lookup_arp(inport, arp.spa, arp.sha); reg9[3] = 1; next;) > table=1 (lr_in_lookup_neighbor), priority=110 , match=(inport == > "to-sw-ts" && arp.spa == 169.254.100.0/24 && arp.tpa == 169.254.100.1 && > arp.op == 1 && is_chassis_resident("cr-to-sw-ts")), action=(reg9[2] = > lookup_arp(inport, arp.spa, arp.sha); reg9[3] = 1; next;) > table=1 (lr_in_lookup_neighbor), priority=110 , match=(nd_na && ip6.src == > fe80::/10 && ip6.dst == ff00::/8), action=(reg9[2] = lookup_nd(inport, > ip6.src, nd.tll); reg9[3] = lookup_nd_ip(inport, ip6.src); next;) > table=1 (lr_in_lookup_neighbor), priority=100 , match=(arp.op == 2), > action=(reg9[2] = lookup_arp(inport, arp.spa, arp.sha); reg9[3] = 1; next;) > table=1 (lr_in_lookup_neighbor), priority=100 , match=(inport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73" && arp.spa == 10.0.1.0/24 && > arp.op == 1), action=(reg9[2] = lookup_arp(inport, arp.spa, arp.sha); reg9[3] > = lookup_arp_ip(inport, arp.spa); next;) > table=1 (lr_in_lookup_neighbor), priority=100 , match=(inport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && arp.spa == 172.16.10.0/24 && > arp.op == 1 && > is_chassis_resident("cr-lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d")), > action=(reg9[2] = lookup_arp(inport, arp.spa, arp.sha); reg9[3] = > lookup_arp_ip(inport, arp.spa); next;) > table=1 (lr_in_lookup_neighbor), priority=100 , match=(inport == > "to-sw-ts" && arp.spa == 169.254.100.0/24 && arp.op == 1 && > is_chassis_resident("cr-to-sw-ts")), action=(reg9[2] = lookup_arp(inport, > arp.spa, arp.sha); reg9[3] = lookup_arp_ip(inport, arp.spa); next;) > table=1 (lr_in_lookup_neighbor), priority=100 , match=(nd_na), > action=(reg9[2] = lookup_nd(inport, nd.target, nd.tll); reg9[3] = 1; next;) > table=1 (lr_in_lookup_neighbor), priority=100 , match=(nd_ns), > action=(reg9[2] = lookup_nd(inport, ip6.src, nd.sll); reg9[3] = > 
lookup_nd_ip(inport, ip6.src); next;) > table=1 (lr_in_lookup_neighbor), priority=0 , match=(1), action=(reg9[2] > = 1; next;) > table=2 (lr_in_learn_neighbor), priority=100 , match=(reg9[2] == 1 || > reg9[3] == 0), action=(next;) > table=2 (lr_in_learn_neighbor), priority=95 , match=(nd_na && nd.tll == > 0), action=(put_nd(inport, nd.target, eth.src); next;) > table=2 (lr_in_learn_neighbor), priority=95 , match=(nd_ns && (ip6.src == > 0 || nd.sll == 0)), action=(next;) > table=2 (lr_in_learn_neighbor), priority=90 , match=(arp), > action=(put_arp(inport, arp.spa, arp.sha); next;) > table=2 (lr_in_learn_neighbor), priority=90 , match=(nd_na), > action=(put_nd(inport, nd.target, nd.tll); next;) > table=2 (lr_in_learn_neighbor), priority=90 , match=(nd_ns), > action=(put_nd(inport, ip6.src, nd.sll); next;) > table=3 (lr_in_ip_input ), priority=100 , match=(ip4.src == {10.0.1.1, > 10.0.1.255} && reg9[0] == 0), action=(drop;) > table=3 (lr_in_ip_input ), priority=100 , match=(ip4.src == > {169.254.100.1, 169.254.100.255} && reg9[0] == 0), action=(drop;) > table=3 (lr_in_ip_input ), priority=100 , match=(ip4.src == > {172.16.10.181, 172.16.10.255} && reg9[0] == 0), action=(drop;) > table=3 (lr_in_ip_input ), priority=100 , match=(ip4.src_mcast > ||ip4.src == 255.255.255.255 || ip4.src == 127.0.0.0/8 || ip4.dst == > 127.0.0.0/8 || ip4.src == 0.0.0.0/8 || ip4.dst == 0.0.0.0/8), action=(drop;) > table=3 (lr_in_ip_input ), priority=100 , match=(ip6.dst == > fe80::a8aa:aaff:feaa:aa01 && udp.src == 547 && udp.dst == 546), action=(reg0 > = 0; handle_dhcpv6_reply;) > table=3 (lr_in_ip_input ), priority=100 , match=(ip6.dst == > fe80::f816:3eff:fe38:560b && udp.src == 547 && udp.dst == 546), action=(reg0 > = 0; handle_dhcpv6_reply;) > table=3 (lr_in_ip_input ), priority=100 , match=(ip6.dst == > fe80::f816:3eff:fe52:95fd && udp.src == 547 && udp.dst == 546), action=(reg0 > = 0; handle_dhcpv6_reply;) > table=3 (lr_in_ip_input ), priority=92 , match=(inport == > 
"lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && arp.op == 1 && arp.tpa == > 172.16.10.181 && is_chassis_resident("cr-to-sw-ts")), action=(eth.dst = > eth.src; eth.src = xreg0[0..47]; arp.op = 2; /* ARP reply */ arp.tha = > arp.sha; arp.sha = xreg0[0..47]; arp.tpa <-> arp.spa; outport = inport; > flags.loopback = 1; output;) > table=3 (lr_in_ip_input ), priority=92 , match=(inport == "to-sw-ts" > && arp.op == 1 && arp.tpa == 172.16.10.181 && > is_chassis_resident("cr-to-sw-ts")), action=(eth.dst = eth.src; eth.src = > xreg0[0..47]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = > xreg0[0..47]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; > output;) > table=3 (lr_in_ip_input ), priority=91 , match=(inport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && arp.op == 1 && arp.tpa == > 172.16.10.181), action=(drop;) > table=3 (lr_in_ip_input ), priority=91 , match=(inport == "to-sw-ts" > && arp.op == 1 && arp.tpa == 172.16.10.181), action=(drop;) > table=3 (lr_in_ip_input ), priority=90 , match=(arp.op == 1 && > arp.tpa == 172.16.10.181), action=(eth.dst = eth.src; eth.src = xreg0[0..47]; > arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[0..47]; > arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;) > table=3 (lr_in_ip_input ), priority=90 , match=(inport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73" && arp.op == 1 && arp.tpa == > 10.0.1.1 && arp.spa == 10.0.1.0/24), action=(eth.dst = eth.src; eth.src = > xreg0[0..47]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = > xreg0[0..47]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; > output;) > table=3 (lr_in_ip_input ), priority=90 , match=(inport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73" && ip6.dst == > {fe80::f816:3eff:fe52:95fd, ff02::1:ff52:95fd} && nd_ns && nd.target == > fe80::f816:3eff:fe52:95fd), action=(nd_na_router { eth.src = xreg0[0..47]; > ip6.src = nd.target; nd.tll = xreg0[0..47]; outport = inport; flags.loopback > = 1; output; 
};) > table=3 (lr_in_ip_input ), priority=90 , match=(inport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && arp.op == 1 && arp.tpa == > 172.16.10.181 && arp.spa == 172.16.10.0/24 && > is_chassis_resident("cr-lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d")), > action=(eth.dst = eth.src; eth.src = xreg0[0..47]; arp.op = 2; /* ARP reply > */ arp.tha = arp.sha; arp.sha = xreg0[0..47]; arp.tpa <-> arp.spa; outport = > inport; flags.loopback = 1; output;) > table=3 (lr_in_ip_input ), priority=90 , match=(inport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && ip6.dst == > {fe80::f816:3eff:fe38:560b, ff02::1:ff38:560b} && nd_ns && nd.target == > fe80::f816:3eff:fe38:560b && > is_chassis_resident("cr-lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d")), > action=(nd_na_router { eth.src = xreg0[0..47]; ip6.src = nd.target; nd.tll = > xreg0[0..47]; outport = inport; flags.loopback = 1; output; };) > table=3 (lr_in_ip_input ), priority=90 , match=(inport == "to-sw-ts" > && arp.op == 1 && arp.tpa == 169.254.100.1 && arp.spa == 169.254.100.0/24), > action=(eth.dst = eth.src; eth.src = xreg0[0..47]; arp.op = 2; /* ARP reply > */ arp.tha = arp.sha; arp.sha = xreg0[0..47]; arp.tpa <-> arp.spa; outport = > inport; flags.loopback = 1; output;) > table=3 (lr_in_ip_input ), priority=90 , match=(inport == "to-sw-ts" > && ip6.dst == {fe80::a8aa:aaff:feaa:aa01, ff02::1:ffaa:aa01} && nd_ns && > nd.target == fe80::a8aa:aaff:feaa:aa01 && > is_chassis_resident("cr-to-sw-ts")), action=(nd_na_router { eth.src = > xreg0[0..47]; ip6.src = nd.target; nd.tll = xreg0[0..47]; outport = inport; > flags.loopback = 1; output; };) > table=3 (lr_in_ip_input ), priority=90 , match=(ip4.dst == 10.0.1.1 > && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst <-> ip4.src; ip.ttl = > 255; icmp4.type = 0; flags.loopback = 1; next; ) > table=3 (lr_in_ip_input ), priority=90 , match=(ip4.dst == > 169.254.100.1 && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst <-> > ip4.src; ip.ttl = 255; icmp4.type = 0; 
flags.loopback = 1; next; ) > table=3 (lr_in_ip_input ), priority=90 , match=(ip4.dst == > 172.16.10.181 && icmp4.type == 8 && icmp4.code == 0), action=(ip4.dst <-> > ip4.src; ip.ttl = 255; icmp4.type = 0; flags.loopback = 1; next; ) > table=3 (lr_in_ip_input ), priority=90 , match=(ip6.dst == > fe80::a8aa:aaff:feaa:aa01 && icmp6.type == 128 && icmp6.code == 0), > action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback = > 1; next; ) > table=3 (lr_in_ip_input ), priority=90 , match=(ip6.dst == > fe80::f816:3eff:fe38:560b && icmp6.type == 128 && icmp6.code == 0), > action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback = > 1; next; ) > table=3 (lr_in_ip_input ), priority=90 , match=(ip6.dst == > fe80::f816:3eff:fe52:95fd && icmp6.type == 128 && icmp6.code == 0), > action=(ip6.dst <-> ip6.src; ip.ttl = 255; icmp6.type = 129; flags.loopback = > 1; next; ) > table=3 (lr_in_ip_input ), priority=85 , match=(arp || nd), > action=(drop;) > table=3 (lr_in_ip_input ), priority=84 , match=(nd_rs || nd_ra), > action=(next;) > table=3 (lr_in_ip_input ), priority=83 , match=(ip6.mcast_rsvd), > action=(drop;) > table=3 (lr_in_ip_input ), priority=82 , match=(ip4.mcast || > ip6.mcast), action=(drop;) > table=3 (lr_in_ip_input ), priority=60 , match=(ip4.dst == > {10.0.1.1}), action=(drop;) > table=3 (lr_in_ip_input ), priority=60 , match=(ip4.dst == > {169.254.100.1}), action=(drop;) > table=3 (lr_in_ip_input ), priority=60 , match=(ip6.dst == > {fe80::a8aa:aaff:feaa:aa01}), action=(drop;) > table=3 (lr_in_ip_input ), priority=60 , match=(ip6.dst == > {fe80::f816:3eff:fe38:560b}), action=(drop;) > table=3 (lr_in_ip_input ), priority=60 , match=(ip6.dst == > {fe80::f816:3eff:fe52:95fd}), action=(drop;) > table=3 (lr_in_ip_input ), priority=50 , match=(eth.bcast), > action=(drop;) > table=3 (lr_in_ip_input ), priority=32 , match=(ip.ttl == {0, 1} && > !ip.later_frag && (ip4.mcast || ip6.mcast)), action=(drop;) > table=3 (lr_in_ip_input ), 
priority=31 , match=(inport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73" && ip4 && ip.ttl == {0, 1} && > !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time > exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = ip4.src; > ip4.src = 10.0.1.1 ; ip.ttl = 254; outport = > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73"; flags.loopback = 1; output; };) > table=3 (lr_in_ip_input ), priority=31 , match=(inport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && ip4 && ip.ttl == {0, 1} && > !ip.later_frag), action=(icmp4 {eth.dst <-> eth.src; icmp4.type = 11; /* Time > exceeded */ icmp4.code = 0; /* TTL exceeded in transit */ ip4.dst = ip4.src; > ip4.src = 172.16.10.181 ; ip.ttl = 254; outport = > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d"; flags.loopback = 1; output; };) > table=3 (lr_in_ip_input ), priority=31 , match=(inport == "to-sw-ts" > && ip4 && ip.ttl == {0, 1} && !ip.later_frag), action=(icmp4 {eth.dst <-> > eth.src; icmp4.type = 11; /* Time exceeded */ icmp4.code = 0; /* TTL exceeded > in transit */ ip4.dst <-> ip4.src ; ip.ttl = 254; outport = "to-sw-ts"; > flags.loopback = 1; output; };) > table=3 (lr_in_ip_input ), priority=30 , match=(ip.ttl == {0, 1}), > action=(drop;) > table=3 (lr_in_ip_input ), priority=0 , match=(1), action=(next;) > table=4 (lr_in_unsnat ), priority=0 , match=(1), action=(next;) > table=5 (lr_in_defrag ), priority=0 , match=(1), action=(next;) > table=6 (lr_in_dnat ), priority=0 , match=(1), action=(next;) > table=7 (lr_in_ecmp_stateful), priority=0 , match=(1), action=(next;) > table=8 (lr_in_nd_ra_options), priority=0 , match=(1), action=(next;) > table=9 (lr_in_nd_ra_response), priority=0 , match=(1), action=(next;) > table=10(lr_in_ip_routing_pre), priority=0 , match=(1), action=(reg7 = > 0; next;) > table=11(lr_in_ip_routing ), priority=10550, match=(nd_rs || nd_ra), > action=(drop;) > table=11(lr_in_ip_routing ), priority=194 , match=(inport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73" && 
ip6.dst == fe80::/64), > action=(ip.ttl--; reg8[0..15] = 0; xxreg0 = ip6.dst; xxreg1 = > fe80::f816:3eff:fe52:95fd; eth.src = fa:16:3e:52:95:fd; outport = > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73"; flags.loopback = 1; next;) > table=11(lr_in_ip_routing ), priority=194 , match=(inport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && ip6.dst == fe80::/64), > action=(ip.ttl--; reg8[0..15] = 0; xxreg0 = ip6.dst; xxreg1 = > fe80::f816:3eff:fe38:560b; eth.src = fa:16:3e:38:56:0b; outport = > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d"; flags.loopback = 1; next;) > table=11(lr_in_ip_routing ), priority=194 , match=(inport == "to-sw-ts" > && ip6.dst == fe80::/64), action=(ip.ttl--; reg8[0..15] = 0; xxreg0 = > ip6.dst; xxreg1 = fe80::a8aa:aaff:feaa:aa01; eth.src = aa:aa:aa:aa:aa:01; > outport = "to-sw-ts"; flags.loopback = 1; next;) > table=11(lr_in_ip_routing ), priority=74 , match=(ip4.dst == > 10.0.1.0/24), action=(ip.ttl--; reg8[0..15] = 0; reg0 = ip4.dst; reg1 = > 10.0.1.1; eth.src = fa:16:3e:52:95:fd; outport = > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73"; flags.loopback = 1; next;) > table=11(lr_in_ip_routing ), priority=74 , match=(ip4.dst == > 169.254.100.0/24), action=(ip.ttl--; reg8[0..15] = 0; reg0 = ip4.dst; reg1 = > 169.254.100.1; eth.src = aa:aa:aa:aa:aa:01; outport = "to-sw-ts"; > flags.loopback = 1; next;) > table=11(lr_in_ip_routing ), priority=74 , match=(ip4.dst == > 172.16.10.0/24), action=(ip.ttl--; reg8[0..15] = 0; reg0 = ip4.dst; reg1 = > 172.16.10.181; eth.src = fa:16:3e:38:56:0b; outport = > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d"; flags.loopback = 1; next;) > table=11(lr_in_ip_routing ), priority=73 , match=(reg7 == 0 && ip4.dst > == 10.0.2.0/24), action=(ip.ttl--; reg8[0..15] = 0; reg0 = 169.254.100.2; > reg1 = 169.254.100.1; eth.src = aa:aa:aa:aa:aa:01; outport = "to-sw-ts"; > flags.loopback = 1; next;) > table=11(lr_in_ip_routing ), priority=1 , match=(reg7 == 0 && ip4.dst > == 0.0.0.0/0), action=(ip.ttl--; reg8[0..15] = 0; reg0 = 
172.16.10.1; reg1 = > 172.16.10.181; eth.src = fa:16:3e:38:56:0b; outport = > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d"; flags.loopback = 1; next;) > table=12(lr_in_ip_routing_ecmp), priority=150 , match=(reg8[0..15] == 0), > action=(next;) > table=13(lr_in_policy ), priority=0 , match=(1), > action=(reg8[0..15] = 0; next;) > table=14(lr_in_policy_ecmp ), priority=150 , match=(reg8[0..15] == 0), > action=(next;) > table=15(lr_in_arp_resolve ), priority=500 , match=(ip4.mcast || > ip6.mcast), action=(next;) > table=15(lr_in_arp_resolve ), priority=100 , match=(outport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73" && reg0 == 10.0.1.188), > action=(eth.dst = fa:16:3e:c4:b1:69; next;) > table=15(lr_in_arp_resolve ), priority=100 , match=(outport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73" && reg0 == 10.0.1.2), > action=(eth.dst = fa:16:3e:51:5a:4d; next;) > table=15(lr_in_arp_resolve ), priority=100 , match=(outport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d" && reg0 == 172.16.10.100), > action=(eth.dst = fa:16:3e:70:82:6e; next;) > table=15(lr_in_arp_resolve ), priority=100 , match=(outport == "to-sw-ts" > && reg0 == 169.254.100.2), action=(eth.dst = aa:aa:aa:aa:aa:02; next;) > table=15(lr_in_arp_resolve ), priority=1 , match=(ip4.dst == > {172.16.10.181}), action=(drop;) > table=15(lr_in_arp_resolve ), priority=0 , match=(ip4), > action=(get_arp(outport, reg0); next;) > table=15(lr_in_arp_resolve ), priority=0 , match=(ip6), > action=(get_nd(outport, xxreg0); next;) > table=16(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) > table=17(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) > table=18(lr_in_gw_redirect ), priority=50 , match=(outport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d"), action=(outport = > "cr-lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d"; next;) > table=18(lr_in_gw_redirect ), priority=50 , match=(outport == > "to-sw-ts"), action=(outport = "cr-to-sw-ts"; next;) > table=18(lr_in_gw_redirect ), priority=0 , 
match=(1), action=(next;) > table=19(lr_in_arp_request ), priority=100 , match=(eth.dst == > 00:00:00:00:00:00 && ip4), action=(arp { eth.dst = ff:ff:ff:ff:ff:ff; arp.spa > = reg1; arp.tpa = reg0; arp.op = 1; output; };) > table=19(lr_in_arp_request ), priority=100 , match=(eth.dst == > 00:00:00:00:00:00 && ip6), action=(nd_ns { nd.target = xxreg0; output; };) > table=19(lr_in_arp_request ), priority=0 , match=(1), action=(output;) > Datapath: "neutron-d3cbe671-46a9-4596-a3d3-95882ed318b7" aka "lr-1" > (8f5d574a-c41d-4fba-a835-b8375a96f7db) Pipeline: egress > table=0 (lr_out_chk_dnat_local), priority=0 , match=(1), action=(reg9[4] > = 0; next;) > table=1 (lr_out_undnat ), priority=0 , match=(1), action=(next;) > table=2 (lr_out_post_undnat ), priority=0 , match=(1), action=(next;) > table=3 (lr_out_snat ), priority=120 , match=(nd_ns), action=(next;) > table=3 (lr_out_snat ), priority=0 , match=(1), action=(next;) > table=4 (lr_out_post_snat ), priority=0 , match=(1), action=(next;) > table=5 (lr_out_egr_loop ), priority=0 , match=(1), action=(next;) > table=6 (lr_out_delivery ), priority=100 , match=(outport == > "lrp-4eac4d9c-7de5-4f81-a73d-1bf44e312f73"), action=(output;) > table=6 (lr_out_delivery ), priority=100 , match=(outport == > "lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d"), action=(output;) > table=6 (lr_out_delivery ), priority=100 , match=(outport == > "to-sw-ts"), action=(output;) > >
It looks like ovn-northd is not able to figure out which logical port to use for the NATs. Can you please check the ovn-northd logs and see whether there are any warnings? I'm pretty sure there should be some. Also, since the logical router has multiple gateway router ports in your case, you need to set the gateway_port for each NAT entry. But your NAT table seems to be missing the "gateway_port" column, which means you're using an older version. See this commit: https://github.com/ovn-org/ovn/commit/2d942be7db1799f2778492331513ae2b5a556b92 You need to use OVN version 22.06 or higher to have NAT support in the logical routers which have multiple gateway ports. Once you have it, you can set the gateway_port for the NAT with ovn-nbctl set NAT 612c64ff-a593-42eb-bce4-b99f38c442c4 gateway_port=<uuid_of_lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d> or ovn-nbctl --gateway-port=lrp-a96d7d78-c3a6-487e-91bc-10e97ccb3d9d lr-nat-add lr-1 snat 172.16.10.181 10.0.1.0/24 Thanks Numan > ovn-nbctl list logical_router lr-1 > > root@dc-1-hyp01:~# ovn-nbctl list logical_router > neutron-d3cbe671-46a9-4596-a3d3-95882ed318b7 > _uuid : 45178303-bd0e-40f1-b0db-b6508d6a491e > copp : [] > enabled : true > external_ids : {"neutron:availability_zone_hints"="", > "neutron:gw_network_id"="fd415705-6cd5-4ea0-9864-d4b1dd9f789d", > "neutron:gw_port_id"="a96d7d78-c3a6-487e-91bc-10e97ccb3d9d", > "neutron:revision_number"="8", "neutron:router_name"=lr-1} > load_balancer : [] > load_balancer_group : [] > name : neutron-d3cbe671-46a9-4596-a3d3-95882ed318b7 > nat : [612c64ff-a593-42eb-bce4-b99f38c442c4] > options : {always_learn_from_arp_request="false", > dynamic_neigh_routers="true"} > policies : [] > ports : [13790dbe-d9bd-44ad-8aa2-03734d4e7509, > 43bf5ede-62f5-40bd-b623-49aaf6a6b765, 7429480d-98a7-48d3-8a03-70b5cb8cd76a] > static_routes : [22114c67-e3c3-4a14-bd42-9e53a00e94dd, > 5d1d9a3b-b5a1-4474-a4b0-70d00d4917f5] > > > ovn-nbctl list NAT > > root@dc-1-hyp01:~# ovn-nbctl list NAT > _uuid : 
612c64ff-a593-42eb-bce4-b99f38c442c4 > allowed_ext_ips : [] > exempted_ext_ips : [] > external_ids : {} > external_ip : "172.16.10.181" > external_mac : [] > external_port_range : "" > logical_ip : "10.0.1.0/24" > logical_port : [] > options : {} > type : snat > > By the way, is there a command to check the status of geneve tunnel ? I'd > like to be sure (on a other PoC) that tunnels are in good state. With > "ovs-vsctl show", sometime i have a BFD status and sometime none > > root@dc-1-net02:~# ovs-vsctl show > 725dd5be-d4f6-4f02-986a-66ecd11e04e6 > Manager "ptcp:6640:127.0.0.1" > is_connected: true > Bridge br-ex > Port patch-provnet-a384e581-3e54-4e75-8219-193f8fcdcd70-to-br-int > Interface > patch-provnet-a384e581-3e54-4e75-8219-193f8fcdcd70-to-br-int > type: patch > options: > {peer=patch-br-int-to-provnet-a384e581-3e54-4e75-8219-193f8fcdcd70} > Port br-ex > Interface br-ex > type: internal > Port enp2s0 > Interface enp2s0 > Bridge br-int > fail_mode: secure > datapath_type: system > Port ovn-9e9101-1 > Interface ovn-9e9101-1 > type: geneve > options: {csum="true", key=flow, remote_ip="172.16.11.2"} > Port br-int > Interface br-int > type: internal > Port ovn-0527de-1 > Interface ovn-0527de-1 > type: geneve > options: {csum="true", key=flow, remote_ip="172.16.21.3"} > Port tap8d388975-10 > Interface tap8d388975-10 > Port ovn-9e963a-1 > Interface ovn-9e963a-1 > type: geneve > options: {csum="true", key=flow, remote_ip="172.16.11.3"} > bfd_status: {diagnostic="No Diagnostic", flap_count="1", > forwarding="true", remote_diagnostic="No Diagnostic", remote_state=up, > state=up} > Port patch-br-int-to-provnet-a384e581-3e54-4e75-8219-193f8fcdcd70 > Interface > patch-br-int-to-provnet-a384e581-3e54-4e75-8219-193f8fcdcd70 > type: patch > options: > {peer=patch-provnet-a384e581-3e54-4e75-8219-193f8fcdcd70-to-br-int} > Port tap8b0fa59b-96 > Interface tap8b0fa59b-96 > ovs_version: "2.17.8" > > I have a bfd_status for the tunnel to 172.16.11.3 and nothing for the one to > 
172.16.11.2 or 172.16.21.3 > > Vincent > > > Le mar. 12 déc. 2023 à 16:56, Numan Siddique <[email protected]> a écrit : >> >> Thanks for sharing the logs. Looks like there are no NATs configured. >> >> Can you please share the o/p of "ovn-sbctl dump-flows lr-1", >> "ovn-nbctl list logical_router lr-1" and "ovn-nbctl list NAT" >> >> >> Thanks >> Numan >> >> On Tue, Dec 12, 2023 at 8:11 AM Vincent Godin via discuss >> <[email protected]> wrote: >> > >> > Thank you very much Numan ! >> > >> > I will try with HA Chassis Group >> > >> > For the snat problem, let me give you more informations : >> > >> > on lr-1 : >> > >> > root@dc-1-hyp01:~# ovn-nbctl lr-route-list >> > neutron-d3cbe671-46a9-4596-a3d3-95882ed318b7 >> > IPv4 Routes >> > Route Table <main>: >> > 10.0.2.0/24 169.254.100.2 dst-ip >> > 0.0.0.0/0 172.16.10.1 dst-ip >> > >> > root@dc-1-hyp01:~# ovn-nbctl lr-nat-list >> > neutron-d3cbe671-46a9-4596-a3d3-95882ed318b7 >> > TYPE EXTERNAL_IP EXTERNAL_PORT LOGICAL_IP >> > EXTERNAL_MAC LOGICAL_PORT >> > snat 172.16.10.181 10.0.1.0/24 >> > >> > on lr-2 : >> > >> > root@dc-2-hyp01:~# ovn-nbctl lr-route-list >> > neutron-b761e5e4-7327-4cdf-b1d0-97c267fd52d7 >> > IPv4 Routes >> > Route Table <main>: >> > 10.0.1.0/24 169.254.100.1 dst-ip >> > 0.0.0.0/0 172.16.20.1 dst-ip >> > >> > If i trace a icmp echo from the vm-1 (10.0.1.188) to the external gateway >> > (172.16.10.1) >> > >> > root@dc-1-hyp01:~# ovn-trace --detail >> > neutron-8d388975-101b-4c6f-8ae4-1f6f429c22f6 'inport == >> > "8b0fa59b-962d-4848-96e8-6b64bb483a56" && eth.src == fa:16:3e:c4:b1:69 && >> > eth.dst == fa:16:3e:52:95:fd && ip4.src == 10.0.1.188 && ip4.dst == >> > 172.16.10.1 && ip.ttl == 32 && icmp4.type == 8' >> > # >> > icmp,reg14=0x3,vlan_tci=0x0000,dl_src=fa:16:3e:c4:b1:69,dl_dst=fa:16:3e:52:95:fd,nw_src=10.0.1.188,nw_dst=172.16.10.1,nw_tos=0,nw_ecn=0,nw_ttl=32,nw_frag=no,icmp_type=8,icmp_code=0 >> > >> > ingress(dp="net-1", inport="8b0fa5") >> > ------------------------------------ >> > 0. 
ls_in_port_sec_l2 (northd.c:5652): inport == "8b0fa5" && eth.src == >> > {fa:16:3e:c4:b1:69}, priority 50, uuid 6b1602aa >> > next; >> > 1. ls_in_port_sec_ip (northd.c:5285): inport == "8b0fa5" && eth.src == >> > fa:16:3e:c4:b1:69 && ip4.src == {10.0.1.188}, priority 90, uuid 95750115 >> > next; >> > 5. ls_in_pre_acl (northd.c:5915): ip, priority 100, uuid 95d1a153 >> > reg0[0] = 1; >> > next; >> > 7. ls_in_pre_stateful (northd.c:6095): reg0[0] == 1, priority 100, uuid >> > c49352e8 >> > ct_next; >> > >> > ct_next(ct_state=est|trk /* default (use --ct to customize) */) >> > --------------------------------------------------------------- >> > 8. ls_in_acl_hint (northd.c:6183): !ct.new && ct.est && !ct.rpl && >> > ct_label.blocked == 0, priority 4, uuid 5ca5c0f2 >> > reg0[8] = 1; >> > reg0[10] = 1; >> > next; >> > 9. ls_in_acl (northd.c:6425): reg0[8] == 1 && (inport == >> > @pg_b607165d_a4f0_4e04_adf3_20e37b08d39b && ip4 && ip4.dst == 0.0.0.0/0), >> > priority 2002, uuid 140ab284 >> > next; >> > 24. ls_in_l2_lkup (northd.c:8697): eth.dst == fa:16:3e:52:95:fd, priority >> > 50, uuid aff910da >> > outport = "4eac4d"; >> > output; >> > >> > egress(dp="net-1", inport="8b0fa5", outport="4eac4d") >> > ----------------------------------------------------- >> > 0. ls_out_pre_acl (northd.c:5802): ip && outport == "4eac4d", priority >> > 110, uuid f40a6c28 >> > next; >> > 1. ls_out_pre_lb (northd.c:5802): ip && outport == "4eac4d", priority >> > 110, uuid 62d9a6b5 >> > next; >> > 3. ls_out_acl_hint (northd.c:6183): !ct.new && ct.est && !ct.rpl && >> > ct_label.blocked == 0, priority 4, uuid e20482b0 >> > reg0[8] = 1; >> > reg0[10] = 1; >> > next; >> > 9. ls_out_port_sec_l2 (northd.c:5749): outport == "4eac4d", priority 50, >> > uuid 2a82f83d >> > output; >> > /* output to "4eac4d", type "patch" */ >> > >> > ingress(dp="lr-1", inport="lrp-4eac4d") >> > --------------------------------------- >> > 0. 
lr_in_admission (northd.c:10984): eth.dst == fa:16:3e:52:95:fd && >> > inport == "lrp-4eac4d", priority 50, uuid 980d0e4c >> > xreg0[0..47] = fa:16:3e:52:95:fd; >> > next; >> > 1. lr_in_lookup_neighbor (northd.c:11147): 1, priority 0, uuid 9a8072c7 >> > reg9[2] = 1; >> > next; >> > 2. lr_in_learn_neighbor (northd.c:11156): reg9[2] == 1 || reg9[3] == 0, >> > priority 100, uuid 00d01e41 >> > next; >> > 10. lr_in_ip_routing_pre (northd.c:11382): 1, priority 0, uuid ea5d4e99 >> > reg7 = 0; >> > next; >> > 11. lr_in_ip_routing (northd.c:9861): ip4.dst == 172.16.10.0/24, priority >> > 74, uuid d7f6b4a7 >> > ip.ttl--; >> > reg8[0..15] = 0; >> > reg0 = ip4.dst; >> > reg1 = 172.16.10.181; >> > eth.src = fa:16:3e:38:56:0b; >> > outport = "lrp-a96d7d"; >> > flags.loopback = 1; >> > next; >> > 12. lr_in_ip_routing_ecmp (northd.c:11458): reg8[0..15] == 0, priority >> > 150, uuid c21651eb >> > next; >> > 13. lr_in_policy (northd.c:11592): 1, priority 0, uuid 9f549b6b >> > reg8[0..15] = 0; >> > next; >> > 14. lr_in_policy_ecmp (northd.c:11594): reg8[0..15] == 0, priority 150, >> > uuid e4edbcc2 >> > next; >> > 15. lr_in_arp_resolve (northd.c:11628): ip4, priority 0, uuid 9f8d9d70 >> > get_arp(outport, reg0); >> > /* MAC binding to 52:54:00:7c:33:5f. */ >> > next; >> > 18. lr_in_gw_redirect (northd.c:12195): outport == "lrp-a96d7d", priority >> > 50, uuid e44a4ccc >> > outport = "cr-lrp-a96d7d"; >> > next; >> > 19. lr_in_arp_request (northd.c:12312): 1, priority 0, uuid 42bc76bc >> > output; >> > /* Replacing type "chassisredirect" outport "cr-lrp-a96d7d" with >> > distributed port "lrp-a96d7d". */ >> > >> > egress(dp="lr-1", inport="lrp-4eac4d", outport="lrp-a96d7d") >> > ------------------------------------------------------------ >> > 0. lr_out_chk_dnat_local (northd.c:13552): 1, priority 0, uuid a357b242 >> > reg9[4] = 0; >> > next; >> > 6. 
lr_out_delivery (northd.c:12359): outport == "lrp-a96d7d", priority >> > 100, uuid 4e4c0628 >> > output; >> > /* output to "lrp-a96d7d", type "patch" */ >> > >> > ingress(dp="provider-1", inport="a96d7d") >> > ----------------------------------------- >> > 0. ls_in_port_sec_l2 (northd.c:5652): inport == "a96d7d", priority 50, >> > uuid 864a69e7 >> > next; >> > 6. ls_in_pre_lb (northd.c:5799): ip && inport == "a96d7d", priority 110, >> > uuid db7797ba >> > next; >> > 24. ls_in_l2_lkup (northd.c:7895): 1, priority 0, uuid d363bed8 >> > outport = get_fdb(eth.dst); >> > next; >> > 25. ls_in_l2_unknown (northd.c:7899): outport == "none", priority 50, uuid >> > b38c4866 >> > outport = "_MC_unknown"; >> > output; >> > >> > multicast(dp="provider-1", mcgroup="_MC_unknown") >> > ------------------------------------------------- >> > >> > egress(dp="provider-1", inport="a96d7d", outport="provnet-a384e5") >> > ------------------------------------------------------------------ >> > 1. ls_out_pre_lb (northd.c:5802): ip && outport == >> > "provnet-a384e5", priority 110, uuid 54759c1d >> > next; >> > 9. ls_out_port_sec_l2 (northd.c:5749): outport == >> > "provnet-a384e5", priority 50, uuid 7ddf1120 >> > output; >> > /* output to "provnet-a384e5", type "localnet" */ >> > >> > The paquet is well send to the external interface but no snat applied ! >> > >> > Vincent >> > >> > _______________________________________________ >> > discuss mailing list >> > [email protected] >> > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss > > _______________________________________________ > discuss mailing list > [email protected] > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss _______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
