On 12 Mar 2024, at 4:16, Zhangweiwei via discuss wrote:
> Hi, > I send an ICMP echo request packet from port tapVm71( IP: 1.1.70.1) to > tapVm72( IP: 1.1.70.2) with CT, and there are two ICMP reply packets which > are captured on tapVm72. We can see the ICMP reply packet sent by tapVm72 is > mirrored twice within recirc_id(0) and recirc_id(0xe). This issue is caused > by patch (ofproto-dpif-upcall: Mirror packets that are modified, > https://github.com/openvswitch/ovs/commit/feed7f6775056b3dd55249596a7e587bc9c5fd4a). > The patch resets the mirrors every time when a packet is modified. In my > pipline, the NXM_NX_REG4[31] is modified,thus the ICMP reply packet is > mirrored again in recirc_id(0xe). > The condition for resetting the mirror in reset_mirror_ctx() seems not strict > enough, which can lead to duplicated mirror during recirclation. Mike can you take a look at this? It was introduced after your patch. > 1、ovs version: 3.2.1 > > 2、dpcls > [root@localhost ~]# ovs-appctl dpctl/dump-flows -m > flow-dump from pmd on cpu core: 1 > ufid:bc206dc0-dcfb-4396-894a-695656ffe6cc, > recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(tapVm72),skb_mark(0/0),ct_state(0/0x20),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=52:54:00:9a:bf:ed,dst=52:54:00:67:d5:61/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=1.1.70.2,dst=1.1.70.1/0.0.0.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=0/0,code=0/0), > packets:449, bytes:44002, used:0.086s, dp:ovs, > actions:mitapVm72,ct(zone=6),recirc(0xe), dp-extra-info:miniflow_bits(5,2) > ufid:fbd3db23-9e12-4f6b-826e-5672d33856ae, > recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(tapVm71),skb_mark(0/0),ct_state(0/0x3f),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=52:54:00:67:d5:61,dst=52:54:00:9a:bf:ed),eth_type(0x0800),ipv4(src=1.1.70.1,dst=1.1.70.2/255.255.192.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), > packets:449, bytes:44002, used:0.086s, dp:ovs, > actions:ct(zone=6),recirc(0xd), dp-extra-info:miniflow_bits(5,2) > ufid:63728c39-8203-4dd3-8d48-1dd1a2ec999e, > recirc_id(0xe),dp_hash(0/0),skb_priority(0/0),in_port(tapVm72),skb_mark(0/0),ct_state(0x2a/0x3f),ct_zone(0x6/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src=1.1.70.1/0.0.0.0,dst=1.1.70.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0),packet_type(ns=0,id=0),eth(src=52:54:00:9a:bf:ed/00:00:00:00:00:00,dst=52:54:00:67:d5:61),eth_type(0x0800),ipv4(src=1.1.70.2/0.0.0.0,dst=1.1.70.1/255.255.192.0,proto=1,tos=0/0,ttl=64/0,frag=no),icmp(type=0/0,code=0/0), > packets:449, bytes:44002, used:0.086s, dp:ovs, actions:mitapVm72,tapVm71, > dp-extra-info:miniflow_bits(5,2) > ufid:54af771a-7c46-4b33-b207-93b219d014a4, > recirc_id(0xd),dp_hash(0/0),skb_priority(0/0),in_port(tapVm71),skb_mark(0/0),ct_state(0x22/0xf),ct_zone(0x6/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src=1.1.70.1/0.0.0.0,dst=1.1.70.2/0.0.0.0,proto=1/0,tp_src=8/0,tp_dst=0/0),packet_type(ns=0,id=0),eth(src=52:54:00:67:d5:61/00:00:00:00:00:00,dst=52:54:00:9a:bf:ed/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=1.1.70.1/0.0.0.0,dst=1.1.70.2/0.0.0.0,proto=1/0,tos=0/0,ttl=64/0,frag=no),icmp(type=8/0,code=0/0), > packets:448, bytes:43904, used:0.086s, dp:ovs, actions:tapVm72,mitapVm72, > dp-extra-info:miniflow_bits(4,1) > > 3、Bridge > [root@localhost openvswitch-3.2.1]# ovs-vsctl show > Bridge vds1-br > Controller "tcp:172.20.66.228:6633" > is_connected: true > Controller "tcp:172.20.66.229:6633" > is_connected: true > fail_mode: secure > datapath_type: netdev > Port vxlan_vds1-br > Interface vxlan_vds1-br > type: vxlan > options: {key=flow, local_ip="3.3.3.70", remote_ip=flow, > tos=inherit} > Port tapVm72 > tag: 0 > Interface tapVm72 > type: dpdkvhostuserclient > options: {vhost-server-path="/var/run/openvswitch/tapVm72"} > Port mitapVm72 > Interface mitapVm72 > Port tapVm71 > tag: 0 > Interface tapVm71 > type: dpdkvhostuserclient > options: {vhost-server-path="/var/run/openvswitch/tapVm71"} > Port vds1-br > Interface vds1-br > type: internal > ovs_version: "3.2.1" > > 4、packets > [root@localhost ~]# ovs-tcpdump -i tapVm72 > dropped privs to tcpdump > tcpdump: verbose output suppressed, use -v or -vv for full protocol decode > listening on mitapVm72, link-type EN10MB (Ethernet), capture size 262144 bytes > > 10:03:30.173595 IP 1.1.70.1 > 1.1.70.2: ICMP echo request, id 16616, seq 1, > length 64 > 10:03:30.173696 IP 1.1.70.2 > 1.1.70.1: ICMP echo reply, id 16616, seq 1, > length 64 > 10:03:30.173697 IP 1.1.70.2 > 1.1.70.1: ICMP echo reply, id 16616, seq 1, > length 64 > > 5、track > [root@localhost~]# ovs-appctl ofproto/trace vds1-br in_port=tapVm72 > 52540067d5615254009abfed080045000054f9ba00004001f2e901014602010146010000a0761bcd0001c487ea6500000000cbfa0a0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363752540067d5615254009abfed080045000054f9ba00004001f2e901014602010146010000a0761bcd0001c487ea6500000000cbfa0a0000000000101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 > Flow: > icmp,in_port=6,vlan_tci=0x0000,dl_src=52:54:00:9a:bf:ed,dl_dst=52:54:00:67:d5:61,nw_src=1.1.70.2,nw_dst=1.1.70.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0 > > bridge("vds1-br") > ----------------- > 0. priority 0, cookie 0x1000000000000001 > goto_table:5 > 5. priority 0, cookie 0x1000000000000001 > group:553648133 > bucket 0 > resubmit(,166) > 166. No match. > drop > goto_table:12 > 12. priority 0, cookie 0x1000000000000001 > goto_table:15 > 15. in_port=6, priority 30000, cookie 0x1000000000000000 > write_metadata:0x500000000 > goto_table:17 > 17. ip,metadata=0x500000000/0x80ffffff0fff0000,in_port=6, priority 30000, > cookie 0x1000000000000000 > load:0x1->NXM_NX_REG4[0..30] > goto_table:20 > 20. priority 0, cookie 0x1000000000000001 > goto_table:21 > 21. priority 0, cookie 0x1000000000000001 > goto_table:25 > 25. priority 0, cookie 0x1000000000000001 > goto_table:30 > 30. > ip,metadata=0x500000000/0x80ffffff0fff0000,in_port=6,dl_src=52:54:00:9a:bf:ed,nw_src=1.1.70.2, > priority 30000, cookie 0x1000000000000000 > goto_table:35 > 35. metadata=0/0x8000000000000000, priority 30000, cookie 0x1000000000000000 > > learn(table=151,hard_timeout=300,priority=10000,OXM_OF_METADATA[32..55],NXM_OF_ETH_DST[]=NXM_OF_ETH_SRC[],load:NXM_OF_IN_PORT[]->OXM_OF_METADATA[0..15],load:OXM_OF_METADATA[16..27]->OXM_OF_METADATA[16..27]) > -> table=151 > metadata=0x500000000/0xffffff00000000,dl_dst=52:54:00:9a:bf:ed priority=10000 > hard=300 > actions=load:0x6->OXM_OF_METADATA[0..15],load:0->OXM_OF_METADATA[16..27] > goto_table:40 > 40. ip, priority 30000, cookie 0x1000000000000000 > goto_table:75 > 75. ct_state=-trk,ip,metadata=0x500000000/0x80ffffff0fff0000,in_port=6, > priority 30000, cookie 0x1020000000000000 > ct(table=76,zone=6) > drop > -> A clone of the packet is forked to recirculate. The forked pipeline > will be resumed at table 76. > -> Sets the packet to an untracked state, and clears all the conntrack > fields. > > Final flow: > icmp,reg4=0x1,metadata=0x500000000,in_port=6,vlan_tci=0x0000,dl_src=52:54:00:9a:bf:ed,dl_dst=52:54:00:67:d5:61,nw_src=1.1.70.2,nw_dst=1.1.70.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0 > Megaflow: > recirc_id=0,ct_state=-trk,eth,icmp,in_port=6,dl_src=52:54:00:9a:bf:ed,nw_src=1.1.70.2,nw_frag=no > Datapath actions: 5,ct(zone=6),recirc(0xe) > > =============================================================================== > recirc(0xe) - resume conntrack with default ct_state=trk|new (use --ct-next > to customize) > =============================================================================== > > Flow: > recirc_id=0xe,ct_state=new|trk,ct_zone=6,eth,icmp,reg4=0x1,metadata=0x500000000,in_port=6,vlan_tci=0x0000,dl_src=52:54:00:9a:bf:ed,dl_dst=52:54:00:67:d5:61,nw_src=1.1.70.2,nw_dst=1.1.70.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0 > > bridge("vds1-br") > ----------------- > thaw > Resuming from table 76 > 76. ct_state=+new-est,ip,metadata=0x500000000/0x80ffffff0fff0000,in_port=6, > priority 50000, cookie 0x1020000000000000 > ct(commit,zone=6) > drop > -> Sets the packet to an untracked state, and clears all the conntrack > fields. > goto_table:78 > 78. priority 0, cookie 0x1000000000000001 > goto_table:80 > 80. priority 0, cookie 0x1000000000000001 > goto_table:85 > 85. priority 0, cookie 0x1000000000000001 > goto_table:87 > 87. priority 0, cookie 0x1000000000000000 > group:553648129 > bucket 0 > resubmit(,160) > 160. No match. > drop > bucket 1 > resubmit(,145) > 145. No match. > drop > goto_table:90 > 90. ip,metadata=0x500000000/0x80ffffff0fff0000,in_port=6, priority 30000, > cookie 0x1000000000000000 > load:0x1->NXM_NX_REG4[0..30] > goto_table:92 > 92. ip,reg4=0x1,nw_dst=1.1.0.0/16, priority 30000, cookie 0x1000000000000000 > load:0x1->NXM_NX_REG4[31] > goto_table:100 > 100. priority 0, cookie 0x1000000000000001 > goto_table:105 > 105. priority 0, cookie 0x1000000000000001 > goto_table:110 > 110. dl_dst=00:00:00:00:00:00/01:00:00:00:00:00, priority 30000, cookie > 0x1000000000000000 > goto_table:115 > 115. priority 0, cookie 0x1000000000000001 > goto_table:120 > 120. priority 0, cookie 0x1000000000000001 > goto_table:130 > 130. priority 0, cookie 0x1000000000000001 > goto_table:140 > 140. priority 0, cookie 0x1000000000000001 > goto_table:150 > 150. metadata=0x500000000/0xffffff00000000,dl_dst=52:54:00:67:d5:61, priority > 30000, cookie 0x1000000000000000 > write_metadata:0x500000003/0xffffff0fffffff > goto_table:230 > 230. priority 0, cookie 0x1000000000000001 > goto_table:231 > 231. priority 0, cookie 0x1000000000000001 > goto_table:233 > 233. priority 0, cookie 0x1000000000000001 > goto_table:235 > 235. priority 0, cookie 0x1000000000000001 > goto_table:240 > 240. priority 0, cookie 0x1000000000000001 > goto_table:245 > 245. priority 0, cookie 0x1000000000000000 > group:553648130 > bucket 0 > resubmit(,162) > 162. No match. > drop > bucket 1 > resubmit(,171) > 171. No match. > drop > bucket 2 > resubmit(,145) > 145. No match. > drop > goto_table:249 > 249. metadata=0x500000003/0xffffff0fffffff, priority 30000, cookie > 0x1000000000000000 > output:3 > > Final flow: > recirc_id=0xe,eth,icmp,reg4=0x80000001,metadata=0x500000003,in_port=6,vlan_tci=0x0000,dl_src=52:54:00:9a:bf:ed,dl_dst=52:54:00:67:d5:61,nw_src=1.1.70.2,nw_dst=1.1.70.1,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,icmp_type=0,icmp_code=0 > Megaflow: > recirc_id=0xe,ct_state=+new-est-rel-rpl-inv+trk,eth,icmp,in_port=6,dl_dst=52:54:00:67:d5:61,nw_dst=1.1.64.0/18,nw_frag=no > Datapath actions: 5,ct(commit,zone=6),4 > > [root@localhost ~]# ovs-appctl dpif/show > netdev@ovs-netdev: hit:14940 missed:34 > vds1-br: > mitapVm72 5/5: (system) > tapVm71 3/4: (dpdkvhostuserclient: configured_rx_queues=1, > configured_tx_queues=1, mtu=1500, requested_rx_queues=1, > requested_tx_queues=1) > tapVm72 6/6: (dpdkvhostuserclient: configured_rx_queues=1, > configured_tx_queues=1, mtu=1500, requested_rx_queues=1, > requested_tx_queues=1) > vds1-br 65534/2: (tap) > vxlan_vds1-br 2/7: (vxlan: key=flow, local_ip=3.3.3.70, remote_ip=flow, > tos=inherit) > > > Best regards, WeiweiZhang > > ------------------------------------------------------------------------------------------------------------------------------------- > 本邮件及其附件含有新华三集团的保密信息,仅限于发送给上面地址中列出 > 的个人或群组。禁止任何其他人以任何形式使用(包括但不限于全部或部分地泄露、复制、 > 或散发)本邮件中的信息。如果您错收了本邮件,请您立即电话或邮件通知发件人并删除本 > 邮件! > This e-mail and its attachments contain confidential information from New > H3C, which is > intended only for the person or entity whose address is listed above. Any use > of the > information contained herein in any way (including, but not limited to, total > or partial > disclosure, reproduction, or dissemination) by persons other than the intended > recipient(s) is prohibited. If you receive this e-mail in error, please > notify the sender > by phone or email immediately and delete it! > _______________________________________________ > discuss mailing list > disc...@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-discuss _______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
