Adrian,
Yes , we are using tc-offload using the Nvidia CX6/7 cards (OFED
driver aligned to the support kernal matrix).
When I do a dump of the tc filter rules when the issue is occuring , I
can't see any rule at all relating to the TCP connection thats
breaking . Is this because the TC_INGRESS drop is happening so early
in the processing pipeline?
Gav
On Thu, 25 Apr 2024 at 02:00, Adrian Moreno <amore...@redhat.com> wrote:
>
>
>
> On 4/23/24 17:39, Gavin McKee wrote:
> > If you look at both traces (non working and working) the thing that
> > stands out to me is this
> >
> > At line 10 in the working file the following entry exists
> > ct_state NEW tcp (SYN_SENT) orig [172.27.16.11.38793 >
> > 172.27.31.189.9100] reply [172.27.31.189.9100 > 172.27.16.11.38793]
> > zone 195
> >
>
> That's quite interesting, indeed. It means that in the working scenario, there
> is already a conntrack entry for the connection even though it's the TCP SYN
> and
> there is no flow in the kernel cache (the packet get's upcalled).
>
> Is the client reusing source ports by any chance?
>
> The fact that the conntrack info is already available makes the working case
> skip an upcall.
>
> Also, I'm curious about the drop in the TC_INGRESS. Are you using tc-offload?
> Can you dump the tc filter rules for your port?
>
>
> > his doesn't happen in the non working file - I just see the following
> >
> > 3904992932904126 [swapper/125] 0 [kr] queue_userspace_packet
> > #ddf92049d47aeff1d0b6625620000 (skb 18382861792850905088) n 4
> > if 38 (enp148s0f0_1) rxif 38 172.27.16.11.42303 >
> > 172.27.31.189.9100 ttl 64 tos 0x0 id 36932 off 0 [DF] len 52 proto TCP
> > (6) flags [S] seq 2266263186 win 42340
> > upcall_enqueue (miss) (125/3904992932890052) q 3682874017 ret 0
> > + 3904992932907247 [swapper/125] 0 [kr] ovs_dp_upcall
> > #ddf92049d47aeff1d0b6625620000 (skb 18382861792850905088) n 5
> > if 38 (enp148s0f0_1) rxif 38 172.27.16.11.42303 >
> > 172.27.31.189.9100 ttl 64 tos 0x0 id 36932 off 0 [DF] len 52 proto TCP
> > (6) flags [S] seq 2266263186 win 42340
> > upcall_ret (125/3904992932890052) ret 0
> >
> > I am wondering if a failure to track the ct_state SYN is causing the
> > returning ACK to drop ?
> >
> > + 3904992936344421 [swapper/125] 0 [tp] skb:kfree_skb
> > #ddf9204d21c48ff1d0b676c330c00 (skb 18382861792850913792) n 3 drop
> > (TC_INGRESS)
> > if 33 (genev_sys_6081) rxif 33 172.27.31.189.9100 >
> > 172.27.16.11.42303 ttl 64 tos 0x0 id 0 off 0 [DF] len 52 proto TCP (6)
> > flags [S.] seq 605271182 ack 2266263187 win 42340
> >
> > On Mon, 22 Apr 2024 at 18:54, Gavin McKee <gavmcke...@googlemail.com> wrote:
> >>
> >> Ok @Adrian Moreno @Flavio Leitner
> >>
> >> Two more detailed Retis traces attached. One is not working - the
> >> same session that I can't establish a TCP session to on port 9010
> >> 172.27.16.11.42303 > 172.27.31.189.9100
> >>
> >> Then I restart Open vSwtich and try again
> >> 172.27.16.11.38793 > 172.27.31.189.9100 (this works post restart)
> >>
> >> It looks to me in the non working example that we -
> >> SEND SYN -> exits the tunnel interface genev_sys_6081 via
> >> enp148s0f0np0 - exactly as expected
> >> RECV ACK -> tcp_gro_receive then -> net:netif_receive_skb where we hit
> >> drop (TC_INGRESS)
> >>
> >> After a restart things seem to be very different
> >>
> >> Any ideas where to look next ? >>
> >> On Mon, 22 Apr 2024 at 12:49, Gavin McKee <gavmcke...@googlemail.com>
> >> wrote:
> >>>
> >>> Hi Guys,
> >>>
> >>>
> >>> We have had another occurrence of the issue today.
> >>>
> >>> In short - we try to open a connection from 172.27.22.90 ->
> >>> 172.27.31.189 on port 9100. We see the SYN being received and the ACK
> >>> being sent from the server back to the client 172.27.22.90. The
> >>> server retransmits the ACK as it's never received by the server.
> >>>
> >>> When we run retis on the server side the ACK is being dropped - see
> >>> (drop (TC_INGRESS) below)
> >>>
> >>> retis -p generic collect -c ovs,ct --ovs-track -f 'port 9100'
> >>>
> >>> (filtered on the ephemeral TCP port 40735)
> >>>
> >>> 3879878550398423 [swapper/125] 0 [tp] net:napi_gro_receive_entry
> >>> #dc8ba9ec4a5d7ff4167e4dd466000 (skb 18393096588613658112) n 0
> >>> if 37 (enp148s0f0_1)
> >>> + 3879878550401407 [swapper/125] 0 [k] tcp_gro_receive
> >>> #dc8ba9ec4a5d7ff4167e4dd466000 (skb 18393096588613658112) n 1
> >>> if 37 (enp148s0f0_1) 172.27.22.90.40735 > 172.27.31.189.9100 ttl
> >>> 64 tos 0x0 id 31996 off 0 [DF] len 52 proto TCP (6) flags [S] seq
> >>> 1864480616 win 42340
> >>> + 3879878550402477 [swapper/125] 0 [tp] net:netif_receive_skb
> >>> #dc8ba9ec4a5d7ff4167e4dd466000 (skb 18393096588613658112) n 2
> >>> if 37 (enp148s0f0_1) 172.27.22.90.40735 > 172.27.31.189.9100 ttl
> >>> 64 tos 0x0 id 31996 off 0 [DF] len 52 proto TCP (6) flags [S] seq
> >>> 1864480616 win 42340
> >>> + 3879878550409874 [swapper/125] 0 [tp] net:net_dev_queue
> >>> #dc8ba9ec4a5d7ff4167e4dd466000 (skb 18393096588613658112) n 3
> >>> if 43 (genev_sys_6081) rxif 37 172.27.22.90.40735 >
> >>> 172.27.31.189.9100 ttl 64 tos 0x0 id 31996 off 0 [DF] len 52 proto TCP
> >>> (6) flags [S] seq 1864480616 win 42340
> >>> + 3879878550411535 [swapper/125] 0 [tp] net:net_dev_start_xmit
> >>> #dc8ba9ec4a5d7ff4167e4dd466000 (skb 18393096588613658112) n 4
> >>> if 43 (genev_sys_6081) rxif 37 172.27.22.90.40735 >
> >>> 172.27.31.189.9100 ttl 64 tos 0x0 id 31996 off 0 [DF] len 52 proto TCP
> >>> (6) flags [S] seq 1864480616 win 42340
> >>> + 3879878550419012 [swapper/125] 0 [k] skb_scrub_packet
> >>> #dc8ba9ec4a5d7ff4167e4dd466000 (skb 18393096588613658112) n 5
> >>> if 43 (genev_sys_6081) rxif 37 172.27.22.90.40735 >
> >>> 172.27.31.189.9100 ttl 64 tos 0x0 id 31996 off 0 [DF] len 52 proto TCP
> >>> (6) flags [S] seq 1864480616 win 42340
> >>> + 3879878550421222 [swapper/125] 0 [k] skb_scrub_packet
> >>> #dc8ba9ec4a5d7ff4167e4dd466000 (skb 18393096588613658112) n 6
> >>> if 43 (genev_sys_6081) 172.27.22.90.39026 > 172.27.31.189.6081 ttl
> >>> 64 tos 0x0 id 31996 off 0 [DF] len 52 proto TCP (6) flags [] seq
> >>> 5916145:5916177 win 62976
> >>> + 3879878550424101 [swapper/125] 0 [k] ip_output
> >>> #dc8ba9ec4a5d7ff4167e4dd466000 (skb 18393096588613658112) n 7
> >>> if 43 (genev_sys_6081) 10.25.24.43.39026 > 10.25.25.41.6081 ttl 64
> >>> tos 0x0 id 53033 off 0 len 110 proto UDP (17) len 82
> >>> ct_state NEW udp orig [10.25.24.43.39026 > 10.25.25.41.6081] reply
> >>> [10.25.25.41.6081 > 10.25.24.43.39026] zone 0
> >>>
> >>>
> >>>
> >>> 3879878550702925 [swapper/125] 0 [tp] net:napi_gro_receive_entry
> >>> #dc8ba9ec94b4dff4167e881720000 (skb 18393096588613649408) n 0
> >>> if 43 (genev_sys_6081)
> >>> + 3879878550705930 [swapper/125] 0 [k] tcp_gro_receive
> >>> #dc8ba9ec94b4dff4167e881720000 (skb 18393096588613649408) n 1
> >>> if 43 (genev_sys_6081) 172.27.31.189.9100 > 172.27.22.90.40735 ttl
> >>> 64 tos 0x0 id 0 off 0 [DF] len 52 proto TCP (6) flags [S.] seq
> >>> 3930851750 ack 1864480617 win 42340
> >>> + 3879878550706899 [swapper/125] 0 [tp] net:netif_receive_skb
> >>> #dc8ba9ec94b4dff4167e881720000 (skb 18393096588613649408) n 2
> >>> if 43 (genev_sys_6081) 172.27.31.189.9100 > 172.27.22.90.40735 ttl
> >>> 64 tos 0x0 id 0 off 0 [DF] len 52 proto TCP (6) flags [S.] seq
> >>> 3930851750 ack 1864480617 win 42340
> >>> + 3879878550708324 [swapper/125] 0 [tp] skb:kfree_skb
> >>> #dc8ba9ec94b4dff4167e881720000 (skb 18393096588613649408) n 3 drop
> >>> (TC_INGRESS)
> >>> if 43 (genev_sys_6081) rxif 43 172.27.31.189.9100 >
> >>> 172.27.22.90.40735 ttl 64 tos 0x0 id 0 off 0 [DF] len 52 proto TCP (6)
> >>> flags [S.] seq 3930851750 ack 1864480617 win 42340
> >>>
> >>> 3879879581610887 [swapper/125] 0 [tp] net:napi_gro_receive_entry
> >>> #dc8badc3bb387ff4167e881720400 (skb 18393097140186661632) n 0
> >>> if 43 (genev_sys_6081)
> >>> + 3879879581614196 [swapper/125] 0 [k] tcp_gro_receive
> >>> #dc8badc3bb387ff4167e881720400 (skb 18393097140186661632) n 1
> >>> if 43 (genev_sys_6081) 172.27.31.189.9100 > 172.27.22.90.40735 ttl
> >>> 64 tos 0x0 id 0 off 0 [DF] len 52 proto TCP (6) flags [S.] seq
> >>> 3930851750 ack 1864480617 win 42340
> >>> + 3879879581615551 [swapper/125] 0 [tp] net:netif_receive_skb
> >>> #dc8badc3bb387ff4167e881720400 (skb 18393097140186661632) n 2
> >>> if 43 (genev_sys_6081) 172.27.31.189.9100 > 172.27.22.90.40735 ttl
> >>> 64 tos 0x0 id 0 off 0 [DF] len 52 proto TCP (6) flags [S.] seq
> >>> 3930851750 ack 1864480617 win 42340
> >>> + 3879879581617380 [swapper/125] 0 [tp] skb:kfree_skb
> >>> #dc8badc3bb387ff4167e881720400 (skb 18393097140186661632) n 3 drop
> >>> (TC_INGRESS)
> >>> if 43 (genev_sys_6081) rxif 43 172.27.31.189.9100 >
> >>> 172.27.22.90.40735 ttl 64 tos 0x0 id 0 off 0 [DF] len 52 proto TCP (6)
> >>> flags [S.] seq 3930851750 ack 1864480617 win 42340
> >>>
> >>>
> >>> When doing a tc monitor I am not even seeing the tc monitor entry for
> >>> this session (tcp src port 40735)
> >>>
> >>> Again a restart of Open vSwitch fixes the issue - but this is a heavy
> >>> hammer!
> >>>
> >>> Gav
> >>>
> >>> On Thu, 18 Apr 2024 at 17:55, Gavin McKee <gavmcke...@googlemail.com>
> >>> wrote:
> >>>>
> >>>> I thought ct was in that retis trace . I’ll need to capture these events
> >>>> when they occur again .
> >>>>
> >>>> I’m also having some issues with huge amounts of loss in the kernal
> >>>> pipeline that I can’t explain .
> >>>>
> >>>> When sending traffic VM to VM within a logical switch but going across
> >>>> GENEVE tunnel I get 30 - 40 Gbps on iperf . When I use the DAT (by
> >>>> sending traffic to the VM DNAT ) I get huge amounts of loss in the
> >>>> sender kernal , retis is saying sk_bff drops .
> >>>>
> >>>> 3.2.2 is absolutely killing me right now. Should I open another thread
> >>>> on this ?
> >>>>
> >>>> On Thu, Apr 18, 2024 at 00:15 Adrian Moreno <amore...@redhat.com> wrote:
> >>>>>
> >>>>> Hi Gavin
> >>>>>
> >>>>> On 4/18/24 02:38, Gavin McKee via discuss wrote:
> >>>>>> This is an example.
> >>>>>>
> >>>>>> Again the TCP 3 handshake completes , but the next packet fails to NAT
> >>>>>> and goes out onto the physical network using the private address . An
> >>>>>> example of this is in the packet trace I provided.
> >>>>>>
> >>>>>
> >>>>> Given you were using retis in your initial troubleshooting, you can use
> >>>>> it with
> >>>>> the additional "ct" collector to see if the kernel datapath is
> >>>>> retrieving the
> >>>>> right conntrack entry and what's its state. If that shows some
> >>>>> unexpected
> >>>>> conntrack entry change, it can be confirmed by monitoring "conntrack
> >>>>> -E".
> >>>>>
> >>>>> Additionally, a dp flow dump (ovs-appctl dpctl/dump-flows -m) when the
> >>>>> problem
> >>>>> is happening might be also useful.
> >>>>>
> >>>>> --
> >>>>> Adrián
> >>>>>
> >>>>>
> >>>>>> ovs-appctl ofproto/trace br-int
> >>>>>> in_port=7753,dl_src=4e:42:14:a1:2a:fb,dl_dst=1a:16:b1:58:e1:cd,tcp,nw_src=172.27.18.244,nw_dst=104.18.3.35,nw_ttl=32,tcp_src=52776,tcp_dst=443,tcp_flags=2
> >>>>>> Flow:
> >>>>>> tcp,in_port=7753,vlan_tci=0x0000,dl_src=4e:42:14:a1:2a:fb,dl_dst=1a:16:b1:58:e1:cd,nw_src=172.27.18.244,nw_dst=104.18.3.35,nw_tos=0,nw_ecn=0,nw_ttl=32,nw_frag=no,tp_src=52776,tp_dst=443,tcp_flags=syn
> >>>>>>
> >>>>>> bridge("br-int")
> >>>>>> ----------------
> >>>>>> 0. in_port=7753, priority 100, cookie 0xc33f39c4
> >>>>>> set_field:0x16d->reg13
> >>>>>> set_field:0x155->reg11
> >>>>>> set_field:0x1cf->reg12
> >>>>>> set_field:0x12->metadata
> >>>>>> set_field:0xca->reg14
> >>>>>> resubmit(,8)
> >>>>>> 8. metadata=0x12, priority 50, cookie 0x1645d3f2
> >>>>>> set_field:0/0x1000->reg10
> >>>>>> resubmit(,73)
> >>>>>> 73.
> >>>>>> ip,reg14=0xca,metadata=0x12,dl_src=4e:42:14:a1:2a:fb,nw_src=172.27.18.244,
> >>>>>> priority 90, cookie 0xc33f39c4
> >>>>>> set_field:0/0x1000->reg10
> >>>>>> move:NXM_NX_REG10[12]->NXM_NX_XXREG0[111]
> >>>>>> -> NXM_NX_XXREG0[111] is now 0
> >>>>>> resubmit(,9)
> >>>>>> 9. metadata=0x12, priority 0, cookie 0xcc4fd106
> >>>>>> resubmit(,10)
> >>>>>> 10. metadata=0x12, priority 0, cookie 0x9e10ad0e
> >>>>>> resubmit(,11)
> >>>>>> 11. metadata=0x12, priority 0, cookie 0x557f3249
> >>>>>> resubmit(,12)
> >>>>>> 12. ip,metadata=0x12, priority 100, cookie 0x14131a67
> >>>>>>
> >>>>>> set_field:0x1000000000000000000000000/0x1000000000000000000000000->xxreg0
> >>>>>> resubmit(,13)
> >>>>>> 13. metadata=0x12, priority 0, cookie 0x85f9ed4f
> >>>>>> resubmit(,14)
> >>>>>> 14. ip,reg0=0x1/0x1,metadata=0x12, priority 100, cookie 0x279651c
> >>>>>> ct(table=15,zone=NXM_NX_REG13[0..15])
> >>>>>> drop
> >>>>>> -> A clone of the packet is forked to recirculate. The forked
> >>>>>> pipeline will be resumed at table 15.
> >>>>>> -> Sets the packet to an untracked state, and clears all the
> >>>>>> conntrack fields.
> >>>>>>
> >>>>>> Final flow:
> >>>>>> tcp,reg0=0x1,reg11=0x155,reg12=0x1cf,reg13=0x16d,reg14=0xca,metadata=0x12,in_port=7753,vlan_tci=0x0000,dl_src=4e:42:14:a1:2a:fb,dl_dst=1a:16:b1:58:e1:cd,nw_src=172.27.18.244,nw_dst=104.18.3.35,nw_tos=0,nw_ecn=0,nw_ttl=32,nw_frag=no,tp_src=52776,tp_dst=443,tcp_flags=syn
> >>>>>> Megaflow:
> >>>>>> recirc_id=0,eth,tcp,in_port=7753,dl_src=4e:42:14:a1:2a:fb,dl_dst=1a:16:b1:58:e1:cd,nw_src=172.27.18.244,nw_frag=no
> >>>>>> Datapath actions: ct(zone=365),recirc(0x13b5a)
> >>>>>>
> >>>>>> ===============================================================================
> >>>>>> recirc(0x13b5a) - resume conntrack with default ct_state=trk|new (use
> >>>>>> --ct-next to customize)
> >>>>>> ===============================================================================
> >>>>>>
> >>>>>> Flow:
> >>>>>> recirc_id=0x13b5a,ct_state=new|trk,ct_zone=365,eth,tcp,reg0=0x1,reg11=0x155,reg12=0x1cf,reg13=0x16d,reg14=0xca,metadata=0x12,in_port=7753,vlan_tci=0x0000,dl_src=4e:42:14:a1:2a:fb,dl_dst=1a:16:b1:58:e1:cd,nw_src=172.27.18.244,nw_dst=104.18.3.35,nw_tos=0,nw_ecn=0,nw_ttl=32,nw_frag=no,tp_src=52776,tp_dst=443,tcp_flags=syn
> >>>>>>
> >>>>>> bridge("br-int")
> >>>>>> ----------------
> >>>>>> thaw
> >>>>>> Resuming from table 15
> >>>>>> 15. ct_state=+new-est+trk,metadata=0x12, priority 7, cookie 0xa9e0ee6f
> >>>>>>
> >>>>>> set_field:0x80000000000000000000000000/0x80000000000000000000000000->xxreg0
> >>>>>>
> >>>>>> set_field:0x200000000000000000000000000/0x200000000000000000000000000->xxreg0
> >>>>>> resubmit(,16)
> >>>>>> 16. conj_id=2865573479,tcp,reg0=0x80/0x80,reg14=0xca,metadata=0x12,
> >>>>>> priority 3000, cookie 0xabdec111
> >>>>>> set_field:0x1000000000000/0x1000000000000->xreg4
> >>>>>>
> >>>>>> set_field:0x2000000000000000000000000/0x2000000000000000000000000->xxreg0
> >>>>>> resubmit(,17)
> >>>>>> 17. reg8=0x10000/0x10000,metadata=0x12, priority 1000, cookie
> >>>>>> 0x8171c04a
> >>>>>> set_field:0/0x1000000000000->xreg4
> >>>>>> set_field:0/0x2000000000000->xreg4
> >>>>>> set_field:0/0x4000000000000->xreg4
> >>>>>> resubmit(,18)
> >>>>>> 18. metadata=0x12, priority 0, cookie 0x62454929
> >>>>>> resubmit(,19)
> >>>>>> 19. metadata=0x12, priority 0, cookie 0x3bb47080
> >>>>>> resubmit(,20)
> >>>>>> 20. metadata=0x12, priority 0, cookie 0x73face9d
> >>>>>> resubmit(,21)
> >>>>>> 21. metadata=0x12, priority 0, cookie 0x8e46634d
> >>>>>> resubmit(,22)
> >>>>>> 22. metadata=0x12, priority 0, cookie 0xbddac461
> >>>>>> resubmit(,23)
> >>>>>> 23. metadata=0x12, priority 0, cookie 0x9a32c0de
> >>>>>> resubmit(,24)
> >>>>>> 24. metadata=0x12, priority 0, cookie 0x79b1c074
> >>>>>> resubmit(,25)
> >>>>>> 25. metadata=0x12, priority 0, cookie 0xc02374d3
> >>>>>> resubmit(,26)
> >>>>>> 26. metadata=0x12, priority 0, cookie 0x218dc750
> >>>>>> resubmit(,27)
> >>>>>> 27. metadata=0x12, priority 0, cookie 0xf6943631
> >>>>>> set_field:0/0x1000000000000->xreg4
> >>>>>> set_field:0/0x2000000000000->xreg4
> >>>>>> set_field:0/0x4000000000000->xreg4
> >>>>>> resubmit(,28)
> >>>>>> 28. ip,reg0=0x2/0x2002,metadata=0x12, priority 100, cookie 0x7fdca4fb
> >>>>>>
> >>>>>> ct(commit,zone=NXM_NX_REG13[0..15],nat(src),exec(set_field:0/0x1->ct_mark))
> >>>>>> nat(src)
> >>>>>> set_field:0/0x1->ct_mark
> >>>>>> -> Sets the packet to an untracked state, and clears all the
> >>>>>> conntrack fields.
> >>>>>> resubmit(,29)
> >>>>>> 29. metadata=0x12, priority 0, cookie 0x34e5fac7
> >>>>>> resubmit(,30)
> >>>>>> 30. metadata=0x12, priority 0, cookie 0xac3f53bd
> >>>>>> resubmit(,31)
> >>>>>> 31. metadata=0x12, priority 0, cookie 0x54000bd5
> >>>>>> resubmit(,32)
> >>>>>> 32. metadata=0x12, priority 0, cookie 0x29ab49f3
> >>>>>> resubmit(,33)
> >>>>>> 33. metadata=0x12, priority 0, cookie 0xae6aefcb
> >>>>>> resubmit(,34)
> >>>>>> 34. metadata=0x12, priority 0, cookie 0x632dc93b
> >>>>>> resubmit(,35)
> >>>>>> 35. metadata=0x12,dl_dst=1a:16:b1:58:e1:cd, priority 50, cookie
> >>>>>> 0x3fa33935
> >>>>>> set_field:0x1->reg15
> >>>>>> resubmit(,37)
> >>>>>> 37. priority 0
> >>>>>> resubmit(,39)
> >>>>>> 39. priority 0
> >>>>>> resubmit(,40)
> >>>>>> 40. reg15=0x1,metadata=0x12, priority 100, cookie 0x95c785db
> >>>>>> set_field:0x155->reg11
> >>>>>> set_field:0x1cf->reg12
> >>>>>> resubmit(,41)
> >>>>>> 41. priority 0
> >>>>>> set_field:0->reg0
> >>>>>> set_field:0->reg1
> >>>>>> set_field:0->reg2
> >>>>>> set_field:0->reg3
> >>>>>> set_field:0->reg4
> >>>>>> set_field:0->reg5
> >>>>>> set_field:0->reg6
> >>>>>> set_field:0->reg7
> >>>>>> set_field:0->reg8
> >>>>>> set_field:0->reg9
> >>>>>> resubmit(,42)
> >>>>>> 42. ip,reg15=0x1,metadata=0x12, priority 110, cookie 0xc9a79824
> >>>>>> resubmit(,43)
> >>>>>> 43. ip,reg15=0x1,metadata=0x12, priority 110, cookie 0xac7d5d78
> >>>>>> resubmit(,44)
> >>>>>> 44. metadata=0x12, priority 0, cookie 0xa1ddb4f6
> >>>>>> resubmit(,45)
> >>>>>> 45. ct_state=-trk,metadata=0x12, priority 5, cookie 0xb2622a65
> >>>>>>
> >>>>>> set_field:0x100000000000000000000000000/0x100000000000000000000000000->xxreg0
> >>>>>>
> >>>>>> set_field:0x200000000000000000000000000/0x200000000000000000000000000->xxreg0
> >>>>>> resubmit(,46)
> >>>>>> 46. metadata=0x12, priority 0, cookie 0x267ae0e3
> >>>>>> resubmit(,47)
> >>>>>> 47. metadata=0x12, priority 0, cookie 0x914392c3
> >>>>>> set_field:0/0x1000000000000->xreg4
> >>>>>> set_field:0/0x2000000000000->xreg4
> >>>>>> set_field:0/0x4000000000000->xreg4
> >>>>>> resubmit(,48)
> >>>>>> 48. metadata=0x12, priority 0, cookie 0xc4f6a97f
> >>>>>> resubmit(,49)
> >>>>>> 49. metadata=0x12, priority 0, cookie 0x8ebb0c71
> >>>>>> resubmit(,50)
> >>>>>> 50. metadata=0x12, priority 0, cookie 0x61e385f4
> >>>>>> resubmit(,51)
> >>>>>> 51. metadata=0x12, priority 0, cookie 0x4c722ce1
> >>>>>> set_field:0/0x1000->reg10
> >>>>>> resubmit(,75)
> >>>>>> 75. No match.
> >>>>>> drop
> >>>>>> move:NXM_NX_REG10[12]->NXM_NX_XXREG0[111]
> >>>>>> -> NXM_NX_XXREG0[111] is now 0
> >>>>>> resubmit(,52)
> >>>>>> 52. metadata=0x12, priority 0, cookie 0x3c01b89d
> >>>>>> resubmit(,64)
> >>>>>> 64. priority 0
> >>>>>> resubmit(,65)
> >>>>>> 65. reg15=0x1,metadata=0x12, priority 100, cookie 0x95c785db
> >>>>>>
> >>>>>> clone(ct_clear,set_field:0->reg11,set_field:0->reg12,set_field:0->reg13,set_field:0x4cc->reg11,set_field:0x383->reg12,set_field:0x13->metadata,set_field:0x1->reg14,set_field:0->reg10,set_field:0->reg15,set_field:0->reg0,set_field:0->reg1,set_field:0->reg2,set_field:0->reg3,set_field:0->reg4,set_field:0->reg5,set_field:0->reg6,set_field:0->reg7,set_field:0->reg8,set_field:0->reg9,resubmit(,8))
> >>>>>> ct_clear
> >>>>>> set_field:0->reg11
> >>>>>> set_field:0->reg12
> >>>>>> set_field:0->reg13
> >>>>>> set_field:0x4cc->reg11
> >>>>>> set_field:0x383->reg12
> >>>>>> set_field:0x13->metadata
> >>>>>> set_field:0x1->reg14
> >>>>>> set_field:0->reg10
> >>>>>> set_field:0->reg15
> >>>>>> set_field:0->reg0
> >>>>>> set_field:0->reg1
> >>>>>> set_field:0->reg2
> >>>>>> set_field:0->reg3
> >>>>>> set_field:0->reg4
> >>>>>> set_field:0->reg5
> >>>>>> set_field:0->reg6
> >>>>>> set_field:0->reg7
> >>>>>> set_field:0->reg8
> >>>>>> set_field:0->reg9
> >>>>>> resubmit(,8)
> >>>>>> 8. reg14=0x1,metadata=0x13,dl_dst=1a:16:b1:58:e1:cd, priority 50,
> >>>>>> cookie 0x8522832c
> >>>>>>
> >>>>>> set_field:0x1a16b158e1cd0000000000000000/0xffffffffffff0000000000000000->xxreg0
> >>>>>> resubmit(,9)
> >>>>>> 9. metadata=0x13, priority 0, cookie 0xef4dd8a9
> >>>>>> set_field:0x4/0x4->xreg4
> >>>>>> resubmit(,10)
> >>>>>> 10. reg9=0x4/0x4,metadata=0x13, priority 100, cookie 0x37718dd7
> >>>>>> resubmit(,79)
> >>>>>> 79.
> >>>>>> ip,reg14=0x1,metadata=0x13,dl_src=4e:42:14:a1:2a:fb,nw_src=172.27.18.244,
> >>>>>> priority 100, cookie 0x2e544767
> >>>>>> drop
> >>>>>> resubmit(,11)
> >>>>>> 11. metadata=0x13, priority 0, cookie 0x3c2eb1b
> >>>>>> resubmit(,12)
> >>>>>> 12. metadata=0x13, priority 0, cookie 0x44f62446
> >>>>>> resubmit(,13)
> >>>>>> 13. metadata=0x13, priority 0, cookie 0x3842bec6
> >>>>>> resubmit(,14)
> >>>>>> 14. metadata=0x13, priority 0, cookie 0xfd7b2ab9
> >>>>>> resubmit(,15)
> >>>>>> 15. metadata=0x13, priority 0, cookie 0xefbd7e27
> >>>>>> resubmit(,16)
> >>>>>> 16. metadata=0x13, priority 0, cookie 0xf439d853
> >>>>>> resubmit(,17)
> >>>>>> 17. metadata=0x13, priority 0, cookie 0x123f01f0
> >>>>>> resubmit(,18)
> >>>>>> 18. metadata=0x13, priority 0, cookie 0x142cd59b
> >>>>>> resubmit(,19)
> >>>>>> 19. metadata=0x13, priority 0, cookie 0x297e0190
> >>>>>> resubmit(,20)
> >>>>>> 20. metadata=0x13, priority 0, cookie 0x61e9e3c7
> >>>>>> set_field:0/0xffffffff->xxreg1
> >>>>>> resubmit(,21)
> >>>>>> 21. ip,reg7=0,metadata=0x13, priority 1, cookie 0x9f114f3d
> >>>>>> dec_ttl()
> >>>>>> set_field:0/0xffff00000000->xreg4
> >>>>>>
> >>>>>> set_field:0x64646401000000000000000000000000/0xffffffff000000000000000000000000->xxreg0
> >>>>>>
> >>>>>> set_field:0x646464030000000000000000/0xffffffff0000000000000000->xxreg0
> >>>>>> set_field:2a:d5:d1:e8:89:cc->eth_src
> >>>>>> set_field:0x2->reg15
> >>>>>> set_field:0x1/0x1->reg10
> >>>>>> resubmit(,22)
> >>>>>> 22. reg8=0/0xffff,metadata=0x13, priority 150, cookie 0x6ece899a
> >>>>>> resubmit(,23)
> >>>>>> 23. metadata=0x13, priority 0, cookie 0x72437536
> >>>>>> set_field:0/0xffff00000000->xreg4
> >>>>>> resubmit(,24)
> >>>>>> 24. reg8=0/0xffff,metadata=0x13, priority 150, cookie 0xce06f1
> >>>>>> resubmit(,25)
> >>>>>> 25. ip,metadata=0x13, priority 1, cookie 0xf690342c
> >>>>>> push:NXM_NX_REG0[]
> >>>>>> push:NXM_NX_XXREG0[96..127]
> >>>>>> pop:NXM_NX_REG0[]
> >>>>>> -> NXM_NX_REG0[] is now 0x64646401
> >>>>>> set_field:00:00:00:00:00:00->eth_dst
> >>>>>> resubmit(,66)
> >>>>>> 66. reg0=0x64646401,reg15=0x2,metadata=0x13, priority 100,
> >>>>>> cookie 0x97b4353d
> >>>>>> set_field:00:00:5e:00:01:ff->eth_dst
> >>>>>> set_field:0x40/0x40->reg10
> >>>>>> pop:NXM_NX_REG0[]
> >>>>>> -> NXM_NX_REG0[] is now 0x64646401
> >>>>>> resubmit(,26)
> >>>>>> 26. metadata=0x13, priority 0, cookie 0x6c2ad4cc
> >>>>>> resubmit(,27)
> >>>>>> 27. metadata=0x13, priority 0, cookie 0xadc9fb4f
> >>>>>> resubmit(,28)
> >>>>>> 28. ip,reg15=0x2,metadata=0x13,nw_src=172.27.18.244, priority 100,
> >>>>>> cookie 0xfa923492
> >>>>>> set_field:4e:42:14:a1:2a:fb->eth_src
> >>>>>>
> >>>>>> set_field:0xcc3418740000000000000000/0xffffffff0000000000000000->xxreg0
> >>>>>> resubmit(,29)
> >>>>>> 29. metadata=0x13, priority 0, cookie 0x571bbf77
> >>>>>> resubmit(,37)
> >>>>>> 37. priority 0
> >>>>>> resubmit(,39)
> >>>>>> 39. priority 0
> >>>>>> resubmit(,40)
> >>>>>> 40. reg15=0x2,metadata=0x13, priority 100, cookie 0x407086d0
> >>>>>> set_field:0x4cc->reg11
> >>>>>> set_field:0x383->reg12
> >>>>>> resubmit(,41)
> >>>>>> 41. priority 0
> >>>>>> set_field:0->reg0
> >>>>>> set_field:0->reg1
> >>>>>> set_field:0->reg2
> >>>>>> set_field:0->reg3
> >>>>>> set_field:0->reg4
> >>>>>> set_field:0->reg5
> >>>>>> set_field:0->reg6
> >>>>>> set_field:0->reg7
> >>>>>> set_field:0->reg8
> >>>>>> set_field:0->reg9
> >>>>>> resubmit(,42)
> >>>>>> 42. metadata=0x13, priority 0, cookie 0x4c3b7fcc
> >>>>>> set_field:0/0x10->xreg4
> >>>>>> resubmit(,43)
> >>>>>> 43. ip,reg15=0x2,metadata=0x13,nw_src=172.27.18.244, priority 100,
> >>>>>> cookie 0x540f90b2
> >>>>>> set_field:4e:42:14:a1:2a:fb->eth_src
> >>>>>> ct(table=44,zone=NXM_NX_REG11[0..15],nat)
> >>>>>> nat
> >>>>>> -> A clone of the packet is forked to recirculate. The forked
> >>>>>> pipeline will be resumed at table 44.
> >>>>>> -> Sets the packet to an untracked state, and clears all the
> >>>>>> conntrack fields.
> >>>>>>
> >>>>>> Final flow:
> >>>>>> recirc_id=0x13b5a,eth,tcp,reg0=0x300,reg11=0x155,reg12=0x1cf,reg13=0x16d,reg14=0xca,reg15=0x1,metadata=0x12,in_port=7753,vlan_tci=0x0000,dl_src=4e:42:14:a1:2a:fb,dl_dst=1a:16:b1:58:e1:cd,nw_src=172.27.18.244,nw_dst=104.18.3.35,nw_tos=0,nw_ecn=0,nw_ttl=32,nw_frag=no,tp_src=52776,tp_dst=443,tcp_flags=syn
> >>>>>> Megaflow:
> >>>>>> recirc_id=0x13b5a,ct_state=+new-est-rel-rpl-inv+trk,ct_mark=0/0x1,eth,tcp,in_port=7753,dl_src=4e:42:14:a1:2a:fb,dl_dst=1a:16:b1:58:e1:cd,nw_src=172.27.18.244,nw_dst=104.0.0.0/5,nw_ttl=32,nw_frag=no,tp_src=0x8000/0x8000,tp_dst=0x180/0xffc0
> >>>>>> Datapath actions:
> >>>>>> ct(commit,zone=365,mark=0/0x1,nat(src)),set(eth(dst=00:00:5e:00:01:ff)),set(ipv4(ttl=31)),ct(zone=1228,nat),recirc(0x13b5c)
> >>>>>>
> >>>>>> ===============================================================================
> >>>>>> recirc(0x13b5c) - resume conntrack with default ct_state=trk|new (use
> >>>>>> --ct-next to customize)
> >>>>>> Replacing src/dst IP/ports to simulate NAT:
> >>>>>> Initial flow:
> >>>>>> Modified flow:
> >>>>>> ===============================================================================
> >>>>>>
> >>>>>> Flow:
> >>>>>> recirc_id=0x13b5c,ct_state=new|trk,ct_zone=1228,eth,tcp,reg10=0x41,reg11=0x4cc,reg12=0x383,reg14=0x1,reg15=0x2,metadata=0x13,in_port=7753,vlan_tci=0x0000,dl_src=4e:42:14:a1:2a:fb,dl_dst=00:00:5e:00:01:ff,nw_src=172.27.18.244,nw_dst=104.18.3.35,nw_tos=0,nw_ecn=0,nw_ttl=31,nw_frag=no,tp_src=52776,tp_dst=443,tcp_flags=syn
> >>>>>>
> >>>>>> bridge("br-int")
> >>>>>> ----------------
> >>>>>> thaw
> >>>>>> Resuming from table 44
> >>>>>> 44. metadata=0x13, priority 0, cookie 0x48ef0c42
> >>>>>> resubmit(,45)
> >>>>>> 45. ct_state=-rpl+trk,ip,reg15=0x2,metadata=0x13,nw_src=172.27.18.244,
> >>>>>> priority 161, cookie 0x5414262a
> >>>>>> set_field:4e:42:14:a1:2a:fb->eth_src
> >>>>>>
> >>>>>> ct(commit,table=46,zone=NXM_NX_REG12[0..15],nat(src=204.52.24.116))
> >>>>>> nat(src=204.52.24.116)
> >>>>>> -> A clone of the packet is forked to recirculate. The forked
> >>>>>> pipeline will be resumed at table 46.
> >>>>>> -> Sets the packet to an untracked state, and clears all the
> >>>>>> conntrack fields.
> >>>>>>
> >>>>>> Final flow:
> >>>>>> recirc_id=0x13b5c,eth,tcp,reg10=0x41,reg11=0x4cc,reg12=0x383,reg14=0x1,reg15=0x2,metadata=0x13,in_port=7753,vlan_tci=0x0000,dl_src=4e:42:14:a1:2a:fb,dl_dst=00:00:5e:00:01:ff,nw_src=172.27.18.244,nw_dst=104.18.3.35,nw_tos=0,nw_ecn=0,nw_ttl=31,nw_frag=no,tp_src=52776,tp_dst=443,tcp_flags=syn
> >>>>>> Megaflow:
> >>>>>> recirc_id=0x13b5c,ct_state=-rpl+trk,eth,ip,in_port=7753,dl_src=4e:42:14:a1:2a:fb,nw_src=172.27.18.244,nw_frag=no
> >>>>>> Datapath actions:
> >>>>>> ct(commit,zone=899,nat(src=204.52.24.116)),recirc(0x25f9b)
> >>>>>>
> >>>>>> ===============================================================================
> >>>>>> recirc(0x25f9b) - resume conntrack with default ct_state=trk|new (use
> >>>>>> --ct-next to customize)
> >>>>>> Replacing src/dst IP/ports to simulate NAT:
> >>>>>> Initial flow:
> >>>>>> nw_src=172.27.18.244,tp_src=52776,nw_dst=104.18.3.35,tp_dst=443
> >>>>>> Modified flow:
> >>>>>> nw_src=204.52.24.116,tp_src=52776,nw_dst=104.18.3.35,tp_dst=443
> >>>>>> ===============================================================================
> >>>>>>
> >>>>>> Flow:
> >>>>>> recirc_id=0x25f9b,ct_state=new|trk,ct_zone=899,eth,tcp,reg10=0x41,reg11=0x4cc,reg12=0x383,reg14=0x1,reg15=0x2,metadata=0x13,in_port=7753,vlan_tci=0x0000,dl_src=4e:42:14:a1:2a:fb,dl_dst=00:00:5e:00:01:ff,nw_src=204.52.24.116,nw_dst=104.18.3.35,nw_tos=0,nw_ecn=0,nw_ttl=31,nw_frag=no,tp_src=52776,tp_dst=443,tcp_flags=syn
> >>>>>>
> >>>>>> bridge("br-int")
> >>>>>> ----------------
> >>>>>> thaw
> >>>>>> Resuming from table 46
> >>>>>> 46. metadata=0x13, priority 0, cookie 0x3800cb88
> >>>>>> resubmit(,47)
> >>>>>> 47. metadata=0x13, priority 0, cookie 0xc2575be2
> >>>>>> resubmit(,48)
> >>>>>> 48. reg15=0x2,metadata=0x13, priority 100, cookie 0xaf19a22a
> >>>>>> resubmit(,64)
> >>>>>> 64. reg10=0x1/0x1,reg15=0x2,metadata=0x13, priority 100, cookie
> >>>>>> 0x407086d0
> >>>>>> push:NXM_OF_IN_PORT[]
> >>>>>> set_field:ANY->in_port
> >>>>>> resubmit(,65)
> >>>>>> 65. reg15=0x2,metadata=0x13, priority 100, cookie 0x407086d0
> >>>>>>
> >>>>>> clone(ct_clear,set_field:0->reg11,set_field:0->reg12,set_field:0->reg13,set_field:0x2c2->reg11,set_field:0x327->reg12,set_field:0x1->metadata,set_field:0xa->reg14,set_field:0->reg10,set_field:0->reg15,set_field:0->reg0,set_field:0->reg1,set_field:0->reg2,set_field:0->reg3,set_field:0->reg4,set_field:0->reg5,set_field:0->reg6,set_field:0->reg7,set_field:0->reg8,set_field:0->reg9,resubmit(,8))
> >>>>>> ct_clear
> >>>>>> set_field:0->reg11
> >>>>>> set_field:0->reg12
> >>>>>> set_field:0->reg13
> >>>>>> set_field:0x2c2->reg11
> >>>>>> set_field:0x327->reg12
> >>>>>> set_field:0x1->metadata
> >>>>>> set_field:0xa->reg14
> >>>>>> set_field:0->reg10
> >>>>>> set_field:0->reg15
> >>>>>> set_field:0->reg0
> >>>>>> set_field:0->reg1
> >>>>>> set_field:0->reg2
> >>>>>> set_field:0->reg3
> >>>>>> set_field:0->reg4
> >>>>>> set_field:0->reg5
> >>>>>> set_field:0->reg6
> >>>>>> set_field:0->reg7
> >>>>>> set_field:0->reg8
> >>>>>> set_field:0->reg9
> >>>>>> resubmit(,8)
> >>>>>> 8. metadata=0x1, priority 50, cookie 0x1645d3f2
> >>>>>> set_field:0/0x1000->reg10
> >>>>>> resubmit(,73)
> >>>>>> 73. No match.
> >>>>>> drop
> >>>>>> move:NXM_NX_REG10[12]->NXM_NX_XXREG0[111]
> >>>>>> -> NXM_NX_XXREG0[111] is now 0
> >>>>>> resubmit(,9)
> >>>>>> 9. metadata=0x1, priority 0, cookie 0xcc4fd106
> >>>>>> resubmit(,10)
> >>>>>> 10. metadata=0x1, priority 0, cookie 0x9e10ad0e
> >>>>>> resubmit(,11)
> >>>>>> 11. metadata=0x1, priority 0, cookie 0x557f3249
> >>>>>> resubmit(,12)
> >>>>>> 12. metadata=0x1, priority 0, cookie 0x915c56b1
> >>>>>> resubmit(,13)
> >>>>>> 13. ip,reg14=0xa,metadata=0x1, priority 110, cookie
> >>>>>> 0xccdcd3e1
> >>>>>> resubmit(,14)
> >>>>>> 14. metadata=0x1, priority 0, cookie 0x134ce32f
> >>>>>> resubmit(,15)
> >>>>>> 15. metadata=0x1, priority 65535, cookie 0x49627e5f
> >>>>>> resubmit(,16)
> >>>>>> 16. metadata=0x1, priority 65535, cookie 0xc947843d
> >>>>>> resubmit(,17)
> >>>>>> 17. metadata=0x1, priority 0, cookie 0xd2fb4d2
> >>>>>> resubmit(,18)
> >>>>>> 18. metadata=0x1, priority 0, cookie 0x62454929
> >>>>>> resubmit(,19)
> >>>>>> 19. metadata=0x1, priority 0, cookie 0x3bb47080
> >>>>>> resubmit(,20)
> >>>>>> 20. metadata=0x1, priority 0, cookie 0x73face9d
> >>>>>> resubmit(,21)
> >>>>>> 21. metadata=0x1, priority 0, cookie 0x8e46634d
> >>>>>> resubmit(,22)
> >>>>>> 22. metadata=0x1, priority 0, cookie 0xbddac461
> >>>>>> resubmit(,23)
> >>>>>> 23. metadata=0x1, priority 0, cookie 0x9a32c0de
> >>>>>> resubmit(,24)
> >>>>>> 24. metadata=0x1, priority 0, cookie 0x79b1c074
> >>>>>> resubmit(,25)
> >>>>>> 25. metadata=0x1, priority 0, cookie 0xc02374d3
> >>>>>> resubmit(,26)
> >>>>>> 26. metadata=0x1, priority 0, cookie 0x218dc750
> >>>>>> resubmit(,27)
> >>>>>> 27. metadata=0x1, priority 0, cookie 0x8db4eebc
> >>>>>> resubmit(,28)
> >>>>>> 28. metadata=0x1, priority 0, cookie 0x6deecbbe
> >>>>>> resubmit(,29)
> >>>>>> 29. metadata=0x1, priority 0, cookie 0x34e5fac7
> >>>>>> resubmit(,30)
> >>>>>> 30. metadata=0x1, priority 0, cookie 0xac3f53bd
> >>>>>> resubmit(,31)
> >>>>>> 31. metadata=0x1, priority 0, cookie 0x54000bd5
> >>>>>> resubmit(,32)
> >>>>>> 32. metadata=0x1, priority 0, cookie 0x29ab49f3
> >>>>>> resubmit(,33)
> >>>>>> 33. metadata=0x1, priority 0, cookie 0xae6aefcb
> >>>>>> resubmit(,34)
> >>>>>> 34. metadata=0x1, priority 0, cookie 0x632dc93b
> >>>>>> resubmit(,35)
> >>>>>> 35. metadata=0x1, priority 0, cookie 0x9961115c
> >>>>>> set_field:0->reg15
> >>>>>> resubmit(,71)
> >>>>>> 71. No match.
> >>>>>> drop
> >>>>>> resubmit(,36)
> >>>>>> 36. reg15=0,metadata=0x1, priority 50, cookie 0x62255993
> >>>>>> set_field:0x8001->reg15
> >>>>>> resubmit(,37)
> >>>>>> 37. priority 0
> >>>>>> resubmit(,39)
> >>>>>> 39. priority 0
> >>>>>> resubmit(,40)
> >>>>>> 40. reg15=0x8001,metadata=0x1, priority 100, cookie
> >>>>>> 0x11699429
> >>>>>> set_field:0x14->reg13
> >>>>>> set_field:0x1->reg15
> >>>>>> resubmit(,41)
> >>>>>> 41. priority 0
> >>>>>> set_field:0->reg0
> >>>>>> set_field:0->reg1
> >>>>>> set_field:0->reg2
> >>>>>> set_field:0->reg3
> >>>>>> set_field:0->reg4
> >>>>>> set_field:0->reg5
> >>>>>> set_field:0->reg6
> >>>>>> set_field:0->reg7
> >>>>>> set_field:0->reg8
> >>>>>> set_field:0->reg9
> >>>>>> resubmit(,42)
> >>>>>> 42. metadata=0x1, priority 0, cookie 0x9ad1480d
> >>>>>> resubmit(,43)
> >>>>>> 43. ip,reg15=0x1,metadata=0x1, priority 110, cookie
> >>>>>> 0xca4977d3
> >>>>>> ct_clear
> >>>>>> resubmit(,44)
> >>>>>> 44. metadata=0x1, priority 0, cookie 0xa1ddb4f6
> >>>>>> resubmit(,45)
> >>>>>> 45. metadata=0x1, priority 65535, cookie 0x91b4350e
> >>>>>> resubmit(,46)
> >>>>>> 46. metadata=0x1, priority 65535, cookie 0xfc9c351d
> >>>>>> resubmit(,47)
> >>>>>> 47. metadata=0x1, priority 0, cookie 0xb984696e
> >>>>>> resubmit(,48)
> >>>>>> 48. metadata=0x1, priority 0, cookie 0xc4f6a97f
> >>>>>> resubmit(,49)
> >>>>>> 49. metadata=0x1, priority 0, cookie 0x8ebb0c71
> >>>>>> resubmit(,50)
> >>>>>> 50. metadata=0x1, priority 0, cookie 0x61e385f4
> >>>>>> resubmit(,51)
> >>>>>> 51. metadata=0x1, priority 0, cookie 0x4c722ce1
> >>>>>> set_field:0/0x1000->reg10
> >>>>>> resubmit(,75)
> >>>>>> 75. No match.
> >>>>>> drop
> >>>>>> move:NXM_NX_REG10[12]->NXM_NX_XXREG0[111]
> >>>>>> -> NXM_NX_XXREG0[111] is now 0
> >>>>>> resubmit(,52)
> >>>>>> 52. metadata=0x1, priority 0, cookie 0x3c01b89d
> >>>>>> resubmit(,64)
> >>>>>> 64. priority 0
> >>>>>> resubmit(,65)
> >>>>>> 65. reg15=0x1,metadata=0x1, priority 100, cookie
> >>>>>> 0x4581da82
> >>>>>> push_vlan:0x8100
> >>>>>> set_field:4216->vlan_vid
> >>>>>> output:7754
> >>>>>>
> >>>>>> bridge("br-provider")
> >>>>>> ---------------------
> >>>>>> 0. priority 0
> >>>>>> NORMAL
> >>>>>> -> forwarding to learned port
> >>>>>> pop_vlan
> >>>>>> set_field:0x8001->reg15
> >>>>>> pop:NXM_OF_IN_PORT[]
> >>>>>> -> NXM_OF_IN_PORT[] is now 7753
> >>>>>>
> >>>>>> Final flow: unchanged
> >>>>>> Megaflow:
> >>>>>> recirc_id=0x25f9b,ct_state=+new-est-rel-rpl-inv+trk,ct_mark=0/0x1,eth,ip,in_port=7753,dl_src=4e:42:14:a1:2a:fb,dl_dst=00:00:5e:00:01:ff,nw_dst=0.0.0.0/1,nw_frag=no
> >>>>>> Datapath actions: ct_clear,push_vlan(vid=120,pcp=0),5
> >>>>>>
> >>>>>> On Wed, 17 Apr 2024 at 17:32, Gavin McKee <gavmcke...@googlemail.com>
> >>>>>> wrote:
> >>>>>>>
> >>>>>>> That information is all in the email
> >>>>>>>
> >>>>>>> The openflow trace is showing that the pipeline is fine . This is why
> >>>>>>> I’m worried about a deeper issue with the kernal / openvswitch kernal
> >>>>>>> module / connection tracking
> >>>>>>>
> >>>>>>>
> >>>>>>>
> >>>>>>> On Wed, Apr 17, 2024 at 16:33 Flavio Leitner <f...@sysclose.org>
> >>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> On Wed, 17 Apr 2024 12:26:27 -0700
> >>>>>>>> Gavin McKee <gavmcke...@googlemail.com> wrote:
> >>>>>>>>
> >>>>>>>>> Hi Flavio,
> >>>>>>>>>
> >>>>>>>>> I had to restart the Open vSwitch across 16 machines to resolve the
> >>>>>>>>> issue for a customer . I think it will occur again and when it does
> >>>>>>>>> I'll use that command to gather the tc information.
> >>>>>>>>>
> >>>>>>>>> Until then I think I have found why the issue is occurring .
> >>>>>>>>>
> >>>>>>>>> Take a look at the output below (this is a packet capture from the
> >>>>>>>>> physical interface on the compute node , so traffic that has gone
> >>>>>>>>> through the OVS Openflow pipeline) - we make a 3 way handshake with
> >>>>>>>>> R2
> >>>>>>>>> , and establish the connection. A packet goes missing - TLS
> >>>>>>>>> handshake, it then appears that it hasn't gone through NAT as it's
> >>>>>>>>> using the Private IP of the VM .
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> If that is the case, you might be able to see if the data path
> >>>>>>>> is matching correctly and the actions are using NAT with
> >>>>>>>> ovs-appctl ofproto/trace.
> >>>>>>>>
> >>>>>>>> fbl
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>> Take a look at frame 14
> >>>>>>>>>
> >>>>>>>>> No. Time Source Destination
> >>>>>>>>> Protocol Length Info
> >>>>>>>>> Delta
> >>>>>>>>> 14 09:24:08.064432 172.27.18.244 104.18.2.35
> >>>>>>>>> TLSv1 502 Client Hello, Alert (Level: Fatal, Description:
> >>>>>>>>> Decode
> >>>>>>>>> Error) 2.362983
> >>>>>>>>>
> >>>>>>>>> Frame 14: 502 bytes on wire (4016 bits), 502 bytes captured (4016
> >>>>>>>>> bits) Ethernet II, Src: 4e:42:14:a1:2a:fb (4e:42:14:a1:2a:fb), Dst:
> >>>>>>>>> IETF-VRRP-VRID_ff (00:00:5e:00:01:ff)
> >>>>>>>>> 802.1Q Virtual LAN, PRI: 0, DEI: 0, ID: 120
> >>>>>>>>> Internet Protocol Version 4, Src: 172.27.18.244, Dst: 104.18.2.35
> >>>>>>>>> Transmission Control Protocol, Src Port: 57394, Dst Port: 443, Seq:
> >>>>>>>>> 1,
> >>>>>>>>> Ack: 1, Len: 444
> >>>>>>>>> Transport Layer Security
> >>>>>>>>> TLSv1 Record Layer: Handshake Protocol: Client Hello
> >>>>>>>>> Content Type: Handshake (22)
> >>>>>>>>> Version: TLS 1.0 (0x0301)
> >>>>>>>>> Length: 432
> >>>>>>>>> Handshake Protocol: Client Hello
> >>>>>>>>> TLSv1 Record Layer: Alert (Level: Fatal, Description: Decode
> >>>>>>>>> Error) Content Type: Alert (21)
> >>>>>>>>> Version: TLS 1.0 (0x0301)
> >>>>>>>>> Length: 2
> >>>>>>>>> Alert Message
> >>>>>>>>> Level: Fatal (2)
> >>>>>>>>> Description: Decode Error (50)
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>>
> >>>>>>>>> ------------------------------------------------------------------------------------------------------------
> >>>>>>>>>
> >>>>>>>>> On Wed, 17 Apr 2024 at 11:28, Flavio Leitner <f...@sysclose.org>
> >>>>>>>>> wrote:
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Hi Gavin,
> >>>>>>>>>>
> >>>>>>>>>> It would be helpful if you can provide some TC dumps from the
> >>>>>>>>>> "good" state to the "bad" state to see how it was and what changes.
> >>>>>>>>>> Something like:
> >>>>>>>>>>
> >>>>>>>>>> # tc -s filter show dev enp148s0f0_1 ingress
> >>>>>>>>>>
> >>>>>>>>>> I haven't checked the attached files, but one suggestion is to
> >>>>>>>>>> check if this is not a csum issue.
> >>>>>>>>>>
> >>>>>>>>>> Thanks,
> >>>>>>>>>> fbl
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> On Tue, 16 Apr 2024 13:17:10 -0700
> >>>>>>>>>> Gavin McKee via discuss <ovs-discuss@openvswitch.org> wrote:
> >>>>>>>>>>
> >>>>>>>>>>> Adding information relating to the Open VSwitch kernal module
> >>>>>>>>>>> @Ilya Maximets @Numan Siddique Can either of you help out here?
> >>>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> modinfo openvswitch
> >>>>>>>>>>> filename:
> >>>>>>>>>>> /lib/modules/5.14.0-362.8.1.el9_3.x86_64/kernel/net/openvswitch/openvswitch.ko.xz
> >>>>>>>>>>> alias: net-pf-16-proto-16-family-ovs_ct_limit
> >>>>>>>>>>> alias: net-pf-16-proto-16-family-ovs_meter
> >>>>>>>>>>> alias: net-pf-16-proto-16-family-ovs_packet
> >>>>>>>>>>> alias: net-pf-16-proto-16-family-ovs_flow
> >>>>>>>>>>> alias: net-pf-16-proto-16-family-ovs_vport
> >>>>>>>>>>> alias: net-pf-16-proto-16-family-ovs_datapath
> >>>>>>>>>>> license: GPL
> >>>>>>>>>>> description: Open vSwitch switching datapath
> >>>>>>>>>>> rhelversion: 9.3
> >>>>>>>>>>> srcversion: 8A2159D727C8BADC82261B8
> >>>>>>>>>>> depends: nf_conntrack,nf_conncount,libcrc32c,nf_nat
> >>>>>>>>>>> retpoline: Y
> >>>>>>>>>>> intree: Y
> >>>>>>>>>>> name: openvswitch
> >>>>>>>>>>> vermagic: 5.14.0-362.8.1.el9_3.x86_64 SMP preempt mod_unload
> >>>>>>>>>>> modversions sig_id: PKCS#7
> >>>>>>>>>>> signer: Rocky kernel signing key
> >>>>>>>>>>> sig_key:
> >>>>>>>>>>> 17:CA:DE:1F:EC:D1:59:2D:9F:52:34:C6:7C:09:06:81:3D:74:7C:F7
> >>>>>>>>>>> sig_hashalgo: sha256 signature:
> >>>>>>>>>>> 67:31:56:70:86:DB:57:69:8D:4A:9B:A7:ED:17:F3:67:65:98:97:08:
> >>>>>>>>>>> 1F:FB:4D:F8:A8:2D:7C:A7:7D:3A:57:85:CA:67:9D:82:72:EB:54:14:
> >>>>>>>>>>> F2:BB:40:78:AD:85:56:2D:EF:D5:00:95:38:A4:86:9F:5F:29:1A:81:
> >>>>>>>>>>> 32:94:B4:87:41:94:A0:3E:71:A5:97:44:2E:42:DD:F7:42:6B:69:94:
> >>>>>>>>>>> E3:AB:6E:E5:4F:C9:60:57:70:07:5F:CA:C7:83:7A:2F:C7:81:62:FF:
> >>>>>>>>>>> 53:AF:AC:2B:06:D8:08:D3:1D:A7:F0:43:10:98:DE:B1:62:AE:89:A5:
> >>>>>>>>>>> FE:EF:74:09:0F:2D:0F:D9:73:A5:59:75:D0:87:1E:EA:3A:40:86:1E:
> >>>>>>>>>>> 76:E5:E7:3B:59:2E:3A:7E:65:F3:92:A1:B4:84:48:3F:43:A0:D7:1C:
> >>>>>>>>>>> 21:29:E0:B6:D1:10:36:15:88:43:6A:11:8F:55:EE:1B:F9:53:3B:86:
> >>>>>>>>>>> EF:81:71:17:81:08:EC:53:30:D6:69:8E:13:11:D5:DF:15:75:88:50:
> >>>>>>>>>>> 69:19:51:3B:41:6B:6F:E0:7A:30:33:32:E6:60:18:02:A6:0C:63:9B:
> >>>>>>>>>>> C5:D7:2F:6A:D0:BA:45:03:19:0E:21:E8:18:FB:E8:D1:C1:33:05:36:
> >>>>>>>>>>> 1F:9B:0F:29:3F:05:51:7A:30:86:88:B7:C7:44:2E:2B:50:F9:EF:4F:
> >>>>>>>>>>> D4:70:EA:1B:33:E2:F0:E3:E2:88:00:E5:BF:06:E2:D4:B7:81:EE:6E:
> >>>>>>>>>>> 89:02:18:65:8B:1C:84:42:2F:89:14:63:1D:51:70:37:42:C5:68:DD:
> >>>>>>>>>>> 4D:12:7B:07:33:2B:C6:BC:8F:7F:23:D7:58:DF:47:AC:DE:08:67:FE:
> >>>>>>>>>>> CB:E8:E6:4D:95:2F:6B:F5:07:4D:32:92:80:0A:7C:D1:B6:81:EE:AB:
> >>>>>>>>>>> 26:C3:C6:22:77:00:5E:64:DE:96:0E:9F:A4:A0:F0:45:9F:19:73:EB:
> >>>>>>>>>>> CC:60:AE:E9:63:E2:6D:2E:BA:65:9B:BD:04:CC:13:C2:55:88:05:03:
> >>>>>>>>>>> 1B:30:18:8B
> >>>>>>>>>>>
> >>>>>>>>>>> On Tue, 16 Apr 2024 at 11:12, Gavin McKee
> >>>>>>>>>>> <gavmcke...@googlemail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Hi,
> >>>>>>>>>>>>
> >>>>>>>>>>>> I need some help with strange OVS behaviours.
> >>>>>>>>>>>>
> >>>>>>>>>>>> ovs-vsctl (Open vSwitch) 3.2.2
> >>>>>>>>>>>> ovn-controller 23.09.1
> >>>>>>>>>>>> Open vSwitch Library 3.2.2
> >>>>>>>>>>>>
> >>>>>>>>>>>> TLDR: We need to restart Open VSwitch in order for TLS traffic
> >>>>>>>>>>>> to work between a VM and Cloudflare R2. After restarting Open
> >>>>>>>>>>>> VSwitch the TLS connection works fine.
> >>>>>>>>>>>> (see attached pcap tls-error.txt)
> >>>>>>>>>>>>
> >>>>>>>>>>>> See the attached openflow traces - they show a flow trace from
> >>>>>>>>>>>> Open Vswitch.
> >>>>>>>>>>>>
> >>>>>>>>>>>> Also there is a retis trace (retis tool discussed at Open
> >>>>>>>>>>>> VSwitch conference 2023).
> >>>>>>>>>>>>
> >>>>>>>>>>>> Note the drop (TC_INGRESS) in this file
> >>>>>>>>>>>> + 1702601116185568 [swapper/140] 0 [tp] skb:kfree_skb
> >>>>>>>>>>>> #60c81b6b91e2cff284fb3a3d65800 (skb 18386033671255367680) n 3
> >>>>>>>>>>>> drop (TC_INGRESS)
> >>>>>>>>>>>> if 21 (enp148s0f0_1) rxif 21 172.27.18.244.57394 >
> >>>>>>>>>>>> 104.18.2.35.443 ttl 63 tos 0x0 id 26162 off 0 [DF] len 477 proto
> >>>>>>>>>>>> TCP (6) flags [P.] seq 792060930:792061367 ack 951229219 win 11
> >>>>>>>>>>>>
> >>>>>>>>>>>> Again , once I restart Open vSwitch the problem goes away for a
> >>>>>>>>>>>> time and comes back sometime later (not sure what that time
> >>>>>>>>>>>> frame is but its a recurring issue.)
> >>>>>>>>>>> _______________________________________________
> >>>>>>>>>>> discuss mailing list
> >>>>>>>>>>> disc...@openvswitch.org
> >>>>>>>>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> --
> >>>>>>>>>> fbl
> >>>>>>>>
> >>>>>>>>
> >>>>>>>>
> >>>>>>>> --
> >>>>>>>> fbl
> >>>>>> _______________________________________________
> >>>>>> discuss mailing list
> >>>>>> disc...@openvswitch.org
> >>>>>> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
> >>>>>
> >
>
_______________________________________________
discuss mailing list
disc...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
