From patchwork Fri Sep 11 08:52:11 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1362316
From: Dumitru Ceara
To: dev@openvswitch.org
Date: Fri, 11 Sep 2020 10:52:11 +0200
Message-Id: <1599814331-20105-1-git-send-email-dceara@redhat.com>
Subject: [ovs-dev] [PATCH ovn] ovn-northd: Skip conntrack for MLD packets.
We currently skip conntrack for IPv6 Neighbor Discovery packets because
conntrack marks all ND packets as invalid [0].

The same thing should be done for MLD packets. Otherwise, as soon as an
allow-related ACL or load balancer is added, MLD packets will go to
conntrack and get dropped because they are marked "invalid".

This commit also fixes the MLD test to use a link-local IPv6 source
address.

[0] https://bugzilla.kernel.org/show_bug.cgi?id=11797

Signed-off-by: Dumitru Ceara
---
northd/ovn-northd.8.xml | 16 +++++++++-------
northd/ovn-northd.c | 12 ++++++------
tests/ovn.at | 23 +++++++++++++++++++----
3 files changed, 34 insertions(+), 17 deletions(-)
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index a275442..e09b28a 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -318,7 +318,8 @@
Pre-stateful
to send IP packets to the connection tracker
before eventually advancing to ingress table ACLs
. If
special ports such as route ports or localnet ports can't use ct(), a
- priority-110 flow is added to skip over stateful ACLs.
+ priority-110 flow is added to skip over stateful ACLs. IPv6 Neighbor
+ Discovery and MLD traffic also skips stateful ACLs.
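Review bot: the added sentence says ND and MLD traffic "skips stateful ACLs" but not why; the reason given in the commit message (conntrack marks these packets invalid, so an allow-related ACL would drop them) is exactly what a later reader needs before removing the exception, so one clause such as "because conntrack marks them invalid" belongs here. The same priority-110 flow in build_pre_acls() also bypasses DHCPv6 (the "udp && udp.src == 546 && udp.dst == 547" term visible in the ovn-northd.c context), which this paragraph does not list either.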
@@ -337,11 +338,12 @@
This table prepares flows for possible stateful load balancing processing
in ingress table LB
and Stateful
. It contains
a priority-0 flow that simply moves traffic to the next table. Moreover
- it contains a priority-110 flow to move IPv6 Neighbor Discovery traffic
- to the next table. If load balancing rules with virtual IP addresses
- (and ports) are configured in OVN_Northbound
database for a
- logical switch datapath, a priority-100 flow is added for each configured
- virtual IP address VIP. For IPv4 VIPs, the match is
+ it contains a priority-110 flow to move IPv6 Neighbor Discovery and MLD
+ traffic to the next table. If load balancing rules with virtual IP
+ addresses (and ports) are configured in OVN_Northbound
+ database for a logical switch datapath, a priority-100 flow is added for
+ each configured virtual IP address VIP. For IPv4
+ VIPs, the match is
ip && ip4.dst == VIP
. For IPv6
VIPs, the match is ip &&
ip6.dst == VIP
. The flow sets an action
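Review bot: the reflow rewraps the unchanged OVN_Northbound sentence, so the hunk is four changed lines for a two-word addition; keeping the original wrapping for the lines that do not change would make the doc diff easier to review. It would also help to name the match terms used by the flow (nd, nd_rs, nd_ra, mldv1, mldv2) in this Pre-LB paragraph, so a reader can map the prose to the priority-110 flow they see in the logical flow table.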
@@ -478,7 +480,7 @@
A priority-65535 flow that allows IPv6 Neighbor solicitation,
- Neighbor discover, Router solicitation and Router advertisement
+ Neighbor discover, Router solicitation, Router advertisement and MLD
packets.
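Review bot: since this line is touched anyway, "Neighbor discover" looks like a pre-existing typo; the flow in build_acls() matches nd || nd_ra || nd_rs, so the list presumably meant "Neighbor solicitation, Neighbor advertisement, Router solicitation, Router advertisement and MLD".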
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index b95d6cd..48d17a4 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -4924,10 +4924,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
* Not to do conntrack on ND and ICMP destination
* unreachable packets. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
- "nd || nd_rs || nd_ra || "
+ "nd || nd_rs || nd_ra || mldv1 || mldv2 || "
"(udp && udp.src == 546 && udp.dst == 547)", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
- "nd || nd_rs || nd_ra || "
+ "nd || nd_rs || nd_ra || mldv1 || mldv2 || "
"(udp && udp.src == 546 && udp.dst == 547)", "next;");
/* Ingress and Egress Pre-ACL Table (Priority 100).
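Review bot: the comment above the two ovn_lflow_add() calls ("Not to do conntrack on ND and ICMP destination unreachable packets") no longer describes the match: it now also covers MLDv1/MLDv2 and already covered DHCPv6 (udp 546/547), while nothing in the expression matches ICMP destination unreachable. Suggest "Do not send ND, MLD and DHCPv6 packets to conntrack." so the comment and the match expression cannot be read as contradicting each other.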
@@ -5040,10 +5040,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows,
{
/* Do not send ND packets to conntrack */
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
- "nd || nd_rs || nd_ra",
+ "nd || nd_rs || nd_ra || mldv1 || mldv2",
"next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
- "nd || nd_rs || nd_ra",
+ "nd || nd_rs || nd_ra || mldv1 || mldv2",
"next;");
/* Do not send service monitor packets to conntrack. */
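Review bot: the match "nd || nd_rs || nd_ra || mldv1 || mldv2" is now copied into six ovn_lflow_add() calls across build_pre_acls(), build_pre_lb() and build_acls(), and build_acls() already orders the terms differently ("nd || nd_ra || nd_rs"). A single #define for the no-conntrack match, reused in all three functions, would keep the lists from drifting the next time a protocol is added here but not there. The comment "Do not send ND packets to conntrack" in this hunk also needs "and MLD".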
@@ -5575,9 +5575,9 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows,
*
* Not to do conntrack on ND packets. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX,
- "nd || nd_ra || nd_rs", "next;");
+ "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX,
- "nd || nd_ra || nd_rs", "next;");
+ "nd || nd_ra || nd_rs || mldv1 || mldv2", "next;");
}
/* Ingress or Egress ACL Table (Various priorities). */
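Review bot: these flows are installed at UINT16_MAX, so after this change no ACL on any logical switch can drop MLD, however high its priority; that is a visible behaviour change for operators filtering multicast, and it should be stated explicitly in the ovn-northd.8.xml ACL section (the priority-65535 paragraph) and in the commit message or release notes rather than only implied. The comment "Not to do conntrack on ND packets" above the calls is stale here as well.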
diff --git a/tests/ovn.at b/tests/ovn.at
index 4e58722..1898728 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -17339,7 +17339,7 @@ store_mld_query() {
local mld_type=82
local mld_code=00
local max_resp=03e8
- local mld_chksum=59be
+ local mld_chksum=7b3d
local addr=00000000000000000000000000000000
local eth=${eth_dst}${eth_src}86dd
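Review bot: the new checksum is consistent with the source address change (only the first pseudo-header word moves, 0x2000 to 0xfe80, and updating 0x59be by that delta gives 0x7b3d), but the value stays hard-coded in store_mld_query(). Computing the ICMPv6 checksum in the helper from the ip6/mld fields it already assembles would mean the next change to mcast_ip6_src or max_resp does not need a hand recomputation, and would fail loudly on a wrong constant instead of making the test expect a corrupt packet.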
@@ -17419,6 +17419,21 @@ ovn-nbctl lsp-add sw3 sw3-rtr \
-- lsp-set-addresses sw3-rtr 00:00:00:00:03:00 \
-- lsp-set-options sw3-rtr router-port=rtr-sw3
+# Conntrack marks all IPv6 Neighbor Discovery and MLD packets as invalid,
+# make sure to test that conntrack is bypassed for MLD by adding an empty
+# allow-related ACL and an empty load balancer.
+ovn-nbctl acl-add sw1 from-lport 1 "1" allow-related
+ovn-nbctl acl-add sw2 from-lport 1 "1" allow-related
+ovn-nbctl acl-add sw3 from-lport 1 "1" allow-related
+ovn-nbctl acl-add sw1 to-lport 1 "1" allow-related
+ovn-nbctl acl-add sw2 to-lport 1 "1" allow-related
+ovn-nbctl acl-add sw3 to-lport 1 "1" allow-related
+
+ovn-nbctl lb-add lb0 [[4242::1]]:80 ""
+ovn-nbctl ls-lb-add sw1 lb0
+ovn-nbctl ls-lb-add sw2 lb0
+ovn-nbctl ls-lb-add sw3 lb0
+
net_add n1
sim_add hv1
as hv1
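Review bot: the comment should say in one more clause what the ACLs and the load balancer are for: the ACLs match everything ("1") and lb0 has no backends (""), they exist only so that build_pre_acls()/build_pre_lb() install the ct() flows that would send MLD to conntrack without the fix. The first sentence is also a comma splice ("as invalid; make sure to test"). The assertion that follows (final hunk) only checks queries leaving sw2 on vif3-tx; if the test also sends MLD reports from a VIF, they exercise the from-lport direction and the allow-related ACLs on that side too, otherwise one report check would round out the coverage.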
@@ -17614,12 +17629,12 @@ ovn-nbctl set Logical_Switch sw2 \
other_config:mcast_querier="true" \
other_config:mcast_query_interval=1 \
other_config:mcast_eth_src="00:00:00:00:02:fe" \
- other_config:mcast_ip6_src="2000::fe"
+ other_config:mcast_ip6_src="fe80::fe"
# Wait for 1 query interval (1 sec) and check that two queries are generated.
> expected
-store_mld_query 0000000002fe 200000000000000000000000000000fe expected
-store_mld_query 0000000002fe 200000000000000000000000000000fe expected
+store_mld_query 0000000002fe fe8000000000000000000000000000fe expected
+store_mld_query 0000000002fe fe8000000000000000000000000000fe expected
sleep 1
OVN_CHECK_PACKETS([hv1/vif3-tx.pcap], [expected])
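Review bot: moving mcast_ip6_src to fe80::fe is the right fix, not just a test cosmetic: RFC 2710 and RFC 3810 require MLD queries to carry a link-local source, and RFC 3810 section 5.1.14 says receivers must silently discard a query whose source is not link-local, so the previous 2000::fe configuration produced queries that hosts would ignore. Since mcast_ip6_src is operator-supplied, consider having ovn-northd log a warning (or refuse the value) when it is not link-local instead of silently emitting queries that no host will accept; the test change then documents the requirement, and the doc for mcast_ip6_src should state it.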
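Added example (not part of this patch or of the OVN code base): the tests/ovn.at hunk above replaces a hard-coded MLD checksum because the query's source address moves to link-local. The script below computes the ICMPv6 checksum over the IPv6 pseudo-header for a constructed MLDv1 general query, verifies a stored checksum the way a receiver does, and applies the RFC 1624 incremental update for one changed 16-bit word; with the patch's values (0x59be, word 0x2000 replaced by 0xfe80) that update yields 0x7b3d, the new constant in the hunk. The query layout, the ff02::1 destination and all function names are this example's assumptions, since store_mld_query() is only partly shown.

```python
import socket
import struct

ICMPV6_NEXT_HEADER = 58


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum of data (RFC 1071), folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def ipv6_pseudo_header(src: str, dst: str, upper_len: int) -> bytes:
    """RFC 8200 pseudo-header: src, dst, upper-layer length, zeros, next header."""
    return (socket.inet_pton(socket.AF_INET6, src)
            + socket.inet_pton(socket.AF_INET6, dst)
            + struct.pack("!I", upper_len)
            + b"\x00\x00\x00" + bytes([ICMPV6_NEXT_HEADER]))


def icmpv6_checksum(src: str, dst: str, payload: bytes) -> int:
    """Checksum an ICMPv6 message whose checksum field is zeroed."""
    return (~ones_complement_sum(ipv6_pseudo_header(src, dst, len(payload)) + payload)) & 0xFFFF


def verify_icmpv6(src: str, dst: str, message: bytes) -> bool:
    """Receiver-side check: sum over pseudo-header plus message (checksum included) must be 0xFFFF."""
    return ones_complement_sum(ipv6_pseudo_header(src, dst, len(message)) + message) == 0xFFFF


def incremental_checksum(old_csum: int, old_word: int, new_word: int) -> int:
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m') for one replaced 16-bit word."""
    total = (~old_csum & 0xFFFF) + (~old_word & 0xFFFF) + (new_word & 0xFFFF)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_mld_query(max_resp_ms: int = 1000, group: str = "::") -> bytes:
    """Constructed MLDv1 general query (RFC 2710): type 130, code 0, zero checksum,
    max response delay, reserved, multicast address (:: for a general query)."""
    return struct.pack("!BBHHH", 0x82, 0, 0, max_resp_ms, 0) + socket.inet_pton(socket.AF_INET6, group)


def checksummed_query(src: str, dst: str = "ff02::1") -> bytes:
    """Return the query with its checksum filled in for the given source address."""
    query = build_mld_query()
    csum = icmpv6_checksum(src, dst, query)
    return query[:2] + struct.pack("!H", csum) + query[4:]


if __name__ == "__main__":
    # The patch's constants: only the first pseudo-header word changes (2000:: -> fe80::).
    print(hex(incremental_checksum(0x59BE, 0x2000, 0xFE80)))  # 0x7b3d
    for src in ("2000::fe", "fe80::fe"):
        msg = checksummed_query(src)
        print(src, msg.hex(), verify_icmpv6(src, "ff02::1", msg))
```

The checksums the script prints for its own constructed query (0x59c3 and 0x7b42) differ from the test's 0x59be and 0x7b3d because the exact bytes store_mld_query() emits are not shown above; the delta between the two source addresses is the same in both cases, which is what the incremental update demonstrates. The verify_icmpv6() path is the one to use when checking captured queries in a pcap: a query whose stored checksum does not verify will be discarded by every receiver, exactly the symptom a wrong hard-coded constant in the test would hide.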