Should we fix the problem another way, by introducing a way to make sure that the same port is used, or at least that the same zone is used? It does not sound like a good idea to simply bypass the firewall.
On Thu, Jun 01, 2017 at 09:22:24AM +0800, wang.qia...@zte.com.cn wrote:
> Hi Ben, thanks for your review.
>
> Conntrack has no problem with the localnet port, but the pipeline has a
> problem in the following circumstance:
>
>      ------   vlan   ------
>      |ovs1|----------|ovs2|
>      ------          ------
>        |               |
>       vm1             vm2
>
> net1 10.0.0.0/24 has vm1 with ip 10.0.0.10, net2 10.0.0.0/24 has vm2 with
> ip 20.0.0.10. net1 and net2 link to the same router. net1 and net2 have
> localnet ports as inport/outport when a packet is forwarded between ovs1 and
> ovs2.
>
> When vm1 pings vm2, by the route forward, the out port of the icmp request
> is the localnet port of net2 in ovs1. And in reverse, ovs1 will use the
> localnet port of net1 as the inport of the icmp reply from vm2.
>
> The request and reply do not use the same localnet port in ovs. Because
> different localnet ports have different zone ids, when the localnet port
> uses ct, the ct state can not change to established.
>
> So the icmp reply will be dropped because of the incorrect ct state.
>
>
>
>
>
> Ben Pfaff <b...@ovn.org>
> 2017/06/01 07:42
>
> To: wang.qia...@zte.com.cn,
> Cc: d...@openvswitch.org, zhou.huij...@zte.com.cn,
> xu.r...@zte.com.cn
> Subject: [spam suspicious mail]Re: [ovs-dev] [PATCH] ovn-northd: Fix ping
> failure of vlan networks.
>
>
> On Mon, May 22, 2017 at 07:39:22PM +0800, wang.qia...@zte.com.cn wrote:
> > There are two computer nodes, each having one vm. And the two vms are in
> > different vlan networks. The ping between the vms does not succeed.
> >
> > The reason is that the acl of the to-localnet port or from-localnet port
> > is assigned to conntrack. So the pair of icmp request and reply have
> > different zone ids in one ovs node. This makes the ct state not correct.
> >
> > This patch makes the modification that the localnet port does not use ct.
> >
> > Signed-off-by: wangqianyu <wang.qia...@zte.com.cn>
>
> This patch was word-wrapped, but I was able to deal with that.
>
> I don't exactly understand the problem. Does conntrack not work at all
> with packets that go to/from localnet ports? Or does it have something
> to do with VLAN tags?
>
> Please document the new flows in ovn-northd.8.xml.
>
> Also, checkpatch reported the following:
>
> ERROR: Improper whitespace around control block
> #17 FILE: b/ovn/northd/ovn-northd.c:1355:
> if(!strcmp(nbsp->type, "localnet")) {
>
> ERROR: Improper whitespace around control block
> #28 FILE: b/ovn/northd/ovn-northd.c:2637:
> if(od->localnet_port) {
>
> WARNING: Line length is >79-characters long
> #32 FILE: b/ovn/northd/ovn-northd.c:2641:
> ds_put_format(&match_in, "ip && inport == %s", od->localnet_port->json_key);
>
> WARNING: Line length is >79-characters long
> #33 FILE: b/ovn/northd/ovn-northd.c:2642:
> ds_put_format(&match_out, "ip && outport == %s", od->localnet_port->json_key);
>
> Thanks a lot for working on OVN!
>

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
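The zone problem described in the thread, and the alternative Ben raises (make both localnet ports use the same zone instead of skipping ct), as an added example. This is not code from the patch, the thread, or OVN: it is a toy model of a conntrack table keyed by (zone, flow), with a simplified ACL policy in which traffic a VM starts is admitted and committed, while traffic arriving from outside is admitted only when conntrack already reports it as established. The zone numbers, port names and that policy are constructed assumptions, not OVN's real zone allocation or ACL stages.

```python
"""Toy model of per-port conntrack zones on an asymmetric localnet path.

Added example: not code from the thread, the patch, or OVN itself. It
replays the scenario on a single OVS node (ovs1): the ICMP request leaves
through net2's localnet port, the reply comes back through net1's localnet
port, and each logical port runs ct() in its own zone. Zone numbers, port
names and the simplified ACL policy are constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """Minimal flow key; a real 5-tuple would also carry ports/ICMP ids."""
    src: str
    dst: str
    proto: str = "icmp"

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.src, self.proto)


class Conntrack:
    """Connection table keyed by (zone, flow), the way ct(zone=N) keys entries."""

    def __init__(self) -> None:
        self._entries: dict[tuple[int, Flow], dict] = {}

    def lookup(self, zone: int, flow: Flow) -> str:
        """Return the ct state ("new" or "est") a packet of `flow` gets in `zone`."""
        entry = self._entries.get((zone, flow))
        if entry is None:
            return "new"                      # nothing known in this zone
        if flow == entry["original"]:
            # original direction is established only once a reply was seen
            return "est" if entry["replied"] else "new"
        entry["replied"] = True               # reply direction seen
        return "est"

    def commit(self, zone: int, flow: Flow) -> None:
        """Record `flow` in `zone`; both directions resolve to the same entry."""
        if (zone, flow) in self._entries:
            return
        entry = {"original": flow, "replied": False}
        self._entries[(zone, flow)] = entry
        self._entries[(zone, flow.reverse())] = entry


def traverse(ct: Conntrack, zone_of: dict[str, int],
             hops: list[tuple[str, bool]], flow: Flow) -> tuple[bool, list[str]]:
    """Push `flow` through the ports in `hops` on one node.

    Each hop runs ct in the zone of its port. A hop marked outbound admits
    and commits a new flow (an allow-related ACL for traffic a VM starts);
    an inbound hop admits only established traffic and drops anything
    conntrack reports as new. Returns (admitted, per-hop states).
    """
    states: list[str] = []
    for port, outbound in hops:
        zone = zone_of[port]
        state = ct.lookup(zone, flow)
        states.append(f"{port}:{state}")
        if state == "new":
            if not outbound:
                return False, states          # reply looks new -> dropped
            ct.commit(zone, flow)
    return True, states


def ping(zone_of: dict[str, int]) -> dict:
    """Replay the vm1 -> vm2 request and its reply as seen by ovs1."""
    ct = Conntrack()
    request = Flow("10.0.0.10", "20.0.0.10")
    req_ok, req_states = traverse(
        ct, zone_of, [("vm1", True), ("localnet-net2", True)], request)
    # the reply enters ovs1 via net1's localnet port, not net2's
    rep_ok, rep_states = traverse(
        ct, zone_of, [("localnet-net1", False), ("vm1", False)], request.reverse())
    return {"request_admitted": req_ok, "request_states": req_states,
            "reply_admitted": rep_ok, "reply_states": rep_states}


# one zone per logical port (constructed numbers)
PER_PORT_ZONES = {"vm1": 1, "localnet-net1": 2, "localnet-net2": 3}
# the alternative raised in the thread: both localnet ports share one zone
SHARED_LOCALNET_ZONE = {"vm1": 1, "localnet-net1": 2, "localnet-net2": 2}

if __name__ == "__main__":
    for label, zones in (("per-port zones", PER_PORT_ZONES),
                         ("shared localnet zone", SHARED_LOCALNET_ZONE)):
        print(label, ping(zones))
```

With one zone per port the reply's first ct lookup happens in net1's zone, where no entry exists, so it is reported as new and dropped; with a shared zone for the two localnet ports the same lookup finds the entry committed on the request's way out and the reply is established on every hop. The model deliberately keeps ct on the localnet leg, which is the point of the question about fixing the zone rather than bypassing the firewall.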