There are two computer node, each have one vm. And the two vms in 
indifferent vlan networks. The ping between the vms is not success.

The reason is that the ACL for the to-localnet port or from-localnet port is
assigned to conntrack, so the ICMP request and reply of one pair get different
zone IDs on a single OVS node. This makes the ct state incorrect.

This patch do the modification that localnet port do not use ct.

Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507
Signed-off-by: wangqianyu <wang.qia...@zte.com.cn>
---
 ovn/northd/ovn-northd.8.xml |  4 +++-
 ovn/northd/ovn-northd.c     | 24 +++++++++++++++++++++++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index c0b4c5e..05f0470 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -220,7 +220,9 @@
       logical datapath, a priority-100 flow is added that sets a hint
       (with <code>reg0[0] = 1; next;</code>) for table
       <code>Pre-stateful</code> to send IP packets to the connection 
tracker
-      before eventually advancing to ingress table <code>ACLs</code>.
+      before eventually advancing to ingress table <code>ACLs</code>. If 
some
+      special ports such as route ports or localnet ports can't use ct(), 
 a
+      priority-110 flow is added to skip over stateful ACLs.
     </p>
 
     <h3>Ingress Table 4: Pre-LB</h3>
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 83db753..eea12e8 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -1,4 +1,4 @@
-/*
+/*
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at:
@@ -416,6 +416,7 @@ struct ovn_datapath {
     /* The "derived" OVN port representing the instance of l3dgw_port on
      * the "redirect-chassis". */
     struct ovn_port *l3redirect_port;
+    struct ovn_port *localnet_port;
 };
 
 struct macam_node {
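Review bot: The new `localnet_port` member at the end of `struct ovn_datapath` is the only field in this hunk without a comment, while the neighbouring `l3redirect_port` documents what it holds; add one stating the contract, e.g. `/* The datapath's "localnet" port, or NULL if it has none.  Only one is remembered; see join_logical_ports(). */`. Whether a freshly created datapath starts with this field NULL depends on how the struct is allocated, which is outside this hunk; if it is not zero-allocated, the `if (od->localnet_port)` test added in build_pre_acls() reads an uninitialized pointer, so that is worth confirming.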
@@ -1351,6 +1352,10 @@ join_logical_ports(struct northd_context *ctx,
                     ovs_list_push_back(nb_only, &op->list);
                 }
 
+                if (!strcmp(nbsp->type, "localnet")) {
+                   od->localnet_port = op;
+                }
+
                 op->lsp_addrs
                     = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
                 for (size_t j = 0; j < nbsp->n_addresses; j++) {
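Review bot: The assignment `od->localnet_port = op;` in the `if (!strcmp(nbsp->type, "localnet"))` branch silently overwrites any earlier localnet port of the same datapath, so if the schema allows a logical switch to have more than one, only the last one is kept and the conntrack-skip flows later built from this field cover only that port; traffic through the others presumably still goes through ct() with the asymmetric-zone problem this patch describes. Either warn on a second localnet port, or keep a list and emit one flow pair per port. The body is also indented three spaces where the surrounding code uses four. join_logical_ports() starts and ends outside this hunk.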
@@ -2629,6 +2634,23 @@ build_pre_acls(struct ovn_datapath *od, struct hmap 
*lflows)
             ds_destroy(&match_in);
             ds_destroy(&match_out);
         }
+        if (od->localnet_port) {
+            struct ds match_in = DS_EMPTY_INITIALIZER;
+            struct ds match_out = DS_EMPTY_INITIALIZER;
+
+            ds_put_format(&match_in, "ip && inport == %s",
+                          od->localnet_port->json_key);
+            ds_put_format(&match_out, "ip && outport == %s",
+                          od->localnet_port->json_key);
+            ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+                          ds_cstr(&match_in), "next;");
+            ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
+                          ds_cstr(&match_out), "next;");
+
+            ds_destroy(&match_in);
+            ds_destroy(&match_out);
+        }
+
         /* Ingress and Egress Pre-ACL Table (Priority 110).
          *
          * Not to do conntrack on ND packets. */
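Review bot: The new priority-110 `next;` flows for `ip && inport == <localnet>` and `ip && outport == <localnet>` make every IP packet through the localnet port bypass the conntrack hint, so the ACL stage that follows presumably evaluates that traffic with no ct state and ACLs written against ct.est/ct.rel cannot match it; the ovn-northd.8.xml text in this patch calls this "skip over stateful ACLs", which is broader than what the flow does (it skips the ct() hint, not the ACL table). That trade-off deserves a comment at the `if (od->localnet_port)` block, e.g. `/* Traffic through the localnet port bypasses conntrack: request and reply would otherwise be tracked in different zones on one chassis.  Stateful ACLs see no ct state for it. */`. The flows are emitted whenever `od->localnet_port` is set; whether the enclosing condition restricts this to datapaths that actually use conntrack is outside the hunk, and if not they are added even where no ct() would have run. build_pre_acls() starts and ends outside the hunk.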
-- 
2.7.2.windows.1