Hi all,

I'm writing the code to implement the port groups in networking-ovn (the OpenStack integration project with OVN). I found out that when I boot a VM, it looks like the egress traffic (from the VM) is not working properly. The VM port belongs to 3 Port Groups:

1. Default drop port group with the following ACLs:

_uuid               : 0b092bb2-e97b-463b-a678-8a28085e3d68
action              : drop
direction           : from-lport
external_ids        : {}
log                 : false
match               : "inport == @neutron_pg_drop && ip"
name                : []
priority            : 1001
severity            : []

_uuid               : 849ee2e0-f86e-4715-a949-cb5d93437847
action              : drop
direction           : to-lport
external_ids        : {}
log                 : false
match               : "outport == @neutron_pg_drop && ip"
name                : []
priority            : 1001
severity            : []

2. Subnet port group to allow DHCP traffic on that subnet:

_uuid               : 8360a415-b7e1-412b-95ff-15cc95059ef0
action              : allow
direction           : from-lport
external_ids        : {}
log                 : false
match               : "inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c && ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68 && udp.dst == 67"
name                : []
priority            : 1002
severity            : []

3. Security group port group with the following rules:

3.1 Allow ICMP traffic:

_uuid               : d12a749f-0f75-4634-aa20-6116e1d5d26d
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="9675d6df-56a1-4640-9a0f-1f88e49ed2b5"}
log                 : false
match               : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == 0.0.0.0/0 && icmp4"
name                : []
priority            : 1002
severity            : []

3.2 Allow SSH traffic:

_uuid               : 05100729-816f-4a09-b15c-4759128019d4
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="2a48979f-8209-4fb7-b24b-fff8d82a2ae9"}
log                 : false
match               : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22"
name                : []
priority            : 1002
severity            : []

3.3 Allow IPv4/IPv6 traffic from this same port group:

_uuid               : b56ce66e-da6b-48be-a66e-77c8cfd6ab92
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="5b0a47ee-8114-4b13-8d5b-b16d31586b3b"}
log                 : false
match               : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip6 && ip6.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip6"
name                : []
priority            : 1002
severity            : []

_uuid               : 7b68f430-41b5-414d-a2ed-6c548be53dce
action              : allow-related
direction           : to-lport
external_ids        : {"neutron:security_group_rule_id"="299bd9ca-89fb-4767-8ae9-a738e98603fb"}
log                 : false
match               : "outport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4 && ip4.src == $pg_d237185f_733f_4a09_8832_bcee773722ef_ip4"
name                : []
priority            : 1002
severity            : []

3.4 Allow all egress (VM point of view) IPv4 traffic:

_uuid               : c5fbf0b7-6461-4f27-802e-b0d743be59e5
action              : allow-related
direction           : from-lport
external_ids        : {"neutron:security_group_rule_id"="a4ffe40a-f773-41d6-bc04-40500d158f51"}
log                 : false
match               : "inport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4"
name                : []
priority            : 1002
severity            : []

So, I boot a VM using this port and I can verify that ICMP and SSH traffic works well while the egress traffic doesn't work. From the VM I curl an IP living in a network namespace and this is what I see with tcpdump there:

On the VM:

$ ip r get 169.254.254.169
169.254.254.169 via 10.0.0.1 dev eth0 src 10.0.0.6
$ curl 169.254.169.254

On the hypervisor (haproxy listening on 169.254.169.254:80):

$ sudo ip net e ovnmeta-0cf12eb0-fdb3-4087-98b0-9c52cafd0bdf tcpdump -i any port 80 -vvn
tcpdump: listening on any, link-type LINUX_SLL (Linux cooked), capture size 262144 bytes
21:59:47.106883 IP (tos 0x0, ttl 64, id 61543, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x851c (correct), seq 2571046510, win 14020, options [mss 1402,sackOK,TS val 22740490 ecr 0,nop,wscale 2], length 0
21:59:47.106935 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31 (incorrect -> 0x34c0), seq 3215869181, ack 2571046511, win 28960, options [mss 1460,sackOK,TS val 200017176 ecr 22740490,nop,wscale 7], length 0
21:59:48.105256 IP (tos 0x0, ttl 64, id 61544, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x5e31 (incorrect -> 0x8422), seq 2571046510, win 14020, options [mss 1402,sackOK,TS val 22740740 ecr 0,nop,wscale 2], length 0
21:59:48.105315 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31 (incorrect -> 0x30da), seq 3215869181, ack 2571046511, win 28960, options [mss 1460,sackOK,TS val 200018174 ecr 22740490,nop,wscale 7], length 0
21:59:49.526158 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31 (incorrect -> 0x2b4d), seq 3215869181, ack 2571046511, win 28960, options [mss 1460,sackOK,TS val 200019595 ecr 22740490,nop,wscale 7], length 0
21:59:50.109732 IP (tos 0x0, ttl 64, id 61545, offset 0, flags [DF], proto TCP (6), length 60)
    10.0.0.6.34553 > 169.254.169.254.http: Flags [S], cksum 0x5e31 (incorrect -> 0x822d), seq 2571046510, win 14020, options [mss 1402,sackOK,TS val 22741241 ecr 0,nop,wscale 2], length 0
21:59:50.109795 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31 (incorrect -> 0x2906), seq 3215869181, ack 2571046511, win 28960, options [mss 1460,sackOK,TS val 200020178 ecr 22740490,nop,wscale 7], length 0
21:59:52.146800 IP (tos 0x0, ttl 64, id 0, offset 0, flags [DF], proto TCP (6), length 60)
    169.254.169.254.http > 10.0.0.6.34553: Flags [S.], cksum 0x5e31 (incorrect -> 0x2110), seq 3215869181, ack 2571046511, win 28960, options [mss 1460,sackOK,TS val 200022216 ecr 22740490,nop,wscale 7], length 0

Logical flows table in SB database:

_uuid               : 1797e859-8c8e-4ad5-8e83-bd5f3be6da24
actions             : "next;"
external_ids        : {source="ovn-northd.c:3186", stage-hint="c5fbf0b7", stage-name=ls_in_acl}
logical_datapath    : 0cf12eb0-fdb3-4087-98b0-9c52cafd0bdf
match               : "inport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4"
pipeline            : ingress
priority            : 2002
table_id            : 6
hash                : 0

ovn-sbctl lflow-list:

  table=6 (ls_in_acl      ), priority=2002 , match=(inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c && ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68 && udp.dst == 67), action=(next;)
  table=6 (ls_in_acl      ), priority=2002 , match=(inport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4), action=(next;)
  table=6 (ls_in_acl      ), priority=2001 , match=(inport == @neutron_pg_drop && ip), action=(/* drop */)

These are the OpenFlow rules installed in table 14:

 cookie=0x0, duration=19223.716s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2002,udp,reg14=0x4,metadata=0x1,tp_src=68,tp_dst=67 actions=conjunction(2,1/2)
 cookie=0x0, duration=19223.716s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2002,udp,metadata=0x1,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=conjunction(2,2/2)
 cookie=0xd41e70c, duration=19223.844s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2001,ipv6,reg14=0x4,metadata=0x1 actions=drop
 cookie=0xd41e70c, duration=19223.844s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2001,ip,reg14=0x4,metadata=0x1 actions=drop

@Han, do you have any pointers as to why this could be failing? Something you want me to check in this setup?

Thanks a lot,
Daniel
_______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
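Editor's note: the dumps in the message above pair the ovn-sbctl lflow-list for ls_in_acl (logical stage 6, ACL priorities shown offset by 1000 from the NB ACLs) with the ovs-ofctl flows in table 14, and the useful check is whether every logical flow in that stage actually got an OpenFlow flow installed by ovn-controller. The script below is an added example, written for this page; it is not code from the thread, from networking-ovn or from OVN. It parses the two dumps as Daniel pasted them (embedded here as constructed sample input copied from the message), maps each logical match to the ovs-ofctl protocol keyword its OpenFlow flow must carry (ip4 -> ip, ip6 -> ipv6, bare ip -> both, udp/tcp/icmp4 likewise), and reports logical flows with no OpenFlow flow of the same table, priority and protocol. The only assumption beyond the dumps is the stage-to-table offset (ingress stage N lands in OpenFlow table 8 + N), which the dumps themselves confirm for stage 6 / table 14; the check is deliberately coarse and ignores port-group membership (reg14) and conjunction structure.

```python
"""Cross-check OVN logical flows (ovn-sbctl lflow-list) against the OpenFlow
flows ovn-controller installed (ovs-ofctl dump-flows br-int), and report any
logical flow that has no OpenFlow counterpart in its table.

Example code for the ovs-discuss thread above, not OVN/networking-ovn code.
"""
import re

# Constructed sample input: the ovn-sbctl lflow-list lines from the message.
LFLOW_LIST = """\
  table=6 (ls_in_acl      ), priority=2002 , match=(inport == @pg_b1a572c6_2331_4cfb_a892_3d9d7b0af70c && ip4 && ip4.dst == {255.255.255.255, 10.0.0.0/26} && udp && udp.src == 68 && udp.dst == 67), action=(next;)
  table=6 (ls_in_acl      ), priority=2002 , match=(inport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4), action=(next;)
  table=6 (ls_in_acl      ), priority=2001 , match=(inport == @neutron_pg_drop && ip), action=(/* drop */)
"""

# Constructed sample input: the table 14 ovs-ofctl dump-flows lines from the message.
OF_FLOWS = """\
 cookie=0x0, duration=19223.716s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2002,udp,reg14=0x4,metadata=0x1,tp_src=68,tp_dst=67 actions=conjunction(2,1/2)
 cookie=0x0, duration=19223.716s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2002,udp,metadata=0x1,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=conjunction(2,2/2)
 cookie=0xd41e70c, duration=19223.844s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2001,ipv6,reg14=0x4,metadata=0x1 actions=drop
 cookie=0xd41e70c, duration=19223.844s, table=14, n_packets=0, n_bytes=0, idle_age=19223, priority=2001,ip,reg14=0x4,metadata=0x1 actions=drop
"""

# Assumption: ovn-controller places logical ingress stage N in OpenFlow
# table 8 + N. The dumps above pair ls_in_acl (stage 6) with table 14.
INGRESS_TABLE_BASE = 8

LFLOW_RE = re.compile(
    r"table=(\d+)\s+\(\S+\s*\),\s*priority=(\d+)\s*,\s*match=\((.*)\),\s*action=")
OF_RE = re.compile(r"table=(\d+),.*?priority=(\d+),([^ ]*) actions=")

# ovs-ofctl shorthand for each (address family, L4 protocol) pair.
OF_PROTO = {
    4: {None: "ip", "udp": "udp", "tcp": "tcp", "icmp": "icmp"},
    6: {None: "ipv6", "udp": "udp6", "tcp": "tcp6", "icmp": "icmp6"},
}


def parse_lflows(text):
    """Yield (stage, priority, logical_match) from ovn-sbctl lflow-list output."""
    for line in text.splitlines():
        m = LFLOW_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3)


def parse_of_flows(text):
    """Yield (table, priority, match_fields) from ovs-ofctl dump-flows output."""
    for line in text.splitlines():
        m = OF_RE.search(line)
        if m:
            yield int(m.group(1)), int(m.group(2)), m.group(3).split(",")


def expected_of_protos(lmatch):
    """Protocol keyword(s) an OpenFlow flow for this logical match must carry.
    A bare 'ip' match covers both families, so it needs 'ip' and 'ipv6'."""
    toks = set(re.findall(r"\b(ip4|ip6|ip|udp|tcp|icmp4|icmp6)\b", lmatch))
    fams = set()
    if toks & {"ip4", "icmp4"}:
        fams.add(4)
    if toks & {"ip6", "icmp6"}:
        fams.add(6)
    if not fams and "ip" in toks:
        fams = {4, 6}
    l4 = None
    for proto in ("udp", "tcp"):
        if proto in toks:
            l4 = proto
    if toks & {"icmp4", "icmp6"}:
        l4 = "icmp"
    return {OF_PROTO[fam][l4] for fam in fams}


def find_uninstalled_lflows(lflow_text, of_text):
    """Return (of_table, priority, proto, logical_match) for each logical flow
    with no OpenFlow flow of the same table, priority and protocol keyword.
    Coarse on purpose: reg14 (inport) and conjunction layout are not compared."""
    of_flows = list(parse_of_flows(of_text))
    missing = []
    for stage, prio, lmatch in parse_lflows(lflow_text):
        table = INGRESS_TABLE_BASE + stage
        for proto in sorted(expected_of_protos(lmatch)):
            if not any(t == table and p == prio and proto in fields
                       for t, p, fields in of_flows):
                missing.append((table, prio, proto, lmatch))
    return missing


if __name__ == "__main__":
    for table, prio, proto, lmatch in find_uninstalled_lflows(LFLOW_LIST, OF_FLOWS):
        print(f"no '{proto}' flow in table {table} at priority {prio} for: {lmatch}")
```

Run against the pasted dumps it reports exactly one gap: the priority-2002 logical flow for `inport == @pg_d237185f_733f_4a09_8832_bcee773722ef && ip4` has no `ip` flow in table 14 (the only priority-2002 flows there are the `udp` conjunction halves for the DHCP port group), while the DHCP flow and both halves of the priority-2001 drop do have counterparts. On a live host, feed it the output of `ovn-sbctl lflow-list` and `ovs-ofctl dump-flows br-int table=14` instead of the embedded samples.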