couple corrections inline On Fri, May 3, 2019 at 8:52 AM Darrell Ball <dlu...@gmail.com> wrote:
> > > On Fri, May 3, 2019 at 8:29 AM Zhang, Jing C. (Nokia - CA/Ottawa) < > jing.c.zh...@nokia.com> wrote: > >> >> 1. This issue is with native OVS firewall where the data flows are >> subject to conntrack rules, there is no issue for hybrid firewall >> >> > 1/ Does 'native OVS firewall' mean either kernel datapath or userpace > datapath ? > 2/ Pls define 'hybrid datapath' in your context ? > 2/ Pls define 'hybrid firewall' in your context ? > > >> >> 1. >> >> >> >> 1. Below is from DPDK compute: >> >> >> >> # ovs-vsctl --no-wait get Open_vSwitch . other_config >> > > 3/ dpdk is not initialized > > An info log is also present when dpdk is initialized: "DPDK Enabled - > initialized" > > btw: '--no-wait' is needed for get commands > btw: '--no-wait' is NOT needed for get commands > > > >> # ovs-vsctl -- list bridge br-int | grep datapath >> >> datapath_id : "00001a9b5b9ec94e" >> >> datapath_type : netdev >> >> datapath_version : "<built-in>" >> > > 4/ You are using userspace datapath on this particular node without dpdk > support > Is that intentional ? > > > >> >> >> *From:* Darrell Ball <dlu...@gmail.com> >> *Sent:* Friday, May 3, 2019 11:24 AM >> *To:* Zhang, Jing C. (Nokia - CA/Ottawa) <jing.c.zh...@nokia.com> >> *Cc:* Han Zhou <zhou...@gmail.com>; ovs-discuss@openvswitch.org >> *Subject:* Re: FW: [ovs-discuss] OVS 2.9.0 native firewall drops empty >> payload TCP packets continued >> >> >> >> The node you are displaying below is running kernel datapath >> >> >> >> fyi: The fix Han pointed you to is for userspace datapath/conntrack >> >> >> >> >> >> >> >> On Fri, May 3, 2019 at 8:14 AM Zhang, Jing C. (Nokia - CA/Ottawa) < >> jing.c.zh...@nokia.com> wrote: >> >> We have both OVS and OVS-dpdk computes. >> >> >> >> Below is from OVS compute: >> >> >> >> # ovs-vsctl --no-wait get Open_vSwitch . other_config >> >> {} >> >> # ovs-vsctl -- list bridge br-int | grep datapath >> >> datapath_id : "0000aaf62aaf3546" >> >> datapath_type : system >> >> datapath_version : "<unknown>" >> >> >> >> *From:* Darrell Ball <dlu...@gmail.com> >> *Sent:* Friday, May 3, 2019 12:19 AM >> *To:* Han Zhou <zhou...@gmail.com>; Zhang, Jing C. (Nokia - CA/Ottawa) < >> jing.c.zh...@nokia.com>; ovs-discuss@openvswitch.org >> *Subject:* Re: FW: [ovs-discuss] OVS 2.9.0 native firewall drops empty >> payload TCP packets continued >> >> >> >> What do the following commands yield ? >> >> >> >> sudo ovs-vsctl -- get bridge <bridge name> datapath_type >> >> >> >> sudo ovs-vsctl --no-wait get Open_vSwitch . other_config >> >> >> >> >> >> >> >> *From: *<ovs-discuss-boun...@openvswitch.org> on behalf of Han Zhou < >> zhou...@gmail.com> >> *Date: *Thursday, May 2, 2019 at 7:12 PM >> *To: *"Zhang, Jing C. (Nokia - CA/Ottawa)" <jing.c.zh...@nokia.com> >> *Cc: *"ovs-discuss@openvswitch.org" <ovs-discuss@openvswitch.org> >> *Subject: *Re: [ovs-discuss] OVS 2.9.0 native firewall drops empty >> payload TCP packets continued >> >> >> >> >> >> On Thu, May 2, 2019 at 6:04 PM Zhang, Jing C. (Nokia - CA/Ottawa) < >> jing.c.zh...@nokia.com> wrote: >> > >> > We (our VNFs) continue to observe the same empty payload TCP (ACK) >> packet drop with native firewall (see original post below) after upgrading >> to Centos 7.6. This packet drop results in unacceptable TCP performance, by >> that native firewall still can not be enabled in product. >> > >> > >> https://mail.openvswitch.org/pipermail/ovs-discuss/2018-August/047263.html >> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fmail.openvswitch.org%2Fpipermail%2Fovs-discuss%2F2018-August%2F047263.html&data=02%7C01%7Cdball%40vmware.com%7Cd358d5a23b2640ebd28708d6cf6cc524%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636924463524642583&sdata=ihTE%2BcOA9d8yNflCbqJYHXOJWhFuqvq4yJmu7H9lGwo%3D&reserved=0> >> > >> > $ uname -a >> > Linux overcloud-sriovperformancecompute-0 3.10.0-957.10.1.el7.x86_64 #1 >> SMP Mon Mar 18 15:06:45 UTC 2019 x86_64 x86_64 x86_64 GNU/Linux >> > >> > $ ovs-vswitchd --version >> > ovs-vswitchd (Open vSwitch) 2.9.0 >> > DPDK 17.11.0 >> > >> > The scenario: OVS provider VLAN network is used >> > >> > >> > in physical interface of ovs compute zero length tcp payload packet >> arrives as padded to 64 bytes (and vlan tag is included in ethernet header) >> > same packet does not appear anymore in the tcpdump taken from tap-xyz >> interface (once vlan tag is removed and packet is cut by 4 bytes to 60 >> bytes) >> > >> > >> > Tcpdump on physical port: >> > >> > 00:25:24.468423 fa:16:3e:d7:bb:2c > fa:16:3e:ff:dd:29, ethertype 802.1Q >> (0x8100), length 2674: vlan 3837, p 0, ethertype IPv4, (tos 0x0, ttl 64, id >> 6893, offset 0, flags [DF], proto TCP (6), length 2656) >> > 192.168.10.52.80 > 192.168.10.60.57576: Flags [P.], cksum 0xa013 >> (incorrect -> 0x772d), seq 8961:11577, ack 78, win 210, length 2616: HTTP >> > 00:25:24.468593 fa:16:3e:ff:dd:29 > fa:16:3e:d7:bb:2c, ethertype 802.1Q >> (0x8100), length 60: vlan 3837, p 0, ethertype IPv4, (tos 0x0, ttl 64, id >> 56318, offset 0, flags [DF], proto TCP (6), length 40) >> > 192.168.10.60.57576 > 192.168.10.52.80: Flags [.], cksum 0x1d34 >> (correct), seq 78, ack 11577, win 391, length 0 >> > 00:25:24.475848 fa:16:3e:ff:dd:29 > fa:16:3e:d7:bb:2c, ethertype 802.1Q >> (0x8100), length 60: vlan 3837, p 0, ethertype IPv4, (tos 0x0, ttl 64, id >> 56319, offset 0, flags [DF], proto TCP (6), length 40) >> > 192.168.10.60.57576 > 192.168.10.52.80: Flags [F.], cksum 0x1d33 >> (correct), seq 78, ack 11577, win 391, length 0 >> > 00:25:24.480337 fa:16:3e:d7:bb:2c > fa:16:3e:ff:dd:29, ethertype 802.1Q >> (0x8100), length 2674: vlan 3837, p 0, ethertype IPv4, (tos 0x0, ttl 64, id >> 6894, offset 0, flags [DF], proto TCP (6), length 2656) >> > 192.168.10.52.80 > 192.168.10.60.57576: Flags [P.], cksum 0xa013 >> (incorrect -> 0x772d), seq 8961:11577, ack 78, win 210, length 2616: HTTP >> > >> > Tcpdump on vm tap interface: >> > >> > 00:25:24.468419 fa:16:3e:d7:bb:2c > fa:16:3e:ff:dd:29, ethertype IPv4 >> (0x0800), length 2670: (tos 0x0, ttl 64, id 6893, offset 0, flags [DF], >> proto TCP (6), length 2656) >> > 192.168.10.52.80 > 192.168.10.60.57576: Flags [P.], cksum 0xa013 >> (incorrect -> 0x772d), seq 8961:11577, ack 78, win 210, length 2616: HTTP >> > 00:25:24.480331 fa:16:3e:d7:bb:2c > fa:16:3e:ff:dd:29, ethertype IPv4 >> (0x0800), length 2670: (tos 0x0, ttl 64, id 6894, offset 0, flags [DF], >> proto TCP (6), length 2656) >> > 192.168.10.52.80 > 192.168.10.60.57576: Flags [P.], cksum 0xa013 >> (incorrect -> 0x772d), seq 8961:11577, ack 78, win 210, length 2616: HTTP >> > >> > Very straightforward to see the issue: >> > >> > >> > Configure neutron OVS agent to use native firewall >> > Create a pair of VMs on separate computes on provider vLAN >> > Disable TCP timestamp inside the VMs >> > Exchange TCP traffic between the VMs, e.g. http download. >> > Tcpdump on the physical and vm port, and compare. >> > >> > >> > I wonder why such obvious issue is not widely discussed? >> > >> > Jing >> > >> >> >> >> Maybe it's fixed by: >> >> >> https://github.com/openvswitch/ovs/commit/9171c63532ee9cbc63bb8cfae364ab071f44389b >> <https://nam04.safelinks.protection.outlook.com/?url=https%3A%2F%2Fgithub.com%2Fopenvswitch%2Fovs%2Fcommit%2F9171c63532ee9cbc63bb8cfae364ab071f44389b&data=02%7C01%7Cdball%40vmware.com%7Cd358d5a23b2640ebd28708d6cf6cc524%7Cb39138ca3cee4b4aa4d6cd83d9dd62f0%7C0%7C0%7C636924463524652585&sdata=OLr263fKPdgKA5nga2UlGNF0WtB6srXSIg9a7aHkf44%3D&reserved=0> >> >> >> >>
_______________________________________________ discuss mailing list disc...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-discuss