Hello all,
I see strange behaviour with stateful ACLs when traffic is received from a logical port of type "vtep": the same connection gets two conntrack entries in two different zones (zone 0 and zone 9 in my example). While pinging I dumped the datapath flows and found that the packet is sent through conntrack twice, first without an explicit zone (i.e. the default zone 0) and then in zone 9:

1. actions:ct,recirc(0x516b)
2. actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)

ovs-dpctl dump-flows:

recirc_id(0),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),eth(src=00:00:00:00:00:00/01:00:00:00:00:00),eth_type(0x0800),ipv4(proto=1,frag=no),icmp(type=8/0xf8), packets:0, bytes:0, used:never, actions:ct,recirc(0x516b)
recirc_id(0x516b),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=0a:00:7b:2c:66:00),eth_type(0x0800),ipv4(proto=1,frag=no),icmp(type=8/0xf8), packets:0, bytes:0, used:never, actions:ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085)
recirc_id(0x5085),tunnel(tun_id=0x1,src=192.168.0.13,dst=192.168.0.9,flags(-df-csum+key)),in_port(13),ct_state(+new-est-rel-rpl-inv+trk),ct_label(0/0x1),eth(dst=0a:00:7b:2c:66:00),eth_type(0x0800),ipv4(dst=172.31.0.5,proto=1,frag=no), packets:784, bytes:76832, used:0.078s, actions:ct(commit,zone=9,label=0/0x1),6

Note that the ct and ct(commit,...) actions produced by the ingress pipeline carry no zone= argument at all, so that commit lands in zone 0, which is the kernel's default zone and is not private to this logical port; only the egress side uses the per-port zone 9. The resulting duplicate entries:

[root@dev ~]# grep 172.31.0 /proc/net/nf_conntrack
ipv4 2 icmp 1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=9 use=2
ipv4 2 icmp 1 29 src=172.31.0.3 dst=172.31.0.5 type=8 code=0 id=22627 [UNREPLIED] src=172.31.0.5 dst=172.31.0.3 type=0 code=0 id=22627 mark=0 zone=0 use=2

This VIF belongs to two port_groups with ACLs:

[root@dev ~]# ovn-nbctl acl-list sg_35342377
from-lport 1002 (inport == @sg_35342377 && ip4 && ip4.dst == 0.0.0.0/0) allow-related
to-lport 1002 (outport == @sg_35342377 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 22) allow-related
to-lport 1002 (outport == @sg_35342377 && ip4 && ip4.src == 10.0.0.1/32 && 
icmp4) allow-related to-lport 1002 (outport == @sg_35342377 && ip4 && ip4.src == 192.168.0.4/32 && icmp4) allow-related [root@dev ~]# ovn-nbctl acl-list default_pg from-lport 1002 (inport == @default_pg && ip4 && ip4.dst == 169.254.169.254 && tcp && tcp.dst == 80) allow-related from-lport 1002 (inport == @default_pg && ip4 && udp && udp.src == 68 && udp.dst == 67) allow from-lport 1001 (inport == @default_pg && ip) drop to-lport 1002 (outport == @default_pg && ip4 && udp && udp.src == 67 && udp.dst == 68) allow to-lport 1001 (outport == @default_pg && ip) drop Is this behaviour expected/correct for such configuration? You can find below the traces. Flow: recirc_id=0x53bb,ct_state=new|trk,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0 bridge("br-int") ---------------- thaw Resuming from table 14 14. ct_state=-est+trk,ip,metadata=0x1, priority 1, cookie 0xa498a95b load:0x1->NXM_NX_XXREG0[97] resubmit(,15) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=6 (ls_in_acl), priority=1, match=(ip && (!ct.est || (ct.est && ct_label.blocked == 1))), actions=(reg0[1] = 1; next;) 15. metadata=0x1, priority 0, cookie 0x693e7563 resubmit(,16) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=7 (ls_in_qos_mark), priority=0, match=(1), actions=(next;) 16. metadata=0x1, priority 0, cookie 0x80ca7fc4 resubmit(,17) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=8 (ls_in_qos_meter), priority=0, match=(1), actions=(next;) 17. 
metadata=0x1, priority 0, cookie 0x3b1204f6 resubmit(,18) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=9 (ls_in_lb), priority=0, match=(1), actions=(next;) 18. ip,reg0=0x2/0x2,metadata=0x1, priority 100, cookie 0x8002c806 ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0])) load:0->NXM_NX_CT_LABEL[0] -> Sets the packet to an untracked state, and clears all the conntrack fields. resubmit(,19) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=10 (ls_in_stateful), priority=100, match=(reg0[1] == 1), actions=(ct_commit(ct_label=0/1); next;) 19. reg14=0x6,metadata=0x1, priority 100, cookie 0xc776ec32 resubmit(,20) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=11 (ls_in_arp_rsp), priority=100, match=(inport == "vnet2-br0-eth1-vlan10), actions=(next;) 20. metadata=0x1, priority 0, cookie 0xa54585b2 resubmit(,21) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=12 (ls_in_dhcp_options), priority=0, match=(1), actions=(next;) 21. metadata=0x1, priority 0, cookie 0x84fcc739 resubmit(,22) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=13 (ls_in_dhcp_response), priority=0, match=(1), actions=(next;) 22. metadata=0x1, priority 0, cookie 0x52f7d494 resubmit(,23) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=14 (ls_in_dns_lookup), priority=0, match=(1), actions=(next;) 23. metadata=0x1, priority 0, cookie 0x9b28ff8e resubmit(,24) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=15 (ls_in_dns_response), priority=0, match=(1), actions=(next;) 24. 
metadata=0x1, priority 0, cookie 0x861b6f52 resubmit(,25) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=16 (ls_in_external_port), priority=0, match=(1), actions=(next;) 25. metadata=0x1,dl_dst=0a:00:7b:2c:66:00, priority 50, cookie 0x2b4193f set_field:0x8->reg15 resubmit(,32) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [ingress] * Logical flow: table=17 (ls_in_l2_lkup), priority=50, match=(eth.dst == 0a:00:7b:2c:66:00), actions=(outport = "vnet2-9407C6A0-vif0"; output;) 32. reg10=0x2/0x2, priority 150 resubmit(,33) 33. reg15=0x8,metadata=0x1, priority 100 set_field:0x9->reg13 set_field:0x6->reg11 set_field:0xe->reg12 resubmit(,34) 34. priority 0 set_field:0->reg0 set_field:0->reg1 set_field:0->reg2 set_field:0->reg3 set_field:0->reg4 set_field:0->reg5 set_field:0->reg6 set_field:0->reg7 set_field:0->reg8 set_field:0->reg9 resubmit(,40) 40. metadata=0x1, priority 0, cookie 0x76dab24b resubmit(,41) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=0 (ls_out_pre_lb), priority=0, match=(1), actions=(next;) 41. ip,metadata=0x1, priority 100, cookie 0x41b2b9d8 load:0x1->NXM_NX_XXREG0[96] resubmit(,42) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=1 (ls_out_pre_acl), priority=100, match=(ip), actions=(reg0[0] = 1; next;) 42. ip,reg0=0x1/0x1,metadata=0x1, priority 100, cookie 0xa2599d7c ct(table=43,zone=NXM_NX_REG13[0..15]) drop -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 43. -> Sets the packet to an untracked state, and clears all the conntrack fields. 
* Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=2 (ls_out_pre_stateful), priority=100, match=(reg0[0] == 1), actions=(ct_next;) Final flow: recirc_id=0x53bb,eth,icmp,reg0=0x1,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0 Megaflow: recirc_id=0x53bb,ct_state=+new-est-rel-rpl-inv+trk,ct_label=0/0x1,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_tos=0,tun_flags=-df-csum+key,in_port=85,dl_dst=0a:00:7b:2c:66:00,nw_frag=no,icmp_type=0x8/0xf8 Datapath actions: ct(commit,label=0/0x1),ct(zone=9),recirc(0x5085) =============================================================================== recirc(0x5085) - resume conntrack with default ct_state=trk|new (use --ct-next to customize) =============================================================================== Flow: recirc_id=0x5085,ct_state=new|trk,ct_zone=9,eth,icmp,reg0=0x1,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0 bridge("br-int") ---------------- thaw Resuming from table 43 43. metadata=0x1, priority 0, cookie 0x325bbfe9 resubmit(,44) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=3 (ls_out_lb), priority=0, match=(1), actions=(next;) 44. 
ct_state=+new-est+trk,icmp,reg15=0x8,metadata=0x1, priority 2002, cookie 0x965c0004 load:0x1->NXM_NX_XXREG0[97] resubmit(,45) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=4 (ls_out_acl), priority=2002, match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == @sg_9AB2C278 && ip4 && ip4.src == 0.0.0.0/0 && icmp4)), actions=(reg0[1] = 1; next;) * ACL: to-lport, priority=1002, match=(outport == @sg_9AB2C278 && ip4 && ip4.src == 0.0.0.0/0 && icmp4), allow-related 45. metadata=0x1, priority 0, cookie 0x263a710f resubmit(,46) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=5 (ls_out_qos_mark), priority=0, match=(1), actions=(next;) 46. metadata=0x1, priority 0, cookie 0xea0ef852 resubmit(,47) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=6 (ls_out_qos_meter), priority=0, match=(1), actions=(next;) 47. ip,reg0=0x2/0x2,metadata=0x1, priority 100, cookie 0x27a0a760 ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0])) load:0->NXM_NX_CT_LABEL[0] -> Sets the packet to an untracked state, and clears all the conntrack fields. resubmit(,48) * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=7 (ls_out_stateful), priority=100, match=(reg0[1] == 1), actions=(ct_commit(ct_label=0/1); next;) 48. 
ip,reg15=0x8,metadata=0x1,dl_dst=0a:00:7b:2c:66:00, priority 80, cookie 0xbf0b3744 drop * Logical datapath: "vnet2" (65f76f8f-bb77-468a-b00f-09ee95f0785a) [egress] * Logical flow: table=8 (ls_out_port_sec_ip), priority=80, match=(outport == "vnet2-9407C6A0-vif0" && eth.dst == 0a:00:7b:2c:66:00 && ip), actions=(drop;) Final flow: recirc_id=0x5085,eth,icmp,reg0=0x3,reg10=0x2,reg11=0x6,reg12=0xe,reg13=0x9,reg14=0x6,reg15=0x8,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_ipv6_src=::,tun_ipv6_dst=::,tun_gbp_id=0,tun_gbp_flags=0,tun_tos=0,tun_ttl=64,tun_erspan_ver=0,tun_flags=key,metadata=0x1,in_port=85,vlan_tci=0x0000,dl_src=00:00:00:00:00:00,dl_dst=0a:00:7b:2c:66:00,nw_src=0.0.0.0,nw_dst=0.0.0.0,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=8,icmp_code=0 Megaflow: recirc_id=0x5085,ct_state=+new-est-rel-rpl-inv+trk,ct_label=0/0x1,eth,icmp,tun_id=0x1,tun_src=192.168.0.13,tun_dst=192.168.0.9,tun_tos=0,tun_flags=-df-csum+key,in_port=85,dl_dst=0a:00:7b:2c:66:00,nw_dst=0.0.0.0/1,nw_frag=no Datapath actions: ct(commit,zone=9,label=0/0x1) Regards, Vladislav Odintsov