Public bug reported:

* Explain the bug(s)

Misses on multi-chain tc egress rules that are offloaded from OvS datapath
rules (ct rules on OvS internal port devices) restart from recirc_id(0) in
the OvS datapath, instead of from the recirc_id that matches where we left
off in tc (the OvS recirc_id should be equal to the tc chain).

* Brief explanation of fixes

Set the tc skb extension that stores the last executed tc chain, which OvS
reads on misses to set the starting recirc_id from.

* How to test

  Set up OvS with OvS offload enabled, and add an IP to the internal port.
  Example with a veth device:

    function config_veth() {
      local ns=$1
      local ip=$2
      local peer=${ns}_peer
      local veth=${ns}_veth

      echo "Create namespace $ns, veths: hv $veth <-> ns $peer ($ip)"
      ip netns add "$ns"
      ip link del "$veth" &>/dev/null
      ip link add "$veth" type veth peer name "$peer"
      ip link set "$veth" up
      ip link set "$peer" netns "$ns"
      ip netns exec "$ns" ifconfig "$peer" "$ip/24" mtu 1400 up
    }

    IP1="7.7.7.1"
    IP2="7.7.7.2"
    config_veth ns0 $IP1
    # Create the bridge first so its internal port exists before it gets an IP
    ovs-vsctl add-br ovs-br
    ifconfig ovs-br $IP2
    ovs-vsctl add-port ovs-br ns0_veth
    # ns1_veth is not created by the commands above
    ovs-vsctl add-port ovs-br ns1_veth

  Add OpenFlow rules and check whether packets arriving at table=0 (the
  default table, which corresponds to recirc_id(0)) have a ct mark that was
  only set if a later table was executed. Add an unsupported offload action
  (in this case group), so we will have a miss from the offloaded tc rules
  to the OvS datapath:

    ovs-ofctl del-flows ovs-br

    ovs-ofctl -O OpenFlow12 add-group ovs-br 'group_id=2,type=select,bucket=ct(commit,zone=1,table=2)'

    ovs-ofctl add-flow ovs-br "table=0, arp, action=normal"

    # ct_state= is the ovs-ofctl match field for the +trk/-trk flags
    ovs-ofctl add-flow ovs-br "table=0, ip, ct_state=+trk, actions=drop"               # bad flow
    ovs-ofctl add-flow ovs-br "table=0, ip, ct_state=-trk, actions=ct(commit,table=1)" # good flow

    ovs-ofctl add-flow ovs-br "table=1, in_port=1, actions=group:2"

    ovs-ofctl add-flow ovs-br "table=2, ip, actions=normal"

  Run UDP/TCP traffic from default ns 7.7.7.1 to ns1 7.7.7.2 and check
  ovs-appctl dpctl/dump-flows.

  If the bug occurs there should be a drop rule, because we got to
  recirc_id(0) after missing in tc, and tc already did the -trk
  ct(commit...) rule, so the packet should be tracked (+trk) when missed
  to OvS.

* What it could break.
   Running the wrong datapath rules in OvS datapath.

** Affects: linux-bluefield (Ubuntu)
     Importance: Undecided
         Status: New


Title:
   store the last executed chain also for clsact egress

Status in linux-bluefield package in Ubuntu:
  New
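
The check from the test steps in the bug description, as an added example that is not part of the original report: it scans `ovs-appctl dpctl/dump-flows` output for flows that sit at recirc_id(0), are already tracked (+trk) and end in drop. The function names and the sample flows are constructed, and the flow text is assumed to follow the usual dpctl/dump-flows layout.

```shell
# Added example: flag datapath flows showing the symptom from this report.
# Input on stdin: text in the layout of `ovs-appctl dpctl/dump-flows`.
find_restart_drops() {
    awk '
        # Only look at flows in the first datapath pass.
        !/(^|[ ,])recirc_id\(0\)/ { next }
        {
            # Pull the flag string out of ct_state(...), e.g. "+new+trk".
            state = ""
            if (match($0, /ct_state\([^)]*\)/))
                state = substr($0, RSTART + 9, RLENGTH - 10)
            # Keep only the action list that follows "actions:".
            act = $0
            sub(/.*actions:/, "", act)
            gsub(/[ \t\r]/, "", act)
            # Tracked packet, restarted at recirc_id(0), then dropped.
            if (index(state, "+trk") > 0 && act == "drop") print
        }
    '
}

# Number of suspicious flows in the dump read from stdin.
count_restart_drops() {
    find_restart_drops | awk 'END { print NR }'
}

# Constructed sample dump (not captured from a real system).
sample_dump() {
    cat <<'EOF'
recirc_id(0),in_port(2),ct_state(-trk),eth(),eth_type(0x0800),ipv4(frag=no), packets:12, bytes:1176, used:0.420s, actions:ct(commit),recirc(0x1)
recirc_id(0x1),in_port(2),ct_state(+trk),eth(),eth_type(0x0800),ipv4(frag=no), packets:12, bytes:1176, used:0.420s, actions:ct(commit,zone=1),recirc(0x2)
recirc_id(0),in_port(2),ct_state(+new+trk),eth(),eth_type(0x0800),ipv4(frag=no), packets:3, bytes:294, used:1.100s, actions:drop
recirc_id(0),in_port(3),eth(),eth_type(0x0806), packets:2, bytes:84, used:2.000s, actions:1
EOF
}

# Demo on the constructed sample; on a test host run instead:
#   ovs-appctl dpctl/dump-flows | find_restart_drops
sample_dump | find_restart_drops
```

Any line it prints is a packet that tc had already sent through ct and that the OvS datapath then matched again from table 0.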
