On Thu, Jun 1, 2017 at 10:09 PM, <[email protected]> wrote:
> There are two compute nodes, each with one VM, and the two VMs are in
> different VLAN networks. The ping between the VMs does not succeed.
>
> The reason is that the ACL of the to-localnet port or from-localnet port is
> assigned to conntrack, so the pair of ICMP request and reply have different
> zone IDs on one OVS node. This makes the ct state incorrect.
>
> This patch makes the modification that localnet ports do not use ct.
>
> Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507
> Signed-off-by: wangqianyu <[email protected]>
> ---
> ovn/northd/ovn-northd.8.xml | 4 +++-
> ovn/northd/ovn-northd.c | 24 +++++++++++++++++++++++-
> 2 files changed, 26 insertions(+), 2 deletions(-)
>
Can you help clarify the scenario here used to reproduce the problem?
Is it just:

  Logical Switch A
    VM 1
    localnet port - VLAN 100

  Logical Switch B
    VM 2
    localnet port - VLAN 200

and pinging between VM 1 and VM 2 through a router that is external to OVN?
> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> index c0b4c5e..05f0470 100644
> --- a/ovn/northd/ovn-northd.8.xml
> +++ b/ovn/northd/ovn-northd.8.xml
> @@ -220,7 +220,9 @@
> logical datapath, a priority-100 flow is added that sets a hint
> (with <code>reg0[0] = 1; next;</code>) for table
> <code>Pre-stateful</code> to send IP packets to the connection
> tracker
> - before eventually advancing to ingress table <code>ACLs</code>.
> + before eventually advancing to ingress table <code>ACLs</code>. If
> some
> + special ports such as route ports or localnet ports can't use ct(),
> a
> + priority-110 flow is added to skip over stateful ACLs.
> </p>
>
> <h3>Ingress Table 4: Pre-LB</h3>
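Review bot: the added sentence says "route ports or localnet ports", but the code in this patch only adds the priority-110 skip for the localnet port; either use the term "router ports" that this file already uses and say which case each flow covers, or limit the sentence to localnet ports. "can't use ct()" should also give the reason (the commit message says request and reply land in different conntrack zones on one node), so man-page readers know exactly which traffic is excluded from stateful ACLs.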
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 83db753..eea12e8 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -1,4 +1,4 @@
> -/*
> +/*
> * Licensed under the Apache License, Version 2.0 (the "License");
> * you may not use this file except in compliance with the License.
> * You may obtain a copy of the License at:
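Review bot: this hunk changes only the opening `/*` of the license header with no visible content difference (a whitespace or line-ending change), which is unrelated to the fix and should be dropped from the patch. The `2.7.2.windows.1` git version in the trailer suggests the file may have picked up a stray BOM or CRLF from a Windows checkout; worth checking before resending.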
> @@ -416,6 +416,7 @@ struct ovn_datapath {
> /* The "derived" OVN port representing the instance of l3dgw_port on
> * the "redirect-chassis". */
> struct ovn_port *l3redirect_port;
> + struct ovn_port *localnet_port;
> };
>
> struct macam_node {
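Review bot: the new `localnet_port` member lacks the descriptive comment that the neighbouring `l3redirect_port` field has; add one stating that it is the logical switch's localnet port (or NULL when there is none) and which datapath types set it. Because it is a single pointer, a switch with more than one localnet port can only record one of them, and that assumption belongs in the comment too.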
> @@ -1351,6 +1352,10 @@ join_logical_ports(struct northd_context *ctx,
> ovs_list_push_back(nb_only, &op->list);
> }
>
> + if (!strcmp(nbsp->type, "localnet")) {
> + od->localnet_port = op;
> + }
> +
> op->lsp_addrs
> = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
> for (size_t j = 0; j < nbsp->n_addresses; j++) {
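Review bot: `od->localnet_port = op;` silently overwrites any localnet port already recorded for the same logical switch, so if a switch has two localnet ports only the last one joined gets the pre-ACL skip. Either log a VLOG_WARN when a second localnet port is seen or keep a list; at minimum document that one localnet port per switch is assumed. A one-line comment saying why northd needs to remember this port (to skip conntrack for it in build_pre_acls) would also help the next reader.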
> @@ -2629,6 +2634,23 @@ build_pre_acls(struct ovn_datapath *od, struct hmap
> *lflows)
> ds_destroy(&match_in);
> ds_destroy(&match_out);
> }
> + if (od->localnet_port) {
> + struct ds match_in = DS_EMPTY_INITIALIZER;
> + struct ds match_out = DS_EMPTY_INITIALIZER;
> +
> + ds_put_format(&match_in, "ip && inport == %s",
> + od->localnet_port->json_key);
> + ds_put_format(&match_out, "ip && outport == %s",
> + od->localnet_port->json_key);
> + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
> + ds_cstr(&match_in), "next;");
> + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
> + ds_cstr(&match_out), "next;");
> +
> + ds_destroy(&match_in);
> + ds_destroy(&match_out);
> + }
> +
> /* Ingress and Egress Pre-ACL Table (Priority 110).
> *
> * Not to do conntrack on ND packets. */
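Review bot: the two new flows send all IP traffic entering from or leaving to the localnet port to `next;` at priority 110, above the priority-100 `reg0[0] = 1` hint, so that traffic reaches the ACL stage with no conntrack state. The documentation hunk calls this "skip over stateful ACLs", and the commit message should state the consequence plainly: stateful (allow-related) ACLs no longer take effect for traffic crossing the localnet port, since they depend on ct state that is never established. Style-wise the block needs a blank line after the preceding `}` and a comment in the form of the one that follows it ("/* Ingress and Egress Pre-ACL Table (Priority 110). ... */") giving the asymmetric-zone reason, and the flows are added whenever a localnet port exists even when the datapath has no stateful ACLs at all, so guard them the same way the priority-100 hint flows are guarded. Please also add a test for the two-VLAN scenario from the commit message so the behaviour is covered.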
> --
> 2.7.2.windows.1
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
--
Russell Bryant