Hi,
In OpenvSwitch version 2.5.x, including latest 2.5.3, I have seen some issues
processing traffic in tunnel ports. I can successfully create a VXLAN or GRE
tunnel between 2 OVS instances and traffic flows correctly. However, when I use
iptables to set a mark on either VXLAN or GRE matching packets, the tunnel
receiving the traffic does not decapsulate anything. If I remove the
iptables rule, it works fine again.
I have tested later versions of 2.7.x and it works as expected; there is no
such problem there.
Output of "ovs-vsctl show":
f0d81ccd-5b79-4832-ab18-0f874200dda8
    Bridge "br1"
        Port "br1"
            Interface "br1"
                type: internal
        Port "test1s"
            Interface "test1s"
        Port "tun1"
            Interface "tun1"
                type: vxlan
                options: {key=flow, local_ip="127.0.0.2", remote_ip="127.0.0.1"}
    Bridge "br0"
        Port "br0"
            Interface "br0"
                type: internal
        Port "tun0"
            Interface "tun0"
                type: vxlan
                options: {key=flow, local_ip="127.0.0.1", remote_ip="127.0.0.2"}
        Port "test0s"
            Interface "test0s"
    ovs_version: "2.5.0"
Here are the steps to reproduce:
# Create supporting virtual network setup
sudo ip netns add ns0
sudo ip netns add ns1
sudo ip link add test0 type veth peer name test0s
sudo ip link add test1 type veth peer name test1s
sudo ip link set dev test0s up
sudo ip link set dev test1s up
sudo ip link set dev test0 netns ns0
sudo ip link set dev test1 netns ns1
sudo ip netns exec ns0 ip link set dev lo up
sudo ip netns exec ns0 ip link set dev test0 up
sudo ip netns exec ns0 ip address add dev test0 1.1.1.1/24
sudo ip netns exec ns1 ip link set dev lo up
sudo ip netns exec ns1 ip link set dev test1 up
sudo ip netns exec ns1 ip address add dev test1 1.1.1.2/24
# Create OVS bridges
sudo ovs-vsctl add-br br0
sudo ovs-vsctl add-br br1
sudo ovs-vsctl add-port br0 test0s
sudo ovs-vsctl add-port br1 test1s
# Create 2 OVS tunnel ports, and assign OpenFlow port 100
sudo ovs-vsctl add-port br0 tun0 -- set interface tun0 ofport_request=100 -- \
    set interface tun0 type=vxlan options:key=flow options:remote_ip=127.0.0.2 \
    options:local_ip=127.0.0.1
sudo ovs-vsctl add-port br1 tun1 -- set interface tun1 ofport_request=100 -- \
    set interface tun1 type=vxlan options:key=flow options:remote_ip=127.0.0.1 \
    options:local_ip=127.0.0.2
# Initiate ping between network namespaces
sudo ip netns exec ns0 ping 1.1.1.2
# Add iptables marking rule -> ping stops working
sudo iptables -t mangle -A INPUT -d 127.0.0.2 -p udp --dport 4789 -j MARK \
    --set-mark 0xabcdef
# Remove iptables marking rule -> ping starts working
sudo iptables -t mangle -D INPUT -d 127.0.0.2 -p udp --dport 4789 -j MARK \
    --set-mark 0xabcdef
Thank you so much!
Jesus Llorente
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
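The following POSIX shell script is an added example and is not part of the report above or of the Open vSwitch project. It wraps the reproduction steps into a three-phase check (baseline, with the mark rule installed, after the rule is removed) so the regression can be confirmed mechanically and the setup torn down afterwards. It assumes it is run as root, that iproute2, iptables and Open vSwitch are installed, and it reuses the namespace, veth, bridge and tunnel names from the report; the ping-loss parser and the verdict mapping are the only parts that run without that environment.

```sh
#!/bin/sh
# Added example (not part of the original report): automates the reproduction
# steps as a before/after/after-removal check with cleanup.
# Assumptions: run as root; iproute2, iptables and Open vSwitch installed;
# the names from the report (ns0/ns1, test0/test1, br0/br1, tun0/tun1).
set -u

# Match part of the report's mangle rule (VXLAN UDP/4789 towards local_ip).
MARK_MATCH="-d 127.0.0.2 -p udp --dport 4789 -j MARK --set-mark 0xabcdef"

# ping_loss OUTPUT: print the loss percentage from ping's summary line, e.g.
# "3 packets transmitted, 0 received, 100% packet loss, time 2045ms" -> 100.
# Prints nothing when no summary line is present (ping failed to run).
ping_loss() {
    printf '%s\n' "$1" | sed -n 's/.*, \([0-9][0-9]*\)% packet loss.*/\1/p'
}

# tunnel_works: 0 when a short ping from ns0 to ns1 across the tunnel shows no loss.
tunnel_works() {
    out=$(ip netns exec ns0 ping -c 3 -W 1 1.1.1.2 2>&1)
    [ "$(ping_loss "$out")" = "0" ]
}

# phase LABEL: run one tunnel check, print the outcome, return its status.
phase() {
    if tunnel_works; then echo "$1: tunnel forwards traffic"; return 0; fi
    echo "$1: tunnel does NOT forward traffic"; return 1
}

# verdict BASE MARKED AFTER: map the three phase statuses (0 = works) to a
# result. "0 1 0" is the 2.5.x symptom described in the report.
verdict() {
    case "$1$2$3" in
        000) echo "no-regression";      return 0 ;;
        010) echo "mark-breaks-tunnel"; return 1 ;;
        *)   echo "inconclusive";       return 2 ;;
    esac
}

# setup: the report's topology (two namespaces joined by two OVS bridges over VXLAN).
setup() {
    ip netns add ns0; ip netns add ns1
    ip link add test0 type veth peer name test0s
    ip link add test1 type veth peer name test1s
    ip link set dev test0s up; ip link set dev test1s up
    ip link set dev test0 netns ns0; ip link set dev test1 netns ns1
    ip netns exec ns0 ip link set dev lo up
    ip netns exec ns0 ip link set dev test0 up
    ip netns exec ns0 ip address add dev test0 1.1.1.1/24
    ip netns exec ns1 ip link set dev lo up
    ip netns exec ns1 ip link set dev test1 up
    ip netns exec ns1 ip address add dev test1 1.1.1.2/24
    ovs-vsctl add-br br0; ovs-vsctl add-br br1
    ovs-vsctl add-port br0 test0s; ovs-vsctl add-port br1 test1s
    ovs-vsctl add-port br0 tun0 -- set interface tun0 ofport_request=100 -- \
        set interface tun0 type=vxlan options:key=flow \
        options:remote_ip=127.0.0.2 options:local_ip=127.0.0.1
    ovs-vsctl add-port br1 tun1 -- set interface tun1 ofport_request=100 -- \
        set interface tun1 type=vxlan options:key=flow \
        options:remote_ip=127.0.0.1 options:local_ip=127.0.0.2
}

# teardown: remove the rule (if still present), bridges, veths and namespaces.
teardown() {
    iptables -t mangle -D INPUT $MARK_MATCH 2>/dev/null
    ovs-vsctl --if-exists del-br br0; ovs-vsctl --if-exists del-br br1
    ip link del test0s 2>/dev/null; ip link del test1s 2>/dev/null
    ip netns del ns0 2>/dev/null; ip netns del ns1 2>/dev/null
}

# check_mark_rule: baseline, then with the mark rule, then after removing it.
check_mark_rule() {
    phase "baseline"; base=$?
    iptables -t mangle -A INPUT $MARK_MATCH
    phase "mark rule installed"; marked=$?
    iptables -t mangle -D INPUT $MARK_MATCH
    phase "mark rule removed"; after=$?
    verdict "$base" "$marked" "$after"
}

# Only touch the system when explicitly asked: "sudo sh check-tunnel-mark.sh run"
if [ "${1:-}" = "run" ]; then
    trap teardown EXIT
    setup
    check_mark_rule
fi
```

Run with the single argument "run" on a disposable host; the script exits 1 when decapsulation fails only while the mark rule is present (the symptom from the report), 0 when all three phases pass, and 2 when the tunnel does not work even without the rule, which points at the setup rather than the mark handling.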