There are various costs (e.g., not being able to perform hardware offload in some cases) when using check_pkt_larger() so the CMS can now limit the impact by bypassing the packet length checks for specific types of traffic (e.g., TCP).
Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2011779 Signed-off-by: Dumitru Ceara <[email protected]> --- v2: Rebase. v3: Rebase. --- NEWS | 1 + northd/northd.c | 105 ++++++++++++++++++++++------------------ northd/ovn-northd.8.xml | 14 ++++++ ovn-nb.xml | 12 +++++ tests/ovn-northd.at | 72 ++++++++++++++++++++++++--- 5 files changed, 152 insertions(+), 52 deletions(-) diff --git a/NEWS b/NEWS index e27aaad06..4ac0b37e2 100644 --- a/NEWS +++ b/NEWS @@ -12,6 +12,7 @@ Post v21.09.0 running on SmartNIC control plane CPUs. Please refer to Documentation/topics/vif-plug-providers/vif-plug-providers.rst for more information. + - Added Logical_Router_Port "gateway_mtu_bypass" option. OVN v21.09.0 - 01 Oct 2021 -------------------------- diff --git a/northd/northd.c b/northd/northd.c index c57026081..e3694beed 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -10488,8 +10488,47 @@ build_adm_ctrl_flows_for_lrouter( } } -static int -build_check_pkt_len_action_string(struct ovn_port *op, struct ds *actions); +/* All 'gateway_mtu' and 'gateway_mtu_bypass' flows should be built with this + * function. + */ +static void OVS_PRINTF_FORMAT(9, 10) +build_gateway_mtu_flow(struct hmap *lflows, struct ovn_port *op, + enum ovn_stage stage, uint16_t prio_low, + uint16_t prio_high, struct ds *match, + struct ds *actions, const struct ovsdb_idl_row *hint, + const char *extra_actions_fmt, ...) +{ + int gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0); + + va_list extra_actions_args; + va_start(extra_actions_args, extra_actions_fmt); + + ds_clear(actions); + if (gw_mtu > 0) { + ds_put_format(actions, REGBIT_PKT_LARGER" = check_pkt_larger(%d); ", + gw_mtu + VLAN_ETH_HEADER_LEN); + } + + ds_put_format_valist(actions, extra_actions_fmt, extra_actions_args); + ovn_lflow_add_with_hint(lflows, op->od, stage, prio_low, + ds_cstr(match), ds_cstr(actions), + hint); + + if (gw_mtu > 0) { + const char *gw_mtu_bypass = smap_get(&op->nbrp->options, + "gateway_mtu_bypass"); + if (gw_mtu_bypass) { + ds_clear(actions); + ds_put_format_valist(actions, extra_actions_fmt, + extra_actions_args); + ds_put_format(match, " && (%s)", gw_mtu_bypass); + ovn_lflow_add_with_hint(lflows, op->od, stage, prio_high, + ds_cstr(match), ds_cstr(actions), + hint); + } + } + va_end(extra_actions_args); +} /* Logical router ingress Table 0: L2 Admission Control * This table drops packets that the router shouldn’t see at all based @@ -10517,17 +10556,12 @@ build_adm_ctrl_flows_for_lrouter_port( * This will save us from having to match on inport further down in * the pipeline. */ - ds_clear(actions); - - build_check_pkt_len_action_string(op, actions); - ds_put_format(actions, REG_INPORT_ETH_ADDR " = %s; next;", - op->lrp_networks.ea_s); - ds_clear(match); ds_put_format(match, "eth.mcast && inport == %s", op->json_key); - ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_ADMISSION, 50, - ds_cstr(match), ds_cstr(actions), - &op->nbrp->header_); + build_gateway_mtu_flow(lflows, op, S_ROUTER_IN_ADMISSION, 50, 55, + match, actions, &op->nbrp->header_, + REG_INPORT_ETH_ADDR " = %s; next;", + op->lrp_networks.ea_s); ds_clear(match); ds_put_format(match, "eth.dst == %s && inport == %s", @@ -10538,9 +10572,10 @@ build_adm_ctrl_flows_for_lrouter_port( ds_put_format(match, " && is_chassis_resident(%s)", op->cr_port->json_key); } - ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_ADMISSION, 50, - ds_cstr(match), ds_cstr(actions), - &op->nbrp->header_); + build_gateway_mtu_flow(lflows, op, S_ROUTER_IN_ADMISSION, 50, 55, + match, actions, &op->nbrp->header_, + REG_INPORT_ETH_ADDR " = %s; next;", + op->lrp_networks.ea_s); } } @@ -11568,20 +11603,6 @@ build_icmperr_pkt_big_flows(struct ovn_port *op, int mtu, struct hmap *lflows, free(outport_match); } -static int -build_check_pkt_len_action_string(struct ovn_port *op, struct ds *actions) -{ - int gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0); - - if (gw_mtu > 0) { - /* Add the flows only if gateway_mtu is configured. */ - ds_put_format(actions, - REGBIT_PKT_LARGER" = check_pkt_larger(%d); ", - gw_mtu + VLAN_ETH_HEADER_LEN); - } - return gw_mtu; -} - static void build_check_pkt_len_flows_for_lrp(struct ovn_port *op, struct hmap *lflows, @@ -11590,20 +11611,15 @@ build_check_pkt_len_flows_for_lrp(struct ovn_port *op, struct ds *match, struct ds *actions) { - ds_clear(actions); - int gw_mtu = build_check_pkt_len_action_string(op, actions); + int gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0); if (gw_mtu <= 0) { return; } - ds_put_format(actions, "next;"); - ds_clear(match); ds_put_format(match, "outport == %s", op->json_key); - - ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_IN_CHK_PKT_LEN, 50, - ds_cstr(match), ds_cstr(actions), - &op->nbrp->header_); + build_gateway_mtu_flow(lflows, op, S_ROUTER_IN_CHK_PKT_LEN, 50, 55, + match, actions, &op->nbrp->header_, "next;"); /* ingress traffic */ build_icmperr_pkt_big_flows(op, gw_mtu, lflows, meter_groups, @@ -12877,13 +12893,8 @@ build_lrouter_ingress_flow(struct hmap *lflows, struct ovn_datapath *od, * This will save us from having to match on inport further * down in the pipeline. */ - ds_clear(actions); - - int gw_mtu = build_check_pkt_len_action_string(od->l3dgw_ports[0], - actions); - ds_put_format(actions, REG_INPORT_ETH_ADDR " = %s; next;", - od->l3dgw_ports[0]->lrp_networks.ea_s); - + int gw_mtu = smap_get_int(&od->l3dgw_ports[0]->nbrp->options, + "gateway_mtu", 0); ds_clear(match); ds_put_format(match, "eth.dst == "ETH_ADDR_FMT" && inport == %s" @@ -12891,9 +12902,11 @@ build_lrouter_ingress_flow(struct hmap *lflows, struct ovn_datapath *od, ETH_ADDR_ARGS(mac), od->l3dgw_ports[0]->json_key, nat->logical_port); - ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_ADMISSION, 50, - ds_cstr(match), ds_cstr(actions), - &nat->header_); + build_gateway_mtu_flow(lflows, od->l3dgw_ports[0], + S_ROUTER_IN_ADMISSION, 50, 55, + match, actions, &nat->header_, + REG_INPORT_ETH_ADDR " = %s; next;", + od->l3dgw_ports[0]->lrp_networks.ea_s); if (gw_mtu) { build_lrouter_ingress_nat_check_pkt_len(lflows, nat, od, is_v6, match, actions, gw_mtu, diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 0adeaa59d..5d06ac6a7 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -1987,6 +1987,13 @@ output; <code>check_pkt_larger</code> in order to mark the packet setting <code>REGBIT_PKT_LARGER</code> if the size is greater than the MTU. + + If the port is also configured with + <code>options:gateway_mtu_bypass</code> then another flow is + added, with priority-55, to bypass the <code>check_pkt_larger</code> + flow. This is useful for traffic that normally doesn't need to be + fragmented and for which check_pkt_larger, which might not be + offloadable, is not really needed. One such example is TCP traffic. </p> </li> @@ -3927,6 +3934,13 @@ REGBIT_PKT_LARGER = check_pkt_larger(<var>L</var>); next; <ref table="Logical_Router_Port" db="OVN_Northbound"/> row. </p> + <p> + If the port is also configured with + <code>options:gateway_mtu_bypass</code> then another flow is + added, with priority-55, to bypass the <code>check_pkt_larger</code> + flow. + </p> + <p> This table adds one priority-0 fallback flow that matches all packets and advances to the next table. diff --git a/ovn-nb.xml b/ovn-nb.xml index 38fc28280..6a6972856 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -2841,6 +2841,18 @@ This allows for Path MTU Discovery. </p> </column> + + <column name="options" key="gateway_mtu_bypass"> + <p> + When configured, represents a match expression, in the same + expression language used for the <ref column="match" + table="Logical_Flow" db="OVN_Southbound"/> column in the OVN + Southbound database's <ref table="Logical_Flow" db="OVN_Southbound"/> + table. Packets matching this expression will bypass the length + check configured through the + <ref column="options" key="gateway_mtu"/> option. + </p> + </column> </group> <group title="Attachment"> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 670efd496..f03d14082 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -5348,7 +5348,7 @@ check ovn-nbctl lsp-set-options public-lr0 router-port=lr0-public check ovn-nbctl --wait=sb lrp-set-gateway-chassis lr0-public ch1 ovn-sbctl dump-flows lr0 > lr0flows -AT_CAPTURE_FILE([sw0flows]) +AT_CAPTURE_FILE([lr0flows]) AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=../table=??/' | sort], [0], [dnl table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) @@ -5358,7 +5358,7 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=. check ovn-nbctl --wait=sb set logical_router_port lr0-public options:gateway_mtu=1500 ovn-sbctl dump-flows lr0 > lr0flows -AT_CAPTURE_FILE([sw0flows]) +AT_CAPTURE_FILE([lr0flows]) AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=../table=??/' | sort], [0], [dnl table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) @@ -5389,7 +5389,7 @@ check ovn-nbctl --wait=sb clear logical_router_port lr0-public gateway_chassis check ovn-nbctl --wait=sb set logical_router lr0 options:chassis=ch1 ovn-sbctl dump-flows lr0 > lr0flows -AT_CAPTURE_FILE([sw0flows]) +AT_CAPTURE_FILE([lr0flows]) AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=../table=??/' | sort], [0], [dnl table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) @@ -5413,16 +5413,41 @@ AT_CHECK([grep -E "lr_in_ip_input.*icmp6_error" lr0flows | sort], [0], [dnl table=3 (lr_in_ip_input ), priority=150 , match=(inport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };) ]) +# Set gateway_mtu_bypass to avoid check_pkt_larger() for tcp on lr0-public. +check ovn-nbctl --wait=sb set logical_router_port lr0-public options:gateway_mtu_bypass=tcp + +ovn-sbctl dump-flows lr0 > lr0flows +AT_CAPTURE_FILE([lr0flows]) + +AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) + table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); next;) + table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-public" && (tcp)), action=(next;) + table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };) +]) + +AT_CHECK([grep "lr_in_admission" lr0flows | grep -e "check_pkt_larger" -e "tcp" | sort], [0], [dnl + table=0 (lr_in_admission ), priority=50 , match=(eth.dst == 00:00:20:20:12:13 && inport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); xreg0[[0..47]] = 00:00:20:20:12:13; next;) + table=0 (lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); xreg0[[0..47]] = 00:00:20:20:12:13; next;) + table=0 (lr_in_admission ), priority=55 , match=(eth.dst == 00:00:20:20:12:13 && inport == "lr0-public" && (tcp)), action=(xreg0[[0..47]] = 00:00:20:20:12:13; next;) + table=0 (lr_in_admission ), priority=55 , match=(eth.mcast && inport == "lr0-public" && (tcp)), action=(xreg0[[0..47]] = 00:00:20:20:12:13; next;) +]) + # Set gateway_mtu option on lr0-sw0 check ovn-nbctl --wait=sb set logical_router_port lr0-sw0 options:gateway_mtu=1400 ovn-sbctl dump-flows lr0 > lr0flows -AT_CAPTURE_FILE([sw0flows]) +AT_CAPTURE_FILE([lr0flows]) AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=../table=??/' | sort], [0], [dnl table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); next;) table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1418); next;) + table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-public" && (tcp)), action=(next;) table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };) table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };) @@ -5434,7 +5459,7 @@ AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=. table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };) ]) -AT_CHECK([grep -E "lr_in_admission.*check_pkt_larger" lr0flows | sort], [0], [dnl +AT_CHECK([grep "lr_in_admission.*check_pkt_larger" lr0flows | sort], [0], [dnl table=0 (lr_in_admission ), priority=50 , match=(eth.dst == 00:00:00:00:ff:01 && inport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1418); xreg0[[0..47]] = 00:00:00:00:ff:01; next;) table=0 (lr_in_admission ), priority=50 , match=(eth.dst == 00:00:20:20:12:13 && inport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); xreg0[[0..47]] = 00:00:20:20:12:13; next;) table=0 (lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); xreg0[[0..47]] = 00:00:20:20:12:13; next;) @@ -5450,14 +5475,49 @@ AT_CHECK([grep -E "lr_in_ip_input.*icmp6_error" lr0flows | sort], [0], [dnl table=3 (lr_in_ip_input ), priority=150 , match=(inport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };) ]) +# Set gateway_mtu_bypass to avoid check_pkt_larger() for tcp on lr0-sw0. +check ovn-nbctl --wait=sb set logical_router_port lr0-sw0 options:gateway_mtu_bypass=tcp + +ovn-sbctl dump-flows lr0 > lr0flows +AT_CAPTURE_FILE([lr0flows]) + +AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) + table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); next;) + table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1418); next;) + table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-public" && (tcp)), action=(next;) + table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-sw0" && (tcp)), action=(next;) + table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };) + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };) +]) + +AT_CHECK([grep "lr_in_admission" lr0flows | grep -e "check_pkt_larger" -e "tcp" | sort], [0], [dnl + table=0 (lr_in_admission ), priority=50 , match=(eth.dst == 00:00:00:00:ff:01 && inport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1418); xreg0[[0..47]] = 00:00:00:00:ff:01; next;) + table=0 (lr_in_admission ), priority=50 , match=(eth.dst == 00:00:20:20:12:13 && inport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); xreg0[[0..47]] = 00:00:20:20:12:13; next;) + table=0 (lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); xreg0[[0..47]] = 00:00:20:20:12:13; next;) + table=0 (lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1418); xreg0[[0..47]] = 00:00:00:00:ff:01; next;) + table=0 (lr_in_admission ), priority=55 , match=(eth.dst == 00:00:00:00:ff:01 && inport == "lr0-sw0" && (tcp)), action=(xreg0[[0..47]] = 00:00:00:00:ff:01; next;) + table=0 (lr_in_admission ), priority=55 , match=(eth.dst == 00:00:20:20:12:13 && inport == "lr0-public" && (tcp)), action=(xreg0[[0..47]] = 00:00:20:20:12:13; next;) + table=0 (lr_in_admission ), priority=55 , match=(eth.mcast && inport == "lr0-public" && (tcp)), action=(xreg0[[0..47]] = 00:00:20:20:12:13; next;) + table=0 (lr_in_admission ), priority=55 , match=(eth.mcast && inport == "lr0-sw0" && (tcp)), action=(xreg0[[0..47]] = 00:00:00:00:ff:01; next;) +]) + # Clear gateway_mtu option on lr0-public check ovn-nbctl --wait=sb clear logical_router_port lr0-public options ovn-sbctl dump-flows lr0 > lr0flows -AT_CAPTURE_FILE([sw0flows]) +AT_CAPTURE_FILE([lr0flows]) AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed 's/table=../table=??/' | sort], [0], [dnl table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;) table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport == "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1418); next;) + table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-sw0" && (tcp)), action=(next;) table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;) table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0), action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };) table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };) -- 2.27.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
