Hi,
this issue has been found and resolved by two independent patches:
http://patchwork.ozlabs.org/project/openvswitch/patch/20190726121839.92497-1-wang...@139.com/
http://patchwork.ozlabs.org/project/openvswitch/patch/20201009121503.43893-1-hepeng.0...@bytedance.com/
but I recently found my patch is still not fixing all the cases.
would like to have a discussion about this.
lic121 <lic...@chinatelecom.cn> 于2022年5月3日周二 20:55写道:
> In compose_output_action__(), terminate_native_tunnel() is called
> to test if a pkt matches a tnl port. If yes, a TUNNEL_POP action
> is appended. Instead of outputing the pkt to the origin port, pkt
> is redirected into the tnl port.
>
> pkt metadata(i.e. nw_proto, dst_ip, dst_port) is considered when
> testing a pkt regardless of the out port until Ilya's patch[1].
> Patch[1] adds the condition that terminal ports must have IP
> address. This patch is to make addtional port ip check that port
> ip address must match the pkt dst ip. This check covers the mirror
> port case:
> To tcpdump underlay pkt, we may create mirror port of dpdk port.
> When compose_output_action__() is called on the mirror port,
> pkt is redirected into tnl port again. As a result, ping shows
> DUP. fast path flow has two tnl_pop actions.
>
> ```
> [root@ovs1 vagrant]# ping 172.16.100.2
> PING 172.16.100.2 (172.16.100.2) 56(84) bytes of data.
> 64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=0.606 ms
> 64 bytes from 172.16.100.2: icmp_seq=1 ttl=64 time=0.617 ms (DUP!)
> ```
>
> ```
> [root@ovs ovs]# ovs-appctl dpctl/dump-flows |grep tnl_pop
> recirc_id(0),in_port(3),packet_type(ns=0,id=0),eth(src=52:54:00:a6:c6:de,dst=ea:b4:09:72:44:4c),eth_type(0x0800),ipv4(dst=192.168.124.33,proto=17,frag=no),udp(dst=8472),
> packets:1, bytes:148, used:0.637s, actions:tnl_pop(2),tnl_pop(2)
> ```
>
> [1] (d584bb2b6a1 "ofproto-dpif-xlate: Terminate native tunnels only on
> ports with IP addresses.")
>
> Signed-off-by: lic121 <lic...@chinatelecom.cn>
> ---
> ofproto/ofproto-dpif-xlate.c | 45 +++++++++++++++++++++++++++-------------
> tests/tunnel-push-pop.at | 49
> ++++++++++++++++++++++++++++++++++++++++++++
> 2 files changed, 80 insertions(+), 14 deletions(-)
>
> diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
> index 17f7e28..30e636e 100644
> --- a/ofproto/ofproto-dpif-xlate.c
> +++ b/ofproto/ofproto-dpif-xlate.c
> @@ -4107,18 +4107,26 @@ is_neighbor_reply_correct(const struct xlate_ctx
> *ctx, const struct flow *flow)
> }
>
> static bool
> -xport_has_ip(const struct xport *xport)
> +xport_has_ip(const struct xport *xport, const struct in6_addr ip6)
> {
> struct in6_addr *ip_addr, *mask;
> int n_in6 = 0;
> + int i;
> + bool hasip = false;
>
> if (netdev_get_addr_list(xport->netdev, &ip_addr, &mask, &n_in6)) {
> n_in6 = 0;
> } else {
> + for (i = 0; i < n_in6; i++) {
> + if (IN6_ARE_ADDR_EQUAL(ip_addr + i, &ip6)) {
> + hasip = true;
> + break;
> + }
> + }
> free(ip_addr);
> free(mask);
> }
> - return n_in6 ? true : false;
> + return hasip;
> }
>
> static bool
> @@ -4127,26 +4135,35 @@ terminate_native_tunnel(struct xlate_ctx *ctx,
> const struct xport *xport,
> odp_port_t *tnl_port)
> {
> *tnl_port = ODPP_NONE;
> + bool ip_pkt = true;
> + struct in6_addr ip_dst;
> +
> + if (flow->dl_type == htons(ETH_TYPE_IP)) {
> + ip_dst = in6_addr_mapped_ipv4(flow->nw_dst);
> + } else if (flow->dl_type == htons(ETH_TYPE_IPV6)) {
> + ip_dst = flow->ipv6_dst;
> + } else {
> + ip_pkt = false;
> + }
>
> /* XXX: Write better Filter for tunnel port. We can use in_port
> * in tunnel-port flow to avoid these checks completely.
> *
> - * Port without an IP address cannot be a tunnel termination point.
> - * Not performing a lookup in this case to avoid unwildcarding extra
> - * flow fields (dl_dst). */
> - if (ovs_native_tunneling_is_on(ctx->xbridge->ofproto)
> - && xport_has_ip(xport)) {
> + * Not performing a lookup if dst ip not match, to avoid unwildcarding
> + * extra flow fields (dl_dst). Also avoid duplicate tnl_pop. */
> + if ((flow->dl_type == htons(ETH_TYPE_ARP) ||
> + flow->nw_proto == IPPROTO_ICMPV6) &&
> + is_neighbor_reply_correct(ctx, flow)) {
> + tnl_neigh_snoop(flow, wc, ctx->xbridge->name,
> + ctx->xin->allow_side_effects);
> +
> + } else if (ovs_native_tunneling_is_on(ctx->xbridge->ofproto)
> + && ip_pkt && xport_has_ip(xport, ip_dst)) {
> *tnl_port = tnl_port_map_lookup(flow, wc);
>
> /* If no tunnel port was found and it's about an ARP or ICMPv6
> packet,
> * do tunnel neighbor snooping. */
> - if (*tnl_port == ODPP_NONE &&
> - (flow->dl_type == htons(ETH_TYPE_ARP) ||
> - flow->nw_proto == IPPROTO_ICMPV6) &&
> - is_neighbor_reply_correct(ctx, flow)) {
> - tnl_neigh_snoop(flow, wc, ctx->xbridge->name,
> - ctx->xin->allow_side_effects);
> - } else if (*tnl_port != ODPP_NONE &&
> + if (*tnl_port != ODPP_NONE &&
> ctx->xin->allow_side_effects &&
> dl_type_is_ip_any(flow->dl_type)) {
> struct eth_addr mac = flow->dl_src;
> diff --git a/tests/tunnel-push-pop.at b/tests/tunnel-push-pop.at
> index c633441..b3a3bf9 100644
> --- a/tests/tunnel-push-pop.at
> +++ b/tests/tunnel-push-pop.at
> @@ -808,6 +808,55 @@ NXST_FLOW reply:
> OVS_VSWITCHD_STOP
> AT_CLEANUP
>
> +AT_SETUP([tunnel_push_pop - multiple output])
> +
> +OVS_VSWITCHD_START([add-port br0 p0 -- set Interface p0 type=dummy
> ofport_request=1 other-config:hwaddr=aa:55:aa:55:00:00])
> +AT_CHECK([ovs-vsctl add-port br0 m0 -- set Interface m0 type=dummy
> ofport_request=2])
> +AT_CHECK([ovs-vsctl add-br int-br -- set bridge int-br
> datapath_type=dummy], [0])
> +AT_CHECK([ovs-vsctl add-port int-br t1 -- set Interface t1 type=gre \
> + options:remote_ip=1.1.2.92 options:key=456
> options:seq=true ofport_request=4], [0])
> +
> +AT_CHECK([ovs-appctl dpif/show], [0], [dnl
> +dummy@ovs-dummy: hit:0 missed:0
> + br0:
> + br0 65534/100: (dummy-internal)
> + m0 2/2: (dummy)
> + p0 1/1: (dummy)
> + int-br:
> + int-br 65534/3: (dummy-internal)
> + t1 4/4: (gre: key=456, remote_ip=1.1.2.92, seq=true)
> +])
> +
> +AT_CHECK([ovs-appctl netdev-dummy/ip4addr br0 1.1.2.88/24], [0], [OK
> +])
> +AT_CHECK([ovs-appctl netdev-dummy/ip4addr m0 1.1.3.88/24], [0], [OK
> +])
> +AT_CHECK([ovs-appctl ovs/route/add 1.1.2.92/24 br0], [0], [OK
> +])
> +AT_CHECK([ovs-appctl ovs/route/add 1.1.3.92/24 m0], [0], [OK
> +])
> +AT_CHECK([ovs-ofctl add-flow br0 'arp,priority=1,action=normal'])
> +
> +dnl Use arp reply to achieve tunnel next hop mac binding
> +AT_CHECK([ovs-appctl netdev-dummy/receive p0
> 'recirc_id(0),in_port(1),eth(src=f8:bc:12:44:34:b6,dst=aa:55:aa:55:00:00),eth_type(0x0806),arp(sip=1.1.2.92,tip=1.1.2.88,op=2,sha=f8:bc:12:44:34:b6,tha=00:00:00:00:00:00)'])
> +
> +dnl Ouput gre pkt to both br0 port and m0 port
> +dnl m0 port to simulate mirror port, or flood case
> +AT_CHECK([ovs-ofctl add-flow br0
> 'in_port(1),ip,ip_proto=47,priority=99,action=br0,m0'])
> +
> +AT_CHECK([ovs-appctl netdev-dummy/receive p0
> 'recirc_id(0),in_port(1),eth(src=f8:bc:12:44:34:b6,dst=aa:55:aa:55:00:00),eth_type(0x0800),ipv4(src=1.1.2.92,dst=1.1.2.88,proto=47,tos=0,ttl=64,frag=no)'])
> +
> +dnl port br0: has the configured ip address of tnl port t1, so
> 'tnl_pop(4)'
> +dnl port m0: does not have a configured tnl ip address, so 'output:2'
> +AT_CHECK([ovs-appctl dpctl/dump-flows], [0], [dnl
> +flow-dump from the main thread:
> +recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth(src=f8:bc:12:44:34:b6,dst=aa:55:aa:55:00:00),eth_type(0x0806),arp(sip=1.1.2.92,tip=1.1.2.88,op=2,sha=f8:bc:12:44:34:b6),
> packets:0, bytes:0, used:never, actions:100,2
> +recirc_id(0),in_port(1),packet_type(ns=0,id=0),eth(dst=aa:55:aa:55:00:00),eth_type(0x0800),ipv4(dst=1.1.2.88,proto=47,frag=no),
> packets:0, bytes:0, used:never, actions:tnl_pop(4),2
> +])
> +
> +OVS_VSWITCHD_STOP
> +AT_CLEANUP
> +
> AT_SETUP([tunnel_push_pop - flow translation on unrelated bridges])
>
> OVS_VSWITCHD_START(
> --
> 1.8.3.1
>
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
--
hepeng
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
