On 5/11/22 03:45, Peng He wrote:
> Hi, Ilya,
>
> Ilya Maximets <i.maxim...@ovn.org <mailto:i.maxim...@ovn.org>> wrote on
> Wednesday, May 11, 2022 at 06:28:
>
> On 5/5/22 04:14, Peng He wrote:
> > Hi, lic121 and Ilya,
> >
> > Ilya, it looks like I did not get the first reply from you.
>
> I'm not sure what is happening with this thread. I'm also not receiving
> some emails from it.
>
> >
> > But it's ok, I now understand the solution, which is to restrict the
> > termination condition rather than specifying the mirror context,
> > and yes, this is a more general fix.
>
> I'm getting second thoughts about all this though.
> Having IP addresses on two bridge ports seems to be a misconfiguration.
> Why do you need an IP address on the mirror port? AFAICT, ovs-tcpdump
> doesn't set IP address to the mirror port, or am I missing something?
>
>
> I have also asked lic121, and he told me that,
> yes, the mirror port is not assigned any IP addresses.
> But an IPv6 link address has been assigned to the port automatically, and
> that's why it still translates into two tnl_pop actions. The DUP is because
> the packet has been cloned due to the two tnl_pop actions.

Hmm, I see. Link-local IPv6 address is an issue indeed.
But can we solve that by just adding 'ip addr flush' to the ovs-tcpdump script?

>
> IMO, lic121's patch has also fixed the two tunnel issues you mentioned, by
> matching the dst IP address, when packets coming from one normal port are
> forwarded to another normal port, the termination will not be performed
> because the dst IP address does not match.
>
> So maybe adding an unmask to his patch will solve the issue?

I'm not convinced that these are actual issues anymore. I'd say such
configuration is incorrect, because it will lead to duplicated packets
even in the scenario with kernel tunneling. So, I'm not sure these
cases need a fix. In general, creating a match outside of the tunnel
classifier doesn't look like a great solution, because the classifier will
perform almost the same matching again just a few lines of code below.

>
>
>
> Why I think it is a misconfiguration: In case of a kernel datapath and
> a normal tunneling decapsulation is happening outside of the OVS, so
> you will have 2 equal vxlan packets being sent to 2 bridge ports and
> they will enter the normal kernel in the same network namespace.
> So it's a DUP tunnel packet. They will likely both be decapsulated
> within that network namespace (because the destination interface is
> there), and we'll have a DUP icmp packet. I didn't try that though.
>
> The correct mirroring configuration would be to have a mirror port
> be one side of a veth pair with the other side in the different
> network namespace, or just a separate physical port. In both cases
> the mirror port doesn't need to have an IP address.
>
> What do you think? Does that make sense?
>
> Best regards,
> Ilya Maximets.
>
>
>
> --
> hepeng

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
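
A check for the condition discussed in this thread, as an added example that is not part of the original messages or of ovs-tcpdump: it parses `ip -o addr show` output and reports any address on a mirror port, including an automatically assigned IPv6 link-local one. The port names `mi-eth0` and `br-phy` and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag addresses on an OVS mirror port using `ip -o addr show` output.
# Port names (mi-eth0, br-phy) and the sample lines below are constructed.

# Constructed sample in the one-line-per-address format of `ip -o addr show`.
sample_ip_output() {
cat <<'EOF'
1: lo    inet 127.0.0.1/8 scope host lo\       valid_lft forever preferred_lft forever
4: br-phy    inet 10.0.0.2/24 brd 10.0.0.255 scope global br-phy\       valid_lft forever preferred_lft forever
4: br-phy    inet6 fe80::5054:ff:fe12:3456/64 scope link \       valid_lft forever preferred_lft forever
7: mi-eth0    inet6 fe80::dc3a:1ff:fe00:1/64 scope link \       valid_lft forever preferred_lft forever
EOF
}

# port_addrs PORT: read `ip -o addr show` output on stdin and print
# "family address scope" for every address bound to PORT.
port_addrs() {
    awk -v port="$1" '
        $2 == port && ($3 == "inet" || $3 == "inet6") {
            scope = "unknown"
            for (i = 5; i < NF; i++) if ($i == "scope") scope = $(i + 1)
            print $3, $4, scope
        }'
}

# check_mirror_port PORT: return 0 if PORT carries no address, 1 otherwise.
# A link-local IPv6 address counts: it is the case raised in the thread.
check_mirror_port() {
    addrs=$(port_addrs "$1")
    if [ -n "$addrs" ]; then
        echo "$1 has addresses assigned:"
        echo "$addrs" | sed 's/^/  /'
        echo "suggested in the thread: ip addr flush dev $1"
        return 1
    fi
    echo "$1 has no addresses"
    return 0
}

# Live use: ip -o addr show | check_mirror_port mi-eth0
```
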