Introduce a priority-100 flow in the ingress router defrag stage in
order to just perform IP traffic defragmentation without doing any dnat
operation. This change is necessary since the logical flow reported
below fails for IP fragmented traffic since L4 port info is available
just in the first fragment:

table=5 (lr_in_defrag       ), priority=110  , match=(ip && ip4.dst == 172.16.0.111 && udp), action=(reg0 = 172.16.0.111; reg9[16..31] = udp.dst; ct_dnat;)

Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2170885
Fixes: d91f359b7694 ("northd: Add VIP port to established flows in DNAT table for Load Balancers")
Signed-off-by: Lorenzo Bianconi <lorenzo.bianc...@redhat.com>
---
 northd/northd.c         |  4 ++++
 northd/ovn-northd.8.xml | 15 +++++++++++++--
 2 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c
index 97589e31d..27dc07c5a 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -14238,6 +14238,10 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath 
*od, struct hmap *lflows,
     ovn_lflow_add(lflows, od, S_ROUTER_OUT_EGR_LOOP, 0, "1", "next;");
     ovn_lflow_add(lflows, od, S_ROUTER_IN_ECMP_STATEFUL, 0, "1", "next;");
 
+    /* Add flow for defrag ip traffic. */
+    ovn_lflow_add(lflows, od, S_ROUTER_IN_DEFRAG, 100,
+                  "ip && ip.is_frag", "ct_next;");
+
     /* Ingress DNAT and DEFRAG Table (Priority 50/70).
      *
      * The defrag stage needs to have flows for ICMP in order to get
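Review bot: the priority chosen for the new S_ROUTER_IN_DEFRAG flow needs justification in the comment. It is installed at 100, while the load balancer flow quoted in the commit message sits at priority 110 in the same stage and matches `ip && ip4.dst == 172.16.0.111 && udp` with no L4 port in the match, so it is not evident from this hunk which fragments addressed to a VIP reach the new flow rather than the 110 one. "Add flow for defrag ip traffic." does not say that; please state which packets are expected to hit this flow and that it deliberately skips DNAT. The block comment right below still lists "Priority 50/70" for this stage and could mention the new priority as well. The diffstat touches only northd.c and ovn-northd.8.xml, so a test case with fragmented traffic to a load balancer VIP would be a useful addition.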
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 03eced0e4..ee3b05044 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -3277,10 +3277,21 @@ icmp6 {
 
     <p>
       This is to send packets to connection tracker for tracking and
-      defragmentation.  It contains a priority-0 flow that simply moves traffic
-      to the next table.
+      defragmentation.
     </p>
 
+    <ul>
+      <li>
+        A priority 100 flow is added with match <code>ip &amp;&amp;
+        ip.is_frag</code> and action <code>ct_next;</code>
+      </li>
+
+      <li>
+        A priority 0 flow is added which matches on all packets and applies
+        the action <code>next;</code>.
+      </li>
+    </ul>
+
     <h3>Ingress Table 6: POST_DEFRAG</h3>
 
     <p>
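Review bot: the new priority 100 list item documents the match and action but not the purpose, which is the part a reader of the manual needs. Suggest saying that it sends IP fragments to the connection tracker for reassembly without applying DNAT, since L4 port information is only present in the first fragment (as the commit message explains). The item also lacks the trailing period that the priority 0 item has, and "is added" in both items reads less clearly than the removed wording "It contains a priority-0 flow", because these flows are always present in the stage rather than added on some condition.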
-- 
2.39.2

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
