Introduce a priority-100 flow in the ingress router defrag stage in order to just perform IP traffic defragmentation without doing any dnat operation. This change is necessary since the logical flow reported below fails for IP fragmented traffic since L4 port info is available just in the first fragment:
table=5 (lr_in_defrag ), priority=110 , match=(ip && ip4.dst == 172.16.0.111 && udp), action=(reg0 = 172.16.0.111; reg9[16..31] = udp.dst; ct_dnat;) Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2170885 Fixes: d91f359b7694 ("northd: Add VIP port to established flows in DNAT table for Load Balancers") Signed-off-by: Lorenzo Bianconi <[email protected]> --- northd/northd.c | 13 +++++++++++++ northd/ovn-northd.8.xml | 16 ++++++++++++++-- 2 files changed, 27 insertions(+), 2 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 97589e31d..38ccd1f5f 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -10841,19 +10841,26 @@ build_lrouter_defrag_flows_for_lb(struct ovn_northd_lb *lb, } struct ds defrag_actions = DS_EMPTY_INITIALIZER; + struct ds defrag_match = DS_EMPTY_INITIALIZER; + for (size_t i = 0; i < lb->n_vips; i++) { struct ovn_lb_vip *lb_vip = &lb->vips[i]; int prio = 100; ds_clear(&defrag_actions); + ds_clear(&defrag_match); ds_clear(match); if (lb_vip->address_family == AF_INET) { ds_put_format(match, "ip && ip4.dst == %s", lb_vip->vip_str); + ds_put_format(&defrag_match, "ip && ip4.dst == %s && ip.is_frag", + lb_vip->vip_str); ds_put_format(&defrag_actions, REG_NEXT_HOP_IPV4" = %s; ", lb_vip->vip_str); } else { ds_put_format(match, "ip && ip6.dst == %s", lb_vip->vip_str); + ds_put_format(&defrag_match, "ip && ip6.dst == %s && ip.is_frag", + lb_vip->vip_str); ds_put_format(&defrag_actions, REG_NEXT_HOP_IPV6" = %s; ", lb_vip->vip_str); } 
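Review bot: the new defrag_match string in this hunk re-formats the VIP address separately for the AF_INET and AF_INET6 branches, duplicating what is already built into `match` one line above; deriving it from the existing buffer, e.g. `ds_put_format(&defrag_match, "%s && ip.is_frag", ds_cstr(match));` placed after the if/else, keeps the two matches from drifting apart if the VIP match is ever changed in only one place. Note also that `ip.is_frag` covers both the first and later fragments, which is what the defrag stage needs since conntrack has to see every fragment before it can reassemble the datagram for the port-based match in POST_DEFRAG.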
@@ -10868,11 +10875,17 @@ build_lrouter_defrag_flows_for_lb(struct ovn_northd_lb *lb, ds_put_format(&defrag_actions, "ct_dnat;"); + /* Add flow for defrag ip traffic. */ + ovn_lflow_add_with_dp_group( + lflows, lb->nb_lr_map, S_ROUTER_IN_DEFRAG, 100, + ds_cstr(&defrag_match), "ct_next;", &lb->nlb->header_); + ovn_lflow_add_with_dp_group( lflows, lb->nb_lr_map, S_ROUTER_IN_POST_DEFRAG, prio, ds_cstr(match), ds_cstr(&defrag_actions), &lb->nlb->header_); } ds_destroy(&defrag_actions); + ds_destroy(&defrag_match); } static void diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 03eced0e4..03140ab6c 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -3277,10 +3277,22 @@ icmp6 { <p> This is to send packets to connection tracker for tracking and - defragmentation. It contains a priority-0 flow that simply moves traffic - to the next table. + defragmentation. </p> + <ul> + <li> + For each load balancer VIP, a priority-100 flow is added with match + <code>ip && ip.dst == <var>VIP</var> && + ip.is_frag</code> and action <code>ct_next;</code> + </li> + + <li> + A priority 0 flow is added which matches on all packets and applies + the action <code>next;</code>. + </li> + </ul> + <h3>Ingress Table 6: POST_DEFRAG</h3> <p> -- 2.39.2 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
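Review bot: the `ovn_lflow_add_with_dp_group()` call added in this hunk hard-codes the priority as `100` while the neighbouring POST_DEFRAG flow uses the `prio` variable initialised to 100 a few lines above; either reuse `prio` or add a short comment stating that the defrag flow's priority is intentionally fixed and independent of the per-VIP priority, so a later change to `prio` does not silently diverge from the man page text. Separately, the diffstat shows changes only to `northd/northd.c` and `northd/ovn-northd.8.xml`; since this carries a `Fixes:` tag for a bugzilla report, a northd test asserting the presence of the new `lr_in_defrag` flow with `ip.is_frag` and `ct_next;` for a load balancer VIP would protect the fix against regressions.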
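Review bot: the documentation hunk states the match as `ip && ip.dst == VIP && ip.is_frag`, but the code in the first hunk generates `ip4.dst` for IPv4 VIPs and `ip6.dst` for IPv6 VIPs; `ip.dst` is not the field the flow actually uses, so the `<li>` text should read "ip4.dst or ip6.dst" (or show both forms) to match what `ovn-sbctl lflow-list` will display. Minor wording point: the first item says "priority-100 flow" and the second says "A priority 0 flow"; use the hyphenated form in both for consistency with the rest of the man page.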
