On 1/29/24 07:20, Ales Musil wrote:
> Considering following topology:
> client - sw0 - lrp0 - lr - lrp1 - sw1 - server
> sw0 in subnet 192.168.0.0/24
> sw1 in subnet 172.168.0.0/24
> SNAT configured for client
> gateway_mtu=1400 configured for lrp0
>
> If we send UDP traffic from client to server
> and server responds with packet bigger than 1400
> the following sequence will happen:
>
> 1) Packet is coming into lr via lrp1
> 2) unSNAT
> 3) Routing, the outport will be set to lrp0
> 4) Check for packet larger will fail
> 5) We will generate ICMP need frag
>
> However, the last step is wrong from the server
> perspective. The ICMP message will have IP source
> address = lrp1 IP address. Which means that SNAT won't
> happen because the source is not within the sw0 subnet,
> but the inner packet has sw0 subnet address, because it
> was unSNATted. This results in server ignoring the ICMP
> message because server never sent any packet to the
> sw0 subnet.
>
> In order to prevent this issue perform SNAT for the
> ICMP packet. Because the packet is related to already
> existing connection we just need to perform
> ct_commit_nat(snat) action.
>
> This is achieved with addition of the following flow for
> "lr_in_larger_pkts" stage (the flow for IPv6 is the in
> regard to the addition):
>
> match=(inport == "INPORT" && outport == "OUTPORT" && ip4 && REGBIT_PKT_LARGER
> && REGBIT_EGRESS_LOOPBACK == 0 && ct.trk && ct.rpl && ct.dnat),
> action=(icmp4_error {flags.icmp_snat = 1; REGBIT_EGRESS_LOOPBACK = 1;
> REGBIT_PKT_LARGER = 0; eth.dst = ETH_DST; ip4.dst = ip4.src; ip4.src =
> IP_SRC; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
>
> Also, add flow to "lr_out_post_snat" stage:
>
> match=(icmp && flags.icmp_snat == 1), action=(ct_commit_nat(snat);)
>
> Partially revert 0e49f49c73d6 ("northd: Allow need frag to be SNATed")
> which attempted to fix the same issue in a wrong way.
>
> Also add feature flag for the updated ct_commit_nat action.
> In case there is an update of northd to newer version before all
> controllers are updated.
>
> Fixes: 0e49f49c73d6 ("northd: Allow need frag to be SNATed")
> Reported-at: https://issues.redhat.com/browse/FDP-134
> Reported-at: https://issues.redhat.com/browse/FDP-159
> Signed-off-by: Ales Musil <[email protected]>
> Acked-by: Dumitru Ceara <[email protected]>
> ---
> v3: Rebase on top of current main.
> v2: Rebase on top of current main.
> Squash the 2/3 and 3/3 from previous version to single commit.
> Add ack from Dumitru.
> ---
Hi Ales,
Before accepting this patch I'd like to try to clarify one thing that
was flagged as a potential issue by Numan (ct.dnat), please see below.
> controller/chassis.c | 8 ++
> include/ovn/features.h | 1 +
> include/ovn/logical-fields.h | 3 +
> lib/logical-fields.c | 4 +
> northd/northd.c | 192 ++++++++++++++++++++---------------
> northd/northd.h | 1 +
> tests/ovn-northd.at | 118 ++++++++++++++-------
> tests/ovn.at | 6 +-
> tests/system-ovn-kmod.at | 3 +-
> 9 files changed, 214 insertions(+), 122 deletions(-)
>
> diff --git a/controller/chassis.c b/controller/chassis.c
> index a6f13ccc4..ba2e57238 100644
> --- a/controller/chassis.c
> +++ b/controller/chassis.c
> @@ -370,6 +370,7 @@ chassis_build_other_config(const struct ovs_chassis_cfg
> *ovs_cfg,
> smap_replace(config, OVN_FEATURE_CT_LB_RELATED, "true");
> smap_replace(config, OVN_FEATURE_FDB_TIMESTAMP, "true");
> smap_replace(config, OVN_FEATURE_LS_DPG_COLUMN, "true");
> + smap_replace(config, OVN_FEATURE_CT_COMMIT_NAT_V2, "true");
> }
>
> /*
> @@ -509,6 +510,12 @@ chassis_other_config_changed(const struct
> ovs_chassis_cfg *ovs_cfg,
> return true;
> }
>
> + if (!smap_get_bool(&chassis_rec->other_config,
> + OVN_FEATURE_CT_COMMIT_NAT_V2,
> + false)) {
> + return true;
> + }
> +
> return false;
> }
>
> @@ -640,6 +647,7 @@ update_supported_sset(struct sset *supported)
> sset_add(supported, OVN_FEATURE_CT_LB_RELATED);
> sset_add(supported, OVN_FEATURE_FDB_TIMESTAMP);
> sset_add(supported, OVN_FEATURE_LS_DPG_COLUMN);
> + sset_add(supported, OVN_FEATURE_CT_COMMIT_NAT_V2);
> }
>
> static void
> diff --git a/include/ovn/features.h b/include/ovn/features.h
> index 2c47ab766..08f1d8288 100644
> --- a/include/ovn/features.h
> +++ b/include/ovn/features.h
> @@ -27,6 +27,7 @@
> #define OVN_FEATURE_CT_LB_RELATED "ovn-ct-lb-related"
> #define OVN_FEATURE_FDB_TIMESTAMP "fdb-timestamp"
> #define OVN_FEATURE_LS_DPG_COLUMN "ls-dpg-column"
> +#define OVN_FEATURE_CT_COMMIT_NAT_V2 "ct-commit-nat-v2"
>
> /* OVS datapath supported features. Based on availability OVN might generate
> * different types of openflows.
> diff --git a/include/ovn/logical-fields.h b/include/ovn/logical-fields.h
> index e8e0e6d33..f07c4c42e 100644
> --- a/include/ovn/logical-fields.h
> +++ b/include/ovn/logical-fields.h
> @@ -79,6 +79,7 @@ enum mff_log_flags_bits {
> MLF_USE_LB_AFF_SESSION_BIT = 14,
> MLF_LOCALNET_BIT = 15,
> MLF_RX_FROM_TUNNEL_BIT = 16,
> + MLF_ICMP_SNAT_BIT = 17,
> };
>
> /* MFF_LOG_FLAGS_REG flag assignments */
> @@ -132,6 +133,8 @@ enum mff_log_flags {
>
> /* Indicate the packet has been received from the tunnel. */
> MLF_RX_FROM_TUNNEL = (1 << MLF_RX_FROM_TUNNEL_BIT),
> +
> + MLF_ICMP_SNAT = (1 << MLF_ICMP_SNAT_BIT),
> };
>
> /* OVN logical fields
> diff --git a/lib/logical-fields.c b/lib/logical-fields.c
> index 662c1ef0e..20219a67a 100644
> --- a/lib/logical-fields.c
> +++ b/lib/logical-fields.c
> @@ -132,6 +132,10 @@ ovn_init_symtab(struct shash *symtab)
> snprintf(flags_str, sizeof flags_str, "flags[%d]",
> MLF_LOCALNET_BIT);
> expr_symtab_add_subfield(symtab, "flags.localnet", NULL,
> + flags_str);
> + snprintf(flags_str, sizeof flags_str, "flags[%d]",
> + MLF_ICMP_SNAT_BIT);
> + expr_symtab_add_subfield(symtab, "flags.icmp_snat", NULL,
> flags_str);
> snprintf(flags_str, sizeof flags_str, "flags[%d]",
> MLF_RX_FROM_TUNNEL_BIT);
> expr_symtab_add_subfield(symtab, "flags.tunnel_rx", NULL, flags_str);
> diff --git a/northd/northd.c b/northd/northd.c
> index bb028f2ef..222143220 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -501,6 +501,15 @@ build_chassis_features(const struct sbrec_chassis_table
> *sbrec_chassis_table,
> chassis_features->ls_dpg_column) {
> chassis_features->ls_dpg_column = false;
> }
> +
> + bool ct_commit_nat_v2 =
> + smap_get_bool(&chassis->other_config,
> + OVN_FEATURE_CT_COMMIT_NAT_V2,
> + false);
> + if (!ct_commit_nat_v2 &&
> + chassis_features->ct_commit_nat_v2) {
> + chassis_features->ct_commit_nat_v2 = false;
> + }
> }
> }
>
> @@ -14132,96 +14141,103 @@ build_arp_resolve_flows_for_lsp(
> }
> }
>
> +#define ICMP4_NEED_FRAG_FORMAT \
> + "icmp4_error {" \
> + "%s" \
> + REGBIT_EGRESS_LOOPBACK" = 1; " \
> + REGBIT_PKT_LARGER" = 0; " \
> + "eth.dst = %s; " \
> + "ip4.dst = ip4.src; " \
> + "ip4.src = %s; " \
> + "ip.ttl = 255; " \
> + "icmp4.type = 3; /* Destination Unreachable. */ " \
> + "icmp4.code = 4; /* Frag Needed and DF was Set. */ " \
> + "icmp4.frag_mtu = %d; " \
> + "next(pipeline=ingress, table=%d); };" \
> +
> +#define ICMP6_NEED_FRAG_FORMAT \
> + "icmp6_error {" \
> + "%s" \
> + REGBIT_EGRESS_LOOPBACK" = 1; " \
> + REGBIT_PKT_LARGER" = 0; " \
> + "eth.dst = %s; " \
> + "ip6.dst = ip6.src; " \
> + "ip6.src = %s; " \
> + "ip.ttl = 255; " \
> + "icmp6.type = 2; /* Packet Too Big. */ " \
> + "icmp6.code = 0; " \
> + "icmp6.frag_mtu = %d; " \
> + "next(pipeline=ingress, table=%d); };"
> +
> static void
> -build_icmperr_pkt_big_flows(struct ovn_port *op, int mtu, struct hmap
> *lflows,
> - const struct shash *meter_groups, struct ds
> *match,
> - struct ds *actions, enum ovn_stage stage,
> - struct ovn_port *outport)
> -{
> - char *outport_match = outport ? xasprintf("outport == %s && ",
> - outport->json_key)
> - : NULL;
> +create_icmp_need_frag_lflow(const struct ovn_port *op, int mtu,
> + struct ds *actions, struct ds *match,
> + const char *meter, struct hmap *lflows,
> + enum ovn_stage stage, uint16_t priority,
> + bool is_ipv6, const char *extra_match,
> + const char *extra_action)
> +{
> + if ((is_ipv6 && !op->lrp_networks.ipv6_addrs) ||
> + (!is_ipv6 && !op->lrp_networks.ipv4_addrs)) {
> + return;
> + }
>
> - char *ip4_src = NULL;
> + const char *ip = is_ipv6
> + ? op->lrp_networks.ipv6_addrs[0].addr_s
> + : op->lrp_networks.ipv4_addrs[0].addr_s;
> + size_t match_len = match->length;
>
> - if (outport && outport->lrp_networks.ipv4_addrs) {
> - ip4_src = outport->lrp_networks.ipv4_addrs[0].addr_s;
> - } else if (op->lrp_networks.ipv4_addrs) {
> - ip4_src = op->lrp_networks.ipv4_addrs[0].addr_s;
> + ds_put_format(match, " && ip%c && "REGBIT_PKT_LARGER
> + " && "REGBIT_EGRESS_LOOPBACK" == 0", is_ipv6 ? '6' : '4');
> +
> + if (*extra_match) {
> + ds_put_format(match, " && %s", extra_match);
> }
>
> - if (ip4_src) {
> - ds_clear(match);
> - ds_put_format(match, "inport == %s && %sip4 && "REGBIT_PKT_LARGER
> - " && "REGBIT_EGRESS_LOOPBACK" == 0", op->json_key,
> - outport ? outport_match : "");
> + ds_clear(actions);
> + ds_put_format(actions,
> + is_ipv6 ? ICMP6_NEED_FRAG_FORMAT : ICMP4_NEED_FRAG_FORMAT,
> + extra_action, op->lrp_networks.ea_s, ip,
> + mtu, ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
>
> - ds_clear(actions);
> - /* Set icmp4.frag_mtu to gw_mtu */
> - ds_put_format(actions,
> - "icmp4_error {"
> - REGBIT_EGRESS_LOOPBACK" = 1; "
> - REGBIT_PKT_LARGER" = 0; "
> - "eth.dst = %s; "
> - "ip4.dst = ip4.src; "
> - "ip4.src = %s; "
> - "ip.ttl = 255; "
> - "icmp4.type = 3; /* Destination Unreachable. */ "
> - "icmp4.code = 4; /* Frag Needed and DF was Set. */ "
> - "icmp4.frag_mtu = %d; "
> - "next(pipeline=ingress, table=%d); };",
> - op->lrp_networks.ea_s, ip4_src, mtu,
> - ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
> - ovn_lflow_add_with_hint__(lflows, op->od, stage, 150,
> - ds_cstr(match), ds_cstr(actions),
> - NULL,
> - copp_meter_get(
> - COPP_ICMP4_ERR,
> - op->od->nbr->copp,
> - meter_groups),
> - &op->nbrp->header_);
> - }
> + ovn_lflow_add_with_hint__(lflows, op->od, stage, priority,
> + ds_cstr(match), ds_cstr(actions),
> + NULL, meter, &op->nbrp->header_);
>
> - char *ip6_src = NULL;
> + ds_truncate(match, match_len);
> +}
>
> - if (outport && outport->lrp_networks.ipv6_addrs) {
> - ip6_src = outport->lrp_networks.ipv6_addrs[0].addr_s;
> - } else if (op->lrp_networks.ipv6_addrs) {
> - ip6_src = op->lrp_networks.ipv6_addrs[0].addr_s;
> - }
> +static void
> +build_icmperr_pkt_big_flows(struct ovn_port *op, int mtu, struct hmap
> *lflows,
> + const struct shash *meter_groups, struct ds
> *match,
> + struct ds *actions, enum ovn_stage stage,
> + struct ovn_port *outport)
> +{
> + const char *ipv4_meter = copp_meter_get(COPP_ICMP4_ERR,
> op->od->nbr->copp,
> + meter_groups);
> + const char *ipv6_meter = copp_meter_get(COPP_ICMP6_ERR,
> op->od->nbr->copp,
> + meter_groups);
>
> - if (ip6_src) {
> - ds_clear(match);
> - ds_put_format(match, "inport == %s && %sip6 && "REGBIT_PKT_LARGER
> - " && "REGBIT_EGRESS_LOOPBACK" == 0", op->json_key,
> - outport ? outport_match : "");
> + ds_clear(match);
> + ds_put_format(match, "inport == %s", op->json_key);
>
> - ds_clear(actions);
> - /* Set icmp6.frag_mtu to gw_mtu */
> - ds_put_format(actions,
> - "icmp6_error {"
> - REGBIT_EGRESS_LOOPBACK" = 1; "
> - REGBIT_PKT_LARGER" = 0; "
> - "eth.dst = %s; "
> - "ip6.dst = ip6.src; "
> - "ip6.src = %s; "
> - "ip.ttl = 255; "
> - "icmp6.type = 2; /* Packet Too Big. */ "
> - "icmp6.code = 0; "
> - "icmp6.frag_mtu = %d; "
> - "next(pipeline=ingress, table=%d); };",
> - op->lrp_networks.ea_s, ip6_src, mtu,
> - ovn_stage_get_table(S_ROUTER_IN_ADMISSION));
> - ovn_lflow_add_with_hint__(lflows, op->od, stage, 150,
> - ds_cstr(match), ds_cstr(actions),
> - NULL,
> - copp_meter_get(
> - COPP_ICMP6_ERR,
> - op->od->nbr->copp,
> - meter_groups),
> - &op->nbrp->header_);
> + if (outport) {
> + ds_put_format(match, " && outport == %s", outport->json_key);
> +
> + create_icmp_need_frag_lflow(op, mtu, actions, match, ipv4_meter,
> + lflows, stage, 160, false,
> + "ct.trk && ct.rpl && ct.dnat",
> + "flags.icmp_snat = 1; ");
> + create_icmp_need_frag_lflow(op, mtu, actions, match, ipv6_meter,
> + lflows, stage, 160, true,
> + "ct.trk && ct.rpl && ct.dnat",
> + "flags.icmp_snat = 1; ");
Numan pointed out offline that in the past we tried to avoid matching on
"ct.dnat" because it creates flows that cannot be offloaded to hardware
(for specific vendors) [0]. However, these flows we add here always
send packets to ovn-controller (pinctrl) and cannot be offloaded anyway.
To me that seems to be fine but I'd like to hear an opinion from Numan
and Han about this too.
Regards,
Dumitru
[0]
https://github.com/ovn-org/ovn/commit/110e670462a9ae580d40d14181c388fc2f0b1e1c
> }
> - free(outport_match);
> +
> + create_icmp_need_frag_lflow(op, mtu, actions, match, ipv4_meter, lflows,
> + stage, 150, false, "", "");
> + create_icmp_need_frag_lflow(op, mtu, actions, match, ipv6_meter, lflows,
> + stage, 150, true, "", "");
> }
>
> static void
> @@ -14229,8 +14245,8 @@ build_check_pkt_len_flows_for_lrp(struct ovn_port *op,
> struct hmap *lflows,
> const struct hmap *lr_ports,
> const struct shash *meter_groups,
> - struct ds *match,
> - struct ds *actions)
> + struct ds *match, struct ds *actions,
> + const struct chassis_features *features)
> {
> int gw_mtu = smap_get_int(&op->nbrp->options, "gateway_mtu", 0);
> if (gw_mtu <= 0) {
> @@ -14259,6 +14275,12 @@ build_check_pkt_len_flows_for_lrp(struct ovn_port
> *op,
> match, actions, S_ROUTER_IN_LARGER_PKTS,
> op);
> }
> +
> + if (features->ct_commit_nat_v2) {
> + ovn_lflow_add_with_hint(lflows, op->od, S_ROUTER_OUT_POST_SNAT, 100,
> + "icmp && flags.icmp_snat == 1",
> + "ct_commit_nat(snat);", &op->nbrp->header_);
> + }
> }
>
> /* Local router ingress table CHK_PKT_LEN: Check packet length.
> @@ -14279,7 +14301,8 @@ build_check_pkt_len_flows_for_lrouter(
> struct ovn_datapath *od, struct hmap *lflows,
> const struct hmap *lr_ports,
> struct ds *match, struct ds *actions,
> - const struct shash *meter_groups)
> + const struct shash *meter_groups,
> + const struct chassis_features *features)
> {
> ovs_assert(od->nbr);
>
> @@ -14296,7 +14319,7 @@ build_check_pkt_len_flows_for_lrouter(
> continue;
> }
> build_check_pkt_len_flows_for_lrp(rp, lflows, lr_ports, meter_groups,
> - match, actions);
> + match, actions, features);
> }
> }
>
> @@ -16266,7 +16289,7 @@ build_lswitch_and_lrouter_iterate_by_lr(struct
> ovn_datapath *od,
> build_arp_resolve_flows_for_lrouter(od, lsi->lflows);
> build_check_pkt_len_flows_for_lrouter(od, lsi->lflows, lsi->lr_ports,
> &lsi->match, &lsi->actions,
> - lsi->meter_groups);
> + lsi->meter_groups, lsi->features);
> build_gateway_redirect_flows_for_lrouter(od, lsi->lflows, &lsi->match,
> &lsi->actions);
> build_arp_request_flows_for_lrouter(od, lsi->lflows, &lsi->match,
> @@ -17898,6 +17921,7 @@ northd_enable_all_features(struct northd_data *data)
> .ct_lb_related = true,
> .fdb_timestamp = true,
> .ls_dpg_column = true,
> + .ct_commit_nat_v2 = true,
> };
> }
>
> diff --git a/northd/northd.h b/northd/northd.h
> index ebbb4ba0a..27ae5da08 100644
> --- a/northd/northd.h
> +++ b/northd/northd.h
> @@ -71,6 +71,7 @@ struct chassis_features {
> bool ct_lb_related;
> bool fdb_timestamp;
> bool ls_dpg_column;
> + bool ct_commit_nat_v2;
> };
>
> /* A collection of datapaths. E.g. all logical switch datapaths, or all
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index 18073ad19..ba8c67e4e 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -6138,7 +6138,8 @@ OVN_FOR_EACH_NORTHD_NO_HV([
> AT_SETUP([ovn -- gateway mtu check pkt larger flows])
> ovn_start
>
> -check ovn-sbctl chassis-add ch1 geneve 127.0.0.1
> +check ovn-sbctl chassis-add ch1 geneve 127.0.0.1 --\
> + set chassis ch1 other_config:ct-commit-nat-v2=true
>
> check ovn-nbctl ls-add sw0
> check ovn-nbctl ls-add sw1
> @@ -6183,10 +6184,14 @@ AT_CHECK([grep -e "chk_pkt_len" -e
> "lr_in_larger_pkts" lr0flows | sed 's/table=.
> table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;)
> table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport ==
> "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1514); next;)
> table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src =
> 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src =
> 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> ])
>
> AT_CHECK([grep -E "lr_in_admission.*check_pkt_larger" lr0flows | sort], [0],
> [dnl
> @@ -6201,6 +6206,10 @@ AT_CHECK([grep -E "lr_in_ip_input.*icmp6_error"
> lr0flows | sort], [0], [dnl
> table=3 (lr_in_ip_input ), priority=150 , match=(inport ==
> "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error
> {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst =
> ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /*
> Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> ])
>
> +AT_CHECK([grep -E "lr_out_post_snat.*ct_commit_nat" lr0flows | sed
> 's/table=../table=??/' | sort], [0], [dnl
> + table=??(lr_out_post_snat ), priority=100 , match=(icmp &&
> flags.icmp_snat == 1), action=(ct_commit_nat(snat);)
> +])
> +
> # Clear the gateway-chassis for lr0-public
> check ovn-nbctl --wait=sb clear logical_router_port lr0-public
> gateway_chassis
>
> @@ -6214,10 +6223,14 @@ AT_CHECK([grep -e "chk_pkt_len" -e
> "lr_in_larger_pkts" lr0flows | sed 's/table=.
> table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;)
> table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport ==
> "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1514); next;)
> table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src =
> 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src =
> 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> ])
>
> AT_CHECK([grep -E "lr_in_admission.*check_pkt_larger" lr0flows | sort], [0],
> [dnl
> @@ -6232,6 +6245,10 @@ AT_CHECK([grep -E "lr_in_ip_input.*icmp6_error"
> lr0flows | sort], [0], [dnl
> table=3 (lr_in_ip_input ), priority=150 , match=(inport ==
> "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error
> {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst =
> ip6.src; ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /*
> Packet Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> ])
>
> +AT_CHECK([grep -E "lr_out_post_snat.*ct_commit_nat" lr0flows | sed
> 's/table=../table=??/' | sort], [0], [dnl
> + table=??(lr_out_post_snat ), priority=100 , match=(icmp &&
> flags.icmp_snat == 1), action=(ct_commit_nat(snat);)
> +])
> +
> # Set gateway_mtu_bypass to avoid check_pkt_larger() for tcp on lr0-public.
> check ovn-nbctl --wait=sb set logical_router_port lr0-public
> options:gateway_mtu_bypass=tcp
>
> @@ -6243,10 +6260,14 @@ AT_CHECK([grep -e "chk_pkt_len" -e
> "lr_in_larger_pkts" lr0flows | sed 's/table=.
> table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport ==
> "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1514); next;)
> table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport ==
> "lr0-public" && (tcp)), action=(next;)
> table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src =
> 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src =
> 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> ])
>
> AT_CHECK([grep "lr_in_admission" lr0flows | grep -e "check_pkt_larger" -e
> "tcp" | sort], [0], [dnl
> @@ -6268,14 +6289,22 @@ AT_CHECK([grep -e "chk_pkt_len" -e
> "lr_in_larger_pkts" lr0flows | sed 's/table=.
> table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport ==
> "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1414); next;)
> table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport ==
> "lr0-public" && (tcp)), action=(next;)
> table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 &&
> ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1;
> reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src;
> ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination
> Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */
> icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 &&
> ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1;
> reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src;
> ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet
> Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress,
> table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src =
> 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src =
> 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src =
> 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> ])
>
> AT_CHECK([grep "lr_in_admission.*check_pkt_larger" lr0flows | sort], [0],
> [dnl
> @@ -6294,6 +6323,10 @@ AT_CHECK([grep -E "lr_in_ip_input.*icmp6_error"
> lr0flows | sort], [0], [dnl
> table=3 (lr_in_ip_input ), priority=150 , match=(inport == "lr0-sw0"
> && ip6 && reg9[[1]] && reg9[[0]] == 0), action=(icmp6_error {reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> ])
>
> +AT_CHECK([grep -E "lr_out_post_snat.*ct_commit_nat" lr0flows | sed
> 's/table=../table=??/' | sort], [0], [dnl
> + table=??(lr_out_post_snat ), priority=100 , match=(icmp &&
> flags.icmp_snat == 1), action=(ct_commit_nat(snat);)
> +])
> +
> # Set gateway_mtu_bypass to avoid check_pkt_larger() for tcp on lr0-sw0.
> check ovn-nbctl --wait=sb set logical_router_port lr0-sw0
> options:gateway_mtu_bypass=tcp
>
> @@ -6307,14 +6340,22 @@ AT_CHECK([grep -e "chk_pkt_len" -e
> "lr_in_larger_pkts" lr0flows | sed 's/table=.
> table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport ==
> "lr0-public" && (tcp)), action=(next;)
> table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-sw0"
> && (tcp)), action=(next;)
> table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 &&
> ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1;
> reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src;
> ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination
> Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */
> icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 &&
> ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1;
> reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src;
> ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet
> Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress,
> table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip4.dst = ip4.src; ip4.src =
> 10.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw0"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:01; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff01; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src =
> 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1500;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-public" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1500; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src =
> 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> ])
>
> AT_CHECK([grep "lr_in_admission" lr0flows | grep -e "check_pkt_larger" -e
> "tcp" | sort], [0], [dnl
> @@ -6333,16 +6374,19 @@ check ovn-nbctl --wait=sb clear logical_router_port
> lr0-public options
> ovn-sbctl dump-flows lr0 > lr0flows
> AT_CAPTURE_FILE([lr0flows])
>
> -grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed
> 's/table=../table=??/' | sort
> AT_CHECK([grep -e "chk_pkt_len" -e "lr_in_larger_pkts" lr0flows | sed
> 's/table=../table=??/' | sort], [0], [dnl
> table=??(lr_in_chk_pkt_len ), priority=0 , match=(1), action=(next;)
> table=??(lr_in_chk_pkt_len ), priority=50 , match=(outport ==
> "lr0-sw0"), action=(reg9[[1]] = check_pkt_larger(1414); next;)
> table=??(lr_in_chk_pkt_len ), priority=55 , match=(outport == "lr0-sw0"
> && (tcp)), action=(next;)
> table=??(lr_in_larger_pkts ), priority=0 , match=(1), action=(next;)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 10.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> - table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff01;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip4.dst = ip4.src; ip4.src = 172.168.0.100; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:20:20:12:13; ip6.dst = ip6.src; ip6.src = fe80::200:20ff:fe20:1213;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp4_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src = 20.0.0.1; ip.ttl = 255;
> icmp4.type = 3; /* Destination Unreachable. */ icmp4.code = 4; /* Frag Needed
> and DF was Set. */ icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=150 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0),
> action=(icmp6_error {reg9[[0]] = 1; reg9[[1]] = 0; eth.dst =
> 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src = fe80::200:ff:fe00:ff02;
> ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */ icmp6.code = 0;
> icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 &&
> ct.trk && ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1;
> reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip4.dst = ip4.src;
> ip4.src = 172.168.0.100; ip.ttl = 255; icmp4.type = 3; /* Destination
> Unreachable. */ icmp4.code = 4; /* Frag Needed and DF was Set. */
> icmp4.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport ==
> "lr0-public" && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 &&
> ct.trk && ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1;
> reg9[[0]] = 1; reg9[[1]] = 0; eth.dst = 00:00:20:20:12:13; ip6.dst = ip6.src;
> ip6.src = fe80::200:20ff:fe20:1213; ip.ttl = 255; icmp6.type = 2; /* Packet
> Too Big. */ icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress,
> table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip4 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp4_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip4.dst = ip4.src; ip4.src =
> 20.0.0.1; ip.ttl = 255; icmp4.type = 3; /* Destination Unreachable. */
> icmp4.code = 4; /* Frag Needed and DF was Set. */ icmp4.frag_mtu = 1400;
> next(pipeline=ingress, table=0); };)
> + table=??(lr_in_larger_pkts ), priority=160 , match=(inport == "lr0-sw1"
> && outport == "lr0-sw0" && ip6 && reg9[[1]] && reg9[[0]] == 0 && ct.trk &&
> ct.rpl && ct.dnat), action=(icmp6_error {flags.icmp_snat = 1; reg9[[0]] = 1;
> reg9[[1]] = 0; eth.dst = 00:00:00:00:ff:02; ip6.dst = ip6.src; ip6.src =
> fe80::200:ff:fe00:ff02; ip.ttl = 255; icmp6.type = 2; /* Packet Too Big. */
> icmp6.code = 0; icmp6.frag_mtu = 1400; next(pipeline=ingress, table=0); };)
> ])
>
> check ovn-nbctl --wait=sb clear logical_router_port lr0-sw0 options
> @@ -6375,6 +6419,12 @@ AT_CHECK([grep "lr_in_admission" lr0flows | grep -e
> "check_pkt_larger" | sort],
> table=0 (lr_in_admission ), priority=50 , match=(eth.mcast && inport
> == "lr0-public"), action=(reg9[[1]] = check_pkt_larger(1518); xreg0[[0..47]]
> = 00:00:20:20:12:13; next;)
> ])
>
> +check ovn-sbctl set chassis ch1 other_config:ct-commit-nat-v2=false
> +check ovn-nbctl --wait=sb sync
> +
> +ovn-sbctl dump-flows lr0 > lr0flows
> +AT_CHECK([grep -E "lr_out_post_snat.*ct_commit_nat" lr0flows], [1])
> +
> AT_CLEANUP
> ])
>
> diff --git a/tests/ovn.at b/tests/ovn.at
> index d362b4c56..2411c653e 100644
> --- a/tests/ovn.at
> +++ b/tests/ovn.at
> @@ -20601,12 +20601,12 @@ test_ip_packet_larger() {
> expected=${expected}0000000000000000000000000000
> echo $expected > br_phys_n1.expected
> else
> - src_ip=`ip_to_hex 172.168.0.100`
> + src_ip=`ip_to_hex 10 0 0 1`
> dst_ip=`ip_to_hex 10 0 0 3`
> # pkt len should be 146 (28 (icmp packet) + 118 (orig ip + payload))
> reply_pkt_len=008e
> ip_csum=fc97
> -
> icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe01c55f
> +
> icmp_reply=${src_mac}${dst_mac}08004500${reply_pkt_len}00004000fe01686b
> icmp_reply=${icmp_reply}${src_ip}${dst_ip}0304${ip_csum}0000$(printf
> "%04x" $mtu)
> icmp_reply=${icmp_reply}4500${pkt_len}000000003f01c4dd
> icmp_reply=${icmp_reply}${orig_packet_l3}
> @@ -20698,7 +20698,7 @@ test_ip6_packet_larger() {
>
> local ipv6_src=10000000000000000000000000000003
> local ipv6_dst=20000000000000000000000000000002
> - local ipv6_rt=20000000000000000000000000000001
> + local ipv6_rt=10000000000000000000000000000001
>
> local payload=0000000000000000000000000000000000000000
> local payload=${payload}0000000000000000000000000000000000000000
> diff --git a/tests/system-ovn-kmod.at b/tests/system-ovn-kmod.at
> index 88c72edcd..2341bb387 100644
> --- a/tests/system-ovn-kmod.at
> +++ b/tests/system-ovn-kmod.at
> @@ -977,7 +977,7 @@ dnl check ovn-nbctl lr-lb-add lr lb1
> check ovn-nbctl set logical_router lr options:chassis=hv1
> check ovn-nbctl set logical_router_port lr-internal options:gateway_mtu=800
>
> -check ovn-nbctl lr-nat-add lr snat 192.168.1.1 172.16.1.2/24
> +check ovn-nbctl lr-nat-add lr snat 192.168.1.1 172.16.1.2
>
> check ovn-nbctl --wait=hv sync
>
> @@ -1032,6 +1032,7 @@ NS_CHECK_EXEC([client], [$PYTHON3 ./client.py])
>
> dnl Expecting 2 outgoing packets and 2 fragments back - 8 lines total.
> OVS_WAIT_UNTIL([test "$(cat client.tcpdump | wc -l)" = "8"])
> +AT_CHECK([test $(grep -c "need to frag (mtu 800)" server.tcpdump) -eq 1])
>
> ovn-appctl -t ovn-controller vlog/set info
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
