On Friday, November 4, 2016 12:59:57 PM AST Raymond Burkholder wrote:
> I am following the tutorial at
> http://blog.spinhirne.com/2016/09/an-introduction-to-ovn-routing.html
> 
> I have implemented tenant1, dmz, inside, vm1, and vm2.
> 
> Vm1 can ping vm2.
> 
> ===========
> But shouldn't vm1 and vm2 be able to successfully ping the tenant1 gateway
> (tenant1-dmz) of 172.16.255.129?
> ===========

basic topology:  vm1(172.16.255.131/26) -> sw1 -> r1(172.16.255.129/26)

I have reduced the config down to the bare necessities, have stepped 
through the flow tables, and have found that a ping from vm1 to r1 gets dropped 
because there is no continuing flow rule in table 28.  What should be in 
table 28?  And what computes it?  How is it computed?

So should the metadata be changed and recycled through the tables again so 
that it hits the icmp rule in table 17?

The follow-on question is that there appear to be flow rules missing which 
would allow r1 to route between different segments, which also doesn't seem 
to work.

My conclusion is that, without going back to previous versions: has 
something been broken in the logical router, or is there something missing in 
my configuration, or is it a problem elsewhere?

In addition, when performing (ovn-sbctl lflow-list), there is no rule in the 
sw1 ingress path which includes the router r1 for regular ipv4 traffic.

vagrant# ovn-nbctl show
    switch f2d5eea9-ea11-429b-8c52-de5c28785ef4 (sw1)
        port sw1-r1
            addresses: ["00:00:00:00:01:30"]
        port sw1-vm1
            addresses: ["00:00:00:00:01:31 172.16.255.131/26"]
    router e5e9d30c-f719-46b8-9c53-2580e316eea2 (r1)
        port r1-sw1
            mac: "00:00:00:00:01:29"
            networks: ["172.16.255.129/26"]



vagrant# ovs-ofctl -O OpenFlow13 dump-flows br-int table=0
OFPST_FLOW reply (OF1.3) (xid=0x2):
....
 cookie=0x0, duration=953.588s, table=0, n_packets=1031, n_bytes=95742, priority=100,in_port=3 actions=set_field:0x1->reg13,set_field:0x2->metadata,set_field:0x2->reg14,resubmit(,16)


vagrant# ovs-ofctl -O OpenFlow13 dump-flows br-int table=16
 cookie=0x0, duration=1073.554s, table=16, n_packets=1160, n_bytes=107712, priority=50,reg14=0x2,metadata=0x2,dl_src=00:00:00:00:01:31 actions=resubmit(,17)

ovs-ofctl -O OpenFlow13 dump-flows br-int table=17
 cookie=0x0, duration=1109.516s, table=17, n_packets=1073, n_bytes=105154, priority=90,ip,reg14=0x2,metadata=0x2,dl_src=00:00:00:00:01:31,nw_src=172.16.255.131 actions=resubmit(,18)

ovs-ofctl -O OpenFlow13 dump-flows br-int table=18
 cookie=0x0, duration=1133.152s, table=18, n_packets=1128, n_bytes=109352, priority=0,metadata=0x2 actions=resubmit(,19)

ovs-ofctl -O OpenFlow13 dump-flows br-int table=19
 cookie=0x0, duration=1154.946s, table=19, n_packets=1266, n_bytes=116324, priority=0,metadata=0x2 actions=resubmit(,20)

.....  steps through a bunch more tables with increasing packet counter for 
the ping ....   then we hit table 27:

ovs-ofctl -O OpenFlow13 dump-flows br-int table=27
 cookie=0x0, duration=1210.993s, table=27, n_packets=1324, n_bytes=121240, priority=0,metadata=0x2 actions=resubmit(,28)


........  which submits to 28  .... when we take a look into 28, there is no 
applicable rule, so the packet is implicitly dropped .....

vagrant# ovs-ofctl -O OpenFlow13 dump-flows br-int table=28
OFPST_FLOW reply (OF1.3) (xid=0x2):
 cookie=0x0, duration=1223.562s, table=28, n_packets=31, n_bytes=1302, priority=100,metadata=0x2,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=set_field:0xffff->reg15,resubmit(,32)
 cookie=0x0, duration=1223.562s, table=28, n_packets=0, n_bytes=0, priority=50,metadata=0x2,dl_dst=00:00:00:00:01:30 actions=set_field:0x1->reg15,resubmit(,32)
 cookie=0x0, duration=1223.562s, table=28, n_packets=31, n_bytes=1302, priority=50,metadata=0x2,dl_dst=00:00:00:00:01:31 actions=set_field:0x2->reg15,resubmit(,32)
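To make the "stepping through flow tables" above repeatable rather than a manual read of each dump, here is a small flow walker. It is added example code, not part of the original post and not an OVN or OVS tool: it parses `ovs-ofctl dump-flows` lines, picks the highest-priority matching flow in a table, and follows `resubmit(,N)` hops until a table matches nothing, which is the implicit OpenFlow drop described above. The sample input is constructed from the table 27 and table 28 flows quoted in the post (re-joined onto one line each); the packet fields (`metadata`, `dl_dst`) are constructed by hand. Run with the three MACs visible in `ovn-nbctl show` above, it reports that `00:00:00:00:01:30` and `00:00:00:00:01:31` leave table 28 towards table 32, while the router port MAC `00:00:00:00:01:29` has no entry in table 28 and falls through. Which MAC the ping actually carries is something to confirm with a capture on the vm1 port; substitute it into the packet dict.

```python
import re

# Constructed sample input: the table=27 default flow and the three table=28
# flows quoted above, re-joined onto one line each as ovs-ofctl prints them.
SAMPLE_FLOWS = """\
 cookie=0x0, duration=1210.993s, table=27, n_packets=1324, n_bytes=121240, priority=0,metadata=0x2 actions=resubmit(,28)
 cookie=0x0, duration=1223.562s, table=28, n_packets=31, n_bytes=1302, priority=100,metadata=0x2,dl_dst=01:00:00:00:00:00/01:00:00:00:00:00 actions=set_field:0xffff->reg15,resubmit(,32)
 cookie=0x0, duration=1223.562s, table=28, n_packets=0, n_bytes=0, priority=50,metadata=0x2,dl_dst=00:00:00:00:01:30 actions=set_field:0x1->reg15,resubmit(,32)
 cookie=0x0, duration=1223.562s, table=28, n_packets=31, n_bytes=1302, priority=50,metadata=0x2,dl_dst=00:00:00:00:01:31 actions=set_field:0x2->reg15,resubmit(,32)
"""

# Fields ovs-ofctl prints that are statistics or bookkeeping, not match criteria.
_NON_MATCH = {"cookie", "duration", "n_packets", "n_bytes", "idle_age", "hard_age"}


def parse_flows(text):
    """Parse `ovs-ofctl dump-flows` lines into dicts: table, priority, match, actions."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("cookie="):
            continue                                   # skip the OFPST_FLOW header etc.
        match_part, actions = line.split(" actions=", 1)
        fields = {}
        for item in match_part.split(","):
            item = item.strip()
            if item:
                key, _, value = item.partition("=")    # bare keyword (e.g. "ip") -> ""
                fields[key] = value
        flows.append({
            "table": int(fields.pop("table")),
            "priority": int(fields.pop("priority", "32768")),  # OpenFlow default
            "match": {k: v for k, v in fields.items() if k not in _NON_MATCH},
            "actions": actions,
        })
    return flows


def _mac_to_int(mac):
    return int(mac.replace(":", ""), 16)


def field_matches(key, pattern, packet):
    """Does one match field accept the packet? Handles MAC value/mask pairs,
    numeric fields in hex or decimal, and bare protocol keywords such as `ip`."""
    if pattern == "":
        return bool(packet.get(key))
    if key not in packet:
        return False
    if key in ("dl_dst", "dl_src"):
        value, _, mask = pattern.partition("/")
        m = _mac_to_int(mask) if mask else 0xFFFFFFFFFFFF
        return (_mac_to_int(packet[key]) & m) == (_mac_to_int(value) & m)
    try:
        return int(pattern, 0) == int(packet[key], 0)
    except ValueError:
        return pattern == packet[key]


def lookup(flows, table, packet):
    """Highest-priority flow in `table` matching `packet`, or None when nothing
    matches (OpenFlow then drops the packet silently, as seen in table 28)."""
    hits = [f for f in flows if f["table"] == table
            and all(field_matches(k, v, packet) for k, v in f["match"].items())]
    return max(hits, key=lambda f: f["priority"]) if hits else None


def trace(flows, start_table, packet):
    """Follow resubmit(,N) hops from start_table. Returns (path, drop_table):
    drop_table is the table in which the packet matched nothing, or None if the
    trace ended in a non-resubmit action or left the tables in the capture."""
    captured = {f["table"] for f in flows}
    path, table = [], start_table
    while table in captured and table not in path:
        path.append(table)
        flow = lookup(flows, table, packet)
        if flow is None:
            return path, table
        hop = re.search(r"resubmit\(,(\d+)\)", flow["actions"])
        if hop is None:
            return path, None
        table = int(hop.group(1))
    return path, None


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for mac in ("00:00:00:00:01:29", "00:00:00:00:01:30", "00:00:00:00:01:31"):
        path, dropped = trace(flows, 27, {"metadata": "0x2", "dl_dst": mac})
        outcome = (f"implicit drop in table {dropped}" if dropped is not None
                   else "continues past the captured tables")
        print(f"dl_dst={mac}: path {path} -> {outcome}")
```

To use it on a live bridge, feed the full output of `ovs-ofctl -O OpenFlow13 dump-flows br-int` to `parse_flows` and start the trace at table 0 with `in_port` in the packet dict; the walker only understands equality, MAC masks and resubmit, so flows with `ct`, `set_field`-dependent matches or `goto_table` need the real `ofproto/trace` from `ovs-appctl`.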



To recreate my configuration:


LOCALIP=10.0.0.1

# logical router r1 with one port on the 172.16.255.128/26 segment
ovn-nbctl lr-add r1
ovn-nbctl lrp-add r1 r1-sw1 00:00:00:00:01:29 172.16.255.129/26

# logical switch sw1 and its router-type port pointing at r1-sw1
ovn-nbctl ls-add sw1

ovn-nbctl lsp-add sw1 sw1-r1
ovn-nbctl lsp-set-type sw1-r1 router
ovn-nbctl lsp-set-addresses sw1-r1 00:00:00:00:01:30
ovn-nbctl lsp-set-options sw1-r1 router-port=r1-sw1

# VM port with its MAC/IP binding and matching port security
ovn-nbctl lsp-add sw1           sw1-vm1
ovn-nbctl lsp-set-addresses     sw1-vm1 "00:00:00:00:01:31 172.16.255.131/26"
ovn-nbctl lsp-set-port-security sw1-vm1 "00:00:00:00:01:31 172.16.255.131/26"

# DHCP options for the segment, served from the router address
sw1Dhcp="$(ovn-nbctl create DHCP_Options cidr=172.16.255.128/26 \
  options="\"server_id\"=\"172.16.255.129\" \"server_mac\"=\"00:00:00:00:01:29\" \
  \"lease_time\"=\"3600\" \"router\"=\"172.16.255.129\"")"
ovn-nbctl lsp-set-dhcpv4-options sw1-vm1 $sw1Dhcp

# local chassis: integration bridge and ovn-controller settings
ovs-vsctl add-br br-int -- set Bridge br-int fail-mode=secure
ovs-vsctl set open . external-ids:ovn-remote=tcp:127.0.0.1:6642
ovs-vsctl set open . external-ids:ovn-encap-type=geneve
ovs-vsctl set open . external-ids:ovn-encap-ip=${LOCALIP}

# "vm1" is a network namespace attached to an internal OVS port
ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal

ip netns add vm1
ip netns exec vm1 ip link set dev lo up
ip link set vm1 netns vm1
ip netns exec vm1 ip link set vm1 address 00:00:00:00:01:31
ip netns exec vm1 ip link set up dev vm1

# bind the OVS interface to the logical port sw1-vm1
ovs-vsctl set Interface vm1 external_ids:iface-id=sw1-vm1

ip netns exec vm1 dhclient vm1
ip netns exec vm1 ip addr show vm1
ip netns exec vm1 ip route show



ovs-vsctl show
f1500484-f1eb-42ee-a5b4-be3627ed6ce8
    Bridge br-int
        fail_mode: secure
        Port br-int
            Interface br-int
                type: internal
        Port "patch-r1-sw1-to-sw1-r1"
            Interface "patch-r1-sw1-to-sw1-r1"
                type: patch
                options: {peer="patch-sw1-r1-to-r1-sw1"}
        Port "vm1"
            Interface "vm1"
                type: internal
        Port "patch-sw1-r1-to-r1-sw1"
            Interface "patch-sw1-r1-to-r1-sw1"
                type: patch
                options: {peer="patch-r1-sw1-to-sw1-r1"}
    ovs_version: "2.6.1"


vagrant# ovn-sbctl list port_binding
_uuid               : d87a6244-f87b-4501-aa16-f653c7316f7c
chassis             : 4b737b2f-c8ad-4a19-9c8f-4e83074a0414
datapath            : 64ff439c-8bd4-45bb-819d-76fa13c3d3ff
logical_port        : "sw1-vm1"
mac                 : ["00:00:00:00:01:31 172.16.255.131/26"]
options             : {}
parent_port         : []
tag                 : []
tunnel_key          : 2
type                : ""

_uuid               : 4671c58a-945d-40b4-966a-12fdf79876fe
chassis             : []
datapath            : a3e00f87-a934-46b1-b937-5dcac002ddc0
logical_port        : "r1-sw1"
mac                 : []
options             : {peer="sw1-r1"}
parent_port         : []
tag                 : []
tunnel_key          : 1
type                : patch

_uuid               : 26f1416b-a87b-499f-a76d-a338258591b9
chassis             : []
datapath            : 64ff439c-8bd4-45bb-819d-76fa13c3d3ff
logical_port        : "sw1-r1"
mac                 : ["00:00:00:00:01:30"]
options             : {peer="r1-sw1"}
parent_port         : []
tag                 : []
tunnel_key          : 1
type                : patch


vagrant# ovn-sbctl list datapath_binding
_uuid               : 64ff439c-8bd4-45bb-819d-76fa13c3d3ff
external_ids        : {logical-switch="f2d5eea9-ea11-429b-8c52-de5c28785ef4", name="sw1"}
tunnel_key          : 2

_uuid               : a3e00f87-a934-46b1-b937-5dcac002ddc0
external_ids        : {logical-router="e5e9d30c-f719-46b8-9c53-2580e316eea2", name="r1"}
tunnel_key          : 1

vagrant# ovn-sbctl lflow-list
Datapath: "sw1" (64ff439c-8bd4-45bb-819d-76fa13c3d3ff)  Pipeline: ingress
  table=0 (ls_in_port_sec_l2  ), priority=100  , match=(eth.src[40]), action=(drop;)
  table=0 (ls_in_port_sec_l2  ), priority=100  , match=(vlan.present), action=(drop;)
  table=0 (ls_in_port_sec_l2  ), priority=50   , match=(inport == "sw1-r1"), action=(next;)
  table=0 (ls_in_port_sec_l2  ), priority=50   , match=(inport == "sw1-vm1" && eth.src == {00:00:00:00:01:31}), action=(next;)
  table=1 (ls_in_port_sec_ip  ), priority=90   , match=(inport == "sw1-vm1" && eth.src == 00:00:00:00:01:31 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(next;)
  table=1 (ls_in_port_sec_ip  ), priority=90   , match=(inport == "sw1-vm1" && eth.src == 00:00:00:00:01:31 && ip4.src == {172.16.255.131}), action=(next;)
  table=1 (ls_in_port_sec_ip  ), priority=80   , match=(inport == "sw1-vm1" && eth.src == 00:00:00:00:01:31 && ip), action=(drop;)
  table=1 (ls_in_port_sec_ip  ), priority=0    , match=(1), action=(next;)
  table=2 (ls_in_port_sec_nd  ), priority=90   , match=(inport == "sw1-vm1" && eth.src == 00:00:00:00:01:31 && arp.sha == 00:00:00:00:01:31 && arp.spa == {172.16.255.131}), action=(next;)
  table=2 (ls_in_port_sec_nd  ), priority=80   , match=(inport == "sw1-vm1" && (arp || nd)), action=(drop;)
  table=2 (ls_in_port_sec_nd  ), priority=0    , match=(1), action=(next;)
  table=3 (ls_in_pre_acl      ), priority=0    , match=(1), action=(next;)
  table=4 (ls_in_pre_lb       ), priority=0    , match=(1), action=(next;)
  table=5 (ls_in_pre_stateful ), priority=100  , match=(reg0[0] == 1), action=(ct_next;)
  table=5 (ls_in_pre_stateful ), priority=0    , match=(1), action=(next;)
  table=6 (ls_in_acl          ), priority=0    , match=(1), action=(next;)
  table=7 (ls_in_lb           ), priority=0    , match=(1), action=(next;)
  table=8 (ls_in_stateful     ), priority=100  , match=(reg0[1] == 1), action=(ct_commit(ct_label=0/1); next;)
  table=8 (ls_in_stateful     ), priority=100  , match=(reg0[2] == 1), action=(ct_lb;)
  table=8 (ls_in_stateful     ), priority=0    , match=(1), action=(next;)
  table=9 (ls_in_arp_rsp      ), priority=100  , match=(arp.tpa == 172.16.255.131 && arp.op == 1 && inport == "sw1-vm1"), action=(next;)
  table=9 (ls_in_arp_rsp      ), priority=50   , match=(arp.tpa == 172.16.255.131 && arp.op == 1), action=(eth.dst = eth.src; eth.src = 00:00:00:00:01:31; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = 00:00:00:00:01:31; arp.tpa = arp.spa; arp.spa = 172.16.255.131; outport = inport; flags.loopback = 1; output;)
  table=9 (ls_in_arp_rsp      ), priority=0    , match=(1), action=(next;)
  table=10(ls_in_dhcp_options ), priority=100  , match=(inport == "sw1-vm1" && eth.src == 00:00:00:00:01:31 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67), action=(reg0[3] = put_dhcp_opts(offerip = 172.16.255.131, netmask = 255.255.255.192, router = 172.16.255.129, server_id = 172.16.255.129, lease_time = 3600); next;)
  table=10(ls_in_dhcp_options ), priority=0    , match=(1), action=(next;)
  table=11(ls_in_dhcp_response), priority=100  , match=(inport == "sw1-vm1" && eth.src == 00:00:00:00:01:31 && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67 && reg0[3]), action=(eth.dst = eth.src; eth.src = 00:00:00:00:01:29; ip4.dst = 172.16.255.131; ip4.src = 172.16.255.129; udp.src = 67; udp.dst = 68; outport = inport; flags.loopback = 1; output;)
  table=11(ls_in_dhcp_response), priority=0    , match=(1), action=(next;)
  table=12(ls_in_l2_lkup      ), priority=100  , match=(eth.mcast), action=(outport = "_MC_flood"; output;)
  table=12(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:30), action=(outport = "sw1-r1"; output;)
  table=12(ls_in_l2_lkup      ), priority=50   , match=(eth.dst == 00:00:00:00:01:31), action=(outport = "sw1-vm1"; output;)



_______________________________________________
discuss mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
