Hi, I have found a problem related to OpenvSwitch 2.5.x versions. However, the issue does not appear in the 2.7.x series.
When using VXLAN and/or GRE tunneling ports at the bridge, the incoming packets are not processed by the switch if their skb has been previously marked with a value != 0. The mark can be set with iptables in any of the traversed chains. I have created a topology to reproduce the issue; it uses network namespaces and 2 bridges connected with VXLAN tunneling via the loopback interface. If the MARKing rule is removed from the iptables, the communication resumes successfully.

Steps to reproduce:

```
## Create supporting virtual network setup
sudo ip netns add ns0
sudo ip netns add ns1
sudo ip link add test0 type veth peer name test0s
sudo ip link add test1 type veth peer name test1s
sudo ip link set dev test0 netns ns0
sudo ip link set dev test1 netns ns1
sudo ip netns exec ns0 ip link set dev lo up
sudo ip netns exec ns0 ip link set dev test0 up
sudo ip netns exec ns0 ip address add dev test0 1.1.1.1/24
sudo ip netns exec ns1 ip link set dev lo up
sudo ip netns exec ns1 ip link set dev test1 up
sudo ip netns exec ns1 ip address add dev test1 1.1.1.2/24

## Create OVS bridges
sudo ovs-vsctl add-br br0
sudo ovs-vsctl add-br br1
sudo ovs-vsctl add-port br0 test0s
sudo ovs-vsctl add-port br1 test1s
sudo ip link set dev test0s up
sudo ip link set dev test1s up

## Create 2 OVS tunnel ports, and assign OpenFlow port 100
sudo ovs-vsctl del-port br0 tun0
sudo ovs-vsctl del-port br1 tun1
sudo ovs-vsctl add-port br0 tun0 -- set interface tun0 ofport_request=100 -- set interface tun0 type=vxlan options:key=flow options:remote_ip=127.0.0.2 options:local_ip=127.0.0.1
sudo ovs-vsctl add-port br1 tun1 -- set interface tun1 ofport_request=100 -- set interface tun1 type=vxlan options:key=flow options:remote_ip=127.0.0.1 options:local_ip=127.0.0.2

## Add marking rule to iptables
sudo iptables -t mangle -A OUTPUT -p udp --dport 4789 -d 127.0.0.2 -j MARK --set-mark 0xabcdef
### When this rule matches it indicates the skb is not scrubbed when forwarding via loopback
sudo iptables -t mangle -A PREROUTING -p udp --dport 4789 -d 127.0.0.2 -m mark --mark 0xabcdef

# Ping from ns0 to ns1 - This fails unless the MARKing rule is removed
sudo ip netns exec ns0 ping 1.1.1.2
```

Please let me know if you need further information!

Best,
Jesus
_______________________________________________ discuss mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-discuss
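The report above ties the dropped tunnel traffic to a non-zero fwmark set on the VXLAN packets before they reach the OVS port. The following added example (not part of the original post, and not Open vSwitch's own tooling) is a POSIX sh check that scans an `iptables-save` dump for mangle-table rules that set a non-zero mark on VXLAN (UDP port 4789) or GRE traffic, so an operator running OVS 2.5.x can spot the triggering condition without reproducing the whole topology. It assumes the standard `iptables-save` line format, that GRE rules render as `-p gre` or `-p 47`, and that marks appear as `--set-mark` or `--set-xmark` with an optional `/mask` suffix; the sample dump is constructed for the demonstration.

```shell
#!/bin/sh
# Added example: find mangle rules that set a non-zero fwmark on VXLAN or
# GRE tunnel traffic, the condition the report says makes OVS 2.5.x drop
# incoming tunnel packets. Input is text in iptables-save format.

# find_tunnel_mark_rules DUMP
#   Prints every matching rule line from DUMP.
#   Returns 0 when at least one such rule exists, 1 when none does.
find_tunnel_mark_rules() {
    printf '%s\n' "$1" | awk '
        /^\*/             { table = substr($0, 2) }   # "*mangle" -> current table
        table != "mangle" { next }                    # MARK only matters in mangle here
        /-j MARK/ && /--set-(x)?mark/ {
            # Pull the value that follows --set-mark / --set-xmark.
            mark = ""
            for (i = 1; i <= NF; i++)
                if ($i == "--set-mark" || $i == "--set-xmark") mark = $(i + 1)
            sub(/\/.*/, "", mark)                     # drop optional /mask
            m = mark; sub(/^0[xX]/, "", m)
            if (m ~ /^0*$/) next                      # a zero mark is harmless
            # VXLAN is UDP 4789 (assumption: default port); GRE is -p gre or -p 47.
            if (($0 ~ /-p udp/ && $0 ~ /--dport 4789/) || $0 ~ /-p (gre|47)( |$)/) {
                print
                found = 1
            }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample dump: one VXLAN mark rule and one GRE mark rule that
# should be flagged, a zero-mark VXLAN rule and a TCP rule that should not.
SAMPLE_DUMP='*mangle
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A OUTPUT -d 127.0.0.2/32 -p udp -m udp --dport 4789 -j MARK --set-xmark 0xabcdef/0xffffffff
-A OUTPUT -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x1/0xffffffff
-A PREROUTING -p udp -m udp --dport 4789 -j MARK --set-xmark 0x0/0xffffffff
-A PREROUTING -p gre -j MARK --set-xmark 0x2/0xffffffff
COMMIT
*filter
:INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 4789 -j ACCEPT
COMMIT'

# Constructed clean dump: marks exist, but none touch tunnel traffic.
CLEAN_DUMP='*mangle
:OUTPUT ACCEPT [0:0]
-A OUTPUT -p tcp -m tcp --dport 443 -j MARK --set-xmark 0x1/0xffffffff
COMMIT'

# Stand-alone usage: pipe a live ruleset in with
#   find_tunnel_mark_rules "$(sudo iptables-save)"
# Here we run it over the constructed sample instead.
if find_tunnel_mark_rules "$SAMPLE_DUMP"; then
    echo "tunnel traffic is being marked; OVS 2.5.x may drop it"
else
    echo "no tunnel-marking rules found"
fi
```

The function restricts itself to the mangle table because that is where the report's rule lives; a ruleset that marks the encapsulated inner traffic elsewhere is a separate question. A hit means the packets arriving at the OVS tunnel port carry a mark, which is exactly the state the reporter observed breaking forwarding on 2.5.x.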
