Public bug reported:

[ Versions of Software ]

OS: jammy (22.04)
Openstack: yoga
openvswitch: 3.3.4
dpdk: 23.11.4
ovn: 22.03.3

[ Test Scenario ]

1. Create 2 instances in openstack on 2 different hypervisors
2. Create a security group similar to something below

```
$ openstack security group rule list 9c9f4cce-8f61-4f9a-b542-776fb6d55099 --long
+--------------------------------------+-------------+-----------+------------+-----------+-----------+-----------------------+
| ID                                   | IP Protocol | IP Range  | Port Range | Direction | Ethertype | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------+-----------+-----------------------+
| dda781f2-1517-44d7-91fe-ad095bd194c9 | udp         | 0.0.0.0/0 | 9080:9080  | ingress   | IPv4      | None                  |
| eb7da79a-efd4-40d0-a0f6-21df88955185 | None        | None      |            | egress    | IPv4      | None                  |
| 04c41dab-cf56-4aba-9082-6048a333fb62 | None        | None      |            | egress    | IPv6      | None                  |
+--------------------------------------+-------------+-----------+------------+-----------+-----------+-----------------------+
```

3. Add the security group to the second instance
4. Create a scapy script similar to the contents in the attached file udp_pkt_gen.py
5. Update the script to reflect the source IP/port and destination IP/port
6. Run the script on the source host
7. Monitor the tcpdump on the second host or the virtual interface on the hypervisor

```
tcpdump -i <interface> not arp
```

8. Now add an all-encompassing rule, and remove the security group for port 9080

```
openstack security group rule create --ethertype IPv4 --protocol UDP --ingress 9c9f4cce-8f61-4f9a-b542-776fb6d55099
```

9. Now you will see the packets coming through

Looking through the OpenFlow tables in ovs, we see the following for just port 9080

```
cookie=0xd5b295, duration=1754.469s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x80/0x80,reg15=0x3,metadata=0x11,tp_dst=9080 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xd5b295, duration=1754.469s, table=44, n_packets=1686, n_bytes=709806, priority=2002,udp,reg0=0x80/0x80,reg15=0x6,metadata=0x11,tp_dst=9080 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0x7933a8de, duration=1754.469s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x100/0x100,reg15=0x6,metadata=0x11,tp_dst=9080 actions=resubmit(,45)
cookie=0x7933a8de, duration=1754.469s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x100/0x100,reg15=0x3,metadata=0x11,tp_dst=9080 actions=resubmit(,45)
```

Now if you remove the port-specific security group and add the all-encompassing UDP port rule, you will get the following rules in OpenFlow, and this is where we do get the packets through

```
cookie=0x2e62bb04, duration=82.161s, table=44, n_packets=246, n_bytes=202868, priority=2002,udp,reg0=0x80/0x80,reg15=0x6,metadata=0x11 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0x2e62bb04, duration=82.161s, table=44, n_packets=146, n_bytes=146949, priority=2002,udp,reg0=0x80/0x80,reg15=0x3,metadata=0x11 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xf0c033d8, duration=82.161s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x100/0x100,reg15=0x6,metadata=0x11 actions=resubmit(,45)
cookie=0xf0c033d8, duration=82.161s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x100/0x100,reg15=0x3,metadata=0x11 actions=resubmit(,45)
```

As an added item to test, we also tried to add the following rule to the port-only rule, to allow fragmented packets, but this would allow all packets no matter what the port was, so this was not the right route for this.

```
ovs-ofctl -O OpenFlow13 add-flow br-int "table=44,priority=2005,ip,nw_frag=yes,reg0=0x200/0x200,reg15=0x3,metadata=0x11,actions=resubmit(,45)"
```

[ Things to look at ]

https://issues.redhat.com/browse/FDP-1175
This issue was already solved in the latest commits, and the version we were using has this change in 3.3.4

https://issues.redhat.com/browse/FDP-684
Although this issue suggests packets on fragments, the codebase seems to only touch the LB functions.

** Affects: ovn (Ubuntu)
     Importance: Undecided
         Status: New

** Attachment added: "udp_pkt_gen.py"
   https://bugs.launchpad.net/bugs/2115795/+attachment/5887409/+files/udp_pkt_gen.py

https://bugs.launchpad.net/bugs/2115795

Title:
  UDP fragmented packets not passing through in DPDK when destination port is defined
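
To compare the two table=44 dumps in the report field by field, the following added example (not part of the original report) parses flow-dump lines and lists, per flow, the reg15 value, any L4 port fields in the match, and the packet counter. The sample lines are copied from the report; the function and constant names are hypothetical.

```python
import re

# Two flow lines from each dump in the report, copied verbatim.
PORT_RULE_DUMP = """\
cookie=0xd5b295, duration=1754.469s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x80/0x80,reg15=0x3,metadata=0x11,tp_dst=9080 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xd5b295, duration=1754.469s, table=44, n_packets=1686, n_bytes=709806, priority=2002,udp,reg0=0x80/0x80,reg15=0x6,metadata=0x11,tp_dst=9080 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
"""
ANY_UDP_DUMP = """\
cookie=0x2e62bb04, duration=82.161s, table=44, n_packets=246, n_bytes=202868, priority=2002,udp,reg0=0x80/0x80,reg15=0x6,metadata=0x11 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0x2e62bb04, duration=82.161s, table=44, n_packets=146, n_bytes=146949, priority=2002,udp,reg0=0x80/0x80,reg15=0x3,metadata=0x11 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
"""

STATS = {"cookie", "duration", "table", "n_packets", "n_bytes", "priority"}
L4_PORT_FIELDS = {"tp_src", "tp_dst", "udp_src", "udp_dst", "tcp_src", "tcp_dst"}


def parse_flow(line):
    """Split one flow-dump line into stats, match fields and actions."""
    head, _, actions = line.strip().partition(" actions=")
    flow = {"actions": actions, "match": {}}
    for token in re.split(r",\s*", head):
        key, sep, value = token.partition("=")
        if key in STATS:
            # Counters, table and priority become ints; cookie/duration stay strings.
            flow[key] = int(value) if value.isdigit() else value
        else:
            # A bare token such as "udp" is a protocol shorthand with no value.
            flow["match"][key] = value if sep else True
    return flow


def summarize(dump):
    """Return (reg15, L4 port fields in the match, n_packets) for each flow."""
    rows = []
    for line in dump.splitlines():
        if "n_packets=" not in line:
            continue  # skip headers and blank lines
        flow = parse_flow(line)
        ports = sorted(L4_PORT_FIELDS.intersection(flow["match"]))
        rows.append((flow["match"].get("reg15"), ports, flow["n_packets"]))
    return rows


if __name__ == "__main__":
    for name, dump in (("port rule", PORT_RULE_DUMP), ("any UDP", ANY_UDP_DUMP)):
        for reg15, ports, hits in summarize(dump):
            print(f"{name:9} reg15={reg15} l4_ports={ports or '-'} n_packets={hits}")
```
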
