[NETVIRT-430] Ping responder on tenant network and FIP-FIP traffic between vm in same n/w in same compute is not working in stateful SG mode. Created: 16/Jan/17  Updated: 03/May/18  Resolved: 06/Apr/18

Status: Resolved
Project: netvirt
Component/s: General
Affects Version/s: Oxygen, Fluorine
Fix Version/s: Fluorine

Type: Bug Priority: Highest
Reporter: Sridhar Gaddam Assignee: Aswin Suryanarayanan
Resolution: Done Votes: 0
Labels: patch_merged
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified
Environment:

Operating System: All
Platform: All


External issue ID: 7545

 Description   

On the tenant network, Netvirt supports ping to router interface address using OVS flows.
This is achieved by programming the necessary flows [1] in Table21 (FIB_TABLE) to auto-respond to ping.

However, when using "Stateful SG mode", this feature is broken and ACL service is dropping [2] the packets in Table252.
This feature works fine in "SG transparent mode", when port-security is disabled on the port (obviously isn't it and when we explicitly add an ACL ingress rule to allow this traffic.

[1] table=21, n_packets=6, n_bytes=588, priority=42,icmp,metadata=0x222e0/0xfffffffe,nw_dst=10.0.0.1,icmp_type=8,icmp_code=0 actions=move:NXM_OF_ETH_SRC[]>NXM_OF_ETH_DST[],set_field:fa:16:3e:87:0b:fc>eth_src,move:NXM_OF_IP_SRC[]>NXM_OF_IP_DST[],set_field:10.0.0.1>ip_src,set_field:0->icmp_type,load:0->NXM_OF_IN_PORT[],resubmit(,21)
[2] table=252, n_packets=78, n_bytes=7644, priority=50,ct_state=+new+trk actions=drop



 Comments   
Comment by Vivekanandan Narasimhan [ 03/Apr/17 ]

Hi Aswin,

Since you were driving ACLService, am parking this temporararily with you now.

Please feel free to work with Somashekhar and Raja Shashidhar to sort this out.

Vivek

Comment by Aswin Suryanarayanan [ 20/Jun/17 ]

https://mail.openvswitch.org/pipermail/ovs-discuss/2017-June/044613.html

Comment by Aswin Suryanarayanan [ 01/Aug/17 ]

https://git.opendaylight.org/gerrit/#/c/60991/

Comment by Sridhar Gaddam [ 07/Aug/17 ]

@Aswin, does the patch also support IPv6 use-case (i.e., ping6)?

Comment by Aswin Suryanarayanan [ 12/Mar/18 ]

OpenFlow Plugin
https://git.opendaylight.org/gerrit/#/c/69033/

Genius
https://git.opendaylight.org/gerrit/#/c/69033/

Netvirt
https://git.opendaylight.org/gerrit/#/c/69302/

Comment by Daniel Farrell [ 12/Mar/18 ]

aswins - The Genius link is a dup of the OpenFlow Plugin one. I don't see one to Genius searching quickly.

jluhrsen - Is going to work on getting a multipatch run of this, with all patches, to verify.

Comment by Aswin Suryanarayanan [ 12/Mar/18 ]

Sorry that was oversight while I pasted the link

This is the genius patch.

[1]https://git.opendaylight.org/gerrit/#/c/69081/

Comment by Aswin Suryanarayanan [ 12/Mar/18 ]

This patch requires ovs2.9 with kernel module installed.

Comment by Daniel Farrell [ 12/Mar/18 ]

aswins - Do we not have that in CSIT? Are you asking for us to do something?

Comment by Aswin Suryanarayanan [ 13/Mar/18 ]

We don't have that in CSIT right now as OVS queens is yet to move to 2.9 But this should not result in any CSIT failure as these changes will not affect any existing test cases.

Comment by Daniel Farrell [ 13/Mar/18 ]

aswins - So you're saying a multipatch run will not help, will still fail because Queens isn't on 2.9 yet? And that this is ready to merge, should be manually +1-verified?

Comment by Aswin Suryanarayanan [ 13/Mar/18 ]

Multi patch do help to ensure this didn't add any regression. I have manually tested this with ovs2.9 and looks good.

Comment by Daniel Farrell [ 13/Mar/18 ]

aswins - I noticed all those patches are against master. Can we get them cherry-picked to stable/oxygen?

Comment by Daniel Farrell [ 13/Mar/18 ]

I kicked off a multipatch-oxygen job, cherry-picking the changes to stable/oxygen

openflowplugin:33/69033/5,genius:81/69081/3,netvirt:02/69302/3

https://jenkins.opendaylight.org/releng/job/integration-multipatch-test-oxygen/91

Thanks for helping me understand aswins

Comment by Daniel Farrell [ 13/Mar/18 ]

This is the distro that resulted from that multipatch aswins:

https://nexus.opendaylight.org/content/repositories/opendaylight.snapshot/org/opendaylight/integration/integration/distribution/karaf/0.8.0-SNAPSHOT/karaf-0.8.0-20180313.122315-182.zip

Comment by Daniel Farrell [ 13/Mar/18 ]

jluhrsen should we put that through some test job^^?

Comment by Jamo Luhrsen [ 14/Mar/18 ]

 

Jamo Luhrsen should we put that through some test job^^?

started these two:
https://jenkins.opendaylight.org/releng/user/jluhrsen/my-views/view/netvirt%20csit/job/netvirt-csit-1node-openstack-queens-gate-stateful-oxygen/106/
https://jenkins.opendaylight.org/releng/user/jluhrsen/my-views/view/netvirt%20csit/job/netvirt-csit-1node-openstack-queens-gate-stateful-snat-conntrack-oxygen/2/

Comment by Daniel Farrell [ 14/Mar/18 ]

Here are the three cherry-picks to stable/oxygen:

OpenFlow Plugin: https://git.opendaylight.org/gerrit/#/c/69445/

Genius: https://git.opendaylight.org/gerrit/#/c/69446/

Netvirt: https://git.opendaylight.org/gerrit/#/c/69447/

Comment by Daniel Farrell [ 14/Mar/18 ]

aswins - Of the three above, only 69446 (Genius) is getting verified -1. Can you confirm that's expected because of the Queens/OVS 2.9 issue you mentioned above?

Update: After looking, I'm suspicious that's not from the OVS 2.9 stuff. Compile time failure in mdsal-utils.

Comment by Aswin Suryanarayanan [ 14/Mar/18 ]

The 0vs2.9 issue will not affect the build nor create any exception during run time, this should be working fine.

Comment by Daniel Farrell [ 15/Mar/18 ]

All three patches are merged.

aswins - Can you verify this is fixed and close the bug?

Comment by Sam Hague [ 15/Mar/18 ]

Daniel, the fix is confirmed and finished for oxygen. I am leaving this open until the patches are merged on Fluorine.

Comment by Daniel Farrell [ 15/Mar/18 ]

shague - I'm going to change the "Affects Version" to Fluorine so it doesn't show up in our Oxygen blocker query, okay?

Comment by Aswin Suryanarayanan [ 06/Apr/18 ]

https://git.opendaylight.org/gerrit/#/c/70405/

Generated at Wed Feb 07 20:21:32 UTC 2024 using Jira 8.20.10#820010-sha1:ace47f9899e9ee25d7157d59aa17ab06aee30d3d.