Bug 1651770

Summary: [RHOSP14] [ODL] L3 DVR Flow Discrepancy
Product: Red Hat OpenStack Reporter: Pradipta Kumar Sahoo <psahoo>
Component: opendaylightAssignee: lpeer <lpeer>
Status: CLOSED NOTABUG QA Contact: Noam Manos <nmanos>
Severity: high Docs Contact:
Priority: unspecified    
Version: 14.0 (Rocky)CC: mkolesni, nyechiel, psahoo
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-11-21 10:52:46 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Pradipta Kumar Sahoo 2018-11-20 18:49:16 UTC
Description of problem:
During RHOSP14 testing, I came across a discrepancy scenario in OpenFlow when I am testing L3 DVR. In my ODL L3 DVR configuration, my instance floating IP has configured properly with Compute external nic and egress & ingress traffic is accessible as expected.

But while analyzing flow it seems packet is not forward from DMAC to FIB table(21) and resubmitted twice to dispatcher again 17 which doesn't make sense for me and again it forward to ARP_CHK and ELAN tables which is not expected.

While reviewing Netvirt pipeline I noticed there is no change in flow table number w.r.t FIB and L3. But I am wondering why the flow is redirected to ARP_CHK and ELAN table from ACL table. Is there any changes in OVS2.10 flow pipeline.

How reproducible:
In Lab
RHOSP14 + OpenDaylight Oxygen

Steps to Reproduce:
1. Instance Details.
$ openstack server list
+--------------------------------------+-----------+--------+---------------------------------+--------+---------+
| ID                                   | Name      | Status | Networks                        | Image  | Flavor  |
+--------------------------------------+-----------+--------+---------------------------------+--------+---------+
| 43487f69-8085-4e5d-b36d-bbc1ed740c21 | instance1 | ACTIVE | internal=192.168.1.8, 10.0.0.50 | cirros | m1.tiny |
+--------------------------------------+-----------+--------+---------------------------------+--------+---------+
(overcloud) [stack@undercloud-0 ~]$ nova interface-list instance1
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| ACTIVE     | 4c9cd437-5418-48f8-b65f-faf65780d6bf | 1be640af-f38b-492a-b798-9d10ae1bd430 | 192.168.1.8  | fa:16:3e:e0:94:71 |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+


2. External Gateway IP and Mac.
# ifconfig external
external: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.0.0.1  netmask 255.255.255.0  broadcast 10.0.0.255
        inet6 fe80::5054:ff:feca:77d8  prefixlen 64  scopeid 0x20<link>
        inet6 2620:52:0:13b8::fe  prefixlen 64  scopeid 0x0<global>
        ether 52:54:00:ca:77:d8  txqueuelen 1000  (Ethernet)
        RX packets 19893  bytes 1375416 (1.3 MiB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 18291  bytes 14761114 (14.0 MiB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0


3. Neutron Router Details

$ openstack router list --long -f json
[
  {
    "Status": "ACTIVE",
    "External gateway info": "{\"network_id\": \"f020fa7a-f94a-444d-a415-6e53b2422353\", \"enable_snat\": true, \"external_fixed_ips\": [{\"subnet_id\": \"15c4dcb3-228a-4474-8b15-e1bc1841207e\", \"ip_address\": \"10.0.0.69\"}]}",
    "Name": "router1",
    "Tags": "",
    "Distributed": false,
    "Project": "f7e5b33741bf4422ada5108919f4dd30",
    "State": "UP",
    "Routes": "",
    "HA": null,
    "ID": "648c455c-0425-4ae6-95bd-047797cc20fd"
  }
]

4. VM Instance and port details.
# virsh domiflist instance-00000002
Interface  Type       Source     Model       MAC
-------------------------------------------------------
tap4c9cd437-54 bridge     br-int     virtio      fa:16:3e:e0:94:71


5. Oftrace flow dump.

	# ovs-appctl ofproto/trace br-int "in_port=7,icmp,dl_src=fa:16:3e:e0:94:71,dl_dst=52:54:00:ca:77:d8,nw_src=192.168.1.8,nw_dst=10.0.0.1"
	Flow: icmp,in_port=7,vlan_tci=0x0000,dl_src=fa:16:3e:e0:94:71,dl_dst=52:54:00:ca:77:d8,nw_src=192.168.1.8,nw_dst=10.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0

	bridge("br-int")
	----------------
	 0. in_port=7,vlan_tci=0x0000/0x1fff, priority 4, cookie 0x8000000
	    write_metadata:0x180000000000/0xffffff0000000001
	    goto_table:17
	17. metadata=0x180000000000/0xffffff0000000000, priority 10, cookie 0x6900000
	    write_metadata:0x8000180000000000/0xfffffffffffffffe
	    goto_table:210
	210. ip,metadata=0x180000000000/0xfffff0000000000,dl_src=fa:16:3e:e0:94:71,nw_src=192.168.1.8, priority 61010, cookie 0x6900000
	    goto_table:211
	211. icmp, priority 100, cookie 0x6900000
	    write_metadata:0/0x2
	    goto_table:212
	212. ip,metadata=0x180000000000/0xfffff0000000000, priority 100, cookie 0x6900000
	    ct(table=213,zone=5502)
	    drop
	     -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 213.
	     -> Sets the packet to an untracked state, and clears all the conntrack fields.

	Final flow: icmp,metadata=0x8000180000000000,in_port=7,vlan_tci=0x0000,dl_src=fa:16:3e:e0:94:71,dl_dst=52:54:00:ca:77:d8,nw_src=192.168.1.8,nw_dst=10.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
	Megaflow: recirc_id=0,eth,icmp,in_port=7,vlan_tci=0x0000/0x1fff,dl_src=fa:16:3e:e0:94:71,nw_src=192.168.1.8,nw_frag=no
	Datapath actions: ct(zone=5502),recirc(0x15ab)

	===============================================================================
	recirc(0x15ab) - resume conntrack with default ct_state=trk|new (use --ct-next to customize)
	===============================================================================

	Flow: recirc_id=0x15ab,ct_state=new|trk,ct_zone=5502,eth,icmp,metadata=0x8000180000000000,in_port=7,vlan_tci=0x0000,dl_src=fa:16:3e:e0:94:71,dl_dst=52:54:00:ca:77:d8,nw_src=192.168.1.8,nw_dst=10.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0

	bridge("br-int")
	----------------
	    thaw
		Resuming from table 213
	213. priority 0, cookie 0x6900000
	    goto_table:214
	    214. ip,metadata=0x180000000000/0xfffff0000000000, priority 2001, cookie 0x6900000
		    goto_table:217
		217. ip,metadata=0x180000000000/0xfffff0000000002, priority 100, cookie 0x6900000
		    ct(commit,zone=5502,exec(set_field:0x1->ct_mark))
		    set_field:0x1->ct_mark
		     -> Sets the packet to an untracked state, and clears all the conntrack fields.
		    ct_clear
		    resubmit(,17)
		17. metadata=0x8000180000000000/0xffffff0000000000, priority 10, cookie 0x8000001
		    load:0x19258->NXM_NX_REG3[0..24]
		    write_metadata:0x90001800000324b0/0xfffffffffffffffe
		    goto_table:19
### >>> The discripnecy has started from here where it again resubmitted flow to dispatcher instead for FIB(21) and forward to ARP_CHK which is not accurate.

		19. priority 0, cookie 0x1080000
		    resubmit(,17)
		17. metadata=0x9000180000000000/0xffffff0000000000, priority 10, cookie 0x8040000
		    load:0x18->NXM_NX_REG1[0..19]
		    load:0x157e->NXM_NX_REG7[0..15]
		    write_metadata:0xa00018157e000000/0xfffffffffffffffe
		    goto_table:43
		43. priority 0, cookie 0x8220000
		    goto_table:48
		48. priority 0, cookie 0x8500000
		    resubmit(,49)
		    49. No match.
		            drop
		    resubmit(,50)
		50. metadata=0x18157e000000/0xfffffffff000000,dl_src=fa:16:3e:e0:94:71, priority 20, cookie 0x805157e
		    goto_table:51
		51. priority 0, cookie 0x8030000
		    goto_table:52
		52. metadata=0x157e000000/0xffff000001, priority 5, cookie 0x870157e
		    write_actions(group:211004)
		     -> action set is: group:211004
	--. Executing action set:
	    group:211004
	    bucket 0
		    group:211003
		    bucket 0
		            set_field:0x18->tun_id
		            resubmit(,55)
		        55. tun_id=0x18,metadata=0x180000000000/0xfffff0000000000, priority 10, cookie 0x8800018
		            write_actions(drop)
		             -> action set is empty
	    bucket 1
		    set_field:0x44->tun_id
		    load:0xa00->NXM_NX_REG6[]
		    resubmit(,220)
		220. reg6=0xa00, priority 9, cookie 0x8000007
		    output:6
		     -> output to kernel tunnel
	    bucket 2
		    set_field:0x44->tun_id
		    load:0x300->NXM_NX_REG6[]
		    resubmit(,220)
		220. reg6=0x300, priority 9, cookie 0x8000007
		    output:4
		     -> output to kernel tunnel
	    bucket 3
		    set_field:0x44->tun_id
		    load:0x500->NXM_NX_REG6[]
		    resubmit(,220)
		220. reg6=0x500, priority 9, cookie 0x8000007
		    output:5
		     -> output to kernel tunnel

	Final flow: recirc_id=0x15ab,eth,icmp,reg1=0x18,reg3=0x19258,reg7=0x157e,metadata=0xa00018157e000000,in_port=7,vlan_tci=0x0000,dl_src=fa:16:3e:e0:94:71,dl_dst=52:54:00:ca:77:d8,nw_src=192.168.1.8,nw_dst=10.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
	Megaflow: recirc_id=0x15ab,ct_state=+new-est-rel-inv+trk,ct_mark=0/0x1,eth,icmp,tun_id=0,in_port=7,dl_src=fa:16:3e:e0:94:71,dl_dst=52:54:00:ca:77:d8,nw_ecn=0,nw_frag=no
	Datapath actions: ct(commit,zone=5502,mark=0x1/0xffffffff),ct_clear,set(tunnel(tun_id=0x44,src=172.17.2.19,dst=172.17.2.15,ttl=64,tp_dst=4789,flags(df|key))),9,set(tunnel(tun_id=0x44,src=172.17.2.19,dst=172.17.2.14,ttl=64,tp_dst=4789,flags(df|key))),9,set(tunnel(tun_id=0x44,src=172.17.2.19,dst=172.17.2.13,ttl=64,tp_dst=4789,flags(df|key))),9


Actual results:
Flow is not forwarding to L3 FIB table (21), then how the floating IP is accessible in ODL L3 DVR scenario.


Expected results:
With expected scenario, DMAC(19) should forward to L3-FIB(21).

Additional info:
For reference Netvirt Flow table captured by odltools.
# odltools netvirt show tables -i 172.17.1.28 -t 8081 -u admin -w redhat -p
  0:INGRESS
 17:DISPATCHER
 18:DHCP_EXT_TUN
 19:L3_GW_MAC
 20:L3_LFIB
 21:L3_FIB
 22:L3_SUBNET_RT
 23:L3VNI_EXT_TUN
 24:L2VNI_EXT_TUN
 25:PDNAT
 26:PSNAT
 27:DNAT
 28:SNAT
 36:INT_TUN
 38:EXT_TUN
 43:ARP_CHK
 44:IN_NAPT
 45:IPV6
 46:OUT_NAPT
 47:NAPT_FIB
 48:ELAN_BASE
 50:ELAN_SMAC
 51:ELAN_DMAC
 52:ELAN_UNK_DMAC
 55:ELAN_FILTER
 60:DHCP
 80:L3_INTF
 81:ARP_RESPONDER
 90:QOS_DSCP
210:IN_ACL_ASPF
211:IN_ACL_CTRK_CLASS
212:IN_ACL_CTRK_SNDR
213:IN_ACL_EXISTING
214:IN_ACL_FLTR_DISP
215:IN_ACL_RULE_FLTR
216:IN_ACL_REM
217:IN_ACL_CMTR
220:EG_LPORT_DISP
239:EG_ACL_DUMMY
240:EG_ACL_ASPF
241:EG_ACL_CTRK_CLASS
242:EG_ACL_CTRK_SNDR
243:EG_ACL_EXISTING
244:EG_ACL_FLTR_DISP
245:EG_ACL_RULE_FLTR
246:EG_ACL_REM
247:EG_ACL_CMTR

Regards,
Pradipta

Comment 2 Pradipta Kumar Sahoo 2018-11-21 10:52:46 UTC
Hi,

Sorry for trouble to you all. There is a mistake in my flow trace. When we flow trace changed dl_dst=fa:16:3e:93:ca:ab (router interface MAC), the sequence looks good to me. I am closing this BZ.

# ovs-appctl ofproto/trace br-int "in_port=7,icmp,dl_src=fa:16:3e:e0:94:71,dl_dst=fa:16:3e:93:ca:ab,nw_src=192.168.1.8,nw_dst=10.0.0.1"
Flow: icmp,in_port=7,vlan_tci=0x0000,dl_src=fa:16:3e:e0:94:71,dl_dst=fa:16:3e:93:ca:ab,nw_src=192.168.1.8,nw_dst=10.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0

bridge("br-int")
----------------
 0. in_port=7,vlan_tci=0x0000/0x1fff, priority 4, cookie 0x8000000
    write_metadata:0x180000000000/0xffffff0000000001
    goto_table:17
17. metadata=0x180000000000/0xffffff0000000000, priority 10, cookie 0x6900000
    write_metadata:0x8000180000000000/0xfffffffffffffffe
    goto_table:210
210. ip,metadata=0x180000000000/0xfffff0000000000,dl_src=fa:16:3e:e0:94:71,nw_src=192.168.1.8, priority 61010, cookie 0x6900000
    goto_table:211
211. icmp, priority 100, cookie 0x6900000
    write_metadata:0/0x2
    goto_table:212
212. ip,metadata=0x180000000000/0xfffff0000000000, priority 100, cookie 0x6900000
    ct(table=213,zone=5502)
    drop
     -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 213.
     -> Sets the packet to an untracked state, and clears all the conntrack fields.

Final flow: icmp,metadata=0x8000180000000000,in_port=7,vlan_tci=0x0000,dl_src=fa:16:3e:e0:94:71,dl_dst=fa:16:3e:93:ca:ab,nw_src=192.168.1.8,nw_dst=10.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
Megaflow: recirc_id=0,eth,icmp,in_port=7,vlan_tci=0x0000/0x1fff,dl_src=fa:16:3e:e0:94:71,nw_src=192.168.1.8,nw_frag=no
Datapath actions: ct(zone=5502),recirc(0x17f7)

===============================================================================
recirc(0x17f7) - resume conntrack with default ct_state=trk|new (use --ct-next to customize)
===============================================================================

Flow: recirc_id=0x17f7,ct_state=new|trk,ct_zone=5502,eth,icmp,metadata=0x8000180000000000,in_port=7,vlan_tci=0x0000,dl_src=fa:16:3e:e0:94:71,dl_dst=fa:16:3e:93:ca:ab,nw_src=192.168.1.8,nw_dst=10.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0

bridge("br-int")
----------------
    thaw
        Resuming from table 213
213. priority 0, cookie 0x6900000
    goto_table:214
214. ip,metadata=0x180000000000/0xfffff0000000000, priority 2001, cookie 0x6900000
    goto_table:217
217. ip,metadata=0x180000000000/0xfffff0000000002, priority 100, cookie 0x6900000
    ct(commit,zone=5502,exec(set_field:0x1->ct_mark))
    set_field:0x1->ct_mark
     -> Sets the packet to an untracked state, and clears all the conntrack fields.
    ct_clear
    resubmit(,17)
17. metadata=0x8000180000000000/0xffffff0000000000, priority 10, cookie 0x8000001
    load:0x19258->NXM_NX_REG3[0..24]
    write_metadata:0x90001800000324b0/0xfffffffffffffffe
    goto_table:19
19. metadata=0x324b0/0xfffffe,dl_dst=fa:16:3e:93:ca:ab, priority 20, cookie 0x8000009
    goto_table:21
21. ip,metadata=0x324b0/0xfffffe, priority 10, cookie 0x8000006
    goto_table:26
26. ip,metadata=0x324b0/0xfffffe,nw_src=192.168.1.8, priority 10, cookie 0x8000004
    set_field:10.0.0.50->ip_src
    write_metadata:0x324be/0xfffffe
    goto_table:28
28. ip,metadata=0x324be/0xfffffe,nw_src=10.0.0.50, priority 10, cookie 0x8000004
    set_field:fa:16:3e:0d:da:81->eth_src
    resubmit(,21)
21. ip,metadata=0x324be/0xfffffe,nw_dst=10.0.0.1, priority 42, cookie 0x8000003
    set_field:52:54:00:ca:77:d8->eth_dst
    load:0x1c00->NXM_NX_REG6[]
    resubmit(,220)
220. reg6=0x1c00, priority 9, cookie 0x8000007
    output:1

bridge("br-provider")
---------------------
 0. priority 0
    NORMAL
     -> forwarding to learned port

Final flow: recirc_id=0x17f7,eth,icmp,reg3=0x19258,reg6=0x1c00,metadata=0x90001800000324be,in_port=7,vlan_tci=0x0000,dl_src=fa:16:3e:0d:da:81,dl_dst=52:54:00:ca:77:d8,nw_src=10.0.0.50,nw_dst=10.0.0.1,nw_tos=0,nw_ecn=0,nw_ttl=0,icmp_type=0,icmp_code=0
Megaflow: recirc_id=0x17f7,ct_state=+new-est-rel-inv+trk,ct_mark=0/0x1,eth,icmp,in_port=7,vlan_tci=0x0000/0x1fff,dl_src=fa:16:3e:e0:94:71,dl_dst=fa:16:3e:93:ca:ab,nw_src=192.168.1.8,nw_dst=10.0.0.1,nw_frag=no
Datapath actions: ct(commit,zone=5502,mark=0x1/0xffffffff),ct_clear,set(eth(src=fa:16:3e:0d:da:81,dst=52:54:00:ca:77:d8)),set(ipv4(src=10.0.0.50,dst=10.0.0.1)),3