
Bug 1832176

Summary: tcp reset packet is not sent after acl reject is added in special environment
Product: Red Hat Enterprise Linux Fast Datapath Reporter: Jianlin Shi <jishi>
Component: ovn2.13Assignee: Numan Siddique <nusiddiq>
Status: CLOSED ERRATA QA Contact: Jianlin Shi <jishi>
Severity: medium Docs Contact:
Priority: medium    
Version: FDP 20.DCC: ctrautma, dcbw, jishi, nusiddiq, ralongi
Target Milestone: ---Keywords: Regression
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-07-15 13:00:54 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Attachments:
Description Flags
ovnnb_db.db
none
ovnsb_db.db none

Description Jianlin Shi 2020-05-06 09:31:12 UTC
Description of problem:
tcp reset packet is not sent after acl reject is added in special environment

Version-Release number of selected component (if applicable):
ovn2.13.0-21

How reproducible:
always

Steps to Reproduce:
1. topo:   ls1p1  ---  ls1  --- lr1 --- ls2 --- ls2p1
                        |                |
                       ls1p2            ls2p2
2. add port_group pg1="ls1p1 ls2p1", pg2="ls1p2 ls2p2"
3. add acl rules:
ovn-nbctl --type=port-group acl-add pg2 from-lport 1004 "inport == @pg2 && tcp" allow-related
ovn-nbctl --type=port-group acl-add pg1 to-lport 1004 "outport == @pg1 && tcp" allow-related

ovn-nbctl --type=port-group acl-add pg1 to-lport 1006 "outport == @pg1 && tcp.dst==22" reject

4. send a TCP packet with destination port 22 to ls1p1 from ls1p2

Actual results:
no tcp reset packet sent

Expected results:
tcp reset packet should be sent

Additional info:


server:

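# --- Server (OVN central + chassis hv1) setup for the reproducer ---
# Starts OVS/OVN, exposes the NB/SB databases over TCP, registers this host as
# chassis hv1, wires two namespaces into br-int as logical ports ls1p1 and
# ls2p1, and builds the logical topology ls1 -- lr1 -- ls2 with the ACLs under
# test.
# NOTE(review): ptcp:6641/ptcp:6642 are unauthenticated, unencrypted OVSDB
# listeners reachable by any host that can route to this box, and the chassis
# connects back over plain tcp:. Acceptable only on an isolated lab network.
systemctl start openvswitch
systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:20.0.30.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=20.0.30.25
systemctl restart ovn-controller

# Namespace server0 is bound to logical port ls1p1 (192.168.1.1 / 2001::1);
# the veth peer veth0_s0_p is plugged into br-int.
ip netns add server0
ip link add veth0_s0 netns server0 type veth peer name veth0_s0_p
ip netns exec server0 ip link set lo up
ip netns exec server0 ip link set veth0_s0 up
ip netns exec server0 ip link set veth0_s0 address 00:00:00:01:01:02
ip netns exec server0 ip addr add 192.168.1.1/24 dev veth0_s0
ip netns exec server0 ip -6 addr add 2001::1/64 dev veth0_s0
ip netns exec server0 ip route add default via 192.168.1.254 dev veth0_s0
ip netns exec server0 ip -6 route add default via 2001::a dev veth0_s0
ovs-vsctl add-port br-int veth0_s0_p
ip link set veth0_s0_p up
ovs-vsctl set interface veth0_s0_p external_ids:iface-id=ls1p1

# Namespace server2 is bound to logical port ls2p1 (192.168.2.3 / 2002::3).
ip netns add server2
ip link add veth0_s2 netns server2 type veth peer name veth0_s2_p
ip netns exec server2 ip link set lo up
ip netns exec server2 ip link set veth0_s2 up
ip netns exec server2 ip link set veth0_s2 address 00:00:00:01:03:02
ip netns exec server2 ip addr add 192.168.2.3/24 dev veth0_s2
ip netns exec server2 ip -6 addr add 2002::3/64 dev veth0_s2
ip netns exec server2 ip route add default via 192.168.2.254 dev veth0_s2
ip netns exec server2 ip -6 route add default via 2002::a dev veth0_s2

ovs-vsctl add-port br-int veth0_s2_p
ip link set veth0_s2_p up
ovs-vsctl set interface veth0_s2_p external_ids:iface-id=ls2p1

# Logical router lr1 with one port per switch; the router ports are the
# default gateways configured in the namespaces above.
ovn-nbctl lr-add lr1
ovn-nbctl lrp-add lr1 lr1-ls1 00:00:00:00:00:01 192.168.1.254/24 2001::a/64
ovn-nbctl lrp-add lr1 lr1-ls2 00:00:00:00:00:02 192.168.2.254/24 2002::a/64

# Logical switch ls1: router port plus ls1p1 (hv1) and ls1p2 (hv0).
ovn-nbctl ls-add ls1
ovn-nbctl lsp-add ls1 ls1-lr1
ovn-nbctl lsp-set-type ls1-lr1 router
ovn-nbctl lsp-set-addresses ls1-lr1 router
ovn-nbctl lsp-set-options ls1-lr1 router-port=lr1-ls1

ovn-nbctl lsp-add ls1 ls1p1
ovn-nbctl lsp-set-addresses ls1p1 "00:00:00:01:01:02 192.168.1.1 2001::1"
ovn-nbctl lsp-add ls1 ls1p2
ovn-nbctl lsp-set-addresses ls1p2 "00:00:00:01:02:02 192.168.1.2 2001::2"

# Logical switch ls2: router port plus ls2p1 (hv1) and ls2p2 (hv0).
ovn-nbctl ls-add ls2
ovn-nbctl lsp-add ls2 ls2-lr1
ovn-nbctl lsp-set-type ls2-lr1 router
ovn-nbctl lsp-set-addresses ls2-lr1 router
ovn-nbctl lsp-set-options ls2-lr1 router-port=lr1-ls2

ovn-nbctl lsp-add ls2 ls2p1
ovn-nbctl lsp-set-addresses ls2p1 "00:00:00:01:03:02 192.168.2.3 2002::3"
ovn-nbctl lsp-add ls2 ls2p2
ovn-nbctl lsp-set-addresses ls2p2 "00:00:00:01:04:02 192.168.2.4 2002::4"

# Port groups are built from LSP UUIDs. Abort if a lookup came back empty:
# otherwise a port group with no members is created silently and the ACLs
# below never match, which would make the reproducer look like a pass.
ls1p1_uuid=$(ovn-nbctl get logical_switch_port ls1p1 _uuid)
ls1p2_uuid=$(ovn-nbctl get logical_switch_port ls1p2 _uuid)
ls2p1_uuid=$(ovn-nbctl get logical_switch_port ls2p1 _uuid)
ls2p2_uuid=$(ovn-nbctl get logical_switch_port ls2p2 _uuid)
: "${ls1p1_uuid:?failed to look up ls1p1}"
: "${ls1p2_uuid:?failed to look up ls1p2}"
: "${ls2p1_uuid:?failed to look up ls2p1}"
: "${ls2p2_uuid:?failed to look up ls2p2}"

# pg1 = {ls1p1, ls2p1} (the "servers"), pg2 = {ls1p2, ls2p2} (the "clients").
ovn-nbctl create Port_Group name=pg1 ports="$ls1p1_uuid $ls2p1_uuid"
ovn-nbctl create Port_Group name=pg2 ports="$ls1p2_uuid $ls2p2_uuid"
ovn-nbctl list Port_Group

# allow-related in both directions admits TCP and its reply traffic.
ovn-nbctl --type=port-group acl-add pg2 from-lport 1004 "inport == @pg2 && tcp" allow-related
ovn-nbctl --type=port-group acl-add pg1 to-lport 1004 "outport == @pg1 && tcp" allow-related

# The rule under test: a higher-priority reject for tcp/22 towards pg1, which
# is expected to answer the sender with a TCP RST rather than drop silently.
ovn-nbctl --type=port-group acl-add pg1 to-lport 1006 "outport == @pg1 && tcp.dst==22" reject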

client:


# --- Client (chassis hv0) setup for the reproducer ---
# Registers this host as chassis hv0 against the central node at 20.0.30.25
# (plain tcp:, lab network only) and attaches two namespaces to br-int as
# logical ports ls1p2 and ls2p2.
systemctl start openvswitch
ovs-vsctl set open . external_ids:system-id=hv0 external_ids:ovn-remote=tcp:20.0.30.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=20.0.30.26
systemctl restart ovn-controller

#######################################
# Create a namespace holding one end of a veth pair and plug the other end
# into br-int as the given OVN logical port.
# Arguments:
#   $1 - namespace name
#   $2 - veth device name inside the namespace (peer is "${2}_p")
#   $3 - OVN logical switch port bound to the peer (external_ids:iface-id)
#   $4 - MAC address of the in-namespace device
#   $5 - IPv4 address with prefix length
#   $6 - IPv6 address with prefix length
#   $7 - IPv4 default gateway
#   $8 - IPv6 default gateway
#######################################
attach_ns() {
  local ns=$1 dev=$2 lsp=$3 mac=$4 ip4=$5 ip6=$6 gw4=$7 gw6=$8
  local peer="${dev}_p"

  ip netns add "$ns"
  ip link add "$dev" netns "$ns" type veth peer name "$peer"
  ip netns exec "$ns" ip link set lo up
  ip netns exec "$ns" ip link set "$dev" up
  ip netns exec "$ns" ip link set "$dev" address "$mac"
  ip netns exec "$ns" ip addr add "$ip4" dev "$dev"
  ip netns exec "$ns" ip -6 addr add "$ip6" dev "$dev"
  ip netns exec "$ns" ip route add default via "$gw4" dev "$dev"
  ip netns exec "$ns" ip -6 route add default via "$gw6" dev "$dev"

  ovs-vsctl add-port br-int "$peer"
  ip link set "$peer" up
  ovs-vsctl set interface "$peer" external_ids:iface-id="$lsp"
}

# server1 -> ls1p2 (192.168.1.2 / 2001::2), server3 -> ls2p2 (192.168.2.4 / 2002::4)
attach_ns server1 veth0_s1 ls1p2 00:00:00:01:02:02 192.168.1.2/24 2001::2/64 192.168.1.254 2001::a
attach_ns server3 veth0_s3 ls2p2 00:00:00:01:04:02 192.168.2.4/24 2002::4/64 192.168.2.254 2002::a


after setup, run test on server:

[root@dell-per740-12 test]# ip netns exec server2  nc 192.168.1.1 22 <<< h
Ncat: Connection timed out.   

<=== no TCP reset sent; the connection should be refused (as it is for 192.168.1.2)
[root@dell-per740-12 test]# ip netns exec server2  nc 192.168.1.2 22 <<< h
Ncat: Connection refused.

<=== tcp reset sent

[root@dell-per740-12 test]# rpm -qa | grep -E "openvswitch|ovn"
kernel-kernel-networking-openvswitch-ovn-basic-1.0-24.noarch
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch
ovn2.13-central-2.13.0-21.el8fdp.x86_64
python3-openvswitch2.13-2.13.0-9.el8fdp.x86_64
ovn2.13-host-2.13.0-21.el8fdp.x86_64
kernel-kernel-networking-openvswitch-ovn-common-1.0-7.noarch
ovn2.13-2.13.0-21.el8fdp.x86_64
openvswitch2.13-2.13.0-9.el8fdp.x86_64

[root@dell-per740-12 test]# ovn-nbctl acl-list pg1
  to-lport  1006 (outport == @pg1 && tcp.dst==22) reject
  to-lport  1004 (outport == @pg1 && tcp) allow-related
[root@dell-per740-12 test]# ovn-nbctl acl-list pg2
from-lport  1004 (inport == @pg2 && tcp) allow-related

Comment 1 Jianlin Shi 2020-05-06 09:32:41 UTC
the issue does not exist on ovn2.13.0-11, so this is marked as a regression

Comment 2 Jianlin Shi 2020-05-06 09:53:43 UTC
Created attachment 1685619 [details]
ovnnb_db.db

Comment 3 Jianlin Shi 2020-05-06 09:54:12 UTC
Created attachment 1685620 [details]
ovnsb_db.db

Comment 4 Numan Siddique 2020-05-06 10:33:47 UTC
In this case the first TCP packet goes from ls2p1 -> ls2 -> lr1 -> ls1 -> ovn-controller (which generates the TCP RST),
and this TCP RST goes from ovn-controller -> ls1 (ingress pipeline) -> lr1 -> ls2, where the packet gets dropped in table 42.

 table=42, priority=100,ip,reg0=0x1/0x1,metadata=0x3 actions=ct(table=43,zone=NXM_NX_REG13[0..15])

We see the below warning logs in ovs-vswitchd

2020-05-06T10:29:05.084Z|00025|ofproto_dpif_upcall(handler1)|INFO|received packet on unassociated datapath port 4294967295
2020-05-06T10:29:05.251Z|00080|ofproto_dpif_upcall(revalidator37)|WARN|Failed to acquire udpif_key corresponding to unexpected flow (Invalid argument): ufid:0daac824-bda7-44d8-ad38-cdd9c5f0fc97
2020-05-06T10:29:06.127Z|00001|ofproto_dpif_upcall(handler12)|INFO|received packet on unassociated datapath port 4294967295
2020-05-06T10:29:06.253Z|00081|ofproto_dpif_upcall(revalidator37)|WARN|Failed to acquire udpif_key corresponding to unexpected flow (Invalid argument): ufid:e8e88f04-c1bd-4f64-87e6-9698b78c195f


Earlier, it worked because we were bypassing conntrack for the TCP RST packets.

I'll debug further to see why the pkt is getting dropped by ovs-vswitchd during upcall.

Comment 9 Jianlin Shi 2020-06-28 07:52:23 UTC
Verified on ovn2.13-2.13.0-37.el8fdp.x86_64:

[root@dell-per740-12 bz1832176]# rpm -qa | grep -E "openvswitch|ovn"
openvswitch2.13-2.13.0-40.el8fdb.x86_64                                                                         
ovn2.13-2.13.0-37.el8fdp.x86_64                                                                                 
openvswitch-selinux-extra-policy-1.0-23.el8fdp.noarch                                                           
ovn2.13-central-2.13.0-37.el8fdp.x86_64                                                                         
ovn2.13-host-2.13.0-37.el8fdp.x86_64                                                                            
[root@dell-per740-12 bz1832176]# ip netns exec server2  nc 192.168.1.1 22 <<< h                                 
Ncat: Connection refused.           

<=== tcp reset sent
                                                                            
[root@dell-per740-12 bz1832176]# ip netns exec server2  nc 192.168.1.2 22 <<< h                                 
Ncat: Connection refused.

Comment 10 Jianlin Shi 2020-06-28 07:54:08 UTC
Verified on ovn2.13-2.13.0-37.el7fdp.x86_64:

[root@dell-per740-42 bz1832176]# rpm -qa | grep -E "openvswitch|ovn"                                            
ovn2.13-central-2.13.0-37.el7fdp.x86_64
openvswitch2.13-2.13.0-30.el7fdp.x86_64                                                                         
ovn2.13-host-2.13.0-37.el7fdp.x86_64
ovn2.13-2.13.0-37.el7fdp.x86_64
openvswitch-selinux-extra-policy-1.0-15.el7fdp.noarch                                                           
[root@dell-per740-42 bz1832176]# ip netns exec server2  nc 192.168.1.1 22 <<< h                                 
Ncat: Connection refused.

<=== tcp reset sent

[root@dell-per740-42 bz1832176]# ip netns exec server2  nc 192.168.1.2 22 <<< h                                 
Ncat: Connection refused.

Comment 12 errata-xmlrpc 2020-07-15 13:00:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:2941