This BZ is a follow-up of https://bugzilla.redhat.com/show_bug.cgi?id=1939470

Right now, when the traffic comes from an external network through a localnet port, it gets delivered to the localport. The current implementation only takes into account dropping packets originated at a localport when they are destined to a tunnel or a remote hypervisor; however, localnet ports are local and should be accounted for as well.

Since localports are present on every hypervisor sharing the same IP and MAC addresses, there may be situations where the MAC is seen in many places across the fabric. An example of such a scenario is an upstream switch ARP querying the IP address of the localport (on a LS with a localnet port): the ARP request will come in through the localnet port to the OVN Logical Switch and will be processed on every hypervisor, since it is a broadcast request. ovn-controllers will reply to this request with the same MAC address on different locations. Depending on the fabric and the size of the deployment, this can cause a lot of trouble.

Expected behavior: When the traffic comes from a localnet port, it should not be delivered to the localport(s). Similarly, when traffic is originated at a localport, it should not be delivered to localnet ports.
Upstream patch: http://patchwork.ozlabs.org/project/ovn/patch/8008fa9867d210cf18ad31f912535f2c14e85c43.1620151078.git.lorenzo.bianconi@redhat.com/
tested with following script:

systemctl start openvswitch
systemctl start ovn-northd
ovn-nbctl set-connection ptcp:6641
ovn-sbctl set-connection ptcp:6642
ovs-vsctl set open . external_ids:system-id=hv1 external_ids:ovn-remote=tcp:1.1.40.25:6642 external_ids:ovn-encap-type=geneve external_ids:ovn-encap-ip=1.1.40.25
systemctl restart ovn-controller

ovs-vsctl add-br br-phys
ip link set br-phys up
ovs-vsctl set open . external-ids:ovn-bridge-mappings=phys:br-phys

ovn-nbctl ls-add ls \
    -- lsp-add ls lp \
    -- lsp-set-type lp localport \
    -- lsp-set-addresses lp "00:00:00:00:00:01 10.0.0.1 2001::1" \
    -- lsp-add ls ln \
    -- lsp-set-type ln localnet \
    -- lsp-set-addresses ln unknown \
    -- lsp-set-options ln network_name=phys \
    -- lsp-add ls lsp \
    -- lsp-set-addresses lsp "00:00:00:00:00:02 10.0.0.2 2001::2"

ovs-vsctl add-port br-int lp -- set interface lp type=internal external_ids:iface-id=lp
ip netns add lp
ip link set lp netns lp
ip netns exec lp ip link set lp address 00:00:00:00:00:01
ip netns exec lp ip link set lp up
ip netns exec lp ip addr add 10.0.0.1/24 dev lp
ip netns exec lp ip addr add 2001::1/64 dev lp
ovn-nbctl --wait=hv sync

ovs-vsctl add-port br-int lsp -- set interface lsp type=internal external_ids:iface-id=lsp options:tx_pcap=lsp.pcap options:rxq_pcap=lsp-rx.pcap
ip netns add lsp
ip link set lsp netns lsp
ip netns exec lsp ip link set lsp address 00:00:00:00:00:02
ip netns exec lsp ip link set lsp up
ip netns exec lsp ip addr add 10.0.0.2/24 dev lsp
ip netns exec lsp ip addr add 2001::2/64 dev lsp

ovs-vsctl add-port br-phys ext1 -- set interface ext1 type=internal
ip netns add ext1
ip link set ext1 netns ext1
ip netns exec ext1 ip link set ext1 up
ip netns exec ext1 ip addr add 10.0.0.101/24 dev ext1
ip netns exec ext1 ip addr add 2001::101/64 dev ext1

sleep 2

ip netns exec ext1 ping 10.0.0.1 -c 1 -w 1 -W 1
ip netns exec lp ping 10.0.0.101 -c 1 -w 1 -W 1
ip netns exec ext1 ping6 2001::1 -c 1 -w 1 -W 1
ip netns exec lp ping6 2001::101 -c 1 -w 1 -W 1
ip netns exec lsp ping 10.0.0.101 -c 1
ip netns exec lsp ping6 2001::101 -c 1

reproduced on ovn2.13-20.12.0-104:

[root@dell-per740-12 bz1942877]# rpm -qa | grep -E "openvswitch2.13|ovn2.13"
openvswitch2.13-2.13.0-96.el7fdp.x86_64
ovn2.13-20.12.0-104.el7fdp.x86_64
ovn2.13-host-20.12.0-104.el7fdp.x86_64
ovn2.13-central-20.12.0-104.el7fdp.x86_64

+ ip netns exec ext1 ping 10.0.0.1 -c 1 -w 1 -W 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=1.28 ms
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.289/1.289/1.289/0.000 ms

+ ip netns exec lp ping 10.0.0.101 -c 1 -w 1 -W 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
64 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=0.066 ms
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.066/0.066/0.066/0.000 ms

+ ip netns exec ext1 ping6 2001::1 -c 1 -w 1 -W 1
PING 2001::1(2001::1) 56 data bytes
64 bytes from 2001::1: icmp_seq=1 ttl=64 time=1.22 ms
--- 2001::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.221/1.221/1.221/0.000 ms

+ ip netns exec lp ping6 2001::101 -c 1 -w 1 -W 1
PING 2001::101(2001::101) 56 data bytes
64 bytes from 2001::101: icmp_seq=1 ttl=64 time=0.068 ms
--- 2001::101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.068/0.068/0.068/0.000 ms

<=== traffic between localnet and localport passed

+ ip netns exec lsp ping 10.0.0.101 -c 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
64 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=0.891 ms
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.891/0.891/0.891/0.000 ms

+ ip netns exec lsp ping6 2001::101 -c 1
PING 2001::101(2001::101) 56 data bytes
64 bytes from 2001::101: icmp_seq=1 ttl=64 time=1.14 ms
--- 2001::101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.148/1.148/1.148/0.000 ms

Verified on ovn2.13-20.12.0-135:

[root@dell-per740-12 bz1942877]# rpm -qa | grep -E "openvswitch2.13|ovn2.13"
openvswitch2.13-2.13.0-96.el7fdp.x86_64
ovn2.13-20.12.0-135.el7fdp.x86_64
ovn2.13-central-20.12.0-135.el7fdp.x86_64
ovn2.13-host-20.12.0-135.el7fdp.x86_64

+ ip netns exec ext1 ping 10.0.0.1 -c 1 -w 1 -W 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec lp ping 10.0.0.101 -c 1 -w 1 -W 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec ext1 ping6 2001::1 -c 1 -w 1 -W 1
PING 2001::1(2001::1) 56 data bytes
--- 2001::1 ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 999ms

+ ip netns exec lp ping6 2001::101 -c 1 -w 1 -W 1
PING 2001::101(2001::101) 56 data bytes
--- 2001::101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

<== traffic between localnet and localport failed

+ ip netns exec lsp ping 10.0.0.101 -c 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
64 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=1.00 ms
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.007/1.007/1.007/0.000 ms

+ ip netns exec lsp ping6 2001::101 -c 1
PING 2001::101(2001::101) 56 data bytes
64 bytes from 2001::101: icmp_seq=1 ttl=64 time=1.37 ms
--- 2001::101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 1.370/1.370/1.370/0.000 ms
Verified on ovn-2021-21.03.0-40.el8fdp.x86_64:

[root@dell-per730-03 bz1942877]# rpm -qa | grep -E "openvswitch2.15|ovn-2021"
openvswitch2.15-2.15.0-23.el8fdp.x86_64
ovn-2021-central-21.03.0-40.el8fdp.x86_64
ovn-2021-21.03.0-40.el8fdp.x86_64
ovn-2021-host-21.03.0-40.el8fdp.x86_64

+ ip netns exec ext1 ping 10.0.0.1 -c 1 -w 1 -W 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec lp ping 10.0.0.101 -c 1 -w 1 -W 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec ext1 ping6 2001::1 -c 1 -w 1 -W 1
PING 2001::1(2001::1) 56 data bytes
--- 2001::1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec lp ping6 2001::101 -c 1 -w 1 -W 1
PING 2001::101(2001::101) 56 data bytes
--- 2001::101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec lsp ping 10.0.0.101 -c 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
64 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=0.749 ms
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.749/0.749/0.749/0.000 ms

+ ip netns exec lsp ping6 2001::101 -c 1
PING 2001::101(2001::101) 56 data bytes
64 bytes from 2001::101: icmp_seq=1 ttl=64 time=0.611 ms
--- 2001::101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.611/0.611/0.611/0.000 ms
reproduced on ovn2.13-20.12.0-104.el8:

[root@dell-per730-03 bz1942877]# rpm -qa | grep -E "openvswitch2.15|ovn2.13"
openvswitch2.15-2.15.0-23.el8fdp.x86_64
ovn2.13-host-20.12.0-104.el8fdp.x86_64
ovn2.13-central-20.12.0-104.el8fdp.x86_64
ovn2.13-20.12.0-104.el8fdp.x86_64

+ ip netns exec ext1 ping 10.0.0.1 -c 1 -w 1 -W 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
64 bytes from 10.0.0.1: icmp_seq=1 ttl=64 time=0.686 ms
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.686/0.686/0.686/0.000 ms

+ ip netns exec lp ping 10.0.0.101 -c 1 -w 1 -W 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
64 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=0.034 ms
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.034/0.034/0.034/0.000 ms

+ ip netns exec ext1 ping6 2001::1 -c 1 -w 1 -W 1
PING 2001::1(2001::1) 56 data bytes
64 bytes from 2001::1: icmp_seq=1 ttl=64 time=0.476 ms
--- 2001::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.476/0.476/0.476/0.000 ms

+ ip netns exec lp ping6 2001::101 -c 1 -w 1 -W 1
PING 2001::101(2001::101) 56 data bytes
64 bytes from 2001::101: icmp_seq=1 ttl=64 time=0.028 ms
--- 2001::101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.028/0.028/0.028/0.000 ms

+ ip netns exec lsp ping 10.0.0.101 -c 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
64 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=0.436 ms
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.436/0.436/0.436/0.000 ms

+ ip netns exec lsp ping6 2001::101 -c 1
PING 2001::101(2001::101) 56 data bytes
64 bytes from 2001::101: icmp_seq=1 ttl=64 time=0.562 ms
--- 2001::101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.562/0.562/0.562/0.000 ms

Verified on ovn2.13-20.12.0-135.el8:

+ ip netns exec ext1 ping 10.0.0.1 -c 1 -w 1 -W 1
PING 10.0.0.1 (10.0.0.1) 56(84) bytes of data.
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec lp ping 10.0.0.101 -c 1 -w 1 -W 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec ext1 ping6 2001::1 -c 1 -w 1 -W 1
PING 2001::1(2001::1) 56 data bytes
--- 2001::1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec lp ping6 2001::101 -c 1 -w 1 -W 1
PING 2001::101(2001::101) 56 data bytes
--- 2001::101 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms

+ ip netns exec lsp ping 10.0.0.101 -c 1
PING 10.0.0.101 (10.0.0.101) 56(84) bytes of data.
64 bytes from 10.0.0.101: icmp_seq=1 ttl=64 time=0.742 ms
--- 10.0.0.101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.742/0.742/0.742/0.000 ms

+ ip netns exec lsp ping6 2001::101 -c 1
PING 2001::101(2001::101) 56 data bytes
64 bytes from 2001::101: icmp_seq=1 ttl=64 time=0.576 ms
--- 2001::101 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.576/0.576/0.576/0.000 ms
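Added example, not part of the bug report or of the test runs above: a checker that reads a `set -x` ping transcript like the ones in this report and compares every ping against the expected behavior (ext1 behind the localnet port and the localport lp must not reach each other; lsp to ext1 must still pass). The function name is hypothetical, the addresses and namespace names are taken from the test script, and the two sample transcripts are constructed.

```shell
#!/usr/bin/env bash
# Added example. Addresses and namespace names are the ones used by the test
# script in this report; the transcripts below are constructed, not captured.

check_isolation() {  # transcript on stdin; returns 0 only if every ping matches
  awk '
    BEGIN { lp_addr["10.0.0.1"]; lp_addr["2001::1"]
            ext_addr["10.0.0.101"]; ext_addr["2001::101"] }
    # Traced command: "+ ip netns exec <ns> ping[6] <dst> ..."
    $1 == "+" && $3 == "netns" && $4 == "exec" && $6 ~ /^ping6?$/ {
      ns = $5; dst = $7; rx = -1; pending = 1
      # localnet side <-> localport must be dropped, anything else must pass
      blocked = (ns == "ext1" && (dst in lp_addr)) || (ns == "lp" && (dst in ext_addr))
      next
    }
    # Summary line that closes each ping run (rx stays -1 if it is malformed)
    pending && /packets transmitted/ {
      for (i = 2; i <= NF; i++) if ($i ~ /^received,?$/) rx = $(i - 1) + 0
      ok = blocked ? (rx == 0) : (rx > 0)
      printf "%-4s -> %-10s expect=%s received=%d %s\n", ns, dst,
             (blocked ? "drop" : "pass"), rx, (ok ? "OK" : "VIOLATION")
      if (!ok) bad++
      seen++; pending = 0
    }
    # Fail on violations, on an empty transcript, or on a ping with no summary
    END { exit ((seen == 0 || bad > 0 || pending) ? 1 : 0) }
  '
}

sample_fixed() { cat <<'EOF'
+ ip netns exec ext1 ping 10.0.0.1 -c 1 -w 1 -W 1
--- 10.0.0.1 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
+ ip netns exec lp ping6 2001::101 -c 1 -w 1 -W 1
1 packets transmitted, 0 received, 100% packet loss, time 0ms
+ ip netns exec lsp ping 10.0.0.101 -c 1
1 packets transmitted, 1 received, 0% packet loss, time 0ms
EOF
}

sample_unfixed() { cat <<'EOF'
+ ip netns exec ext1 ping 10.0.0.1 -c 1 -w 1 -W 1
1 packets transmitted, 1 received, 0% packet loss, time 0ms
+ ip netns exec lsp ping 10.0.0.101 -c 1
1 packets transmitted, 1 received, 0% packet loss, time 0ms
EOF
}

sample_fixed | check_isolation
```

To check a real run, save the output of the test script executed with `bash -x` (stderr merged into stdout) and pipe that file into `check_isolation`.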
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ovn2.13 bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2021:2507