neutron

Bug #1912450
Comment #3

Comment 3 for bug 1912450

Revision history for this message

uchenily (uchenily) wrote on 2021-01-21:

Hi, Bence, thanks for your suggestions, we are actively considering using openvswitch firewall driver.

Yes, this is a dvr environment and we use iptables_hybrid as the firewall dirver, but the neutron version is rocky(13.0.6)

In fact, it rarely happens before `sleep` func is added, but the probability is greater than 50% when add this. In my opinion, it's related to the load of host.

There is a traffic broken problem, becuase of the flow in table=61 which matches reg6 and dl_dst fields(this flow is added for non-openflow firewall drivers. https://review.opendev.org/738551)

# test20210121 is another vm in compute01
$ nova interface-list test20210121
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| Port State | Port ID | Net ID | IP addresses | MAC Addr |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| ACTIVE | 8d971421-24a8-41ed-a4d8-df32e1218c0e | 5ea08661-ab6b-45dd-aba5-42346cb6ae70 | 172.16.0.10 | fa:16:3e:2c:56:3f |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+

root@compute01:~# ovs-appctl ofproto/trace br-int in_port=qvo8d971421-24,dl_src=fa:16:3e:2c:56:3f,dl_dst=fa:16:3e:27:b5:63 -generate
Flow: in_port=3838,vlan_tci=0x0000,dl_src=fa:16:3e:2c:56:3f,dl_dst=fa:16:3e:27:b5:63,dl_type=0x0000

bridge("br-int")
----------------
0. in_port=3838, priority 9, cookie 0x64d2308a7b0a735a
    goto_table:25
25. in_port=3838,dl_src=fa:16:3e:2c:56:3f, priority 2, cookie 0x64d2308a7b0a735a
    goto_table:60
60. in_port=3838,dl_src=fa:16:3e:2c:56:3f, priority 9, cookie 0x64d2308a7b0a735a
    set_field:0x27->reg6
    resubmit(,61)
61. reg6=0x27,dl_dst=fa:16:3e:27:b5:63, priority 12, cookie 0x64d2308a7b0a735a
    output:3839
     >> Nonexistent output port

Final flow: reg6=0x27,in_port=3838,vlan_tci=0x0000,dl_src=fa:16:3e:2c:56:3f,dl_dst=fa:16:3e:27:b5:63,dl_type=0x0000
Megaflow: recirc_id=0,eth,in_port=3838,vlan_tci=0x0000/0x1fff,dl_src=fa:16:3e:2c:56:3f,dl_dst=fa:16:3e:27:b5:63,dl_type=0x0000
Datapath actions: 108

Hi, Bence, thanks for your suggestions, we are actively considering using openvswitch firewall driver.

Yes, this is a dvr environment and we use iptables_hybrid as the firewall dirver, but the neutron version is rocky(13.0.6)

In fact, it rarely happens before `sleep` func is added, but the probability is greater than 50% when add this. In my opinion, it's related to the load of host.

There is a traffic broken problem, becuase of the flow in table=61 which matches reg6 and dl_dst fields(this flow is added for non-openflow firewall drivers. https://review.opendev.org/738551)

# test20210121 is another vm in compute01
$ nova interface-list test20210121
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| Port State | Port ID                              | Net ID                               | IP addresses | MAC Addr          |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+
| ACTIVE     | 8d971421-24a8-41ed-a4d8-df32e1218c0e | 5ea08661-ab6b-45dd-aba5-42346cb6ae70 | 172.16.0.10  | fa:16:3e:2c:56:3f |
+------------+--------------------------------------+--------------------------------------+--------------+-------------------+

bridge("br-int")
----------------
 0. in_port=3838, priority 9, cookie 0x64d2308a7b0a735a
    goto_table:25
25. in_port=3838,dl_src=fa:16:3e:2c:56:3f, priority 2, cookie 0x64d2308a7b0a735a
    goto_table:60
60. in_port=3838,dl_src=fa:16:3e:2c:56:3f, priority 9, cookie 0x64d2308a7b0a735a
    set_field:0x27->reg6
    resubmit(,61)
61. reg6=0x27,dl_dst=fa:16:3e:27:b5:63, priority 12, cookie 0x64d2308a7b0a735a
    output:3839
     >> Nonexistent output port