-
Sub-task
-
Resolution: Done
-
Undefined
-
None
-
None
-
None
-
0
-
False
-
-
False
-
openvswitch3.1-3.1.0-149.el9fdp
-
rhel-9
-
rhel-sst-network-fastdatapath-ovsdpdk
-
-
-
ssg_networking
-
OVS/DPDK - FDP-25.B
-
1
Reported by amusil@redhat.com on slack:
I have the following flow
priority=120,ct_state=+new+trk,ct_nw_proto=17,ct_tp_dst=4242,ip,metadata=0x3,nw_dst=172.16.1.20 actions=load:0->NXM_NX_XXREG0[97],group:1which is able to match only on the first fragment, the later ones have ct_tp_ zero e.g.:
ufid:0e5ed43e-df35-4688-9746-5e122ce9b13a, recirc_id(0xb),dp_hash(0/0),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0x21/0x3f),ct_zone(0x3/0),ct_mark(0/0x1),ct_label(0/0),ct_tuple4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17,tp_src=33704/0,tp_dst=4242),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03/00:00:00:00:00:00,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20,proto=17/0,tos=0/0,ttl=64/0,frag=first),udp(src=33704/0,dst=4242/0), packets:0, bytes:0, used:never, dp:ovs, actions:hash(l4(0)),recirc(0xc), dp-extra-info:miniflow_bits(5,3) ufid:aa5301ac-9799-4e05-abd5-839a5c71ea1b, recirc_id(0xb),dp_hash(0/0),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0x21/0x3f),ct_zone(0x3/0),ct_mark(0/0x3),ct_label(0/0),ct_tuple4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17,tp_src=0/0,tp_dst=0),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.2,dst=172.16.1.20,proto=17,tos=0/0,ttl=64,frag=later), packets:0, bytes:0, used:never, dp:ovs, actions:ct(commit,zone=3,mark=0/0x1,nat(src)),set(eth(src=00:00:01:01:02:04,dst=00:00:00:00:00:00)),set(ipv4(ttl=63)),userspace(pid=0,controller(reason=1,dont_send=0,continuation=0,recirc_id=14,rule_cookie=0xb41ca3db,controller_id=0,max_len=65535)), dp-extra-info:miniflow_bits(5,3)Full datapath flow chain:
ufid:39f92277-57e7-4002-8621-5b78835cf771, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20,proto=17,tos=0/0,ttl=64/0,frag=first),udp(src=60344/0,dst=4242), packets:0, bytes:0, used:never, dp:ovs, actions:ct(zone=3,nat),recirc(0xa), dp-extra-info:miniflow_bits(5,3) ufid:36b833e6-1bdc-4d80-a62a-e3322a6fec32, recirc_id(0xb),dp_hash(0/0),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0x21/0x3f),ct_zone(0x3/0),ct_mark(0/0x1),ct_label(0/0),ct_tuple4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17,tp_src=60344/0,tp_dst=4242),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03/00:00:00:00:00:00,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20,proto=17/0,tos=0/0,ttl=64/0,frag=first),udp(src=60344/0,dst=4242/0), packets:0, bytes:0, used:never, dp:ovs, actions:hash(l4(0)),recirc(0xc), dp-extra-info:miniflow_bits(5,3) ufid:b7457dd1-9ccd-4de8-80e2-9f74d40a7c0a, recirc_id(0xc),dp_hash(0x7f03b0aa/0xf),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0x21/0),ct_zone(0x3/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17/0,tp_src=60344/0,tp_dst=4242/0),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03/00:00:00:00:00:00,dst=00:00:01:01:02:03/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17/0,tos=0/0,ttl=64/0,frag=first),udp(src=60344/0,dst=4242/0), packets:0, bytes:0, used:never, dp:ovs, actions:ct(commit,zone=3,mark=0x2/0x2,nat(dst=172.16.1.2:4242)),recirc(0xd), dp-extra-info:miniflow_bits(5,1) ufid:b998e30b-e88f-4467-8624-7328997c4eb6, recirc_id(0x3),dp_hash(0x2b550019/0xf),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0x21/0),ct_zone(0x3/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17/0,tp_src=33704/0,tp_dst=4242/0),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03/00:00:00:00:00:00,dst=00:00:01:01:02:03/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17/0,tos=0/0,ttl=64/0,frag=first),udp(src=33704/0,dst=4242/0), packets:0, bytes:0, used:never, dp:ovs, actions:ct(commit,zone=3,mark=0x2/0x2,nat(dst=172.16.1.2:4242)),recirc(0x9), dp-extra-info:miniflow_bits(5,1) ufid:53f9aa4c-b1d8-4a7f-84d6-19391f9a689a, recirc_id(0),dp_hash(0/0),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0/0),ct_zone(0/0),ct_mark(0/0),ct_label(0/0),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20,proto=17,tos=0/0,ttl=64/0,frag=later), packets:0, bytes:0, used:never, dp:ovs, actions:ct(zone=3,nat),recirc(0xb), dp-extra-info:miniflow_bits(5,2) ufid:bb9dabbe-0afd-4a93-afa4-bd5ea08bd540, recirc_id(0xb),dp_hash(0/0),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0x21/0x3f),ct_zone(0x3/0),ct_mark(0/0x3),ct_label(0/0),ct_tuple4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17,tp_src=0/0,tp_dst=0),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03,dst=00:00:01:01:02:03),eth_type(0x0800),ipv4(src=192.168.1.2,dst=172.16.1.20,proto=17,tos=0/0,ttl=64,frag=later), packets:0, bytes:0, used:never, dp:ovs, actions:ct(commit,zone=3,mark=0/0x1,nat(src)),set(eth(src=00:00:01:01:02:04,dst=00:00:00:00:00:00)),set(ipv4(ttl=63)),userspace(pid=0,controller(reason=1,dont_send=0,continuation=0,recirc_id=14,rule_cookie=0xd7586d92,controller_id=0,max_len=65535)), dp-extra-info:miniflow_bits(5,3) ufid:cf8329f3-8274-4e9b-b033-d12d01983f0b, recirc_id(0x3),dp_hash(0x6f36403/0xf),skb_priority(0/0),in_port(ovs-client),skb_mark(0/0),ct_state(0x21/0),ct_zone(0x3/0),ct_mark(0/0),ct_label(0/0),ct_tuple4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17/0,tp_src=0/0,tp_dst=0/0),packet_type(ns=0,id=0),eth(src=f0:00:00:01:02:03/00:00:00:00:00:00,dst=00:00:01:01:02:03/00:00:00:00:00:00),eth_type(0x0800),ipv4(src=192.168.1.2/0.0.0.0,dst=172.16.1.20/0.0.0.0,proto=17/0,tos=0/0,ttl=64/0,frag=later), packets:0, bytes:0, used:never, dp:ovs, actions:ct(commit,zone=3,mark=0x2/0x2,nat(dst=172.16.1.2:4242)),recirc(0x9), dp-extra-info:miniflow_bits(5,1)
It looks like the metadata is being populated for the first IP fragment, but not for the second one.
This prevents OVN from fixing FD-2724.
Reproducer in a form of OVN system test: Here
- links to
-
RHSA-2025:146379
openvswitch3.1 security update
[FDP-1172] [RHEL-9 OVS-3.1] Userspace conntrack doesn't populate ct_tp_src/dst for later IP fragments
[root@dell-per730-51 ~]# ovs-appctl dpctl/dump-conntrack -m ovs-appctl dpctl/dump-flows -m ovn-sbctl --uuid dump-flows public ovs-ofctl dump-flows br-int table=21 tcp,orig=(src=10.72.112.75,dst=10.73.88.67,sport=33904,dport=22),reply=(src=10.73.88.67,dst=10.72.112.75,sport=22,dport=33904),id=2909776276,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,flags_orig=SACK_PERM|BE_LIBERAL|MAXACK_SET,flags_reply=SACK_PERM|BE_LIBERAL|MAXACK_SET) tcp,orig=(src=10.72.112.75,dst=10.73.88.67,sport=60276,dport=22),reply=(src=10.73.88.67,dst=10.72.112.75,sport=22,dport=60276),id=2181747236,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,flags_orig=SACK_PERM|BE_LIBERAL|MAXACK_SET,flags_reply=SACK_PERM|BE_LIBERAL|DATA_UNACKNOWLEDGED|MAXACK_SET) udp,orig=(src=0.0.0.0,dst=255.255.255.255,sport=68,dport=67),reply=(src=255.255.255.255,dst=0.0.0.0,sport=67,dport=68),id=430305580,status=CONFIRMED igmp,orig=(src=10.73.89.254,dst=224.0.0.1,sport=0,dport=0),reply=(src=224.0.0.1,dst=10.73.89.254,sport=0,dport=0),id=2160094687,status=CONFIRMED tcp,orig=(src=10.73.88.67,dst=10.72.112.75,sport=22,dport=54064),reply=(src=10.72.112.75,dst=10.73.88.67,sport=54064,dport=22),id=3595491387,status=SEEN_REPLY|ASSURED|CONFIRMED,protoinfo=(state_orig=ESTABLISHED,state_reply=ESTABLISHED,flags_orig=SACK_PERM|BE_LIBERAL|MAXACK_SET,flags_reply=SACK_PERM|BE_LIBERAL|MAXACK_SET) Datapath: "public" (303123d9-db88-4cd7-94b3-7a2944bc301b) Pipeline: ingress uuid=0xd98c19c2, table=0 (ls_in_check_port_sec), priority=120 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && eth.src == 00:00:01:01:02:03 && outport == "pub-lr" && flags.tunnel_rx == 1), action=(outport <-> inport; next;) uuid=0x9335b177, table=0 (ls_in_check_port_sec), priority=105 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) || (ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(drop;) uuid=0x392653f6, table=0 (ls_in_check_port_sec), priority=100 , match=(eth.src[40]), action=(drop;) uuid=0x56bd1cd1, table=0 (ls_in_check_port_sec), priority=100 , match=(vlan.present), action=(drop;) uuid=0xcbc9d5d5, table=0 (ls_in_check_port_sec), priority=70 , match=(inport == "pub-lr"), action=(reg0[18] = 1; next;) uuid=0x16da0623, table=0 (ls_in_check_port_sec), priority=50 , match=(1), action=(reg0[15] = check_in_port_sec(); next;) uuid=0xd97a114f, table=1 (ls_in_apply_port_sec), priority=50 , match=(reg0[15] == 1), action=(drop;) uuid=0x0185c69e, table=1 (ls_in_apply_port_sec), priority=0 , match=(1), action=(next;) uuid=0x04f579ef, table=2 (ls_in_lookup_fdb ), priority=0 , match=(1), action=(next;) uuid=0x448b2c6c, table=3 (ls_in_put_fdb ), priority=0 , match=(1), action=(next;) uuid=0x5494eefd, table=4 (ls_in_pre_acl ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) uuid=0x7250984a, table=4 (ls_in_pre_acl ), priority=0 , match=(1), action=(next;) uuid=0x4c8a3b9e, table=5 (ls_in_pre_lb ), priority=110 , match=(((ip4 && icmp4.type == 3 && icmp4.code == 4) ||(ip6 && icmp6.type == 2 && icmp6.code == 0)) && flags.tunnel_rx == 1), action=(next;) uuid=0xda67de96, table=5 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) uuid=0xf58f95ec, table=5 (ls_in_pre_lb ), priority=110 , match=(eth.mcast), action=(next;) uuid=0xc5359e88, table=5 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "pub-lr"), action=(next;) uuid=0xf2b72b44, table=5 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) uuid=0xa90de3b8, table=5 (ls_in_pre_lb ), priority=110 , match=(reg0[16] == 1), action=(next;) uuid=0xe3055643, table=5 (ls_in_pre_lb ), priority=100 , match=(ip), action=(reg0[2] = 1; next;) uuid=0x842d349e, table=5 (ls_in_pre_lb ), priority=0 , match=(1), action=(next;) uuid=0x383ed74d, table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[2] == 1 && ip4.dst == 172.16.1.20 && udp.dst == 4242), action=(reg1 = 172.16.1.20; reg2[0..15] = 4242; ct_lb_mark;) uuid=0x359262ee, table=6 (ls_in_pre_stateful ), priority=115 , match=(reg0[2] == 1 && ip.is_frag), action=(reg0[19] = 1; ct_lb_mark;) uuid=0x2ef57879, table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[2] == 1), action=(ct_lb_mark;) uuid=0x464af844, table=6 (ls_in_pre_stateful ), priority=100 , match=(reg0[0] == 1), action=(ct_next;) uuid=0x9e654e2f, table=6 (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;) uuid=0x871f5bc4, table=7 (ls_in_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[7] = 1; reg0[9] = 1; next;) uuid=0x297672cd, table=7 (ls_in_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[7] = 1; reg0[9] = 1; next;) uuid=0x7912b166, table=7 (ls_in_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[8] = 1; reg0[9] = 1; next;) uuid=0xd1b072a3, table=7 (ls_in_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[8] = 1; reg0[10] = 1; next;) uuid=0x78bd33c7, table=7 (ls_in_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[9] = 1; next;) uuid=0x060291a0, table=7 (ls_in_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[9] = 1; next;) uuid=0x28d31608, table=7 (ls_in_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[10] = 1; next;) uuid=0x7dfad186, table=7 (ls_in_acl_hint ), priority=0 , match=(1), action=(next;) uuid=0x12425680, table=8 (ls_in_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg0[17] = 1; reg8[16] = 1; ct_commit_nat;) uuid=0x8d1a4cdf, table=8 (ls_in_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg0[9] = 0; reg0[10] = 0; reg0[17] = 1; reg8[16] = 1; next;) uuid=0x4f763f76, table=8 (ls_in_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[17] = 1; next;) uuid=0x1a78324d, table=8 (ls_in_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[16] = 1; next;) uuid=0xce404ed9, table=8 (ls_in_acl_eval ), priority=34000, match=(eth.dst == $svc_monitor_mac), action=(reg8[16] = 1; next;) uuid=0xc1913172, table=8 (ls_in_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[1] = 1; next;) uuid=0x9453e5bf, table=8 (ls_in_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[1] = 1; reg8[16] = 1; next;) uuid=0xdc405906, table=8 (ls_in_acl_eval ), priority=0 , match=(1), action=(next;) uuid=0x88ecb9bc, table=9 (ls_in_acl_sample ), priority=0 , match=(1), action=(next;) uuid=0x5eefa544, table=10(ls_in_acl_action ), priority=0 , match=(1), action=(next;) uuid=0x967d93e8, table=11(ls_in_qos ), priority=0 , match=(1), action=(next;) uuid=0xfd7e0e7a, table=12(ls_in_lb_aff_check ), priority=0 , match=(1), action=(next;) uuid=0xf7b35044, table=13(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 172.16.1.20 && udp.dst == 4242), action=(reg1 = 172.16.1.20; reg2[0..15] = 4242; ct_lb_mark(backends=172.16.1.2:4242);) uuid=0xa02c17e1, table=13(ls_in_lb ), priority=110 , match=(ct.trk && !ct.rpl && reg0[19] == 1 && ip4), action=(reg1 = ct_nw_dst(); reg2[0..15] = ct_tp_dst(); next;) uuid=0x954183f9, table=13(ls_in_lb ), priority=110 , match=(ct.trk && !ct.rpl && reg0[19] == 1 && ip6), action=(xxreg1 = ct_ip6_dst(); reg2[0..15] = ct_tp_dst(); next;) uuid=0xdc15049d, table=13(ls_in_lb ), priority=0 , match=(1), action=(next;) uuid=0x7719136f, table=14(ls_in_lb_aff_learn ), priority=0 , match=(1), action=(next;) uuid=0x2f54dafb, table=15(ls_in_pre_hairpin ), priority=100 , match=(ip && ct.trk), action=(reg0[6] = chk_lb_hairpin(); reg0[12] = chk_lb_hairpin_reply(); next;) uuid=0x398f1a24, table=15(ls_in_pre_hairpin ), priority=0 , match=(1), action=(next;) uuid=0x3e1c24d2, table=16(ls_in_nat_hairpin ), priority=100 , match=(ip && ct.est && ct.trk && reg0[6] == 1), action=(ct_snat;) uuid=0x12fdaa3d, table=16(ls_in_nat_hairpin ), priority=100 , match=(ip && ct.new && ct.trk && reg0[6] == 1), action=(ct_snat_to_vip; next;) uuid=0x073dce0f, table=16(ls_in_nat_hairpin ), priority=90 , match=(ip && reg0[12] == 1), action=(ct_snat;) uuid=0x24bd4d3e, table=16(ls_in_nat_hairpin ), priority=0 , match=(1), action=(next;) uuid=0x895250e4, table=17(ls_in_hairpin ), priority=1 , match=((reg0[6] == 1 || reg0[12] == 1)), action=(eth.dst <-> eth.src; outport = inport; flags.loopback = 1; output;) uuid=0xfb015002, table=17(ls_in_hairpin ), priority=0 , match=(1), action=(next;) uuid=0x94b5b9a9, table=18(ls_in_acl_after_lb_eval), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[16] = 1; next;) uuid=0x0bf0b9a3, table=18(ls_in_acl_after_lb_eval), priority=65532, match=(reg0[17] == 1), action=(reg8[16] = 1; next;) uuid=0xbb669907, table=18(ls_in_acl_after_lb_eval), priority=0 , match=(1), action=(next;) uuid=0x9decf90e, table=19(ls_in_acl_after_lb_sample), priority=0 , match=(1), action=(next;) uuid=0x630f90de, table=20(ls_in_acl_after_lb_action), priority=0 , match=(1), action=(next;) uuid=0x207907bf, table=21(ls_in_stateful ), priority=100 , match=(reg0[1] == 1 && reg0[13] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) uuid=0x5bcb716f, table=21(ls_in_stateful ), priority=100 , match=(reg0[1] == 1 && reg0[13] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[19..20]; ct_mark.obs_collector_id = reg8[8..15]; ct_label.obs_point_id = reg9; }; next;) uuid=0x48d1bd7f, table=21(ls_in_stateful ), priority=0 , match=(1), action=(next;) uuid=0x8932fc85, table=22(ls_in_arp_rsp ), priority=100 , match=(inport == "ln_port"), action=(next;) uuid=0x42ad118e, table=22(ls_in_arp_rsp ), priority=0 , match=(1), action=(next;) uuid=0xae6151e6, table=23(ls_in_dhcp_options ), priority=0 , match=(1), action=(next;) uuid=0x65831001, table=24(ls_in_dhcp_response), priority=0 , match=(1), action=(next;) uuid=0xd3698d3c, table=25(ls_in_dns_lookup ), priority=0 , match=(1), action=(next;) uuid=0x23918ad9, table=26(ls_in_dns_response ), priority=0 , match=(1), action=(next;) uuid=0x9e0c8d7b, table=27(ls_in_external_port), priority=0 , match=(1), action=(next;) uuid=0xdaf7bfbb, table=28(ls_in_l2_lkup ), priority=110 , match=(eth.dst == $svc_monitor_mac && (tcp || icmp || icmp6)), action=(handle_svc_check(inport);) uuid=0x9f265a79, table=28(ls_in_l2_lkup ), priority=80 , match=(flags[1] == 0 && arp.op == 1 && arp.tpa == 192.168.1.1), action=(clone {outport = "pub-lr"; output; }; outport = "_MC_flood_l2"; output;) uuid=0xc310443e, table=28(ls_in_l2_lkup ), priority=80 , match=(flags[1] == 0 && nd_ns && nd.target == fe80::200:1ff:fe01:203), action=(clone {outport = "pub-lr"; output; }; outport = "_MC_flood_l2"; output;) uuid=0xc9bafe22, table=28(ls_in_l2_lkup ), priority=75 , match=(eth.src == {00:00:01:01:02:03} && (arp.op == 1 || rarp.op == 3 || nd_ns)), action=(outport = "_MC_flood_l2"; output;) uuid=0x294d2a0b, table=28(ls_in_l2_lkup ), priority=70 , match=(eth.mcast), action=(outport = "_MC_flood"; output;) uuid=0xd290daa1, table=28(ls_in_l2_lkup ), priority=50 , match=(eth.dst == 00:00:01:01:02:03), action=(outport = "pub-lr"; output;) uuid=0x28e2c6c2, table=28(ls_in_l2_lkup ), priority=0 , match=(1), action=(outport = get_fdb(eth.dst); next;) uuid=0x6b8d6cc7, table=29(ls_in_l2_unknown ), priority=50 , match=(outport == "none"), action=(outport = "_MC_unknown"; output;) uuid=0x551e6623, table=29(ls_in_l2_unknown ), priority=0 , match=(1), action=(output;) Datapath: "public" (303123d9-db88-4cd7-94b3-7a2944bc301b) Pipeline: egress uuid=0x769e3155, table=0 (ls_out_pre_acl ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) uuid=0x231920c6, table=0 (ls_out_pre_acl ), priority=0 , match=(1), action=(next;) uuid=0x8592c4cf, table=1 (ls_out_pre_lb ), priority=110 , match=(eth.mcast), action=(next;) uuid=0xebd2d584, table=1 (ls_out_pre_lb ), priority=110 , match=(eth.src == $svc_monitor_mac), action=(next;) uuid=0x099487cc, table=1 (ls_out_pre_lb ), priority=110 , match=(ip && outport == "pub-lr"), action=(ct_clear; next;) uuid=0xd52cfdfa, table=1 (ls_out_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) uuid=0x78df40ea, table=1 (ls_out_pre_lb ), priority=110 , match=(reg0[16] == 1), action=(next;) uuid=0x91457d22, table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[2] = 1; next;) uuid=0x58d8c3c3, table=1 (ls_out_pre_lb ), priority=0 , match=(1), action=(next;) uuid=0xeff1e472, table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[2] == 1), action=(ct_lb_mark;) uuid=0xab0a4058, table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[0] == 1), action=(ct_next;) uuid=0xb0a38095, table=2 (ls_out_pre_stateful), priority=0 , match=(1), action=(next;) uuid=0xe4e2d7b0, table=3 (ls_out_acl_hint ), priority=7 , match=(ct.new && !ct.est), action=(reg0[7] = 1; reg0[9] = 1; next;) uuid=0x2f574c2f, table=3 (ls_out_acl_hint ), priority=6 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 1), action=(reg0[7] = 1; reg0[9] = 1; next;) uuid=0x280b31c8, table=3 (ls_out_acl_hint ), priority=5 , match=(!ct.trk), action=(reg0[8] = 1; reg0[9] = 1; next;) uuid=0x84106f14, table=3 (ls_out_acl_hint ), priority=4 , match=(!ct.new && ct.est && !ct.rpl && ct_mark.blocked == 0), action=(reg0[8] = 1; reg0[10] = 1; next;) uuid=0x964509f2, table=3 (ls_out_acl_hint ), priority=3 , match=(!ct.est), action=(reg0[9] = 1; next;) uuid=0xb288f792, table=3 (ls_out_acl_hint ), priority=2 , match=(ct.est && ct_mark.blocked == 1), action=(reg0[9] = 1; next;) uuid=0x790d1dfe, table=3 (ls_out_acl_hint ), priority=1 , match=(ct.est && ct_mark.blocked == 0), action=(reg0[10] = 1; next;) uuid=0x971739e3, table=3 (ls_out_acl_hint ), priority=0 , match=(1), action=(next;) uuid=0xe64b7762, table=4 (ls_out_acl_eval ), priority=65532, match=(!ct.est && ct.rel && !ct.new && !ct.inv && ct_mark.blocked == 0), action=(reg8[16] = 1; ct_commit_nat;) uuid=0xdbabb27f, table=4 (ls_out_acl_eval ), priority=65532, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.rpl && ct_mark.blocked == 0), action=(reg8[16] = 1; next;) uuid=0xb7ad46c8, table=4 (ls_out_acl_eval ), priority=65532, match=(ct.inv || (ct.est && ct.rpl && ct_mark.blocked == 1)), action=(reg8[17] = 1; next;) uuid=0x4d46f533, table=4 (ls_out_acl_eval ), priority=65532, match=(nd || nd_ra || nd_rs || mldv1 || mldv2), action=(reg8[16] = 1; next;) uuid=0xbfdbea19, table=4 (ls_out_acl_eval ), priority=34000, match=(eth.src == $svc_monitor_mac), action=(reg8[16] = 1; next;) uuid=0x7f5833e1, table=4 (ls_out_acl_eval ), priority=1 , match=(ip && !ct.est), action=(reg0[1] = 1; next;) uuid=0x0cf4eb69, table=4 (ls_out_acl_eval ), priority=1 , match=(ip && ct.est && ct_mark.blocked == 1), action=(reg0[1] = 1; reg8[16] = 1; next;) uuid=0xce91fe17, table=4 (ls_out_acl_eval ), priority=0 , match=(1), action=(next;) uuid=0xfdf522d8, table=5 (ls_out_acl_sample ), priority=0 , match=(1), action=(next;) uuid=0x5c6bb2bc, table=6 (ls_out_acl_action ), priority=0 , match=(1), action=(next;) uuid=0xbd5e17bf, table=7 (ls_out_qos ), priority=0 , match=(1), action=(next;) uuid=0xab65ba5f, table=8 (ls_out_stateful ), priority=100 , match=(reg0[1] == 1 && reg0[13] == 0), action=(ct_commit { ct_mark.blocked = 0; }; next;) uuid=0x3e056313, table=8 (ls_out_stateful ), priority=100 , match=(reg0[1] == 1 && reg0[13] == 1), action=(ct_commit { ct_mark.blocked = 0; ct_mark.obs_stage = reg8[19..20]; ct_mark.obs_collector_id = reg8[8..15]; ct_label.obs_point_id = reg9; }; next;) uuid=0x64a54b2d, table=8 (ls_out_stateful ), priority=0 , match=(1), action=(next;) uuid=0xad33b08d, table=9 (ls_out_check_port_sec), priority=100 , match=(eth.mcast), action=(reg0[15] = 0; next;) uuid=0x617b1105, table=9 (ls_out_check_port_sec), priority=0 , match=(1), action=(reg0[15] = check_out_port_sec(); next;) uuid=0xe890dd45, table=10(ls_out_apply_port_sec), priority=50 , match=(reg0[15] == 1), action=(drop;) uuid=0xd73be545, table=10(ls_out_apply_port_sec), priority=0 , match=(1), action=(output;) cookie=0xf7b35044, duration=58.697s, table=21, n_packets=1, n_bytes=4042, priority=120,ct_state=+new+trk,udp,metadata=0x3,nw_dst=172.16.1.20,tp_dst=4242 actions=load:0xac100114->NXM_NX_XXREG0[64..95],load:0x1092->NXM_NX_XXREG0[32..47],group:1 cookie=0xa02c17e1, duration=58.697s, table=21, n_packets=0, n_bytes=0, priority=110,ct_state=-rpl+trk,ip,reg0=0x80000/0x80000,metadata=0x3 actions=load:0->NXM_NX_REG1[],resubmit(,81),move:NXM_NX_REG1[]->NXM_NX_XXREG0[64..95],load:0->NXM_NX_REG2[0..15],resubmit(,83),move:NXM_NX_REG2[0..15]->NXM_NX_XXREG0[32..47],resubmit(,22) cookie=0x954183f9, duration=58.697s, table=21, n_packets=0, n_bytes=0, priority=110,ct_state=-rpl+trk,ipv6,reg0=0x80000/0x80000,metadata=0x3 actions=load:0->NXM_NX_XXREG1[0..63],load:0->NXM_NX_XXREG1[64..127],resubmit(,82),move:NXM_NX_XXREG1[]->NXM_NX_XXREG1[],load:0->NXM_NX_REG2[0..15],resubmit(,83),move:NXM_NX_REG2[0..15]->NXM_NX_XXREG0[32..47],resubmit(,22) cookie=0xdc15049d, duration=58.914s, table=21, n_packets=8, n_bytes=384, priority=0,metadata=0x3 actions=resubmit(,22) cookie=0xdc15049d, duration=58.912s, table=21, n_packets=10, n_bytes=4768, priority=0,metadata=0x2 actions=resubmit(,22) cookie=0xf9ad3b23, duration=58.908s, table=21, n_packets=5, n_bytes=4322, priority=0,metadata=0x1 actions=load:0->NXM_NX_XXREG1[0..31],resubmit(,22) [root@dell-per730-51 ~]#
[root@dell-per730-51 ~]# tcpdump -r server.pcap -nevv
reading from file server.pcap, link-type EN10MB (Ethernet), snapshot length 262144
dropped privs to tcpdump
05:06:33.331194 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 514: (tos 0x0, ttl 63, id 60780, offset 0, flags [+], proto UDP (17), length 500)
192.168.1.2.40683 > 172.16.1.2.4242: UDP, length 4000
05:06:33.331195 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 514: (tos 0x0, ttl 63, id 60780, offset 480, flags [+], proto UDP (17), length 500)
192.168.1.2 > 172.16.1.2: ip-proto-17
05:06:33.331196 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 514: (tos 0x0, ttl 63, id 60780, offset 960, flags [+], proto UDP (17), length 500)
192.168.1.2 > 172.16.1.2: ip-proto-17
05:06:33.331196 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 514: (tos 0x0, ttl 63, id 60780, offset 1440, flags [+], proto UDP (17), length 500)
192.168.1.2 > 172.16.1.2: ip-proto-17
05:06:33.331197 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 514: (tos 0x0, ttl 63, id 60780, offset 1920, flags [+], proto UDP (17), length 500)
192.168.1.2 > 172.16.1.2: ip-proto-17
05:06:33.331198 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 514: (tos 0x0, ttl 63, id 60780, offset 2400, flags [+], proto UDP (17), length 500)
192.168.1.2 > 172.16.1.2: ip-proto-17
05:06:33.331198 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 514: (tos 0x0, ttl 63, id 60780, offset 2880, flags [+], proto UDP (17), length 500)
192.168.1.2 > 172.16.1.2: ip-proto-17
05:06:33.331199 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 514: (tos 0x0, ttl 63, id 60780, offset 3360, flags [+], proto UDP (17), length 500)
192.168.1.2 > 172.16.1.2: ip-proto-17
05:06:33.331199 00:00:01:01:02:04 > f0:00:0f:01:02:03, ethertype IPv4 (0x0800), length 202: (tos 0x0, ttl 63, id 60780, offset 3840, flags [none], proto UDP (17), length 188)
192.168.1.2 > 172.16.1.2: ip-proto-17
[root@dell-per730-51 ~]# sh -x commands-step-fdp-1190.sh
+ modprobe openvswitch
+ systemctl status openvswitch
○ openvswitch.service - Open vSwitch
Loaded: loaded (/usr/lib/systemd/system/openvswitch.service; disabled; preset: disabled)
Active: inactive (dead) since Tue 2025-03-18 05:03:56 EDT; 2min 30s ago
Duration: 5min 49.178s
Main PID: 5998 (code=exited, status=0/SUCCESS)
CPU: 1ms
Mar 18 04:58:07 dell-per730-51.rhts.eng.pek2.redhat.com systemd[1]: Starting Open vSwitch...
Mar 18 04:58:07 dell-per730-51.rhts.eng.pek2.redhat.com systemd[1]: Finished Open vSwitch.
Mar 18 05:03:56 dell-per730-51.rhts.eng.pek2.redhat.com systemd[1]: Stopping Open vSwitch...
Mar 18 05:03:56 dell-per730-51.rhts.eng.pek2.redhat.com systemd[1]: openvswitch.service: Deactivated successfully.
Mar 18 05:03:56 dell-per730-51.rhts.eng.pek2.redhat.com systemd[1]: Stopped Open vSwitch.
+ systemctl restart openvswitch
+ systemctl restart ovn-northd
+ systemctl stop ovn-controller
+ ovs-vsctl --if-exists del-br br-int
+ ovs-vsctl --if-exists del-br br-ext
+ ovs-vsctl add-br br-int
+ ovs-vsctl add-br br-ext
+ ovs-ofctl add-flow br-ext action=normal
+ ovs-vsctl -- set Open_vSwitch . external-ids:system-id=hv1 -- set Open_vSwitch . external-ids:ovn-remote=unix:/var/run/ovn/ovnsb_db.sock -- set Open_vSwitch . external-ids:ovn-encap-type=geneve -- set Open_vSwitch . external-ids:ovn-encap-ip=169.0.0.1 -- set bridge br-int fail-mode=secure other-config:disable-in-band=true -- set Open_vSwitch . external-ids:ovn-bridge-mappings=phynet:br-ext
+ systemctl start ovn-controller
+ ovn-nbctl lr-del lr
+ ovn-nbctl lr-add lr
+ ovn-nbctl ls-del internal
+ ovn-nbctl ls-add internal
+ ovn-nbctl ls-del public
+ ovn-nbctl ls-add public
+ ovn-nbctl show
switch 08aa6f1c-d9b5-4543-931f-c400c1099b2a (internal)
switch 5bc47f9d-a61d-4b73-a5bd-3dac0df3f9f7 (public)
router c5af4676-2ca8-46b4-a5fa-0f98fb06745a (lr)
+ ovn-nbctl lrp-add lr lr-pub 00:00:01:01:02:03 192.168.1.1/24
+ ovn-nbctl lsp-add public pub-lr -- set Logical_Switch_Port pub-lr type=router options:router-port=lr-pub 'addresses="00:00:01:01:02:03"'
+ ovn-nbctl lrp-add lr lr-internal 00:00:01:01:02:04 172.16.1.1/24
+ ovn-nbctl lsp-add internal internal-lr -- set Logical_Switch_Port internal-lr type=router options:router-port=lr-internal 'addresses="00:00:01:01:02:04"'
+ ovn-nbctl lsp-add internal server -- lsp-set-addresses server 'f0:00:0f:01:02:03 172.16.1.2'
+ ovn-nbctl lsp-add public ln_port -- lsp-set-addresses ln_port unknown -- lsp-set-type ln_port localnet -- lsp-set-options ln_port network_name=phynet
+ ovn-nbctl set logical_router lr options:chassis=hv1
+ ovs-vsctl --if-exists del-port br-ext veth-client
+ ovs-vsctl --if-exists del-port br-int veth-server
+ modprobe -r veth
tcpdump: pcap_loop: The interface disappeared
9 packets captured
9 packets received by filter
0 packets dropped by kernel
+ ip netns del client
+ ip netns add client
+ ip link add client type veth peer name veth-client
+ ip link set client netns client
+ ovs-vsctl add-port br-ext veth-client
+ ip addr add 192.168.1.2/24 dev veth-client
+ ip link set veth-client up
+ ip netns exec client ip addr add 192.168.1.2/24 dev client
+ ip netns exec client ip link set client up
+ ip netns exec client ip route add default via 192.168.1.1
+ ip netns exec client ip link set dev client mtu 500
+ ip netns del server
+ ip netns add server
+ ip link add server type veth peer name veth-server
+ ip link set server netns server
+ ovs-vsctl add-port br-int veth-server
+ ovs-vsctl set Interface veth-server external_ids:iface-id=server
+ ip addr add 172.16.1.2/24 dev veth-server
+ ip link set veth-server up
+ ip netns exec server ip addr add 172.16.1.2/24 dev server
+ ip netns exec server ip link set server up
+ ip netns exec server ip route add default via 172.16.1.1
+ ovn-nbctl lb-del lb1
+ ovn-nbctl lb-add lb1 172.16.1.20:4242 172.16.1.2:4242 udp
+ ovn-nbctl ls-lb-add public lb1
+ ovn-nbctl --wait=hv sync
+ ovs-appctl dpctl/flush-conntrack
+ SERVER_PID=7825
+ ip netns exec server nc -l -u 172.16.1.2 4242
+ TCPDUMP1_PID=7826
+ exit 0
+ ip netns exec server tcpdump -l -U -i server -vnne 'udp and ip[6:2] > 0 and not ip[6] = 64' -w server.pcap
[root@dell-per730-51 ~]# dropped privs to tcpdump
tcpdump: listening on server, link-type EN10MB (Ethernet), snapshot length 262144 bytes
^Ct 9
[root@dell-per730-51 ~]#
[root@dell-per730-51 ~]# rpm -qa | grep ovn
ovn24.09-24.09.2-26.el9fdp.x86_64
ovn24.09-host-24.09.2-26.el9fdp.x86_64
ovn24.09-central-24.09.2-26.el9fdp.x86_64
ovn24.09-vtep-24.09.2-26.el9fdp.x86_64
[root@dell-per730-51 ~]# rpm -qa | grep openv
openvswitch-selinux-extra-policy-1.0-38.el9fdp.noarch
openvswitch3.1-3.1.0-149.el9fdp.x86_64
python3-openvswitch3.1-3.1.0-149.el9fdp.x86_64
openvswitch3.1-test-3.1.0-149.el9fdp.noarch