openvswitch port mirroring only mirrors egress traffic

Bug #1639273 reported by Dan Streetman
This bug affects 1 person
Affects               Status        Importance  Assigned to  Milestone
Ubuntu Cloud Archive  Fix Released  Undecided   Unassigned
Liberty               Triaged       Medium      Unassigned
openvswitch           New           Undecided   Unassigned

Bug Description

With a Liberty OpenStack installation (openvswitch 2.4.1-0ubuntu0.15.10.1~cloud0) with two VMs, when vm1's interface is mirrored to vm2's interface, only vm1's egress traffic is mirrored; ingress traffic does not appear on vm2's interface.

ubuntu@machine-15:~$ sudo ovs-vsctl list mirror
ubuntu@machine-15:~$ sudo ovs-vsctl -- set Bridge br-int mirrors=@m -- --id=@qvo07e7496c-a1 get Port qvo07e7496c-a1 -- --id=@qvo91feef0f-f9 get Port qvo91feef0f-f9 -- --id=@m create Mirror name=mirror3 select-src-port=@qvo07e7496c-a1 select-dst-port=@qvo07e7496c-a1 output-port=@qvo91feef0f-f9
7e9e725f-1d23-4b30-8e46-82f7f7e71353
ubuntu@machine-15:~$ sudo ovs-vsctl list mirror
_uuid : 7e9e725f-1d23-4b30-8e46-82f7f7e71353
external_ids : {}
name : "mirror3"
output_port : a0e92620-37dd-4fd6-b514-45d47526306a
output_vlan : []
select_all : false
select_dst_port : [cafc190f-e89a-4f2c-ab56-2072351bbe41]
select_src_port : [cafc190f-e89a-4f2c-ab56-2072351bbe41]
select_vlan : []
statistics : {}

ubuntu@machine-15:~$ ping -c 1 10.5.150.3
PING 10.5.150.3 (10.5.150.3) 56(84) bytes of data.
64 bytes from 10.5.150.3: icmp_seq=1 ttl=63 time=4.26 ms

--- 10.5.150.3 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 4.268/4.268/4.268/0.000 ms

On vm 1 both directions appear, as expected:

17:16:13.093469 IP 10.5.2.1 > 192.168.21.7: ICMP echo request, id 9031, seq 1, length 64
17:16:13.094792 IP 192.168.21.7 > 10.5.2.1: ICMP echo reply, id 9031, seq 1, length 64

On vm 2 only outgoing traffic is mirrored:

17:16:13.095066 IP 192.168.21.7 > 10.5.2.1: ICMP echo reply, id 9031, seq 1, length 64

---------------------------

[Impact]

This patch addresses an issue where no ingress traffic is mirrored on the openvswitch mirroring output port.

[Test Case]
Deploy an OpenStack cloud w/ trusty-liberty, spawn two vms on the same compute host, configure an ovs mirror with these two vms' interfaces, and run tcpdump on the output mirroring interface.

[Regression Potential]

None.

Tags: sts
Dan Streetman (ddstreet) wrote :

The problem appears to be fixed in the Mitaka release. There are numerous openvswitch mirroring changes between Liberty and Mitaka.

Xiang Hui (xianghui) wrote :

[ovs version]
trusty-liberty: 2.4.1-0ubuntu0.15.10.1~cloud0
xenial-mitaka: 2.5.0

[differ]
# dp flow (trusty-liberty)
system@ovs-system:
        lookups: hit:21292 missed:2806 lost:0
        flows: 0
        masks: hit:38067 total:0 hit/pkt:1.58
        port 0: ovs-system (internal)
        port 1: br-int (internal)
        port 2: br-ex (internal)
        port 3: br-tun (internal)
        port 4: gre_sys (gre)
        port 5: br-data (internal)
        port 6: qvo07e7496c-a1
        port 7: qvo91feef0f-f9
        port 8: qvo06e27c00-43
        port 9: qvo57a80236-fc

tunnel(tun_id=0x5,src=10.5.1.254,dst=10.5.2.1,ttl=64,flags(-df-csum+key)),in_port(4),skb_mark(0),eth(src=fa:16:3e:fd:1f:98,dst=fa:16:3e:26:2b:d0),eth_type(0x0806), packets:0, bytes:0, used:never, actions:6

# dp flow (xenial-mitaka)
system@ovs-system:
        lookups: hit:409100 missed:25958 lost:0
        flows: 4
        masks: hit:1427427 total:4 hit/pkt:3.28
        port 0: ovs-system (internal)
        port 1: br-int (internal)
        port 2: br-ex (internal)
        port 3: br-data (internal)
        port 4: br-tun (internal)
        port 5: qvo48082a53-ee
        port 6: gre_sys (gre)
        port 7: qvo330b5535-cf

recirc_id(0),tunnel(tun_id=0x5,src=10.5.6.194,dst=10.5.6.197,ttl=64,flags(-df-csum+key)),in_port(6),skb_mark(0),eth(src=fa:16:3e:41:4c:6d,dst=fa:16:3e:cc:aa:4d),eth_type(0x0800),ipv4(frag=no), packets:12, bytes:1359, used:2.637s, actions:5,7

There was at least one mirror rewrite between these two versions.
https://github.com/openvswitch/ovs/commit/7efbc3b7c4006caed79cc9afa799cd0f9b8f5d38

Xiang Hui (xianghui) wrote :

After applying this patch, ingress traffic is caught.
####
08:26:09.528646 fa:16:3e:92:5c:7c (oui Unknown) > fa:16:3e:06:48:2d (oui Unknown), ethertype IPv4 (0x0800), length 98: xianghui-bastion.openstacklocal > 192.168.21.5: ICMP echo request, id 32688, seq 1, length 64
08:26:09.529292 fa:16:3e:06:48:2d (oui Unknown) > fa:16:3e:92:5c:7c (oui Unknown), ethertype IPv4 (0x0800), length 98: 192.168.21.5 > xianghui-bastion.openstacklocal: ICMP echo reply, id 32688, seq 1, length 64

# dp flow
port 6: qvof33b94a9-bd
port 7: qvo8a0d7c3b-b2
tunnel(tun_id=0x5,src=10.5.6.210,dst=10.5.6.213,ttl=64,flags(-df-csum+key)),in_port(2),skb_mark(0),eth(src=fa:16:3e:92:5c:7c,dst=fa:16:3e:06:48:2d),eth_type(0x0800),ipv4(frag=no), packets:116, bytes:12356, used:1.776s, actions:6,7

Xiang Hui (xianghui)
description: updated
James Page (james-page)
Changed in cloud-archive:
status: New → Fix Released
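
An added example, not part of the original report or of Open vSwitch: a Python check over datapath flow lines like those quoted in the comments above, flagging flows that touch the mirrored port without also outputting to the mirror output port (the gap that leaves a monitoring VM blind to one direction). It assumes port 6 is the mirrored VM and port 7 the mirror output in both the Liberty and the post-patch flow (the report does not say which is which after the patch); the `FROM_VM` line is constructed.

```python
import re

# Sample input taken from the outputs quoted in this report: the two port
# lines from the trusty-liberty listing, and one flow before / after the patch.
SHOW = "        port 6: qvo07e7496c-a1\n        port 7: qvo91feef0f-f9\n"
BEFORE = ("tunnel(tun_id=0x5,src=10.5.1.254,dst=10.5.2.1,ttl=64,flags(-df-csum+key)),"
          "in_port(4),skb_mark(0),eth(src=fa:16:3e:fd:1f:98,dst=fa:16:3e:26:2b:d0),"
          "eth_type(0x0806), packets:0, bytes:0, used:never, actions:6")
AFTER = ("tunnel(tun_id=0x5,src=10.5.6.210,dst=10.5.6.213,ttl=64,flags(-df-csum+key)),"
         "in_port(2),skb_mark(0),eth(src=fa:16:3e:92:5c:7c,dst=fa:16:3e:06:48:2d),"
         "eth_type(0x0800),ipv4(frag=no), packets:116, bytes:12356, used:1.776s, actions:6,7")
# Constructed line (not from the report): traffic sent by the mirrored VM.
FROM_VM = ("in_port(6),eth_type(0x0800), packets:1, bytes:98, used:0.1s, "
           "actions:set(tunnel(tun_id=0x5,ttl=64)),4,7")

def port_numbers(show_text):
    """Map port name -> datapath port number from `port N: name` lines."""
    return {m.group(2): int(m.group(1))
            for m in re.finditer(r"^\s*port (\d+): (\S+)", show_text, re.M)}

def parse_flow(line):
    """Return (in_port, set of output port numbers), or None if not a flow."""
    m_in = re.search(r"\bin_port\((\d+)\)", line)
    m_act = re.search(r"\bactions:(.*)$", line.strip())
    if not (m_in and m_act):
        return None
    acts, prev = m_act.group(1), None
    while prev != acts:  # drop nested (...) so only top-level commas remain
        prev, acts = acts, re.sub(r"\([^()]*\)", "", acts)
    outputs = {int(t) for t in acts.split(",") if t.strip().isdigit()}
    return int(m_in.group(1)), outputs

def mirror_gaps(flow_lines, mirrored, output):
    """List (direction, line) for flows touching `mirrored` with no copy to `output`."""
    gaps = []
    for line in flow_lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        in_port, outputs = parsed
        to_vm = mirrored in outputs      # delivered to the VM: select-dst-port
        from_vm = in_port == mirrored    # sent by the VM: select-src-port
        if (to_vm or from_vm) and output not in outputs:
            gaps.append(("to_vm" if to_vm else "from_vm", line))
    return gaps

if __name__ == "__main__":
    p = port_numbers(SHOW)
    for direction, line in mirror_gaps([BEFORE, AFTER, FROM_VM],
                                       p["qvo07e7496c-a1"], p["qvo91feef0f-f9"]):
        print(direction, "not mirrored:", line[-40:])
```
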