We are adding ACLs to allow DHCP traffic for every subnet but those are not needed since ovn-northd is adding the necessary logical flows to handle the requests/responses. (Actually due to a bug, we weren't adding them after the Port Groups support got merged and this is how I realized).
First it's adding REGBIT_CONNTRACK_DEFRAG to the pre_acl table in the Ingress pipeline [0] and later it's getting sent to conntrack [1] which eventually will hit the DHCP responder [2]
[0] https://github.com/openvswitch/ovs/blob/v2.10.0/ovn/northd/ovn-northd.c#L3191
[1] https://github.com/openvswitch/ovs/blob/v2.10.0/ovn/northd/ovn-northd.c#L3318
[2] https://github.com/openvswitch/ovs/blob/v2.10.0/ovn/northd/ovn-northd.c#L2767
I tried to remove the ACLS that we're adding in networking-ovn and request DHCP from a server. The VM got the response (10.0.0.3) and I'm attaching both the flows getting hit plus the ovn-trace output.
Flows:
table=0, n_packets=245, n_bytes=31200, idle_age=2, priority=100,in_port=2 actions=load:0x8->NXM_NX_REG13[],load:0x4->NXM_NX_REG11[],load:0x5->NXM_NX_REG12[],load:0x1->OXM_OF_METADATA[],load:0x5->NXM_NX_REG14[],resubmit(,8)
table=8, n_packets=245, n_bytes=31200, idle_age=2, priority=50,reg14=0x5,metadata=0x1,dl_src=fa:16:3e:00:14:fe actions=resubmit(,9)
table=9, n_packets=8, n_bytes=2656, idle_age=2, priority=90,udp,reg14=0x5,metadata=0x1,dl_src=fa:16:3e:00:14:fe,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=resubmit(,10)
table=10, n_packets=1624, n_bytes=192059, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,11)
table=11, n_packets=498, n_bytes=59819, idle_age=2, priority=100,ip,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[96],resubmit(,12)
table=12, n_packets=515, n_bytes=60829, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,13)
table=13, n_packets=498, n_bytes=59819, idle_age=2, hard_age=65534, priority=100,ip,reg0=0x1/0x1,metadata=0x1 actions=ct(table=14,zone=NXM_NX_REG13[0..15])
table=14, n_packets=26, n_bytes=4250, idle_age=2, priority=2002,ct_state=+new-est+trk,ip,reg14=0x5,metadata=0x1 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,15)
table=15, n_packets=1627, n_bytes=192017, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,16)
table=16, n_packets=1627, n_bytes=192017, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,17)
table=17, n_packets=1627, n_bytes=192017, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,18)
table=18, n_packets=36, n_bytes=5110, idle_age=2, hard_age=65534, priority=100,ip,reg0=0x2/0x2,metadata=0x1 actions=ct(commit,zone=NXM_NX_REG13[0..15],exec(load:0->NXM_NX_CT_LABEL[0])),resubmit(,19)
table=19, n_packets=1614, n_bytes=191399, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,20)
table=20, n_packets=8, n_bytes=2656, idle_age=2, priority=100,udp,reg14=0x5,metadata=0x1,dl_src=fa:16:3e:00:14:fe,nw_src=0.0.0.0,nw_dst=255.255.255.255,tp_src=68,tp_dst=67 actions=controller(userdata=00.00.00.02.00.00.00.00.00.01.de.10.00.00.00.63.0a.00.00.03.79.0e.20.a9.fe.a9.fe.0a.00.00.02.00.0a.00.00.01.06.0c.0a.c8.10.03.0a.c8.10.02.0a.c8.10.04.33.04.00.00.a8.c0.1a.02.05.a2.01.04.ff.ff.ff.c0.03.04.0a.00.00.01.36.04.0a.00.00.01,pause),resubmit(,21)
table=43, n_packets=547, n_bytes=64394, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,44)
table=44, n_packets=8, n_bytes=2816, idle_age=2, priority=34000,udp,reg15=0x5,metadata=0x1,dl_src=fa:16:3e:8c:ca:24,nw_src=10.0.0.1,tp_src=67,tp_dst=68 actions=ct(commit,zone=NXM_NX_REG13[0..15]),resubmit(,45)
table=45, n_packets=542, n_bytes=63976, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,46)
table=46, n_packets=542, n_bytes=63976, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,47)
table=47, n_packets=522, n_bytes=62424, idle_age=2, hard_age=65534, priority=0,metadata=0x1 actions=resubmit(,48)
table=48, n_packets=268, n_bytes=31773, idle_age=2, priority=90,ip,reg15=0x5,metadata=0x1,dl_dst=fa:16:3e:00:14:fe,nw_dst=10.0.0.3 actions=resubmit(,49)
table=49, n_packets=274, n_bytes=32025, idle_age=2, priority=50,reg15=0x5,metadata=0x1,dl_dst=fa:16:3e:00:14:fe actions=resubmit(,64)
table=64, n_packets=14, n_bytes=3068, idle_age=2, priority=100,reg10=0x1/0x1,reg15=0x5,metadata=0x1 actions=push:NXM_OF_IN_PORT[],load:0->NXM_OF_IN_PORT[],resubmit(,65),pop:NXM_OF_IN_PORT[]
table=65, n_packets=290, n_bytes=33873, idle_age=2, priority=100,reg15=0x5,metadata=0x1 actions=output:2
OVN_TRACE:
ovn-trace --detailed neutron-cdc8d3ed-9510-4e60-929b-3bbf2c35e2df 'inport == "edd9d341-1bb1-4743-8b51-b37a35ba0a97" && eth.src == fa:16:3e:00:14:fe && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && eth.dst == ff:ff:ff:ff:ff:ff && ip && udp && udp.src == 68 && udp.dst == 67'
# udp,reg14=0x5,vlan_tci=0x0000,dl_src=fa:16:3e:00:14:fe,dl_dst=ff:ff:ff:ff:ff:ff,nw_src=0.0.0.0,nw_dst=255.255.255.255,nw_tos=0,nw_ecn=0,nw_ttl=0,tp_src=68,tp_dst=67
ingress(dp="private", inport="edd9d3")
--------------------------------------
0. ls_in_port_sec_l2 (ovn-northd.c:4060): inport == "edd9d3" && eth.src == {fa:16:3e:00:14:fe}, priority 50, uuid 8de482a7
next;
1. ls_in_port_sec_ip (ovn-northd.c:2776): inport == "edd9d3" && eth.src == fa:16:3e:00:14:fe && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67, priority 90, uuid d41a3488
next;
3. ls_in_pre_acl (ovn-northd.c:3192): ip, priority 100, uuid c4cd96ef
reg0[0] = 1;
next;
5. ls_in_pre_stateful (ovn-northd.c:3319): reg0[0] == 1, priority 100, uuid ce8c6d37
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
6. ls_in_acl (ovn-northd.c:3506): !ct.new && ct.est && !ct.rpl && ct_label.blocked == 0 && (inport == @pg_d7264c6c_5c0b_48e8_a1a3_d4840bf5ddf4 && ip4), priority 2002, uuid 2a4a36b1
next;
12. ls_in_dhcp_options (ovn-northd.c:4239): inport == "edd9d3" && eth.src == fa:16:3e:00:14:fe && ip4.src == 0.0.0.0 && ip4.dst == 255.255.255.255 && udp.src == 68 && udp.dst == 67, priority 100, uuid ae83388c
reg0[3] = put_dhcp_opts(offerip = 10.0.0.3, classless_static_route = {169.254.169.254/32, 10.0.0.2, 0.0.0.0/0, 10.0.0.1}, dns_server = {10.200.16.3, 10.200.16.2, 10.200.16.4}, lease_time = 43200, mtu = 1442, netmask = 255.255.255.192, router = 10.0.0.1, server_id = 10.0.0.1);
/* We assume that this packet is DHCPDISCOVER or DHCPREQUEST. */
next;
13. ls_in_dhcp_response (ovn-northd.c:4268): inport == "edd9d3" && eth.src == fa:16:3e:00:14:fe && ip4 && udp.src == 68 && udp.dst == 67 && reg0[3], priority 100, uuid ea0c55a3
eth.dst = eth.src;
eth.src = fa:16:3e:8c:ca:24;
ip4.dst = 10.0.0.3;
ip4.src = 10.0.0.1;
udp.src = 67;
udp.dst = 68;
outport = inport;
flags.loopback = 1;
output;
egress(dp="private", inport="edd9d3", outport="edd9d3")
-------------------------------------------------------
1. ls_out_pre_acl (ovn-northd.c:3194): ip, priority 100, uuid e0a1ca39
reg0[0] = 1;
next;
2. ls_out_pre_stateful (ovn-northd.c:3321): reg0[0] == 1, priority 100, uuid 56b4f089
ct_next;
ct_next(ct_state=est|trk /* default (use --ct to customize) */)
---------------------------------------------------------------
4. ls_out_acl (ovn-northd.c:3781): outport == "edd9d3" && eth.src == fa:16:3e:8c:ca:24 && ip4.src == 10.0.0.1 && udp && udp.src == 67 && udp.dst == 68, priority 34000, uuid daad37f2
ct_commit;
next;
8. ls_out_port_sec_ip (ovn-northd.c:2815): outport == "edd9d3" && eth.dst == fa:16:3e:00:14:fe && ip4.dst == {255.255.255.255, 224.0.0.0/4, 10.0.0.3}, priority 90, uuid 2c84f2ee
next;
9. ls_out_port_sec_l2 (ovn-northd.c:4518): outport == "edd9d3" && eth.dst == {fa:16:3e:00:14:fe}, priority 50, uuid 0683d60e
output;
/* output to "edd9d3", type "" */
At this point I think that we can safely drop the code which adds this ACLs, ie. not creating/maintaining the Port Groups associated to the subnets anymore as they're not needed.
Reviewed: https:/ /review. openstack. org/600365 /git.openstack. org/cgit/ openstack/ networking- ovn/commit/ ?id=d5a0de26150 7192b61f2cdf80a 537ceaa0792dc3
Committed: https:/
Submitter: Zuul
Branch: master
commit d5a0de261507192 b61f2cdf80a537c eaa0792dc3
Author: Daniel Alvarez <email address hidden>
Date: Thu Sep 6 07:29:45 2018 +0000
Drop subnet Port Groups
This patch is dropping the code that creates and handles the
subnet Port Groups. Those were used to place the ACLs that
allowed DHCP traffic to reach the responder in the OVN
pipeline but as explained in the bug description, it's
not needed anymore.
Change-Id: I30bee5c5576554 b162e66e1b5dfbe 734522ab363
Closes-Bug: #1790900
Signed-off-by: Daniel Alvarez <email address hidden>