(Newton) SNAT drop default traffic

Setup: one controller/network node (two other nodes are disabled for debugging purposes) running SNAT; 3x compute nodes with DVR.

Symptom: 1) VMs can reach the provider network gw via FIP - OK; 2) VMs without FIP cannot reach the provider network. Tracing packets reveals that ARP can reach the controller snat, then goes into br-int, then br-ex. But the flow rules show br-ex dropping the packet:

br-ex flow rules:

    ovs-ofctl dump-flows br-ex table=0
    NXST_FLOW reply (xid=0x4):
     cookie=0xa17bdbc1ee2b5660, duration=6717.517s, table=0, n_packets=354, n_bytes=21600, idle_age=568, priority=2,in_port=1 actions=resubmit(,1)
     cookie=0xa17bdbc1ee2b5660, duration=6717.852s, table=0, n_packets=0, n_bytes=0, idle_age=9736, priority=0 actions=NORMAL
     cookie=0xa17bdbc1ee2b5660, duration=6717.516s, table=0, n_packets=4435, n_bytes=318022, idle_age=5, priority=1 actions=resubmit(,3)

    ovs-ofctl dump-flows br-ex table=1
    NXST_FLOW reply (xid=0x4):
     cookie=0xa17bdbc1ee2b5660, duration=6749.800s, table=1, n_packets=354, n_bytes=21600, idle_age=601, priority=0 actions=resubmit(,2)

    ovs-ofctl dump-flows br-ex table=2
    NXST_FLOW reply (xid=0x4):
     cookie=0xa17bdbc1ee2b5660, duration=6790.906s, table=2, n_packets=354, n_bytes=21600, idle_age=642, priority=2,in_port=1 actions=drop

ovs-vsctl show:

    Bridge br-int
        Controller "tcp:127.0.0.1:6633"
        fail_mode: secure
        Port "qg-14127f17-20"
            tag: 1
            Interface "qg-14127f17-20"
                type: internal
        Port int-br-ex
            Interface int-br-ex
                type: patch
                options: {peer=phy-br-ex}
        Port "tap13d9a8d7-62"
            tag: 4
            Interface "tap13d9a8d7-62"
                type: internal
        Port "qr-cb9d8b4b-33"
            tag: 2
            Interface "qr-cb9d8b4b-33"
                type: internal
        Port "sg-35a9d87d-42"
            tag: 2
            Interface "sg-35a9d87d-42"
                type: internal
        Port int-br-ex-pub
            Interface int-br-ex-pub
                type: patch
                options: {peer=phy-br-ex-pub}
        Port br-int
            Interface br-int
                type: internal
        Port patch-tun
            Interface patch-tun
                type: patch
                options: {peer=patch-int}

    Bridge br-ex
        Controller "tcp:127.0.0.1:6633"
        fail_mode: secure
        Port "bond0.363"
            Interface "bond0.363"
        Port br-ex
            Interface br-ex
                type: internal
        Port phy-br-ex
            Interface phy-br-ex
                type: patch
                options: {peer=int-br-ex}
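
The resubmit chain in the br-ex dumps above can be followed mechanically. The following is an added example, not part of the original post: a small Python tracer run over the flow entries quoted in the question (counters stripped), assuming exact-match fields and a single `resubmit(,N)` action per flow; `parse_flows` and `trace` are hypothetical helper names.

```python
import re

# Flow entries taken from the br-ex dumps in the post, counters stripped.
FLOWS = """\
table=0, priority=2,in_port=1 actions=resubmit(,1)
table=0, priority=0 actions=NORMAL
table=0, priority=1 actions=resubmit(,3)
table=1, priority=0 actions=resubmit(,2)
table=2, priority=2,in_port=1 actions=drop
"""
# Statistics keys that are not match fields in dump-flows output.
STATS = {"cookie", "duration", "table", "n_packets", "n_bytes", "idle_age", "hard_age"}

def parse_flows(text):
    """Parse `ovs-ofctl dump-flows` lines into table/priority/match/actions dicts."""
    flows = []
    for line in text.splitlines():
        if " actions=" not in line:
            continue  # skips the NXST_FLOW reply header and blank lines
        head, actions = line.rsplit(" actions=", 1)
        table = int(re.search(r"table=(\d+)", head).group(1))
        # The last token before "actions=" holds priority and match fields.
        match = dict(kv.split("=", 1) for kv in head.split()[-1].split(",")
                     if "=" in kv and kv.split("=")[0] not in STATS)
        priority = int(match.pop("priority", 32768))  # OpenFlow default priority
        flows.append({"table": table, "priority": priority,
                      "match": match, "actions": actions.strip()})
    return flows

def trace(flows, packet, table=0, max_hops=16):
    """Follow resubmit(,N) for a packet; return [(table, actions), ...]."""
    path = []
    for _ in range(max_hops):
        hits = [f for f in flows if f["table"] == table
                and all(packet.get(k) == v for k, v in f["match"].items())]
        if not hits:
            path.append((table, "no matching flow in dump"))
            break
        best = max(hits, key=lambda f: f["priority"])  # highest priority wins
        path.append((table, best["actions"]))
        nxt = re.fullmatch(r"resubmit\(,(\d+)\)", best["actions"])
        if not nxt:
            break  # terminal action such as drop or NORMAL
        table = int(nxt.group(1))
    return path

if __name__ == "__main__":
    for port in ("1", "2"):
        print("in_port=" + port, trace(parse_flows(FLOWS), {"in_port": port}))
```

On a live node, `ovs-appctl ofproto/trace br-ex in_port=1` gives the authoritative version of the same walk, including flows in tables not shown in the post.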