From: Thomas Graf <tgraf@suug.ch>
To: Hannes Frederic Sowa <hannes@stressinduktion.org>
Cc: Jesse Gross <jesse@kernel.org>, David Wragg <david@weave.works>,
David Miller <davem@davemloft.net>,
dev@openvswitch.org,
Linux Kernel Network Developers <netdev@vger.kernel.org>
Subject: Re: [ovs-dev] [PATCH net 0/2] vxlan: Set a large MTU on ovs-created vxlan devices
Date: Sun, 10 Jan 2016 11:49:49 +0100 [thread overview]
Message-ID: <20160110104949.GE1190@pox.localdomain> (raw)
In-Reply-To: <56902A3D.4090508@stressinduktion.org>
On 01/08/16 at 10:29pm, Hannes Frederic Sowa wrote:
> On 07.01.2016 19:40, Thomas Graf wrote:
> >I think you are worried about an ICMP error from a hop which does not
> >decrement TTL. I think that's a good point and I think we should only
> >send an ICMP error if the TTL is decremented in the action list of
> >the flow for which we have seen a MTU based drop (or TTL=0).
>
> Also agreed, ovs must act in routing mode but at the same time must have an
> IP address on the path. I think this is actually the problem.
>
> Currently we have no way to feedback an error in current configurations with
> ovs sitting in another namespace for e.g. docker containers:
>
> We traverse a net namespace so we drop skb->sk, we don't hold any socket
> reference to enqueue an PtB error to the original socket.
>
> We mostly use netif_rx_internal queues the socket on the backlog, so we
> can't signal an error over the callstack either.
>
> And ovs does not necessarily have an ip address as the first hop of the
> namespace or the virtual machine, so it cannot know a valid ip address with
> which to reply, no?
[your last statement moved up here:]
> If we are doing L3 forwarding into a tunnel, this is absolutely correct and
> can be easily done.
OK, I can see where you are going with this. I was assuming pure
virtual networks due to the contexts of these patches.
So an ICMP is always UDP encapsulated or directly delivered to a veth or
tap which runs in its own netns or is a VM of which the IP stack
operates exclusively in the context of the virtual network. The stack of
the OVS host never gets to see the actual ICMPs and rp_filter never gets
into play.
In such a context, the virtual router IPs are typically programmed
into the flow table because they are only valid in the virtual network
context, assigning them to the OVS bridge would be wrong as it
represents the underlay context.
The virtual router address is known in the flow context of the virtual
network though and can be given to the icmp_send variant.
Can you elaborate a bit on your container scenario, is it ovs running
in host netns with veth pairs bridging into container netns?
Shouldn't that be solved with the above as the ICMPs sent back in
return by the local OVS are perfectly valid in the IP stack context of
the container netns?
next prev parent reply other threads:[~2016-01-10 10:49 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-01-06 13:33 [PATCH net 0/2] vxlan: Set a large MTU on ovs-created vxlan devices David Wragg
[not found] ` <1452087186-12926-1-git-send-email-david-1SEAoVOfG6VEzL6FDj/jAg@public.gmane.org>
2016-01-06 13:33 ` [PATCH net 1/2] vxlan: Relax the MTU constraint on " David Wragg
[not found] ` <1452087186-12926-2-git-send-email-david-1SEAoVOfG6VEzL6FDj/jAg@public.gmane.org>
2016-01-07 11:24 ` Thomas Graf
2016-01-07 11:31 ` David Wragg
2016-01-07 11:50 ` Thomas Graf
2016-01-09 18:39 ` roopa
2016-01-10 10:28 ` [ovs-dev] " Thomas Graf
2016-01-27 16:39 ` roopa
2016-01-06 20:59 ` [PATCH net 0/2] vxlan: Set a large MTU on ovs-created " David Miller
[not found] ` <20160106.155950.1007160228570301281.davem-fT/PcQaiUtIeIZ0/mPfg9Q@public.gmane.org>
2016-01-06 22:53 ` Jesse Gross
2016-01-06 23:25 ` David Wragg
2016-01-06 23:57 ` [ovs-dev] " Jesse Gross
2016-01-07 0:14 ` Hannes Frederic Sowa
2016-01-07 0:46 ` Jesse Gross
2016-01-07 11:49 ` Thomas Graf
[not found] ` <20160107114935.GJ32456-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
2016-01-07 16:35 ` Jesse Gross
2016-01-07 17:21 ` [ovs-dev] " Thomas Graf
2016-01-07 17:50 ` Hannes Frederic Sowa
[not found] ` <568EA55A.7070305-tFNcAqjVMyqKXQKiL6tip0B+6BGkLq7r@public.gmane.org>
2016-01-07 18:40 ` Thomas Graf
[not found] ` <20160107184042.GB24672-4EA/1caXOu0mYvmMESoHnA@public.gmane.org>
2016-01-08 21:29 ` Hannes Frederic Sowa
2016-01-10 10:49 ` Thomas Graf [this message]
[not found] ` <CAEh+42iWSZOyikNydU2Bs8meqYfrKfUJLDGFJ8HzQ06k64LP0g-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-01-07 0:29 ` David Wragg
[not found] ` <86wprmp6z6.fsf-1SEAoVOfG6VEzL6FDj/jAg@public.gmane.org>
2016-01-07 1:10 ` Jesse Gross
2016-01-07 21:47 ` David Miller
2016-01-07 23:42 ` David Wragg
2016-01-08 2:48 ` David Miller
2016-01-06 13:33 ` [PATCH net 2/2] " David Wragg
[not found] ` <1452087186-12926-3-git-send-email-david-1SEAoVOfG6VEzL6FDj/jAg@public.gmane.org>
2016-01-07 11:36 ` Thomas Graf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160110104949.GE1190@pox.localdomain \
--to=tgraf@suug.ch \
--cc=davem@davemloft.net \
--cc=david@weave.works \
--cc=dev@openvswitch.org \
--cc=hannes@stressinduktion.org \
--cc=jesse@kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).