[openstack-dev] (no subject)

Farhad Sunavala fsbiz at yahoo.com
Sun Jul 31 02:25:07 UTC 2016


Yes, this was intentionally done.The logical-source-port is important only at the point of classification.All successive classifications rely only on the 5 tuple and MPLS label (chain ID).
Consider an extension of the scenario you mention below.
Sources: (similar to your case)a b
Port-pairs: (added ppe and ppf)ppcppdppeppf
Port-pair-groups: (added ppge and ppgf)ppgcppgdppgeppgf
Flow-classifiers:fc1: logical-source-port of a && tcpfc2: logical-source-port of b && tcp
Port-chains:pc1: fc1 && (ppgc + ppge)pc2: fc2 && (ppgd + ppgc + ppgf)


The flow-classifier has logical-src-port and protocol=tcpThe logical-src-port has no relevance in the middle of the chain.
In the middle of the chain, the only relevant flow-classifier is protocol=tcp.
If we allow it, we cannot distinguish TCP traffic coming out of ppgc (and subsequently ppc) as to whether to mark it with the label for pc1 or the label for pc2.
In other words, within a tenant the flow-classifiers need to be unique wrt the 5 tuples.
thanks,Farhad.
Date: Fri, 29 Jul 2016 18:01:05 +0300
From: Artem Plakunov <artacc at lvk.cs.msu.su>
To: openstack at lists.openstack.org
Subject: [Openstack] [networking-sfc] Flow classifier conflict logic
Message-ID: <579B6FB1.3030505 at lvk.cs.msu.su>
Content-Type: text/plain; charset="utf-8"; Format="flowed"

Hello.
We have two deployments with networking-sfc:
mirantis 8.0 (liberty) and mirantis 9.0 (mitaka).

I noticed a difference in how flow classifiers conflict with each other 
which I do not understand. I'm not sure if it is a bug or not.

I did the following on mitaka:
1. Create tenant 1 and network 1
2. Launch vms A and B in network 1
3. Create tenant 2, share network 1 to it with RBAC policy, launch vm C 
in network 1
4. Create tenant 3, share network 1 to it with RBAC policy, launch vm D 
in network 1
5. Setup sfc:
    create two port pairs for vm C and vm D with a bidirectional port
    create two port pair groups with these pairs (one pair in one group)
    create flow classifier 1: logical-source-port = vm A port, protocol 
= tcp
    create flow classifier 2: logical-source-port = vm B port, protocol 
= tcp
    create chain with group 1 and classifier 1
    create chain with group 2 and classifier 2 - this step gives the 
following error:

Flow Classifier 7f37c1ba-abe6-44a0-9507-5b982c51028b conflicts with Flow 
Classifier 4e97a8a5-cb22-4c21-8e30-65758859f501 in port chain 
d1070955-fae9-4483-be9e-0e30f2859282.
Neutron server returns request_ids: 
['req-9d0eecec-2724-45e8-84b4-7ccf67168b03']

The only thing neutron logs have is this from server.log:
2016-07-29 14:15:57.889 18917 INFO neutron.api.v2.resource 
[req-9d0eecec-2724-45e8-84b4-7ccf67168b03 
0b807c8616614b84a4b16a318248d28c 9de9dcec18424398a75a518249707a61 - - -] 
create failed (client error): Flow Classifier 
7f37c1ba-abe6-44a0-9507-5b982c51028b conflicts with Flow Classifier 
4e97a8a5-cb22-4c21-8e30-65758859f501 in port chain 
d1070955-fae9-4483-be9e-0e30f2859282.

I tried the same in liberty and it works and sfc successfully routes 
traffic from both vms to their respective port groups

Liberty setup:
neutron version 7.0.4
neutronclient version 3.1.1
networking-sfc version 1.0.0 (from pip package)

Mitaka setup:
neutron version 8.1.1
neutronclient version 5.0.0 (tried using 3.1.1 with same outcome)
networking-sfc version 1.0.1.dev74 (from master branch commit 
6730b6810355761cf55f04a40cd645f065f15752)

I'll attach the output of commands neutron port-list, port-pair-list, 
port-pair-group-list, flow-classifier-list and port-chain-list.

Is this an intended flow classifier behavior? If so, why? The port 
chains and all their participants are different.
-------------- next part --------------
root at node-8:~# neutron port-list
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| id                                  | name | mac_address      | fixed_ips                                                                            |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
| 0a75ef50-3d06-467b-8321-a0b9dc406a2b |      | fa:16:3e:e0:48:81 | {"subnet_id": "533598bc-0bfd-4e92-9133-33ffe5043d57", "ip_address": "172.20.2.168"}  |
| 0c88fc4a-83f7-4194-bb9c-1b5864795e18 |      | fa:16:3e:f3:e9:ea | {"subnet_id": "69838436-ff18-40c4-bc62-8811e4ef6c7c", "ip_address": "192.168.44.2"}  |
| 0f6bddbb-a5a6-459a-a9b3-d4ae0806e5a6 |      | fa:16:3e:f7:27:1f | {"subnet_id": "1e69d4a3-9696-49c0-a5b7-5de71d7db0b5", "ip_address": "10.0.40.3"}    |
| 1731aae5-cd3a-4373-b9b9-6bca775ea4c6 |      | fa:16:3e:d7:0f:87 | {"subnet_id": "69838436-ff18-40c4-bc62-8811e4ef6c7c", "ip_address": "192.168.44.6"}  |
| 1c15d87e-78dd-40b8-ba68-13f55017be01 |      | fa:16:3e:a8:fe:ca | {"subnet_id": "533598bc-0bfd-4e92-9133-33ffe5043d57", "ip_address": "172.20.2.130"}  |
| 1e707e4c-e75a-475a-b166-7d4e4d09df22 |      | fa:16:3e:40:72:00 | {"subnet_id": "569cf8d4-8580-48a7-a340-c302653ee42d", "ip_address": "192.168.111.4"} |
| 22498841-ae75-4c2e-923a-678d54da661b |      | fa:16:3e:e0:d4:cf | {"subnet_id": "569cf8d4-8580-48a7-a340-c302653ee42d", "ip_address": "192.168.111.6"} |
| 3a40b509-ac45-4fe0-8018-9d7b72b143b6 |      | fa:16:3e:b1:ae:8e | {"subnet_id": "5e3bdee7-577a-4f8a-898a-c0003822ac59", "ip_address": "10.20.30.2"}    |
| 3a85a5dc-1756-4106-a137-306bb0410b0c |      | fa:16:3e:3c:c2:2a | {"subnet_id": "533598bc-0bfd-4e92-9133-33ffe5043d57", "ip_address": "172.20.2.179"}  |
| 46e0cf0a-82a1-4b59-ad3e-d36b5d196a1f |      | fa:16:3e:1c:55:b3 | {"subnet_id": "c353ccc5-663e-44b7-b79a-f88f1c19ed58", "ip_address": "10.50.0.1"}    |
| 4e1a78f0-1c80-4e3d-a291-59ae023cc62c |      | fa:16:3e:cc:39:dd | {"subnet_id": "533598bc-0bfd-4e92-9133-33ffe5043d57", "ip_address": "172.20.2.180"}  |
| 53c26101-ad75-4dcb-8835-04d9604c850c |      | fa:16:3e:5a:b1:1f | {"subnet_id": "1e69d4a3-9696-49c0-a5b7-5de71d7db0b5", "ip_address": "10.0.40.2"}    |
| 5a309284-8248-4b54-b1f2-35e132b0d7ca |      | fa:16:3e:b2:54:8f | {"subnet_id": "569cf8d4-8580-48a7-a340-c302653ee42d", "ip_address": "192.168.111.5"} |
| 6b1e3937-1444-44f1-bb7c-c18998fae304 |      | fa:16:3e:52:9e:e1 | {"subnet_id": "e9a37f40-ee02-455f-90c8-c36e74a1054a", "ip_address": "10.50.0.2"}    |
| 8157c81d-9424-4e99-b3ff-2e47f7ebadc1 |      | fa:16:3e:08:4b:06 | {"subnet_id": "69838436-ff18-40c4-bc62-8811e4ef6c7c", "ip_address": "192.168.44.3"}  |
| 87a51a6a-c617-4c06-872a-6b697172f92f |      | fa:16:3e:34:30:05 | {"subnet_id": "a95946db-5a8e-4be9-bd26-57c3f4fcea2d", "ip_address": "10.0.10.3"}    |
| 8cc3df94-ae84-4884-b69e-e8b485ff16c6 |      | fa:16:3e:87:71:ea | {"subnet_id": "69838436-ff18-40c4-bc62-8811e4ef6c7c", "ip_address": "192.168.44.1"}  |
| 91b2ae94-5409-4efe-983f-761f09349f5b |      | fa:16:3e:3f:70:77 | {"subnet_id": "569cf8d4-8580-48a7-a340-c302653ee42d", "ip_address": "192.168.111.1"} |
| a09456bc-bd42-468f-ba40-6dd92c5c31e2 |      | fa:16:3e:d7:0f:f6 | {"subnet_id": "a95946db-5a8e-4be9-bd26-57c3f4fcea2d", "ip_address": "10.0.10.4"}    |
| a665d369-7bd1-4936-95f3-53065e344d36 |      | fa:16:3e:07:ed:67 | {"subnet_id": "569cf8d4-8580-48a7-a340-c302653ee42d", "ip_address": "192.168.111.7"} |
| a774e963-2673-4141-8a3f-ae49eba380f3 |      | fa:16:3e:ae:cb:6a | {"subnet_id": "1e69d4a3-9696-49c0-a5b7-5de71d7db0b5", "ip_address": "10.0.40.1"}    |
| a77aa792-a7b0-4442-a4fa-db6cfd86e4a5 |      | fa:16:3e:56:76:80 | {"subnet_id": "38735191-b6be-487c-8f52-5fc4269cf4e1", "ip_address": "10.50.0.2"}    |
| b112ed35-97be-4114-b2a1-117b11a9f53b |      | fa:16:3e:ff:67:75 | {"subnet_id": "569cf8d4-8580-48a7-a340-c302653ee42d", "ip_address": "192.168.111.2"} |
| b2d3a5ef-47a6-420d-b9e1-9cd9381d1dff |      | fa:16:3e:7c:87:9a | {"subnet_id": "c353ccc5-663e-44b7-b79a-f88f1c19ed58", "ip_address": "10.50.0.2"}    |
| ba13ef3b-4862-4edc-9b15-c5e9f80dbf4b |      | fa:16:3e:f0:6b:8b | {"subnet_id": "0d8c8821-4a7e-44ba-8585-51321c453a2f", "ip_address": "192.168.45.1"}  |
| bbca9cfe-95cd-47d6-bb3c-7cee0af1e0d1 |      | fa:16:3e:4b:f3:92 | {"subnet_id": "5e3bdee7-577a-4f8a-898a-c0003822ac59", "ip_address": "10.20.30.3"}    |
| c10c0f39-c992-4a8d-b291-04daef23c47a |      | fa:16:3e:c3:89:7d | {"subnet_id": "0d8c8821-4a7e-44ba-8585-51321c453a2f", "ip_address": "192.168.45.2"}  |
| c662b531-69ec-4846-a5ad-93c1d3920325 |      | fa:16:3e:bd:6f:aa | {"subnet_id": "5e3bdee7-577a-4f8a-898a-c0003822ac59", "ip_address": "10.20.30.4"}    |
| ce67df9b-459c-40c0-90d3-16d12d45cc5b |      | fa:16:3e:da:0d:58 | {"subnet_id": "a95946db-5a8e-4be9-bd26-57c3f4fcea2d", "ip_address": "10.0.10.5"}    |
| d258aa11-43c0-4273-a8ed-24ac4317e407 |      | fa:16:3e:f1:40:d6 | {"subnet_id": "4e8728b4-3256-4025-a607-572f37c19eb1", "ip_address": "10.0.0.2"}      |
| d34c3b9d-b887-4289-a48b-5f37d28d279f |      | fa:16:3e:cb:3a:b9 | {"subnet_id": "d0da64ca-2e87-44da-a3bd-272370c0576b", "ip_address": "20.100.0.2"}    |
| dc83acb5-74e5-4b7a-bef3-4d15ffd135de |      | fa:16:3e:09:e3:23 | {"subnet_id": "7c303434-2b42-4c86-a46f-f33abd59526b", "ip_address": "10.0.0.2"}      |
| de75dcb9-057b-4829-a175-755b54862302 |      | fa:16:3e:39:34:31 | {"subnet_id": "69838436-ff18-40c4-bc62-8811e4ef6c7c", "ip_address": "192.168.44.5"}  |
| e755eec0-1c08-4845-ac98-19585cb517fd |      | fa:16:3e:52:b2:d8 | {"subnet_id": "69838436-ff18-40c4-bc62-8811e4ef6c7c", "ip_address": "192.168.44.4"}  |
| eb7b26ad-f919-49ff-9f3c-c63b962554e1 |      | fa:16:3e:d7:74:06 | {"subnet_id": "c353ccc5-663e-44b7-b79a-f88f1c19ed58", "ip_address": "10.50.0.3"}    |
| fdbe12fe-d3d6-4079-89fc-9a5c64a6205d |      | fa:16:3e:b3:77:e1 | {"subnet_id": "a95946db-5a8e-4be9-bd26-57c3f4fcea2d", "ip_address": "10.0.10.2"}    |
+--------------------------------------+------+-------------------+--------------------------------------------------------------------------------------+
root at node-8:~# neutron port-pair-list
+--------------------------------------+-------+--------------------------------------+--------------------------------------+
| id                                  | name  | ingress                              | egress                              |
+--------------------------------------+-------+--------------------------------------+--------------------------------------+
| 4cfdde43-aea7-4798-899c-b7c9828b665b | pair1 | de75dcb9-057b-4829-a175-755b54862302 | de75dcb9-057b-4829-a175-755b54862302 |
| c8800462-267e-49bb-ac39-b916dc97a20d | pair2 | 1731aae5-cd3a-4373-b9b9-6bca775ea4c6 | 1731aae5-cd3a-4373-b9b9-6bca775ea4c6 |
+--------------------------------------+-------+--------------------------------------+--------------------------------------+
root at node-8:~# neutron port-pair-group-list
+--------------------------------------+--------+-------------------------------------------+
| id                                  | name  | port_pairs                                |
+--------------------------------------+--------+-------------------------------------------+
| 3e1547c4-c970-4218-8ac8-a32b23d3e11a | group1 | [u'4cfdde43-aea7-4798-899c-b7c9828b665b'] |
| 3e3173c4-b4fd-4701-91f4-94220d8b8e41 | grout2 | [u'c8800462-267e-49bb-ac39-b916dc97a20d'] |
+--------------------------------------+--------+-------------------------------------------+
root at node-8:~# neutron flow-classifier-list
+--------------------------------------+-------+------------------------------------------------------------+
| id                                  | name  | summary                                                    |
+--------------------------------------+-------+------------------------------------------------------------+
| 4e97a8a5-cb22-4c21-8e30-65758859f501 | flow1 | protocol: TCP,                                            |
|                                      |      | source[port]: any[any:any],                                |
|                                      |      | destination[port]: any[any:any],                          |
|                                      |      | neutron_source_port: 8157c81d-9424-4e99-b3ff-2e47f7ebadc1, |
|                                      |      | neutron_destination_port: None,                            |
|                                      |      | l7_parameters: {}                                          |
| 7f37c1ba-abe6-44a0-9507-5b982c51028b | flow2 | protocol: TCP,                                            |
|                                      |      | source[port]: any[any:any],                                |
|                                      |      | destination[port]: any[any:any],                          |
|                                      |      | neutron_source_port: 0c88fc4a-83f7-4194-bb9c-1b5864795e18, |
|                                      |      | neutron_destination_port: None,                            |
|                                      |      | l7_parameters: {}                                          |
+--------------------------------------+-------+------------------------------------------------------------+
root at node-8:~# neutron port-chain-list
+--------------------------------------+--------+-------------------------------------------+-------------------------------------------+
| id                                  | name  | port_pair_groups                          | flow_classifiers                          |
+--------------------------------------+--------+-------------------------------------------+-------------------------------------------+
| d1070955-fae9-4483-be9e-0e30f2859282 | chain1 | [u'3e1547c4-c970-4218-8ac8-a32b23d3e11a'] | [u'4e97a8a5-cb22-4c21-8e30-65758859f501'] |
+--------------------------------------+--------+-------------------------------------------+-------------------------------------------+
root at node-8:~# neutron port-chain-create --flow-classifier 7f37c1ba-abe6-44a0-9507-5b982c51028b --port-pair-group 3e3173c4-b4fd-4701-91f4-94220d8b8e41 chain2
Flow Classifier 7f37c1ba-abe6-44a0-9507-5b982c51028b conflicts with Flow Classifier 4e97a8a5-cb22-4c21-8e30-65758859f501 in port chain d1070955-fae9-4483-be9e-0e30f2859282.
Neutron server returns request_ids: ['req-d70465cb-add9-4e35-ba9e-4ffca1233896']


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.openstack.org/pipermail/openstack-dev/attachments/20160731/3c0c5157/attachment.html>


More information about the OpenStack-dev mailing list