[Bug 2115795] Re: UDP fragmented packets not passing through in DPDK when destination port is defined
Brian Haley
2115795 at bugs.launchpad.net
Thu Jul 17 16:23:47 UTC 2025
Just to add a note, when we do something like the following, things seem
to work:
ovs-ofctl -O OpenFlow13 add-flow br-int \
  "table=0,priority=101,ip,ct_state=-trk,actions=ct(table=0)"
ovs-ofctl -O OpenFlow13 add-flow br-int \
  "table=44,priority=2003,ip,ct_nw_proto=17,ct_tp_dst=5060,ct_state=+new+trk,actions=ct(commit),normal,resubmit(,45)"
The first command in essence matches IP packets that have not yet been
tracked by conntrack, and adds various attributes around the connection
tracker. The second command then matches the connection tracker
destination port that is UDP (ct_nw_proto=17) as required.
--
https://bugs.launchpad.net/bugs/2115795
Title:
UDP fragmented packets not passing through in DPDK when destination
port is defined
Status in ovn package in Ubuntu:
Confirmed
Bug description:
[ Versions of Software]
OS: jammy (22.04)
Openstack: yoga
openvswitch: 3.3.4
dpdk: 23.11.4
ovn: 22.03.3
[ Test Scenario ]
1. Create 2 instances in openstack on 2 different hypervisors
2. Create a security group similar to something below
$ openstack security group rule list 9c9f4cce-8f61-4f9a-b542-776fb6d55099 --long
+--------------------------------------+-------------+-----------+------------+-----------+-----------+-----------------------+
| ID | IP Protocol | IP Range | Port Range | Direction | Ethertype | Remote Security Group |
+--------------------------------------+-------------+-----------+------------+-----------+-----------+-----------------------+
| dda781f2-1517-44d7-91fe-ad095bd194c9 | udp | 0.0.0.0/0 | 9080:9080 | ingress | IPv4 | None |
| eb7da79a-efd4-40d0-a0f6-21df88955185 | None | None | | egress | IPv4 | None |
| 04c41dab-cf56-4aba-9082-6048a333fb62 | None | None | | egress | IPv6 | None |
+--------------------------------------+-------------+-----------+------------+-----------+-----------+-----------------------+
3. Add the security group to the second instance
4. Create a scapy script similar to the contents in the attached file udp_pkt_gen.py
5. Update the script to reflect the source IP/port and destination IP/port
6. Run the script on the source host
7. Monitor the tcpdump on the second host or the virtual interface on the hypervisor
tcpdump -i <interface> not arp
8. Now add an all-encompassing rule, and remove the security group for
port 9080
openstack security group rule create --ethertype IPv4 --protocol UDP \
  --ingress 9c9f4cce-8f61-4f9a-b542-776fb6d55099
9. Now you will see the packets coming through
Looking through the OpenFlow tables in ovs, we see the following for just port 9080
```
cookie=0xd5b295, duration=1754.469s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x80/0x80,reg15=0x3,metadata=0x11,tp_dst=9080 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xd5b295, duration=1754.469s, table=44, n_packets=1686, n_bytes=709806, priority=2002,udp,reg0=0x80/0x80,reg15=0x6,metadata=0x11,tp_dst=9080 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0x7933a8de, duration=1754.469s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x100/0x100,reg15=0x6,metadata=0x11,tp_dst=9080 actions=resubmit(,45)
cookie=0x7933a8de, duration=1754.469s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x100/0x100,reg15=0x3,metadata=0x11,tp_dst=9080 actions=resubmit(,45)
```
Now if you remove the port-specific security group and add the
all-encompassing UDP port rule, you will get the following rules in
OpenFlow, and this is where we do get the packets through
```
cookie=0x2e62bb04, duration=82.161s, table=44, n_packets=246, n_bytes=202868, priority=2002,udp,reg0=0x80/0x80,reg15=0x6,metadata=0x11 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0x2e62bb04, duration=82.161s, table=44, n_packets=146, n_bytes=146949, priority=2002,udp,reg0=0x80/0x80,reg15=0x3,metadata=0x11 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xf0c033d8, duration=82.161s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x100/0x100,reg15=0x6,metadata=0x11 actions=resubmit(,45)
cookie=0xf0c033d8, duration=82.161s, table=44, n_packets=0, n_bytes=0, priority=2002,udp,reg0=0x100/0x100,reg15=0x3,metadata=0x11 actions=resubmit(,45)
```
As an added item to test, we also tried to add the following rule to
the port only rule, to allow fragmented packets, but this would allow
all packets no matter what the port was, so this was not the right
route for this.
ovs-ofctl -O OpenFlow13 add-flow br-int \
  "table=44,priority=2005,ip,nw_frag=yes,reg0=0x200/0x200,reg15=0x3,metadata=0x11,actions=resubmit(,45)"
[Things to look at]
https://issues.redhat.com/browse/FDP-1175
This issue was already solved in the latest commits, and the version we were using (3.3.4) has this change
https://issues.redhat.com/browse/FDP-684
Although this issue suggests packets on fragments, the codebase seems to only touch the LB functions.
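Background on why a port-specific rule and fragmentation interact, as an added example that is not part of the bug report and is not OVS or OVN code: only the first IPv4 fragment carries the UDP header, so a per-packet match on the destination port cannot see the port in later fragments, whereas a match made after reassembly (the `ct` action reassembles fragments before `ct_tp_dst` is evaluated) can. The function names, addresses and sample datagram are constructed for illustration, and the matchers are a simplified model rather than the OVS datapath.

```python
import struct
from collections import defaultdict

UDP = 17

def udp_datagram(sport, dport, payload):
    """UDP header (checksum left 0) followed by the payload."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def fragment(src, dst, ip_id, l4, step=1480):
    """Split an IPv4 payload into fragments; step must be a multiple of 8."""
    return [{"src": src, "dst": dst, "proto": UDP, "id": ip_id,
             "frag_off": off // 8, "mf": off + step < len(l4),
             "data": l4[off:off + step]}
            for off in range(0, len(l4), step)]

def visible_dport(frag):
    """Destination port readable from this packet alone, or None."""
    if frag["frag_off"] != 0 or len(frag["data"]) < 8:
        return None  # later fragments start mid-payload: no UDP header
    return struct.unpack("!H", frag["data"][2:4])[0]

def stateless_match(frag, port):
    """Model of a per-packet 'udp,tp_dst=<port>' style match."""
    return frag["proto"] == UDP and visible_dport(frag) == port

def reassembled_match(frags, port):
    """Model of matching after reassembly: one verdict per datagram."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f["src"], f["dst"], f["proto"], f["id"])].append(f)
    verdicts = {}
    for key, parts in groups.items():
        parts.sort(key=lambda f: f["frag_off"])
        if parts[0]["frag_off"] != 0 or parts[-1]["mf"]:
            verdicts[key] = False  # first or last fragment missing
            continue
        whole = b"".join(p["data"] for p in parts)
        verdicts[key] = struct.unpack("!H", whole[2:4])[0] == port
    return verdicts

def demo():
    # Constructed sample: 3000-byte payload to port 9080 -> three fragments.
    frags = fragment("192.0.2.10", "192.0.2.20", 0x1234,
                     udp_datagram(40000, 9080, b"A" * 3000))
    return ([stateless_match(f, 9080) for f in frags],
            reassembled_match(frags, 9080))

if __name__ == "__main__":
    print(demo())
```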