Tim Rozet trozet

## gist:72feb8e17e8297db09759a926d3ff130
2024-05-21T19:30:14.6972027Z I0521 19:30:14.678005   26393 obj_retry.go:432] Stop channel got triggered: will stop retrying failed objects of type *v1.Node
2024-05-21T19:30:14.6972926Z I0521 19:30:14.678044   26393 watch.go:183] Stopping fake watcher.
2024-05-21T19:30:14.6973869Z I0521 19:30:14.678154   26393 reflector.go:295] Stopping reflector *v1.Service (0s) from k8s.io/client-go/informers/factory.go:159
2024-05-21T19:30:14.6974905Z E0521 19:30:14.678081   26393 shared_informer.go:314] unable to sync caches for node-tracker-controller
2024-05-21T19:30:14.6975814Z I0521 19:30:14.678264   26393 services_controller.go:181] Shutting down controller ovn-lb-controller
2024-05-21T19:30:14.6976828Z E0521 19:30:14.678303   26393 ovn.go:458] Error running OVN Kubernetes Services controller: error syncing node tracker handler
2024-05-21T19:30:14.6977620Z I0521 19:30:14.678291   26393 watch.go:183] Stopping fake watcher.
2024-05-21T19:30:14.6978160Z I0521 19:30:14.678320   26393 watch.go:183] Stopping fake watcher.
2

## no_undnat_enable_router_port_acl
[root@ovn-worker2 ~]# ovs-dpctl dump-flows
recirc_id(0x48),in_port(2),ct_state(+new-est-rel-rpl-inv+trk),ct_mark(0/0x1),eth(src=66:49:b8:4b:12:3e,dst=0a:58:0a:f4:01:05),eth_type(0x0800),ipv4(src=10.244.1.2,dst=10.244.1.5,frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=19,mark=0/0x1,nat(src)),6
recirc_id(0),in_port(3),skb_mark(0),eth(dst=02:42:ac:12:00:03),eth_type(0x0800),ipv4(proto=6,frag=no),tcp(dst=8192/0xe000), packets:797, bytes:70414, used:0.004s, flags:SP., actions:ct(zone=64000,nat),recirc(0x27)
recirc_id(0),in_port(3),eth(dst=02:42:ac:12:00:03),eth_type(0x0800),ipv4(proto=17,frag=no),udp(dst=6081), packets:1, bytes:132, used:0.753s, actions:4
recirc_id(0x46),tunnel(tun_id=0xff0003,src=172.18.0.2,dst=172.18.0.3,geneve({}{}),flags(-df+csum+key)),in_port(5),ct_state(+new-est-rel-rpl-inv+trk),ct_mark(0/0x1),eth(src=0a:58:0a:f4:01:01,dst=00:00:00:00:00:00/01:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.244.0.0/255.255.255.0,frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=

## basic.yaml
---
apiVersion: v1
kind: Pod
metadata:
  name: client
  labels:
    pod-name: client
    role: webserver
      #app: spk-coredns
spec:

## gist:627a77d5360e573c1919559f928ab812
[root@ovn-control-plane ~]# ovs-appctl ofproto/trace --ct-next trk,rpl --ct-next trk,rpl br-int in_port=3,tun_id=16711683,tun_metadata0=262147,dl_src=0a:58:2b:22:eb:86,dl_dst=0a:58:92:3f:71:e5,tcp6,tp_src=8080,tp_dst=43434,ipv6_dst=fd00:10:244:1::7,ipv6_src=fc00:f853:ccd:e793::4,nw_ttl=254 | ovn-detrace
Flow: tcp6,tun_id=0xff0003,in_port=3,vlan_tci=0x0000,dl_src=0a:58:2b:22:eb:86,dl_dst=0a:58:92:3f:71:e5,ipv6_src=fc00:f853:ccd:e793::4,ipv6_dst=fd00:10:244:1::7,ipv6_label=0x00000,nw_tos=0,nw_ecn=0,nw_ttl=254,nw_frag=no,tp_src=8080,tp_dst=43434,tcp_flags=0

bridge("br-int")
----------------
0. in_port=3, priority 100
move:NXM_NX_TUN_ID[0..23]->OXM_OF_METADATA[0..23]
-> OXM_OF_METADATA[0..23] is now 0xff0003
move:NXM_NX_TUN_METADATA0[16..30]->NXM_NX_REG14[0..14]
-> NXM_NX_REG14[0..14] is now 0x4

## gist:ffd71554812969514c401b48c1033920
[root@ovn-control-plane ~]#  ovn-trace  --ct trk,rpl --ct trk,rpl transit_switch  'inport == "tstor-ovn-worker" && eth.src ==0a:58:2b:22:eb:86 && eth.dst==0a:58:92:3f:71:e5 && ip6  && ip.ttl==64 && ip6.src==fc00:f853:ccd:e793::4 && ip6.dst==fd00:10:244:1::7 && tcp && tcp.src == 8080 && tcp.dst ==43434'
2024-04-17T17:08:05Z|00001|ovntrace|WARN|ct.new && !ct.rel && ip6 && ip6.dst == ^NODEIP_IPv6_0 && tcp && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
2024-04-17T17:08:05Z|00002|ovntrace|WARN|ct.new && ip6.dst == ^NODEIP_IPv6_0 && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
2024-04-17T17:08:05Z|00003|ovntrace|WARN|reg0[2] == 1 && ip6.dst == ^NODEIP_IPv6_0 && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
2024-04-17T17:08:05Z|00004|ovntrace|WARN|ip && ip6.dst == ^NODEIP_IPv6_0: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
#

## gist:a900192ce0a84396d466f27ce2796d0f
### ebpf
#include <linux/bpf.h>
#include <linux/if_ether.h>
#include <linux/ip.h>
#include <linux/in.h>
#include <linux/tcp.h>

struct data_t {
    __u32 src_ip;
    __u32 dst_ip;

## gist:41b4e8f381154e74e257d2e0693d8a3c
[trozet@fedora 250-nodetracker]$ cat must-gather.local.3877710284032856534/inspect.local.4295100335563262757/namespaces/openshift-ovn-kubernetes/pods/ovnkube-node-5ksf5/ovnkube-controller/ovnkube-controller/logs/current.log | grep -E 'Starting controller|router changed, syncing services| Node tracker sync took|Full service sync requested'
2024-01-16T02:33:18.213324326Z I0116 02:33:18.213311    3961 services_controller.go:163] Starting controller ovn-lb-controller
2024-01-16T02:33:18.213864591Z I0116 02:33:18.213856    3961 node_tracker.go:185] Node ip-10-0-236-9.us-west-2.compute.internal switch + router changed, syncing services
2024-01-16T02:33:18.214366306Z I0116 02:33:18.214357    3961 services_controller.go:513] Full service sync requested
2024-01-16T02:33:18.238191487Z I0116 02:33:18.238179    3961 node_tracker.go:185] Node ip-10-0-149-39.us-west-2.compute.internal switch + router changed, syncing services
2024-01-16T02:33:18.238242960Z I0116 02:33:18.238234    3961 services_controller.go:513] Full serv

## gist:4f54ec9f3fbdb6bc17c5515360cde1c3
pkt received on worker node:

01:30:41.176263   M 00:07:35:c0:23:cd ethertype IPv6 (0x86dd), length 88: (flowlabel 0x8e949, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::207:35ff:fec0:23cd > ff02::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fd2e:6f44:5dd8:c956::18, Flags [override]
          destination link-address option (2), length 8 (1): 00:07:35:c0:23:cd

datapath flow:
recirc_id(0xd),in_port(1),ct_state(-new-est-rel+trk),ct_mark(0),eth(src=00:07:35:c0:23:cd,dst=33:33:00:00:00:01),eth_type(0x86dd),ipv6(src=fe80::207:35ff:fec0:23cd,dst=ff02::1,proto=58,hlimit=255,frag=no),icmpv6(type=136,code=0), packets:27611, bytes:2374546, used:0.002s, actions:2,check_pkt_len(size=1414,gt(sample(sample=100.0%,actions(meter(3),userspace(pid=4294967295,controller(reason=1,dont_send=0,continuation=0,recirc_id=25194,rule_cookie=0x25862262,controller_id=0,max_len=65535))))),le(drop)


mac is not changing:

## gist:025d8afe714ef3c724d063bcfe1b4ac6
#### setup, client curling a service with session affinity that is backed by server and server-sdn pods


[trozet@fedora test]$ oc get service
NAME          TYPE           CLUSTER-IP       EXTERNAL-IP                            PORT(S)           AGE
kubernetes    ClusterIP      172.30.0.1       <none>                                 443/TCP           46m
my-service1   ClusterIP      172.30.189.139   <none>                                 1337/UDP,80/TCP   5m5s
openshift     ExternalName   <none>           kubernetes.default.svc.cluster.local   <none>            41m


## np_portrange.txt
## NP with port range

---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: default-deny-egress
spec:
  podSelector:
  policyTypes:
	2024-05-21T19:30:14.6972027Z I0521 19:30:14.678005 26393 obj_retry.go:432] Stop channel got triggered: will stop retrying failed objects of type *v1.Node
	2024-05-21T19:30:14.6972926Z I0521 19:30:14.678044 26393 watch.go:183] Stopping fake watcher.
	2024-05-21T19:30:14.6973869Z I0521 19:30:14.678154 26393 reflector.go:295] Stopping reflector *v1.Service (0s) from k8s.io/client-go/informers/factory.go:159
	2024-05-21T19:30:14.6974905Z E0521 19:30:14.678081 26393 shared_informer.go:314] unable to sync caches for node-tracker-controller
	2024-05-21T19:30:14.6975814Z I0521 19:30:14.678264 26393 services_controller.go:181] Shutting down controller ovn-lb-controller
	2024-05-21T19:30:14.6976828Z E0521 19:30:14.678303 26393 ovn.go:458] Error running OVN Kubernetes Services controller: error syncing node tracker handler
	2024-05-21T19:30:14.6977620Z I0521 19:30:14.678291 26393 watch.go:183] Stopping fake watcher.
	2024-05-21T19:30:14.6978160Z I0521 19:30:14.678320 26393 watch.go:183] Stopping fake watcher.
	2
	[root@ovn-worker2 ~]# ovs-dpctl dump-flows
	recirc_id(0x48),in_port(2),ct_state(+new-est-rel-rpl-inv+trk),ct_mark(0/0x1),eth(src=66:49:b8:4b:12:3e,dst=0a:58:0a:f4:01:05),eth_type(0x0800),ipv4(src=10.244.1.2,dst=10.244.1.5,frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=19,mark=0/0x1,nat(src)),6
	recirc_id(0),in_port(3),skb_mark(0),eth(dst=02:42:ac:12:00:03),eth_type(0x0800),ipv4(proto=6,frag=no),tcp(dst=8192/0xe000), packets:797, bytes:70414, used:0.004s, flags:SP., actions:ct(zone=64000,nat),recirc(0x27)
	recirc_id(0),in_port(3),eth(dst=02:42:ac:12:00:03),eth_type(0x0800),ipv4(proto=17,frag=no),udp(dst=6081), packets:1, bytes:132, used:0.753s, actions:4
	recirc_id(0x46),tunnel(tun_id=0xff0003,src=172.18.0.2,dst=172.18.0.3,geneve({}{}),flags(-df+csum+key)),in_port(5),ct_state(+new-est-rel-rpl-inv+trk),ct_mark(0/0x1),eth(src=0a:58:0a:f4:01:01,dst=00:00:00:00:00:00/01:00:00:00:00:00),eth_type(0x0800),ipv4(src=10.244.0.0/255.255.255.0,frag=no), packets:0, bytes:0, used:never, actions:ct(commit,zone=
	---
	apiVersion: v1
	kind: Pod
	metadata:
	name: client
	labels:
	pod-name: client
	role: webserver
	#app: spk-coredns
	spec:
	[root@ovn-control-plane ~]# ovs-appctl ofproto/trace --ct-next trk,rpl --ct-next trk,rpl br-int in_port=3,tun_id=16711683,tun_metadata0=262147,dl_src=0a:58:2b:22:eb:86,dl_dst=0a:58:92:3f:71:e5,tcp6,tp_src=8080,tp_dst=43434,ipv6_dst=fd00:10:244:1::7,ipv6_src=fc00:f853:ccd:e793::4,nw_ttl=254 \| ovn-detrace
	Flow: tcp6,tun_id=0xff0003,in_port=3,vlan_tci=0x0000,dl_src=0a:58:2b:22:eb:86,dl_dst=0a:58:92:3f:71:e5,ipv6_src=fc00:f853:ccd:e793::4,ipv6_dst=fd00:10:244:1::7,ipv6_label=0x00000,nw_tos=0,nw_ecn=0,nw_ttl=254,nw_frag=no,tp_src=8080,tp_dst=43434,tcp_flags=0

	bridge("br-int")
	----------------
	0. in_port=3, priority 100
	move:NXM_NX_TUN_ID[0..23]->OXM_OF_METADATA[0..23]
	-> OXM_OF_METADATA[0..23] is now 0xff0003
	move:NXM_NX_TUN_METADATA0[16..30]->NXM_NX_REG14[0..14]
	-> NXM_NX_REG14[0..14] is now 0x4
	[root@ovn-control-plane ~]# ovn-trace --ct trk,rpl --ct trk,rpl transit_switch 'inport == "tstor-ovn-worker" && eth.src ==0a:58:2b:22:eb:86 && eth.dst==0a:58:92:3f:71:e5 && ip6 && ip.ttl==64 && ip6.src==fc00:f853:ccd:e793::4 && ip6.dst==fd00:10:244:1::7 && tcp && tcp.src == 8080 && tcp.dst ==43434'
	2024-04-17T17:08:05Z\|00001\|ovntrace\|WARN\|ct.new && !ct.rel && ip6 && ip6.dst == ^NODEIP_IPv6_0 && tcp && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
	2024-04-17T17:08:05Z\|00002\|ovntrace\|WARN\|ct.new && ip6.dst == ^NODEIP_IPv6_0 && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
	2024-04-17T17:08:05Z\|00003\|ovntrace\|WARN\|reg0[2] == 1 && ip6.dst == ^NODEIP_IPv6_0 && tcp.dst == 30926: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
	2024-04-17T17:08:05Z\|00004\|ovntrace\|WARN\|ip && ip6.dst == ^NODEIP_IPv6_0: parsing expression failed (Syntax error at `NODEIP_IPv6_0' expecting constant.)
	#
	### ebpf
	#include <linux/bpf.h>
	#include <linux/if_ether.h>
	#include <linux/ip.h>
	#include <linux/in.h>
	#include <linux/tcp.h>

	struct data_t {
	__u32 src_ip;
	__u32 dst_ip;
	[trozet@fedora 250-nodetracker]$ cat must-gather.local.3877710284032856534/inspect.local.4295100335563262757/namespaces/openshift-ovn-kubernetes/pods/ovnkube-node-5ksf5/ovnkube-controller/ovnkube-controller/logs/current.log \| grep -E 'Starting controller\|router changed, syncing services\| Node tracker sync took\|Full service sync requested'
	2024-01-16T02:33:18.213324326Z I0116 02:33:18.213311 3961 services_controller.go:163] Starting controller ovn-lb-controller
	2024-01-16T02:33:18.213864591Z I0116 02:33:18.213856 3961 node_tracker.go:185] Node ip-10-0-236-9.us-west-2.compute.internal switch + router changed, syncing services
	2024-01-16T02:33:18.214366306Z I0116 02:33:18.214357 3961 services_controller.go:513] Full service sync requested
	2024-01-16T02:33:18.238191487Z I0116 02:33:18.238179 3961 node_tracker.go:185] Node ip-10-0-149-39.us-west-2.compute.internal switch + router changed, syncing services
	2024-01-16T02:33:18.238242960Z I0116 02:33:18.238234 3961 services_controller.go:513] Full serv
	pkt received on worker node:

	01:30:41.176263 M 00:07:35:c0:23:cd ethertype IPv6 (0x86dd), length 88: (flowlabel 0x8e949, hlim 255, next-header ICMPv6 (58) payload length: 32) fe80::207:35ff:fec0:23cd > ff02::1: [icmp6 sum ok] ICMP6, neighbor advertisement, length 32, tgt is fd2e:6f44:5dd8:c956::18, Flags [override]
	destination link-address option (2), length 8 (1): 00:07:35:c0:23:cd

	datapath flow:
	recirc_id(0xd),in_port(1),ct_state(-new-est-rel+trk),ct_mark(0),eth(src=00:07:35:c0:23:cd,dst=33:33:00:00:00:01),eth_type(0x86dd),ipv6(src=fe80::207:35ff:fec0:23cd,dst=ff02::1,proto=58,hlimit=255,frag=no),icmpv6(type=136,code=0), packets:27611, bytes:2374546, used:0.002s, actions:2,check_pkt_len(size=1414,gt(sample(sample=100.0%,actions(meter(3),userspace(pid=4294967295,controller(reason=1,dont_send=0,continuation=0,recirc_id=25194,rule_cookie=0x25862262,controller_id=0,max_len=65535))))),le(drop)


	mac is not changing:
	#### setup, client curling a service with session affinity that is backed by server and server-sdn pods


	[trozet@fedora test]$ oc get service
	NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
	kubernetes ClusterIP 172.30.0.1 <none> 443/TCP 46m
	my-service1 ClusterIP 172.30.189.139 <none> 1337/UDP,80/TCP 5m5s
	openshift ExternalName <none> kubernetes.default.svc.cluster.local <none> 41m
	## NP with port range

	---
	apiVersion: networking.k8s.io/v1
	kind: NetworkPolicy
	metadata:
	name: default-deny-egress
	spec:
	podSelector:
	policyTypes: