openvswitch / ovs-issues

Issue tracker repo for Open vSwitch

OVS 2.17.3 TCP port + TCP flags matching doesn't work #272

Closed GraysonWu closed 1 year ago

GraysonWu commented 1 year ago

What I'm trying to do

I want to match the first packet which contains the actual data from a TCP connection. So I used tp_dst=80,tcp_flags=+psh to match the data packet instead of TCP handshake packets.

Issues I met

tp_dst=80,tcp_flags=+psh couldn't match the packet that should be matched in OVS 2.17.3. But in OVS 2.17.0, it works.

Another weird behavior:

If I only have one flow priority=201,tcp,tp_dst=80,tcp_flags=+psh, it doesn't match any packets. But if I add a flow with a lower priority without the port matching field like this: priority=200,tcp,tcp_flags=+psh, the first flow with priority=201 will start to match packets and priority=200 won't match any packets.

More details

I added the flow below, but it couldn't match any packets.

n_packets=0, n_bytes=0, priority=201,tcp,tp_dst=80,tcp_flags=+psh actions=drop

BTW, I use actions=drop just for debugging. In actual usage, I will send the packet to the controller for further processing.

tcpdump results

22:52:17.906252 IP cl-765d6d854f-ws5nc.35490 > nuq04s42-in-f14.1e100.net.80: Flags [S], seq 541246701, win 64860, options [mss 1410,sackOK,TS val 453038453 ecr 0,nop,wscale 7], length 0
22:52:17.908491 IP nuq04s42-in-f14.1e100.net.80 > cl-765d6d854f-ws5nc.35490: Flags [S.], seq 20604252, ack 541246702, win 65535, options [mss 1360,sackOK,TS val 1430566167 ecr 453038453,nop,wscale 8], length 0
22:52:17.908521 IP cl-765d6d854f-ws5nc.35490 > nuq04s42-in-f14.1e100.net.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 453038455 ecr 1430566167], length 0
22:52:17.908623 IP cl-765d6d854f-ws5nc.35490 > nuq04s42-in-f14.1e100.net.80: Flags [P.], seq 1:75, ack 1, win 507, options [nop,nop,TS val 453038455 ecr 1430566167], length 74: HTTP: GET / HTTP/1.1
22:52:17.911174 IP nuq04s42-in-f14.1e100.net.80 > cl-765d6d854f-ws5nc.35490: Flags [.], ack 75, win 256, options [nop,nop,TS val 1430566170 ecr 453038455], length 0
22:52:17.934166 IP nuq04s42-in-f14.1e100.net.80 > cl-765d6d854f-ws5nc.35490: Flags [P.], seq 1:529, ack 75, win 256, options [nop,nop,TS val 1430566192 ecr 453038455], length 528: HTTP: HTTP/1.1 301 Moved Permanently
22:52:17.934206 IP cl-765d6d854f-ws5nc.35490 > nuq04s42-in-f14.1e100.net.80: Flags [.], ack 529, win 503, options [nop,nop,TS val 453038481 ecr 1430566192], length 0
22:52:17.934413 IP cl-765d6d854f-ws5nc.35490 > nuq04s42-in-f14.1e100.net.80: Flags [F.], seq 75, ack 529, win 503, options [nop,nop,TS val 453038481 ecr 1430566192], length 0
22:52:17.936141 IP nuq04s42-in-f14.1e100.net.80 > cl-765d6d854f-ws5nc.35490: Flags [F.], seq 529, ack 76, win 256, options [nop,nop,TS val 1430566195 ecr 453038481], length 0
22:52:17.936173 IP cl-765d6d854f-ws5nc.35490 > nuq04s42-in-f14.1e100.net.80: Flags [.], ack 530, win 503, options [nop,nop,TS val 453038483 ecr 1430566195], length 0

As you can see, the TCP request is successfully completed. The packet below is received by the server and not dropped.

22:52:17.908623 IP cl-765d6d854f-ws5nc.35490 > nuq04s42-in-f14.1e100.net.80: Flags [P.], seq 1:75, ack 1, win 507, options [nop,nop,TS val 453038455 ecr 1430566167], length 74: HTTP: GET / HTTP/1.1

BUT, after I add a lower-priority flow, the higher-priority flow starts to work and only the higher-priority flow gets hit.

n_packets=14, n_bytes=1960, priority=201,tcp,tp_dst=80,tcp_flags=+psh actions=drop
n_packets=0, n_bytes=0, priority=200,tcp,tcp_flags=+psh actions=drop

tcpdump results

22:52:41.816364 IP cl-765d6d854f-ws5nc.57500 > nuq04s42-in-f14.1e100.net.80: Flags [S], seq 1191647410, win 64860, options [mss 1410,sackOK,TS val 453062363 ecr 0,nop,wscale 7], length 0
22:52:41.818742 IP nuq04s42-in-f14.1e100.net.80 > cl-765d6d854f-ws5nc.57500: Flags [S.], seq 984747537, ack 1191647411, win 65535, options [mss 1360,sackOK,TS val 3552515209 ecr 453062363,nop,wscale 8], length 0
22:52:41.818782 IP cl-765d6d854f-ws5nc.57500 > nuq04s42-in-f14.1e100.net.80: Flags [.], ack 1, win 507, options [nop,nop,TS val 453062365 ecr 3552515209], length 0
22:52:41.818864 IP cl-765d6d854f-ws5nc.57500 > nuq04s42-in-f14.1e100.net.80: Flags [P.], seq 1:75, ack 1, win 507, options [nop,nop,TS val 453062365 ecr 3552515209], length 74: HTTP: GET / HTTP/1.1
22:52:42.019271 IP cl-765d6d854f-ws5nc.57500 > nuq04s42-in-f14.1e100.net.80: Flags [P.], seq 1:75, ack 1, win 507, options [nop,nop,TS val 453062566 ecr 3552515209], length 74: HTTP: GET / HTTP/1.1
22:52:42.223276 IP cl-765d6d854f-ws5nc.57500 > nuq04s42-in-f14.1e100.net.80: Flags [P.], seq 1:75, ack 1, win 507, options [nop,nop,TS val 453062770 ecr 3552515209], length 74: HTTP: GET / HTTP/1.1
22:52:42.647289 IP cl-765d6d854f-ws5nc.57500 > nuq04s42-in-f14.1e100.net.80: Flags [P.], seq 1:75, ack 1, win 507, options [nop,nop,TS val 453063194 ecr 3552515209], length 74: HTTP: GET / HTTP/1.1
22:52:43.479294 IP cl-765d6d854f-ws5nc.57500 > nuq04s42-in-f14.1e100.net.80: Flags [P.], seq 1:75, ack 1, win 507, options [nop,nop,TS val 453064026 ecr 3552515209], length 74: HTTP: GET / HTTP/1.1

The client keeps resending the packet that is matched and dropped.


Hope someone could help me out. Thank you a lot!!! Also, I'm not an OVS expert, so if I misunderstood anything please let me know.
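To make the expected behaviour concrete, here is an added example (not code from the issue or from Open vSwitch) that evaluates the report's match expressions against an abridged copy of the capture above, using the `+flag`/`-flag` semantics of `tcp_flags` from ovs-fields(7). The hostnames `client`/`server`, the `CAPTURE` string and all function names are constructed for this example; it shows the `n_packets` a correct classifier should report, 1 for the priority=201 flow.

```python
import re

# tcpdump flag letters -> OVS tcp_flags names (ovs-fields(7) naming)
TCPDUMP_FLAGS = {"F": "fin", "S": "syn", "R": "rst", "P": "psh",
                 ".": "ack", "U": "urg", "E": "ece", "W": "cwr"}
LINE_RE = re.compile(r"^\S+ IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")

# Constructed capture, abridged from the report's tcpdump output.
CAPTURE = """\
22:52:17.906252 IP client.35490 > server.80: Flags [S], seq 541246701, win 64860, length 0
22:52:17.908491 IP server.80 > client.35490: Flags [S.], seq 20604252, ack 541246702, win 65535, length 0
22:52:17.908521 IP client.35490 > server.80: Flags [.], ack 1, win 507, length 0
22:52:17.908623 IP client.35490 > server.80: Flags [P.], seq 1:75, ack 1, win 507, length 74: HTTP: GET / HTTP/1.1
22:52:17.934166 IP server.80 > client.35490: Flags [P.], seq 1:529, ack 75, win 256, length 528: HTTP: HTTP/1.1 301 Moved Permanently
22:52:17.934413 IP client.35490 > server.80: Flags [F.], seq 75, ack 529, win 503, length 0
"""

def parse_tcpdump(line):
    """Return (dst_port, set_of_flag_names) for one tcpdump line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    flags = {TCPDUMP_FLAGS[c] for c in m.group(5) if c in TCPDUMP_FLAGS}
    return int(m.group(4)), flags

def parse_match(match):
    """Parse the subset of ovs-ofctl match syntax used in the report: 'tcp',
    'tp_dst=N' and 'tcp_flags=+a-b' (+ must be set, - must be clear, rest don't-care)."""
    spec = {"tp_dst": None, "set": set(), "clear": set()}
    for field in match.split(","):
        key, _, value = field.partition("=")
        if key == "tcp":
            continue
        if key == "tp_dst":
            spec["tp_dst"] = int(value)
        elif key == "tcp_flags":
            for sign, name in re.findall(r"([+-])([a-z]+)", value):
                spec["set" if sign == "+" else "clear"].add(name)
        else:
            raise ValueError(f"unsupported field {key}")
    return spec

def packet_matches(pkt, spec):
    dst_port, flags = pkt
    if spec["tp_dst"] is not None and dst_port != spec["tp_dst"]:
        return False
    return spec["set"] <= flags and not (spec["clear"] & flags)

def expected_hits(capture, match):
    """Count packets the flow should hit, i.e. the n_packets a correct classifier shows."""
    spec = parse_match(match)
    pkts = [p for p in map(parse_tcpdump, capture.splitlines()) if p]
    return sum(packet_matches(p, spec) for p in pkts)
```

Running `expected_hits(CAPTURE, "tcp,tp_dst=80,tcp_flags=+psh")` gives 1 (only the client's GET), which is what the priority=201 flow's n_packets should have been in the first test rather than 0.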

igsilya commented 1 year ago

Hi. Thanks for the report! This turned out to be a bug in the classifier. I posted a potential fix here: https://patchwork.ozlabs.org/project/openvswitch/patch/20230217200959.307041-1-i.maximets@ovn.org/ If you can try it out, that would be great.

GraysonWu commented 1 year ago

> Hi. Thanks for the report! This turned out to be a bug in the classifier. I posted a potential fix here: https://patchwork.ozlabs.org/project/openvswitch/patch/20230217200959.307041-1-i.maximets@ovn.org/ If you can try it out, that would be great.

Hi Ilya, thanks for the fix. I tested it in my use cases and it works!

igsilya commented 1 year ago

Thanks! The fix was applied as commit https://github.com/openvswitch/ovs/commit/489553b1c21692063931a9f50b6849b23128443c. Backported all the way down to 2.13.

On branch-2.17 it is https://github.com/openvswitch/ovs/commit/132fa24b656e1bc45b6ce8ee9ab0206fa6930f65.