From 8a9f48c2f146476f1e46da4144b77e38d712673c Mon Sep 17 00:00:00 2001

From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>

Date: Wed, 9 Dec 2020 12:25:31 +0100

Subject: [PATCH 1/7] northd: add reject action for lb with no backends

Introduce the capability to create a load balancer with no backends and

with --reject option in order to send a TCP reset segment (for tcp) or

an ICMP port unreachable packet (for all other kind of traffic) whenever

an incoming packet is received for this load-balancer.

Tested-by: Antonio Ojea <aojeagar@redhat.com>

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>

Acked-by: Mark Michelson <mmichels@redhat.com>

Signed-off-by: Numan Siddique <numans@ovn.org>

(cherry-picked from master commit ebbcd8e8cc5000d50691e72edfde7ede4a906ade)

Change-Id: I5676901df564ecf978455319cfcddd24c2efdae4

---

 lib/lb.c                  |  2 ++

 lib/lb.h                  |  1 +

 northd/ovn-northd.8.xml   | 19 +++++++++++++++++

 northd/ovn-northd.c       | 44 ++++++++++++++++++++++++++-------------

 ovn-nb.ovsschema          |  9 ++++++--

 ovn-nb.xml                | 10 +++++++++

 tests/ovn-northd.at       | 25 ++++++++++++++++++++++

 tests/system-ovn.at       | 28 ++++++++++++++++++++++++-

 utilities/ovn-nbctl.8.xml | 11 +++++++++-

 utilities/ovn-nbctl.c     |  7 ++++++-

 10 files changed, 136 insertions(+), 20 deletions(-)

diff --git a/lib/lb.c b/lib/lb.c

index a90042e58..2517c02ef 100644

--- a/lib/lb.c

+++ b/lib/lb.c

@@ -189,6 +189,8 @@ ovn_northd_lb_create(const struct nbrec_load_balancer *nbrec_lb,

         struct ovn_lb_vip *lb_vip = &lb->vips[n_vips];

         struct ovn_northd_lb_vip *lb_vip_nb = &lb->vips_nb[n_vips];

+        lb_vip->empty_backend_rej = smap_get_bool(&nbrec_lb->options,

+                                                  "reject", false);

         if (!ovn_lb_vip_init(lb_vip, node->key, node->value)) {

             continue;

         }

diff --git a/lib/lb.h b/lib/lb.h

index 6644ad0d8..42c580bd1 100644

--- a/lib/lb.h

+++ b/lib/lb.h

@@ -49,6 +49,7 @@ struct ovn_lb_vip {

     struct ovn_lb_backend *backends;

     size_t n_backends;

+    bool empty_backend_rej;

 };

 struct ovn_lb_backend {

diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml

index a9a3a9f4f..d86f36ea6 100644

--- a/northd/ovn-northd.8.xml

+++ b/northd/ovn-northd.8.xml

@@ -700,6 +700,16 @@

         ct_lb(args), where args contains comma

         separated IP addresses of the same address family as VIP.

+

+      

+        If the load balancer is created with --reject option and

+        it has no active backends, a TCP reset segment (for tcp) or an ICMP

+        port unreachable packet (for all other kind of traffic) will be sent

+        whenever an incoming packet is received for this load-balancer.

+        Please note using --reject option will disable

+        empty_lb SB controller event for this load balancer.

+      

+

         A priority-100 flow commits packets to connection tracker using

         ct_commit; next; action based on a hint provided by

@@ -2592,6 +2602,15 @@ icmp6 {

         packets, the above action will be replaced by

         flags.force_snat_for_lb = 1; ct_dnat;.

+

+      

+        If the load balancer is created with --reject option and

+        it has no active backends, a TCP reset segment (for tcp) or an ICMP

+        port unreachable packet (for all other kind of traffic) will be sent

+        whenever an incoming packet is received for this load-balancer.

+        Please note using --reject option will disable

+        empty_lb SB controller event for this load balancer.

+      

     
Ingress Table 6: DNAT on Gateway Routers

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c

index 5a3227568..478f1a339 100644

--- a/northd/ovn-northd.c

+++ b/northd/ovn-northd.c

@@ -3436,12 +3436,12 @@ ovn_lb_svc_create(struct northd_context *ctx, struct ovn_northd_lb *lb,

 }

 static

-void build_lb_vip_ct_lb_actions(struct ovn_lb_vip *lb_vip,

-                                struct ovn_northd_lb_vip *lb_vip_nb,

-                                struct ds *action,

-                                char *selection_fields)

+void build_lb_vip_actions(struct ovn_lb_vip *lb_vip,

+                          struct ovn_northd_lb_vip *lb_vip_nb,

+                          struct ds *action, char *selection_fields,

+                          bool ls_dp)

 {

-    bool skip_hash_fields = false;

+    bool skip_hash_fields = false, reject = false;

     if (lb_vip_nb->lb_health_check) {

         ds_put_cstr(action, "ct_lb(backends=");

@@ -3463,18 +3463,30 @@ void build_lb_vip_ct_lb_actions(struct ovn_lb_vip *lb_vip,

         }

         if (!n_active_backends) {

-            skip_hash_fields = true;

-            ds_clear(action);

-            ds_put_cstr(action, "drop;");

+            if (!lb_vip->empty_backend_rej) {

+                ds_clear(action);

+                ds_put_cstr(action, "drop;");

+                skip_hash_fields = true;

+            } else {

+                reject = true;

+            }

         } else {

             ds_chomp(action, ',');

             ds_put_cstr(action, ");");

         }

+    } else if (lb_vip->empty_backend_rej && !lb_vip->n_backends) {

+        reject = true;

     } else {

         ds_put_format(action, "ct_lb(backends=%s);", lb_vip_nb->backend_ips);

     }

-    if (!skip_hash_fields && selection_fields && selection_fields[0]) {

+    if (reject) {

+        int stage = ls_dp ? ovn_stage_get_table(S_SWITCH_OUT_QOS_MARK)

+                          : ovn_stage_get_table(S_ROUTER_OUT_SNAT);

+        ds_clear(action);

+        ds_put_format(action, "reg0 = 0; reject { outport <-> inport; "

+                      "next(pipeline=egress,table=%d);};", stage);

+    } else if (!skip_hash_fields && selection_fields && selection_fields[0]) {

         ds_chomp(action, ';');

         ds_chomp(action, ')');

         ds_put_format(action, "; hash_fields=\"%s\");", selection_fields);

@@ -5084,7 +5096,8 @@ build_empty_lb_event_flow(struct ovn_datapath *od, struct hmap *lflows,

                           struct nbrec_load_balancer *lb,

                           int pl, struct shash *meter_groups)

 {

-    if (!controller_event_en || lb_vip->n_backends) {

+    if (!controller_event_en || lb_vip->n_backends ||

+        lb_vip->empty_backend_rej) {

         return;

     }

@@ -5974,8 +5987,8 @@ build_lb_rules(struct ovn_datapath *od, struct hmap *lflows,

         /* New connections in Ingress table. */

         struct ds action = DS_EMPTY_INITIALIZER;

-        build_lb_vip_ct_lb_actions(lb_vip, lb_vip_nb, &action,

-                                   lb->selection_fields);

+        build_lb_vip_actions(lb_vip, lb_vip_nb, &action,

+                             lb->selection_fields, true);

         struct ds match = DS_EMPTY_INITIALIZER;

         ds_put_format(&match, "ct.new && %s.dst == %s", ip_match,

@@ -9685,8 +9698,8 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,

                 struct ovn_lb_vip *lb_vip = &lb->vips[j];

                 struct ovn_northd_lb_vip *lb_vip_nb = &lb->vips_nb[j];

                 ds_clear(&actions);

-                build_lb_vip_ct_lb_actions(lb_vip, lb_vip_nb, &actions,

-                                           lb->selection_fields);

+                build_lb_vip_actions(lb_vip, lb_vip_nb, &actions,

+                                     lb->selection_fields, false);

                 if (!sset_contains(&all_ips, lb_vip->vip_str)) {

                     sset_add(&all_ips, lb_vip->vip_str);

@@ -9737,7 +9750,8 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports,

                     prio = 120;

                 }

-                if (od->l3redirect_port) {

+                if (od->l3redirect_port &&

+                    (lb_vip->n_backends || !lb_vip->empty_backend_rej)) {

                     ds_put_format(&match, " && is_chassis_resident(%s)",

                                   od->l3redirect_port->json_key);

                 }

diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema

index 269e3a888..af77dd138 100644

--- a/ovn-nb.ovsschema

+++ b/ovn-nb.ovsschema

@@ -1,7 +1,7 @@

 {

     "name": "OVN_Northbound",

-    "version": "5.28.0",

-    "cksum": "610359755 26847",

+    "version": "5.29.0",

+    "cksum": "328602112 27064",

     "tables": {

         "NB_Global": {

             "columns": {

@@ -188,6 +188,11 @@

                                 ["eth_src", "eth_dst", "ip_src", "ip_dst",

                                  "tp_src", "tp_dst"]]},

                              "min": 0, "max": "unlimited"}},

+                "options": {

+                     "type": {"key": "string",

+                              "value": "string",

+                              "min": 0,

+                              "max": "unlimited"}},

                 "external_ids": {

                     "type": {"key": "string", "value": "string",

                              "min": 0, "max": "unlimited"}}},

diff --git a/ovn-nb.xml b/ovn-nb.xml

index c9ab25ceb..e7a8d6833 100644

--- a/ovn-nb.xml

+++ b/ovn-nb.xml

@@ -1635,6 +1635,16 @@

         See External IDs at the beginning of this document.

       </column>

     </group>

+    <group title="Load_Balancer options">

+      <column name="options" key="reject" type='{"type": "boolean"}'>

+        If the load balancer is created with --reject option and

+        it has no active backends, a TCP reset segment (for tcp) or an ICMP

+        port unreachable packet (for all other kind of traffic) will be sent

+        whenever an incoming packet is received for this load-balancer.

+        Please note using --reject option will disable empty_lb

+        SB controller event for this load balancer.

+      </column>

+    </group>

diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at

index 90ca0a4db..50a4cae76 100644

--- a/tests/ovn-northd.at

+++ b/tests/ovn-northd.at

@@ -1233,6 +1233,31 @@ wait_row_count Service_Monitor 2

 ovn-nbctl --wait=sb lb-del lb2

 wait_row_count Service_Monitor 0

+check ovn-nbctl --reject lb-add lb3 10.0.0.10:80 10.0.0.3:80,20.0.0.3:80

+check ovn-nbctl --wait=sb set load_balancer lb3 ip_port_mappings:10.0.0.3=sw0-p1:10.0.0.2

+check ovn-nbctl --wait=sb set load_balancer lb3 ip_port_mappings:20.0.0.3=sw1-p1:20.0.0.2

+wait_row_count Service_Monitor 0

+

+check ovn-nbctl --wait=sb ls-lb-add sw0 lb3

+AT_CHECK([ovn-nbctl --wait=sb -- --id=@hc create \

+Load_Balancer_Health_Check vip="10.0.0.10\:80" -- add Load_Balancer lb3 \

+health_check @hc | uuidfilt], [0], [<0>

+])

+wait_row_count Service_Monitor 2

+

+# Set the service monitor for sw0-p1 and sw1-p1 to online

+sm_sw0_p1=$(fetch_column Service_Monitor _uuid logical_port=sw0-p1)

+sm_sw1_p1=$(fetch_column Service_Monitor _uuid logical_port=sw1-p1)

+

+ovn-sbctl set service_monitor $sm_sw0_p1 status=offline

+ovn-sbctl set service_monitor $sm_sw1_p1 status=offline

+

+AT_CAPTURE_FILE([sbflows12])

+OVS_WAIT_FOR_OUTPUT(

+  [ovn-sbctl dump-flows sw0 | tee sbflows12 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" | grep priority=120 | sed 's/table=..//'], [0], [dnl

+  (ls_in_stateful     ), priority=120  , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0 = 0; reject { outport <-> inport; next(pipeline=egress,table=6);};)

+])

+

 AT_CLEANUP

 AT_SETUP([ovn -- Load balancer VIP in NAT entries])

diff --git a/tests/system-ovn.at b/tests/system-ovn.at

index d59f7c97e..1e73001ab 100644

--- a/tests/system-ovn.at

+++ b/tests/system-ovn.at

@@ -1574,6 +1574,18 @@ OVS_WAIT_UNTIL([

     grep "selection_method=hash,fields(ip_src,ip_dst,sctp_src,sctp_dst)" -c) -eq 2

 ])

+ovn-nbctl --reject lb-add lb3 30.0.0.10:80 ""

+ovn-nbctl ls-lb-add foo lb3

+# Filter reset segments

+NS_CHECK_EXEC([foo1], [tcpdump -c 1 -neei foo1 ip[[33:1]]=0x14 > rst.pcap &])

+sleep 1

+NS_CHECK_EXEC([foo1], [wget -q 30.0.0.10],[4])

+

+OVS_WAIT_UNTIL([

+    n_reset=$(cat rst.pcap | wc -l)

+    test "${n_reset}" = "1"

+])

+

 OVS_APP_EXIT_AND_WAIT([ovn-controller])

 as ovn-sb

@@ -4151,7 +4163,7 @@ ovn-nbctl lsp-set-type sw1-lr0 router

 ovn-nbctl lsp-set-addresses sw1-lr0 router

 ovn-nbctl lsp-set-options sw1-lr0 router-port=lr0-sw1

-ovn-nbctl lb-add lb1 10.0.0.10:80 10.0.0.3:80,20.0.0.3:80

+ovn-nbctl --reject lb-add lb1 10.0.0.10:80 10.0.0.3:80,20.0.0.3:80

 ovn-nbctl --wait=sb set load_balancer . ip_port_mappings:10.0.0.3=sw0-p1:10.0.0.2

 ovn-nbctl --wait=sb set load_balancer . ip_port_mappings:20.0.0.3=sw1-p1:20.0.0.2

@@ -4266,6 +4278,20 @@ ovn-sbctl list service_monitor

 OVS_WAIT_UNTIL([test 2 = `ovn-sbctl --bare --columns status find \

 service_monitor protocol=udp | sed '/^$/d' | grep offline | wc -l`])

+# Stop webserer in sw1-p1

+pid_file=$(cat l7_pid_file)

+NS_CHECK_EXEC([sw1-p1], [kill $(cat $pid_file)])

+

+NS_CHECK_EXEC([sw0-p2], [tcpdump -c 1 -neei sw0-p2 ip[[33:1]]=0x14 > rst.pcap &])

+OVS_WAIT_UNTIL([test 2 = `ovn-sbctl --bare --columns status find \

+service_monitor protocol=tcp | sed '/^$/d' | grep offline | wc -l`])

+NS_CHECK_EXEC([sw0-p2], [wget 10.0.0.10 -v -o wget$i.log],[4])

+

+OVS_WAIT_UNTIL([

+    n_reset=$(cat rst.pcap | wc -l)

+    test "${n_reset}" = "1"

+])

+

 OVS_APP_EXIT_AND_WAIT([ovn-controller])

 as ovn-sb

diff --git a/utilities/ovn-nbctl.8.xml b/utilities/ovn-nbctl.8.xml

index 59302296b..e5a35f307 100644

--- a/utilities/ovn-nbctl.8.xml

+++ b/utilities/ovn-nbctl.8.xml

@@ -903,7 +903,7 @@

     
Load Balancer Commands

-      
[--may-exist | --add-duplicate] lb-add lb vip ips [protocol]

+        
[--may-exist | --add-duplicate | --reject] lb-add lb vip ips [protocol]

          Creates a new load balancer named lb with the provided

@@ -936,6 +936,15 @@

          creates a new load balancer with a duplicate name.

+        

+         If the load balancer is created with --reject option and

+         it has no active backends, a TCP reset segment (for tcp) or an ICMP

+         port unreachable packet (for all other kind of traffic) will be sent

+         whenever an incoming packet is received for this load-balancer.

+         Please note using --reject option will disable

+         empty_lb SB controller event for this load balancer.

+        

+

          The following example adds a load balancer.

diff --git a/utilities/ovn-nbctl.c b/utilities/ovn-nbctl.c

index d19e1b6c6..3a95f6b1f 100644

--- a/utilities/ovn-nbctl.c

+++ b/utilities/ovn-nbctl.c

@@ -2821,6 +2821,7 @@ nbctl_lb_add(struct ctl_context *ctx)

     bool may_exist = shash_find(&ctx->options, "--may-exist") != NULL;

     bool add_duplicate = shash_find(&ctx->options, "--add-duplicate") != NULL;

+    bool empty_backend_rej = shash_find(&ctx->options, "--reject") != NULL;

     const char *lb_proto;

     bool is_update_proto = false;

@@ -2934,6 +2935,10 @@ nbctl_lb_add(struct ctl_context *ctx)

     smap_add(CONST_CAST(struct smap *, &lb->vips),

             lb_vip_normalized, ds_cstr(&lb_ips_new));

     nbrec_load_balancer_set_vips(lb, &lb->vips);

+    if (empty_backend_rej) {

+        const struct smap options = SMAP_CONST1(&options, "reject", "true");

+        nbrec_load_balancer_set_options(lb, &options);

+    }

 out:

     ds_destroy(&lb_ips_new);

@@ -6588,7 +6593,7 @@ static const struct ctl_command_syntax nbctl_commands[] = {

       nbctl_lr_nat_set_ext_ips, NULL, "--is-exempted", RW},

     /* load balancer commands. */

     { "lb-add", 3, 4, "LB VIP[:PORT] IP[:PORT]... [PROTOCOL]", NULL,

-      nbctl_lb_add, NULL, "--may-exist,--add-duplicate", RW },

+      nbctl_lb_add, NULL, "--may-exist,--add-duplicate,--reject", RW },

     { "lb-del", 1, 2, "LB [VIP]", NULL, nbctl_lb_del, NULL,

         "--if-exists", RW },

     { "lb-list", 0, 1, "[LB]", NULL, nbctl_lb_list, NULL, "", RO },

-- 

2.28.0