|
 |
bbaaef |
From 35a77738b9032480c3983ff93080cd1cada85fad Mon Sep 17 00:00:00 2001
|
|
|
bbaaef |
From: Numan Siddique <numans@ovn.org>
|
|
|
bbaaef |
Date: Thu, 12 Mar 2020 15:58:38 +0530
|
|
|
bbaaef |
Subject: [PATCH] ovn-northd: Add lflows to by pass the svc monitor packets
|
|
|
bbaaef |
from conntrack.
|
|
|
bbaaef |
MIME-Version: 1.0
|
|
|
bbaaef |
Content-Type: text/plain; charset=UTF-8
|
|
|
bbaaef |
Content-Transfer-Encoding: 8bit
|
|
|
bbaaef |
|
|
|
bbaaef |
The commit [1] added lflows to by pass the service monitor health check
|
|
|
bbaaef |
packets from conntrack. But it missed out adding in the ingress pre_acl
|
|
|
bbaaef |
and egress pre_acl of logical switch pipeline.
|
|
|
bbaaef |
|
|
|
bbaaef |
This patch adds these missing lflows. It also enhanced the system lb health
|
|
|
bbaaef |
check tests to add the acls to test this scenario.
|
|
|
bbaaef |
|
|
|
bbaaef |
[1] - bb9f2b9ce56c("ovn-northd: Consider load balancer active backends in router pipeline)
|
|
|
bbaaef |
Fixes: bb9f2b9ce56c("ovn-northd: Consider load balancer active backends in router pipeline)
|
|
|
bbaaef |
|
|
|
bbaaef |
Change-Id: I591f98dbb945ea63acf0d1f37f0bb09f43e205c7
|
|
|
bbaaef |
Reported-by: Maciej Józefczyk <mjozefcz@redhat.com>
|
|
|
bbaaef |
Acked-by: Dumitru Ceara <dceara@redhat.com>
|
|
|
bbaaef |
Acked-by: Maciej Jozefczyk <mjozefcz@redhat.com>
|
|
|
bbaaef |
Signed-off-by: Numan Siddique <numans@ovn.org>
|
|
|
bbaaef |
---
|
|
|
bbaaef |
ovn/northd/ovn-northd.8.xml | 22 +++++++++++++++++++++-
|
|
|
bbaaef |
ovn/northd/ovn-northd.c | 15 ++++++++++++++-
|
|
|
bbaaef |
tests/ovn.at | 22 ++++++++++++++++++++++
|
|
|
bbaaef |
tests/system-ovn.at | 22 ++++++++++++++++++++++
|
|
|
bbaaef |
4 files changed, 79 insertions(+), 2 deletions(-)
|
|
|
bbaaef |
|
|
|
bbaaef |
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
index c09e5ff44..f4d6c8f08 100644
|
|
|
bbaaef |
--- a/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
+++ b/ovn/northd/ovn-northd.8.xml
|
|
|
bbaaef |
@@ -283,6 +283,16 @@
|
|
|
bbaaef |
priority-110 flow is added to skip over stateful ACLs.
|
|
|
bbaaef |
|
|
|
bbaaef |
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ This table also has a priority-110 flow with the match
|
|
|
bbaaef |
+ eth.dst == E for all logical switch
|
|
|
bbaaef |
+ datapaths to move traffic to the next table. Where E
|
|
|
bbaaef |
+ is the service monitor mac defined in the
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ db="OVN_Northbound"/> colum of
|
|
|
bbaaef |
+ db="OVN_Northbound"/> table.
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+
|
|
|
bbaaef |
Ingress Table 4: Pre-LB
|
|
|
bbaaef |
|
|
|
bbaaef |
|
|
|
bbaaef |
@@ -310,7 +320,7 @@
|
|
|
bbaaef |
|
|
|
bbaaef |
|
|
|
bbaaef |
This table also has a priority-110 flow with the match
|
|
|
bbaaef |
- eth.src == E for all logical switch
|
|
|
bbaaef |
+ eth.dst == E for all logical switch
|
|
|
bbaaef |
datapaths to move traffic to the next table. Where E
|
|
|
bbaaef |
is the service monitor mac defined in the
|
|
|
bbaaef |
|
|
|
bbaaef |
@@ -1195,6 +1205,16 @@ output;
|
|
|
bbaaef |
to-lport traffic.
|
|
|
bbaaef |
|
|
|
bbaaef |
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ This table also has a priority-110 flow with the match
|
|
|
bbaaef |
+ eth.src == E for all logical switch
|
|
|
bbaaef |
+ datapaths to move traffic to the next table. Where E
|
|
|
bbaaef |
+ is the service monitor mac defined in the
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ db="OVN_Northbound"/> colum of
|
|
|
bbaaef |
+ db="OVN_Northbound"/> table.
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+
|
|
|
bbaaef |
Egress Table 2: Pre-stateful
|
|
|
bbaaef |
|
|
|
bbaaef |
|
|
|
bbaaef |
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
index abe5508c3..c2ac5ce07 100644
|
|
|
bbaaef |
--- a/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
+++ b/ovn/northd/ovn-northd.c
|
|
|
bbaaef |
@@ -4502,6 +4502,16 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
|
|
|
bbaaef |
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 0, "1", "next;");
|
|
|
bbaaef |
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 0, "1", "next;");
|
|
|
bbaaef |
|
|
|
bbaaef |
+ char *svc_check_match = xasprintf("eth.dst == %s", svc_monitor_mac);
|
|
|
bbaaef |
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, svc_check_match,
|
|
|
bbaaef |
+ "next;");
|
|
|
bbaaef |
+ free(svc_check_match);
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ svc_check_match = xasprintf("eth.src == %s", svc_monitor_mac);
|
|
|
bbaaef |
+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, svc_check_match,
|
|
|
bbaaef |
+ "next;");
|
|
|
bbaaef |
+ free(svc_check_match);
|
|
|
bbaaef |
+
|
|
|
bbaaef |
/* If there are any stateful ACL rules in this datapath, we must
|
|
|
bbaaef |
* send all IP packets through the conntrack action, which handles
|
|
|
bbaaef |
* defragmentation, in order to match L4 headers. */
|
|
|
bbaaef |
@@ -4672,9 +4682,12 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows,
|
|
|
bbaaef |
"nd || nd_rs || nd_ra", "next;");
|
|
|
bbaaef |
|
|
|
bbaaef |
/* Do not send service monitor packets to conntrack. */
|
|
|
bbaaef |
- char *svc_check_match = xasprintf("eth.src == %s", svc_monitor_mac);
|
|
|
bbaaef |
+ char *svc_check_match = xasprintf("eth.dst == %s", svc_monitor_mac);
|
|
|
bbaaef |
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
|
|
|
bbaaef |
svc_check_match, "next;");
|
|
|
bbaaef |
+ free(svc_check_match);
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ svc_check_match = xasprintf("eth.src == %s", svc_monitor_mac);
|
|
|
bbaaef |
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
|
|
|
bbaaef |
svc_check_match, "next;");
|
|
|
bbaaef |
free(svc_check_match);
|
|
|
bbaaef |
diff --git a/tests/ovn.at b/tests/ovn.at
|
|
|
bbaaef |
index dd94776e6..9fb6e4f98 100644
|
|
|
bbaaef |
--- a/tests/ovn.at
|
|
|
bbaaef |
+++ b/tests/ovn.at
|
|
|
bbaaef |
@@ -17032,12 +17032,34 @@ ovn-nbctl lsp-set-port-security sw0-p1 "50:54:00:00:00:03 10.0.0.3"
|
|
|
bbaaef |
ovn-nbctl lsp-set-addresses sw0-p2 "50:54:00:00:00:04 10.0.0.4"
|
|
|
bbaaef |
ovn-nbctl lsp-set-port-security sw0-p2 "50:54:00:00:00:04 10.0.0.4"
|
|
|
bbaaef |
|
|
|
bbaaef |
+# Create port group and ACLs for sw0 ports.
|
|
|
bbaaef |
+ovn-nbctl pg-add pg0_drop sw0-p1 sw0-p2
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0_drop to-lport 1001 "outport == @pg0_drop && ip" drop
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ovn-nbctl pg-add pg0 sw0-p1 sw0-p2
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related
|
|
|
bbaaef |
+
|
|
|
bbaaef |
# Create the second logical switch with one port
|
|
|
bbaaef |
ovn-nbctl ls-add sw1
|
|
|
bbaaef |
ovn-nbctl lsp-add sw1 sw1-p1
|
|
|
bbaaef |
ovn-nbctl lsp-set-addresses sw1-p1 "40:54:00:00:00:03 20.0.0.3"
|
|
|
bbaaef |
ovn-nbctl lsp-set-port-security sw1-p1 "40:54:00:00:00:03 20.0.0.3"
|
|
|
bbaaef |
|
|
|
bbaaef |
+# Create port group and ACLs for sw1 ports.
|
|
|
bbaaef |
+ovn-nbctl pg-add pg1_drop sw1-p1
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1_drop from-lport 1001 "inport == @pg1_drop && ip" drop
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1_drop to-lport 1001 "outport == @pg1_drop && ip" drop
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ovn-nbctl pg-add pg1 sw1-p1
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1 from-lport 1002 "inport == @pg1 && ip4" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related
|
|
|
bbaaef |
+
|
|
|
bbaaef |
# Create a logical router and attach both logical switches
|
|
|
bbaaef |
ovn-nbctl lr-add lr0
|
|
|
bbaaef |
ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
|
|
|
bbaaef |
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
|
|
|
bbaaef |
index 7d1c65d85..22e9a5926 100644
|
|
|
bbaaef |
--- a/tests/system-ovn.at
|
|
|
bbaaef |
+++ b/tests/system-ovn.at
|
|
|
bbaaef |
@@ -2552,12 +2552,34 @@ ovn-nbctl lsp-add sw0 sw0-p2
|
|
|
bbaaef |
ovn-nbctl lsp-set-addresses sw0-p2 "50:54:00:00:00:04 10.0.0.4"
|
|
|
bbaaef |
ovn-nbctl lsp-set-port-security sw0-p2 "50:54:00:00:00:04 10.0.0.4"
|
|
|
bbaaef |
|
|
|
bbaaef |
+# Create port group and ACLs for sw0 ports.
|
|
|
bbaaef |
+ovn-nbctl pg-add pg0_drop sw0-p1 sw0-p2
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0_drop from-lport 1001 "inport == @pg0_drop && ip" drop
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0_drop to-lport 1001 "outport == @pg0_drop && ip" drop
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ovn-nbctl pg-add pg0 sw0-p1 sw0-p2
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0 from-lport 1002 "inport == @pg0 && ip4" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg0 to-lport 1002 "outport == @pg0 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related
|
|
|
bbaaef |
+
|
|
|
bbaaef |
# Create the second logical switch with one port
|
|
|
bbaaef |
ovn-nbctl ls-add sw1
|
|
|
bbaaef |
ovn-nbctl lsp-add sw1 sw1-p1
|
|
|
bbaaef |
ovn-nbctl lsp-set-addresses sw1-p1 "40:54:00:00:00:03 20.0.0.3"
|
|
|
bbaaef |
ovn-nbctl lsp-set-port-security sw1-p1 "40:54:00:00:00:03 20.0.0.3"
|
|
|
bbaaef |
|
|
|
bbaaef |
+# Create port group and ACLs for sw1 ports.
|
|
|
bbaaef |
+ovn-nbctl pg-add pg1_drop sw1-p1
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1_drop from-lport 1001 "inport == @pg1_drop && ip" drop
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1_drop to-lport 1001 "outport == @pg1_drop && ip" drop
|
|
|
bbaaef |
+
|
|
|
bbaaef |
+ovn-nbctl pg-add pg1 sw1-p1
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1 from-lport 1002 "inport == @pg1 && ip4" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && icmp4" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && tcp && tcp.dst == 80" allow-related
|
|
|
bbaaef |
+ovn-nbctl acl-add pg1 to-lport 1002 "outport == @pg1 && ip4 && ip4.src == 0.0.0.0/0 && udp && udp.dst == 80" allow-related
|
|
|
bbaaef |
+
|
|
|
bbaaef |
# Create a logical router and attach both logical switches
|
|
|
bbaaef |
ovn-nbctl lr-add lr0
|
|
|
bbaaef |
ovn-nbctl lrp-add lr0 lr0-sw0 00:00:00:00:ff:01 10.0.0.1/24
|
|
|
bbaaef |
--
|
|
|
bbaaef |
2.24.1
|
|
|
bbaaef |
|