From 13895b0543721db71569134d101d472e482c3997 Mon Sep 17 00:00:00 2001
Message-Id: <13895b0543721db71569134d101d472e482c3997.1583175283.git.lorenzo.bianconi@redhat.com>
In-Reply-To: <b4ddab6aa4d08a04eb7b55337b3fbdcc30b916a6.1583175283.git.lorenzo.bianconi@redhat.com>
References: <b4ddab6aa4d08a04eb7b55337b3fbdcc30b916a6.1583175283.git.lorenzo.bianconi@redhat.com>
From: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Date: Mon, 2 Mar 2020 10:37:49 +0100
Subject: [PATCH 2/2] Manage ARP process locally in a DVR scenario

OVN currently performs L2 address resolution and IP buffering on the
gw node. If the system relies on FIPs, OVN will re-inject the buffered
IP packets on the gw node, while following packets will go through
the localnet port on the compute node, resulting in a ToR switch
misconfiguration. This patch addresses the issue by managing ARP
and IP buffering locally if FIPs are configured on the node

Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Numan Siddique <numans@ovn.org>
---
 ovn/northd/ovn-northd.8.xml | 37 +++++++++++++++++++++++--
 ovn/northd/ovn-northd.c     | 55 ++++++++++++++++++++++++++++++++++++-
 tests/ovn.at                | 14 ++++++++++
 3 files changed, 103 insertions(+), 3 deletions(-)

--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -2290,11 +2290,44 @@ output;
 
       <li>
         <p>
+          For distributed logical routers where one of the logical router ports
+          specifies a <code>redirect-chassis</code>, a priority-400 logical
+          flow for each <code>dnat_and_snat</code> NAT rules configured.
+          These flows will allow to properly forward traffic to the external
+          connections if available and avoid sending it through the tunnel.
+          Assuming the following NAT rule has been configured:
+        </p>
+
+        <pre>
+external_ip = <var>A</var>;
+external_mac = <var>B</var>;
+logical_ip = <var>C</var>;
+        </pre>
+
+        <p>
+          the following action will be applied:
+        </p>
+
+        <pre>
+ip.ttl--;
+reg0 = <var>ip.dst</var>;
+reg1 = <var>A</var>;
+eth.src = <var>B</var>;
+outport = <var>router-port</var>;
+next;
+        </pre>
+
+      </li>
+
+      <li>
+        <p>
           IPv4 routing table.  For each route to IPv4 network <var>N</var> with
           netmask <var>M</var>, on router port <var>P</var> with IP address
           <var>A</var> and Ethernet
           address <var>E</var>, a logical flow with match <code>ip4.dst ==
-          <var>N</var>/<var>M</var></code>, whose priority is the number of
+          <var>N</var>/<var>M</var></code>, whose priority is <code>400</code>
+          + the number of 1-bits in <var>M</var> if the router port is not a
+          distributed gateway port, else the priority is the number of
           1-bits in <var>M</var>, has the following actions:
         </p>
 
@@ -2621,7 +2654,7 @@ icmp4 {
 
       <li>
         For each NAT rule in the OVN Northbound database that can
-        be handled in a distributed manner, a priority-100 logical
+        be handled in a distributed manner, a priority-200 logical
         flow with match <code>ip4.src == <var>B</var> &amp;&amp;
         outport == <var>GW</var></code>, where <var>GW</var> is
         the logical router distributed gateway port, with actions
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -6598,6 +6598,43 @@ build_routing_policy_flow(struct hmap *l
     ds_destroy(&actions);
 }
 
+/* default logical flow prioriry for distributed routes */
+#define DROUTE_PRIO 400
+
+static void
+add_distributed_routes(struct hmap *lflows, struct ovn_datapath *od)
+{
+    struct ds actions = DS_EMPTY_INITIALIZER;
+    struct ds match = DS_EMPTY_INITIALIZER;
+
+    for (size_t i = 0; i < od->nbr->n_nat; i++) {
+        const struct nbrec_nat *nat = od->nbr->nat[i];
+
+        if (strcmp(nat->type, "dnat_and_snat") ||
+            !nat->external_mac) {
+            continue;
+        }
+
+        bool is_ipv4 = strchr(nat->logical_ip, '.') ? true : false;
+        ds_put_format(&match, "ip%s.src == %s && is_chassis_resident(\"%s\")",
+                      is_ipv4 ? "4" : "6", nat->logical_ip,
+                      nat->logical_port);
+        char *prefix = is_ipv4 ? "" : "xx";
+        ds_put_format(&actions, "outport = %s; eth.src = %s; "
+                      "%sreg0 = ip%s.dst; %sreg1 = %s; next;",
+                      od->l3dgw_port->json_key, nat->external_mac,
+                      prefix, is_ipv4 ? "4" : "6",
+                      prefix, nat->external_ip);
+        ovn_lflow_add(lflows, od, S_ROUTER_IN_IP_ROUTING, DROUTE_PRIO,
+                      ds_cstr(&match), ds_cstr(&actions));
+        ds_clear(&match);
+        ds_clear(&actions);
+    }
+
+    ds_destroy(&actions);
+    ds_destroy(&match);
+}
+
 static void
 add_route(struct hmap *lflows, const struct ovn_port *op,
           const char *lrp_addr_s, const char *network_s, int plen,
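Review bot: add_distributed_routes() skips a NAT rule only when external_mac is unset, yet the match string interpolates nat->logical_port; if logical_port can be left empty on a dnat_and_snat rule (it appears to be a separate optional column, so I would not rely on it being set whenever external_mac is), the flow would be built from a NULL `%s`, and the guard should read `if (strcmp(nat->type, "dnat_and_snat") || !nat->external_mac || !nat->logical_port) { continue; }`. The actions string also omits `ip.ttl--;` although the ovn-northd.8.xml hunk in this same patch documents it for these flows, so either the code or the documentation should change so the two agree; a routed packet that skips the TTL decrement is never aged out if it ends up in a forwarding loop. Minor points of style: `prefix` should be `const char *`, `strchr(...) ? true : false` is just `strchr(...) != NULL`, and the DROUTE_PRIO comment reads "prioriry".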
@@ -6616,6 +6653,13 @@ add_route(struct hmap *lflows, const str
         priority = (plen * 2) + 1;
     }
 
+    /* traffic for internal IPs of logical switch ports must be sent to
+     * the gw controller through the overlay tunnels
+     */
+    if (op->nbrp && !op->nbrp->n_gateway_chassis) {
+        priority += DROUTE_PRIO;
+    }
+
     /* IPv6 link-local addresses must be scoped to the local router port. */
     if (!is_ipv4) {
         struct in6_addr network;
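Review bot: The comment above the new priority bump in add_route() says which traffic it protects but not why adding DROUTE_PRIO achieves that, which a reader without the add_distributed_routes() context cannot reconstruct; I would write it as `/* Routes reached through a non-gateway router port get DROUTE_PRIO added so they win over the per-NAT dnat_and_snat flows (installed at priority DROUTE_PRIO) and traffic for internal IPs of logical switch ports keeps going to the gw controller through the overlay tunnels. */`. The `op->nbrp` test also deserves a word on when a route's output port has no nbrp, since that case silently keeps the lower priority. add_route() begins and ends outside this hunk.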
@@ -8256,7 +8300,7 @@ build_lrouter_flows(struct hmap *datapat
                               is_v6 ? "6" : "4",
                               nat->logical_ip,
                               od->l3dgw_port->json_key);
-                ovn_lflow_add(lflows, od, S_ROUTER_IN_GW_REDIRECT, 100,
+                ovn_lflow_add(lflows, od, S_ROUTER_IN_GW_REDIRECT, 200,
                               ds_cstr(&match), "next;");
             }
 
@@ -8532,6 +8576,15 @@ build_lrouter_flows(struct hmap *datapat
         ovn_lflow_add(lflows, od, S_ROUTER_IN_ND_RA_RESPONSE, 0, "1", "next;");
     }
 
+    /* Logical router ingress table IP_ROUTING - IP routing for distributed
+     * logical router
+     */
+    HMAP_FOR_EACH (od, key_node, datapaths) {
+        if (od->nbr && od->l3dgw_port) {
+            add_distributed_routes(lflows, od);
+        }
+    }
+
     /* Logical router ingress table 7: IP Routing.
      *
      * A packet that arrives at this table is an IP packet that should be
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -9440,6 +9440,20 @@ AT_CHECK([as hv3 ovs-vsctl set Open_vSwi
 OVS_WAIT_UNTIL([test 1 = `as hv3 ovs-vsctl show | \
 grep "Port patch-br-int-to-ln_port" | wc -l`])
 
+AT_CHECK([test 1 = `ovn-sbctl dump-flows lr0 | grep lr_in_ip_routing | \
+grep "ip4.src == 10.0.0.3 && is_chassis_resident(\"foo1\")" -c`])
+AT_CHECK([test 1 = `ovn-sbctl dump-flows lr0 | grep lr_in_ip_routing | \
+grep "ip4.src == 10.0.0.4 && is_chassis_resident(\"foo2\")" -c`])
+
+key=`ovn-sbctl --bare --columns tunnel_key list datapath_Binding lr0`
+# Check that the OVS flows appear for the dnat_and_snat entries in
+# lr_in_ip_routing table.
+OVS_WAIT_UNTIL([test 1 = `as hv3 ovs-ofctl dump-flows br-int table=17 | \
+grep "priority=400,ip,metadata=0x$key,nw_src=10.0.0.3" -c`])
+
+OVS_WAIT_UNTIL([test 1 = `as hv3 ovs-ofctl dump-flows br-int table=17 | \
+grep "priority=400,ip,metadata=0x$key,nw_src=10.0.0.4" -c`])
+
 # Re-add nat-addresses option
 ovn-nbctl lsp-set-options lrp0-rp router-port=lrp0 nat-addresses="router"
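Review bot: Hard-coding `table=17` in the two OVS_WAIT_UNTIL checks ties the test to the current position of lr_in_ip_routing in the OpenFlow pipeline, so adding or reordering a router ingress stage would break this test without any regression in the distributed-route logic. At minimum a comment such as `# table=17 is the OpenFlow table of lr_in_ip_routing at the time of writing` would tell the next person why the number changed; better, derive it from the stage name if the suite has a helper for that. The two ovn-sbctl checks above already verify the logical flow by stage name, which is the more robust form.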