GET /api/patches/1529570/?format=api
http://patchwork.ozlabs.org/api/patches/1529570/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/patch/20210917215602.10633-1-odivlad@gmail.com/", "project": { "id": 68, "url": "http://patchwork.ozlabs.org/api/projects/68/?format=api", "name": "Open Virtual Network development", "link_name": "ovn", "list_id": "ovs-dev.openvswitch.org", "list_email": "ovs-dev@openvswitch.org", "web_url": "http://openvswitch.org/", "scm_url": "", "webscm_url": "", "list_archive_url": "", "list_archive_url_format": "", "commit_url_format": "" }, "msgid": "<20210917215602.10633-1-odivlad@gmail.com>", "list_archive_url": null, "date": "2021-09-17T21:56:02", "name": "[ovs-dev] northd: support HW VTEP with stateful datapath", "commit_ref": null, "pull_url": null, "state": "accepted", "archived": false, "hash": "006561c0eb62cc74967054ec45b87127e5e69607", "submitter": { "id": 80943, "url": "http://patchwork.ozlabs.org/api/people/80943/?format=api", "name": "Vladislav Odintsov", "email": "odivlad@gmail.com" }, "delegate": null, "mbox": "http://patchwork.ozlabs.org/project/ovn/patch/20210917215602.10633-1-odivlad@gmail.com/mbox/", "series": [ { "id": 262888, "url": "http://patchwork.ozlabs.org/api/series/262888/?format=api", "web_url": "http://patchwork.ozlabs.org/project/ovn/list/?series=262888", "date": "2021-09-17T21:56:02", "name": "[ovs-dev] northd: support HW VTEP with stateful datapath", "version": 1, "mbox": "http://patchwork.ozlabs.org/series/262888/mbox/" } ], "comments": "http://patchwork.ozlabs.org/api/patches/1529570/comments/", "check": "fail", "checks": "http://patchwork.ozlabs.org/api/patches/1529570/checks/", "tags": {}, "related": [], "headers": { "Return-Path": "<ovs-dev-bounces@openvswitch.org>", "X-Original-To": [ "incoming@patchwork.ozlabs.org", "dev@openvswitch.org" ], "Delivered-To": [ "patchwork-incoming@ozlabs.org", "ovs-dev@lists.linuxfoundation.org" ], "Authentication-Results": [ "ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" 
(2048-bit key;\n unprotected) header.d=gmail.com header.i=@gmail.com header.a=rsa-sha256\n header.s=20210112 header.b=WKKXQ7c/;\n\tdkim-atps=neutral", "ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=2605:bc80:3010::137; helo=smtp4.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>)", "smtp2.osuosl.org (amavisd-new);\n dkim=pass (2048-bit key) header.d=gmail.com" ], "Received": [ "from smtp4.osuosl.org (smtp4.osuosl.org [IPv6:2605:bc80:3010::137])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 4HB77d6DWHz9sPf\n\tfor <incoming@patchwork.ozlabs.org>; Sat, 18 Sep 2021 07:56:13 +1000 (AEST)", "from localhost (localhost [127.0.0.1])\n\tby smtp4.osuosl.org (Postfix) with ESMTP id 02ABC425B0;\n\tFri, 17 Sep 2021 21:56:10 +0000 (UTC)", "from smtp4.osuosl.org ([127.0.0.1])\n\tby localhost (smtp4.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id X-0C8oyfV0Qk; Fri, 17 Sep 2021 21:56:09 +0000 (UTC)", "from lists.linuxfoundation.org (lf-lists.osuosl.org\n [IPv6:2605:bc80:3010:104::8cd3:938])\n\tby smtp4.osuosl.org (Postfix) with ESMTPS id F38C04255A;\n\tFri, 17 Sep 2021 21:56:08 +0000 (UTC)", "from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id A5ECDC000F;\n\tFri, 17 Sep 2021 21:56:08 +0000 (UTC)", "from smtp2.osuosl.org (smtp2.osuosl.org [IPv6:2605:bc80:3010::133])\n by lists.linuxfoundation.org (Postfix) with ESMTP id 3CF8FC000D\n for <dev@openvswitch.org>; Fri, 17 Sep 2021 21:56:07 +0000 (UTC)", "from localhost (localhost [127.0.0.1])\n by smtp2.osuosl.org (Postfix) with ESMTP id 38F45407D7\n for <dev@openvswitch.org>; Fri, 17 Sep 2021 21:56:07 +0000 (UTC)", "from smtp2.osuosl.org ([127.0.0.1])\n by localhost (smtp2.osuosl.org [127.0.0.1]) (amavisd-new, 
port 10024)\n with ESMTP id DmWr5omh_SDm for <dev@openvswitch.org>;\n Fri, 17 Sep 2021 21:56:06 +0000 (UTC)", "from mail-lf1-x131.google.com (mail-lf1-x131.google.com\n [IPv6:2a00:1450:4864:20::131])\n by smtp2.osuosl.org (Postfix) with ESMTPS id A1F5C40172\n for <dev@openvswitch.org>; Fri, 17 Sep 2021 21:56:05 +0000 (UTC)", "by mail-lf1-x131.google.com with SMTP id x27so38564256lfu.5\n for <dev@openvswitch.org>; Fri, 17 Sep 2021 14:56:05 -0700 (PDT)", "from localhost.localdomain (109-252-131-59.dynamic.spd-mgts.ru.\n [109.252.131.59])\n by smtp.gmail.com with ESMTPSA id j20sm618863lfu.165.2021.09.17.14.56.02\n (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128);\n Fri, 17 Sep 2021 14:56:02 -0700 (PDT)" ], "X-Virus-Scanned": [ "amavisd-new at osuosl.org", "amavisd-new at osuosl.org" ], "X-Greylist": "whitelisted by SQLgrey-1.8.0", "DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112;\n h=from:to:cc:subject:date:message-id:mime-version\n :content-transfer-encoding;\n bh=N2+pYucvOMZLZTd5Ag7nPNXdcaes6YBwgyzCX3JaHXU=;\n b=WKKXQ7c/+4I6ez7qXoANt1EvXNmHyvJvcj1g15pSpPcVVQoHGBSEv3czyfrFMpvllI\n XFHxyJO8pmtbeZcLG3cE10wSdviCfdX+dp/Yzz2gwbpd+xpf0D2Q3LMLsuztya7/t2o6\n OlrkPs56x6gkh7h2IFE22PxkhkP7lmoeah3qYn+yELuS+bMQPC5jo3xbuQrQqy40PGiY\n LtQdhkdhv6XoOsVEdNMmRgGFg697LZxSllb5LiOzbzgjsYo1Of4ht4mb0TcP30NwbBgk\n 4g5RrrlNCV1DzlMO4sLt798hgAp4n4QVETnr1b1hqiVJ7yV9PoMohYJuq+bois90BubD\n Wj0w==", "X-Google-DKIM-Signature": "v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20210112;\n h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version\n :content-transfer-encoding;\n bh=N2+pYucvOMZLZTd5Ag7nPNXdcaes6YBwgyzCX3JaHXU=;\n b=DCLXAkeCbWUnI86p52iIui4BhBinRJCnurJMyf6RcbkUBpC79u0xiTeXda8XTb7lYm\n tJ8fhjembpYXnVH8krqen+o3Ofc8FesWt8UOk+/Dedt/dBVsjYUj2tYXm12LT/5O723t\n ZIVg9QIgZPg9KiKnlYXIgNeaKBO2hvIij2Ja45E1f8EMMR47kR8XTKfJrKOsZovi9k9t\n 26CDeAfBBI4UjRCb9+0kB3ZwPgIZ1cWwmRnYp5rPwmGbW4uvBAnR3vLKuOwKT/Q/Znwh\n 
cmwsyW6Bv0T1V3X/I6Qezk6f4RU/pqBCPI77vzfq3FR8QC8P9dOtlslBsqWGQ7h3/Qo5\n 6hZg==", "X-Gm-Message-State": "AOAM5334cMB6fzQ1or5aw7WAqp2T5OEhLIroMzznmC1m4UTQSOx/irs2\n Y28Mf2kqkjx3+OFUvF8ugQoMMWxN2hU=", "X-Google-Smtp-Source": "\n ABdhPJy3aBMUcu8CINff8dWzwX3xh/8x7MFyQwfbrHEEiEj6sSHcL9PiW+A3AgSn5zMho/qhzYDbyw==", "X-Received": "by 2002:ac2:4f8f:: with SMTP id z15mr9541912lfs.361.1631915763381;\n Fri, 17 Sep 2021 14:56:03 -0700 (PDT)", "From": "Vladislav Odintsov <odivlad@gmail.com>", "To": "dev@openvswitch.org", "Date": "Sat, 18 Sep 2021 00:56:02 +0300", "Message-Id": "<20210917215602.10633-1-odivlad@gmail.com>", "X-Mailer": "git-send-email 2.30.0", "MIME-Version": "1.0", "Cc": "Vladislav Odintsov <odivlad@gmail.com>", "Subject": "[ovs-dev] [PATCH ovn] northd: support HW VTEP with stateful datapath", "X-BeenThere": "ovs-dev@openvswitch.org", "X-Mailman-Version": "2.1.15", "Precedence": "list", "List-Id": "<ovs-dev.openvswitch.org>", "List-Unsubscribe": "<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>", "List-Archive": "<http://mail.openvswitch.org/pipermail/ovs-dev/>", "List-Post": "<mailto:ovs-dev@openvswitch.org>", "List-Help": "<mailto:ovs-dev-request@openvswitch.org?subject=help>", "List-Subscribe": "<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>", "Content-Type": "text/plain; charset=\"us-ascii\"", "Content-Transfer-Encoding": "7bit", "Errors-To": "ovs-dev-bounces@openvswitch.org", "Sender": "\"dev\" <ovs-dev-bounces@openvswitch.org>" }, "content": "A packet going from HW VTEP device to VIF port when arrives to\nhypervisor chassis should go through LS ingress pipeline to l2_lkp\nstage without any match. 
In l2_lkp stage an output port is\ndetermined and then packet passed to LS egress pipeline for futher\nprocessing and to VIF port delivery.\n\nPrior to this commit a packet, which was received from HW VTEP\ndevice was dropped in an LS ingress datapath, where stateful services\nwere defined (ACLs, LBs).\n\nTo fix this issue we add a special flag-bit which can be used in LS\npipelines, to check whether the packet came from HW VTEP devices.\nIn ls_in_pre_acl and ls_in_pre_lb we add new flow with priority 110\nto skip such packets.\n\nSigned-off-by: Vladislav Odintsov <odivlad@gmail.com>\n---\n northd/northd.c | 14 ++++++++++++++\n northd/ovn-northd.8.xml | 29 +++++++++++++++++++++++++++++\n northd/ovn_northd.dl | 33 +++++++++++++++++++++++++++++++--\n tests/ovn-northd.at | 2 ++\n 4 files changed, 76 insertions(+), 2 deletions(-)", "diff": "diff --git a/northd/northd.c b/northd/northd.c\nindex 688a6e4ef..1b84874a7 100644\n--- a/northd/northd.c\n+++ b/northd/northd.c\n@@ -196,6 +196,7 @@ enum ovn_stage {\n #define REGBIT_LKUP_FDB \"reg0[11]\"\n #define REGBIT_HAIRPIN_REPLY \"reg0[12]\"\n #define REGBIT_ACL_LABEL \"reg0[13]\"\n+#define REGBIT_FROM_RAMP \"reg0[14]\"\n \n #define REG_ORIG_DIP_IPV4 \"reg1\"\n #define REG_ORIG_DIP_IPV6 \"xxreg1\"\n@@ -5112,6 +5113,11 @@ build_lswitch_input_port_sec_op(\n if (queue_id) {\n ds_put_format(actions, \"set_queue(%s); \", queue_id);\n }\n+\n+ if (!strcmp(op->nbsp->type, \"vtep\")) {\n+ ds_put_format(actions, REGBIT_FROM_RAMP\" = 1; \");\n+ }\n+\n ds_put_cstr(actions, \"next;\");\n ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2,\n 50, ds_cstr(match), ds_cstr(actions),\n@@ -5359,6 +5365,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *port_groups,\n \"nd || nd_rs || nd_ra || mldv1 || mldv2 || \"\n \"(udp && udp.src == 546 && udp.dst == 547)\", \"next;\");\n \n+ /* Do not send coming from RAMP switch packets to conntrack. 
*/\n+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,\n+ REGBIT_FROM_RAMP\" == 1\", \"next;\");\n+\n /* Ingress and Egress Pre-ACL Table (Priority 100).\n *\n * Regardless of whether the ACL is \"from-lport\" or \"to-lport\",\n@@ -5463,6 +5473,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows,\n ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,\n \"eth.src == $svc_monitor_mac\", \"next;\");\n \n+ /* Do not send coming from RAMP switch packets to conntrack. */\n+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,\n+ REGBIT_FROM_RAMP\" == 1\", \"next;\");\n+\n /* Allow all packets to go to next tables by default. */\n ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, \"1\", \"next;\");\n ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, \"1\", \"next;\");\ndiff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml\nindex eebf0d717..7bb39d2ab 100644\n--- a/northd/ovn-northd.8.xml\n+++ b/northd/ovn-northd.8.xml\n@@ -262,6 +262,18 @@\n logical ports on which port security is not enabled, these advance all\n packets that match the <code>inport</code>.\n </li>\n+ <li>\n+ Logical flows for RAMP (controller-vtep) devices are created for each\n+ physical switch. Packets came from such devices hit these flows and set\n+ the 14'th bit of OVS register 0 (REG0[14]) to 1. This regbit indicates\n+ that packet came from RAMP (controller-vtep) device. Later in logical\n+ switch ingress pipeline this register is checked in ls_in_acl_pre and\n+ ls_in_lb_pre stages whether to skip sending packet to conntrack in\n+ ingress pipeline or not. Packets from RAMP devices should go though\n+ ingress pipeline without any flow match till ls_in_l2_lkup stage to\n+ determine output port. 
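Review bot: The priority-110 flow added in build_pre_acls (match `REGBIT_FROM_RAMP" == 1"`, action `next;`) exempts any packet carrying reg0[14] from ingress conntrack, so the bypass is only as narrow as the code that sets that bit; the same holds for the matching flow in the build_pre_lb hunk and for both `Flow(...)` additions in northd/ovn_northd.dl. In the visible hunks the bit is set only by the `!strcmp(op->nbsp->type, "vtep")` branch in build_lswitch_input_port_sec_op, but nothing shown here establishes that reg0[14] is otherwise unused or zero at that point, so that should be confirmed against the rest of the file. The comment would be more useful if it recorded the invariant instead of only the effect, for example `/* Skip conntrack for packets from RAMP (vtep) ports: REGBIT_FROM_RAMP is set only in S_SWITCH_IN_PORT_SEC_L2 for ports of type "vtep". */`. Both functions begin and end outside their hunks.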
Stateful ACLs for coming from RAMP device\n+ packets are checked within logical switch egress pipeline.\n+ </li>\n </ul>\n \n <p>\n@@ -453,6 +465,14 @@\n processing.\n </p>\n \n+ <p>\n+ This table has a priority-110 flow with the match\n+ <code>reg0[14] == 1</code> for all logical switch datapaths to resubmit\n+ traffic to the next table. <code>reg0[14]</code> is the register bit,\n+ which indicates that packet was received from RAMP device. Packets from\n+ RAMP device are handled by ACLs only in Logical Switch egress pipeline.\n+ </p>\n+\n <p>\n This table also has a priority-110 flow with the match\n <code>eth.dst == <var>E</var></code> for all logical switch\n@@ -512,6 +532,15 @@\n configured. We can now add a lflow to drop ct.inv packets.\n </p>\n \n+ <p>\n+ This table has a priority-110 flow with the match\n+ <code>reg0[14] == 1</code> for all logical switch datapaths to resubmit\n+ traffic to the next table. <code>reg0[14]</code> is the register bit,\n+ which indicates that packet was received from RAMP device. 
Packets from\n+ RAMP device could be handled by load balancing flows only in Logical\n+ Switch egress pipeline.\n+ </p>\n+\n <p>\n This table also has a priority-110 flow with the match\n <code>eth.dst == <var>E</var></code> for all logical switch\ndiff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl\nindex 669728497..0202af5dc 100644\n--- a/northd/ovn_northd.dl\n+++ b/northd/ovn_northd.dl\n@@ -1631,6 +1631,7 @@ function rEGBIT_ACL_HINT_BLOCK() : istring = i\"reg0[10]\"\n function rEGBIT_LKUP_FDB() : istring = i\"reg0[11]\"\n function rEGBIT_HAIRPIN_REPLY() : istring = i\"reg0[12]\"\n function rEGBIT_ACL_LABEL() : istring = i\"reg0[13]\"\n+function rEGBIT_FROM_RAMP() : istring = i\"reg0[14]\"\n \n function rEG_ORIG_DIP_IPV4() : istring = i\"reg1\"\n function rEG_ORIG_DIP_IPV6() : istring = i\"xxreg1\"\n@@ -2070,6 +2071,16 @@ for (&Switch(._uuid = ls_uuid, .has_stateful_acl = true)) {\n .io_port = None,\n .controller_meter = None);\n \n+ /* Do not send coming from RAMP switch packets to conntrack. */\n+ Flow(.logical_datapath = ls_uuid,\n+ .stage = s_SWITCH_IN_PRE_ACL(),\n+ .priority = 110,\n+ .__match = i\"${rEGBIT_FROM_RAMP()} == 1\",\n+ .actions = i\"next;\",\n+ .stage_hint = 0,\n+ .io_port = None,\n+ .controller_meter = None);\n+\n /* Ingress and Egress Pre-ACL Table (Priority 100).\n *\n * Regardless of whether the ACL is \"from-lport\" or \"to-lport\",\n@@ -2136,6 +2147,16 @@ for (&Switch(._uuid = ls_uuid)) {\n .io_port = None,\n .controller_meter = None);\n \n+ /* Do not send coming from RAMP switch packets to conntrack. */\n+ Flow(.logical_datapath = ls_uuid,\n+ .stage = s_SWITCH_IN_PRE_LB(),\n+ .priority = 110,\n+ .__match = i\"${rEGBIT_FROM_RAMP()} == 1\",\n+ .actions = i\"next;\",\n+ .stage_hint = 0,\n+ .io_port = None,\n+ .controller_meter = None);\n+\n /* Allow all packets to go to next tables by default. 
*/\n Flow(.logical_datapath = ls_uuid,\n .stage = s_SWITCH_IN_PRE_LB(),\n@@ -3361,10 +3382,18 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses\n } else {\n i\"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\\\" \\\")}}\"\n } in\n- var actions = match (pbinding.options.get(i\"qdisc_queue_id\")) {\n+ var actions = {\n+ var ramp = if (lsp.__type == i\"vtep\") {\n+ i\"${rEGBIT_FROM_RAMP()} = 1; \"\n+ } else {\n+ i\"\"\n+ };\n+ var queue = match (pbinding.options.get(i\"qdisc_queue_id\")) {\n None -> i\"next;\",\n Some{id} -> i\"set_queue(${id}); next;\"\n- } in\n+ };\n+ i\"${ramp}${queue}\"\n+ } in\n Flow(.logical_datapath = sw._uuid,\n .stage = s_SWITCH_IN_PORT_SEC_L2(),\n .priority = 50,\ndiff --git a/tests/ovn-northd.at b/tests/ovn-northd.at\nindex 2af3f2096..5de554455 100644\n--- a/tests/ovn-northd.at\n+++ b/tests/ovn-northd.at\n@@ -3597,6 +3597,7 @@ check_stateful_flows() {\n table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;)\n table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == \"sw0-lr0\"), action=(next;)\n table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;)\n+ table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;)\n ])\n \n AT_CHECK([grep \"ls_in_pre_stateful\" sw0flows | sort], [0], [dnl\n@@ -3660,6 +3661,7 @@ AT_CHECK([grep \"ls_in_pre_lb\" sw0flows | sort], [0], [dnl\n table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;)\n table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == \"sw0-lr0\"), action=(next;)\n table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;)\n+ table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;)\n ])\n \n AT_CHECK([grep \"ls_in_pre_stateful\" sw0flows | sort], [0], [dnl\n", "prefixes": [ "ovs-dev" ] }{ "id": 1529570, "url": "
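Review bot: The two expectations added to tests/ovn-northd.at cover only the `ls_in_pre_lb` priority-110 flow; nothing in the visible hunks checks the matching `ls_in_pre_acl` flow, or that a port of type `vtep` gets `reg0[14] = 1;` in its `ls_in_port_sec_l2` action. Since that bit decides whether ingress conntrack is skipped, I would add a check on a switch that has a vtep port and a stateful ACL, asserting that the bit is set in that port's flow and absent from a regular VIF port's flow. The surrounding test bodies start and end outside these hunks, so existing coverage elsewhere in the file should be checked first.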