Message ID | 20200109121756.1002736-1-numans@ovn.org |
---|---|
State | Accepted |
Series | [ovs-dev,ovn,v2] Restrict ARP/IPv6 ND replies for LB VIP only on chassis redirect port |
On Thu, Jan 9, 2020 at 1:18 PM <numans@ovn.org> wrote: > > From: Numan Siddique <numans@ovn.org> > > Presently when ARP/ND request for the load balance VIP is received > from the provider network, all the ovn-controllers' reply to the ARP/ND > request which have ovn-bridge-mappings configured. > > This patch restricts these ARP/ND replies only on the chassis where the > chassis redirect port of the distributed router port is resident. > > Signed-off-by: Numan Siddique <numans@ovn.org> Acked-by: Dumitru Ceara <dceara@redhat.com> Thanks, Dumitru > --- > v1 -> v2 > ----- > * Added the lflow for IPv6 LB VIPs. > > northd/ovn-northd.8.xml | 14 ++++++++++++++ > northd/ovn-northd.c | 8 ++++++++ > 2 files changed, 22 insertions(+) > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > index c6d5d96b9..4b227ca71 100644 > --- a/northd/ovn-northd.8.xml > +++ b/northd/ovn-northd.8.xml > @@ -1680,6 +1680,13 @@ flags.loopback = 1; > output; > </pre> > > + <p> > + If the router port <var>P</var> is a distributed gateway router > + port, then the <code>is_chassis_resident(<var>P</var>)</code> is > + also added in the match condition for the load balancer IPv4 > + VIP <var>A</var>. > + </p> > + > <p> > IPv6: For a configured DNAT IP address or a load balancer > IPv6 VIP <var>A</var>, solicited node address <var>S</var>, > @@ -1704,6 +1711,13 @@ nd_na { > } > </pre> > > + <p> > + If the router port <var>P</var> is a distributed gateway router > + port, then the <code>is_chassis_resident(<var>P</var>)</code> > + is also added in the match condition for the load balancer IPv6 > + VIP <var>A</var>. > + </p> > + > <p> > For the gateway port on a distributed logical router with NAT > (where one of the logical router ports specifies a > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index d91a008b7..b6dc809d7 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c 
> @@ -7511,6 +7511,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, > "inport == %s && arp.tpa == %s && arp.op == 1", > op->json_key, ip_address); > > + if (op == op->od->l3dgw_port) { > + ds_put_format(&match, " && is_chassis_resident(%s)", > + op->od->l3redirect_port->json_key); > + } > ds_clear(&actions); > ds_put_format(&actions, > "eth.dst = eth.src; " > @@ -7538,6 +7542,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, > "inport == %s && nd_ns && nd.target == %s", > op->json_key, ip_address); > > + if (op == op->od->l3dgw_port) { > + ds_put_format(&match, " && is_chassis_resident(%s)", > + op->od->l3redirect_port->json_key); > + } > ds_clear(&actions); > ds_put_format(&actions, > "nd_na { " > -- > 2.24.1 > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
On Thu, Jan 9, 2020 at 7:35 PM Dumitru Ceara <dceara@redhat.com> wrote: > > On Thu, Jan 9, 2020 at 1:18 PM <numans@ovn.org> wrote: > > > > From: Numan Siddique <numans@ovn.org> > > > > Presently when ARP/ND request for the load balance VIP is received > > from the provider network, all the ovn-controllers' reply to the ARP/ND > > request which have ovn-bridge-mappings configured. > > > > This patch restricts these ARP/ND replies only on the chassis where the > > chassis redirect port of the distributed router port is resident. > > > > Signed-off-by: Numan Siddique <numans@ovn.org> > > Acked-by: Dumitru Ceara <dceara@redhat.com> Thanks Dumitru. I applied this patch to master. Numan > > Thanks, > Dumitru > > > --- > > v1 -> v2 > > ----- > > * Added the lflow for IPv6 LB VIPs. > > > > northd/ovn-northd.8.xml | 14 ++++++++++++++ > > northd/ovn-northd.c | 8 ++++++++ > > 2 files changed, 22 insertions(+) > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > index c6d5d96b9..4b227ca71 100644 > > --- a/northd/ovn-northd.8.xml > > +++ b/northd/ovn-northd.8.xml > > @@ -1680,6 +1680,13 @@ flags.loopback = 1; > > output; > > </pre> > > > > + <p> > > + If the router port <var>P</var> is a distributed gateway router > > + port, then the <code>is_chassis_resident(<var>P</var>)</code> is > > + also added in the match condition for the load balancer IPv4 > > + VIP <var>A</var>. > > + </p> > > + > > <p> > > IPv6: For a configured DNAT IP address or a load balancer > > IPv6 VIP <var>A</var>, solicited node address <var>S</var>, > > @@ -1704,6 +1711,13 @@ nd_na { > > } > > </pre> > > > > + <p> > > + If the router port <var>P</var> is a distributed gateway router > > + port, then the <code>is_chassis_resident(<var>P</var>)</code> > > + is also added in the match condition for the load balancer IPv6 > > + VIP <var>A</var>. > > + </p> > > + > > <p> > > For the gateway port on a distributed logical router with NAT > > (where one of the logical router ports specifies a 
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > index d91a008b7..b6dc809d7 100644 > > --- a/northd/ovn-northd.c > > +++ b/northd/ovn-northd.c > > @@ -7511,6 +7511,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, > > "inport == %s && arp.tpa == %s && arp.op == 1", > > op->json_key, ip_address); > > > > + if (op == op->od->l3dgw_port) { > > + ds_put_format(&match, " && is_chassis_resident(%s)", > > + op->od->l3redirect_port->json_key); > > + } > > ds_clear(&actions); > > ds_put_format(&actions, > > "eth.dst = eth.src; " > > @@ -7538,6 +7542,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, > > "inport == %s && nd_ns && nd.target == %s", > > op->json_key, ip_address); > > > > + if (op == op->od->l3dgw_port) { > > + ds_put_format(&match, " && is_chassis_resident(%s)", > > + op->od->l3redirect_port->json_key); > > + } > > ds_clear(&actions); > > ds_put_format(&actions, > > "nd_na { " > > -- > > 2.24.1 > > > > _______________________________________________ > > dev mailing list > > dev@openvswitch.org > > https://mail.openvswitch.org/mailman/listinfo/ovs-dev > > > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index c6d5d96b9..4b227ca71 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -1680,6 +1680,13 @@ flags.loopback = 1; output; </pre> + <p> + If the router port <var>P</var> is a distributed gateway router + port, then the <code>is_chassis_resident(<var>P</var>)</code> is + also added in the match condition for the load balancer IPv4 + VIP <var>A</var>. + </p> + <p> IPv6: For a configured DNAT IP address or a load balancer IPv6 VIP <var>A</var>, solicited node address <var>S</var>, @@ -1704,6 +1711,13 @@ nd_na { } </pre> + <p> + If the router port <var>P</var> is a distributed gateway router + port, then the <code>is_chassis_resident(<var>P</var>)</code> + is also added in the match condition for the load balancer IPv6 + VIP <var>A</var>. + </p> + <p> For the gateway port on a distributed logical router with NAT (where one of the logical router ports specifies a diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index d91a008b7..b6dc809d7 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -7511,6 +7511,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, "inport == %s && arp.tpa == %s && arp.op == 1", op->json_key, ip_address); + if (op == op->od->l3dgw_port) { + ds_put_format(&match, " && is_chassis_resident(%s)", + op->od->l3redirect_port->json_key); + } ds_clear(&actions); ds_put_format(&actions, "eth.dst = eth.src; " @@ -7538,6 +7542,10 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, "inport == %s && nd_ns && nd.target == %s", op->json_key, ip_address); + if (op == op->od->l3dgw_port) { + ds_put_format(&match, " && is_chassis_resident(%s)", + op->od->l3redirect_port->json_key); + } ds_clear(&actions); ds_put_format(&actions, "nd_na { "
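Review bot: In both added paragraphs of northd/ovn-northd.8.xml the documented condition is `is_chassis_resident(P)`, with P the distributed gateway router port, but the ovn-northd.c hunks build the clause from `op->od->l3redirect_port->json_key`, which is the chassis redirect port named in the commit message. Suggest rewording both paragraphs so the argument is described as the chassis redirect port of P, so that the man page matches the logical flow that is actually generated.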
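Review bot: In the `@@ -7511` hunk of build_lrouter_flows(), `op->od->l3redirect_port->json_key` is dereferenced under a guard that only tests `op == op->od->l3dgw_port`, and nothing in the visible lines shows that `l3redirect_port` is always set when `l3dgw_port` is. If that invariant is established elsewhere, a one-line comment or an assertion here would record it; otherwise extend the condition with `&& op->od->l3redirect_port` so the ARP flow is still built without the extra clause instead of crashing ovn-northd.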
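Review bot: The four lines added in the `@@ -7538` (nd_ns) hunk are a verbatim copy of the ones added in the ARP hunk, so the IPv4 and IPv6 paths can drift apart on the next change; a small helper that appends the `is_chassis_resident(...)` clause to `match` would keep them in step. The diffstat lists only ovn-northd.8.xml and ovn-northd.c, so a test that checks the generated ARP and ND logical flows for a load balancer VIP on a distributed gateway port would also be worth adding.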