From patchwork Mon Nov 12 06:27:47 2018
X-Patchwork-Submitter: Mary Manohar
X-Patchwork-Id: 996276
From: Mary Manohar
To: ovs-dev@openvswitch.org
Date: Mon, 12 Nov 2018 06:27:47 +0000
Message-ID: <1542004180-202310-1-git-send-email-mary.manohar@nutanix.com>
Subject: [ovs-dev] [PATCH v2 1/3] Routing policies, add routing-policy commands in ovn-nbctl

Policy-based routing (PBR) provides a mechanism to configure permit/deny and reroute policies on the router. Permit/deny policies are similar to OVN ACLs, but exist on the logical-router. Reroute policies are needed for service-insertion and service-chaining. Currently, we support only stateless policies.

To achieve this, a new table is introduced in the ingress pipeline of the Logical-router. The new table is between the 'IP Routing' and the 'ARP/ND resolution' table. This way, PBR can override routing decisions and provide a different next-hop.

This Series:
a. Changes in OVN NB Schema to introduce a new table in the Logical router.
b. Add commands to ovn-nbctl to add/delete/list routing policies.
c.
Changes in ovn-northd to process routing-policy configurations. This Patch: Add a new table 'Logical_Router_Policy' in the northbound schema. The table has the following columns: * priority: Rules with numerically higher priority take precedence over those with lower. * match: Uses the same expression language as the 'match' column of 'Logical_Flow' table in the OVN Southbound database. * action: allow/drop/reroute * nexthop: Nexthop IP address. Each row in this table represents one routing policy for a logical router. The 'action' column for the highest priority matching row in this table determines a packet's treatment. If no row matches, packets are allowed by default. Signed-off-by: Mary Manohar --- ovn/ovn-nb.ovsschema | 19 ++++++++++++++-- ovn/ovn-nb.xml | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 80 insertions(+), 2 deletions(-) diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema index f3683df..ff16985 100644 --- a/ovn/ovn-nb.ovsschema +++ b/ovn/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "5.14.0", - "cksum": "3600467067 20513", + "version": "5.15.0", + "cksum": "3545233945 21390", "tables": { "NB_Global": { "columns": { @@ -242,6 +242,11 @@ "refType": "strong"}, "min": 0, "max": "unlimited"}}, + "policies": {"type": {"key": {"type": "uuid", + "refTable": "Logical_Router_Policy", + "refType": "strong"}, + "min": 0, + "max": "unlimited"}}, "enabled": {"type": {"key": "boolean", "min": 0, "max": 1}}, "nat": {"type": {"key": {"type": "uuid", "refTable": "NAT", 
@@ -303,6 +308,16 @@ "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}, "isRoot": false}, + "Logical_Router_Policy": { + "columns": { + "priority": {"type": {"key": {"type": "integer", + "minInteger": 0, + "maxInteger": 32767}}}, + "match": {"type": "string"}, + "action": {"type": {"key": {"type": "string", + "enum": ["set", ["allow", "drop", "reroute"]]}}}, + "nexthop": {"type": {"key": "string", "min": 0, "max": 1}}}, + "isRoot": false}, "NAT": { "columns": { "external_ip": {"type": "string"}, diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 474b4f9..0675d39 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -1236,6 +1236,10 @@ One or more static routes for the router. + + One or more routing policies for the router. + + This column is used to administratively set router state. If this column is empty or is set to true, the router is enabled. If this @@ -1793,6 +1797,65 @@ + +

+ Each row in this table represents one routing policy for a logical router + that points to it through its column. The column for the highest- + matching row in this table determines a packet's treatment. If no row + matches, packets are allowed by default. (Default-deny treatment is + possible: add a rule with 0, 0 as + , and drop as .) +

+ + +

+ The routing policy's priority. Rules with numerically higher priority + take precedence over those with lower. A rule is uniquely identified + by the priority and match string. +

+
+ + +

+ The packets that the routing policy should match, in the same expression + language used for the column in the OVN Southbound database's + table. +

+ +

+ By default all traffic is allowed. When writing a more + restrictive policy, it is important to remember to allow flows + such as ARP and IPv6 neighbor discovery packets. +

+
+ + +

The action to take when the routing policy matches:

+
    +
  • + allow: Forward the packet. +
  • + +
  • + drop: Silently drop the packet. +
  • + +
  • + reroute: Reroute packet to nexthop +
  • +
+
+ + +

+ Nexthop IP address for this route. Nexthop IP address should be the IP + address of a connected router port or the IP address of a logical port. +

+
+
+

Each record represents a NAT rule.
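Review bot: in the ovn-nb.ovsschema hunk that adds the Logical_Router_Policy table, nothing ties "nexthop" to "action": nexthop is an optional free-form string ("min": 0, "max": 1) while action may be "reroute", so a reroute row with no nexthop, or with a nexthop that is not an IP address, is valid to the database. Since OVSDB cannot express that dependency, the ovn-nbctl command and ovn-northd changes later in this series need to reject or skip such rows, and ovn-nb.xml should say what happens to them. The documentation hunk also states that a rule is uniquely identified by priority and match, but the table declares no "indexes" entry, so two rows with equal priority and match but different actions can coexist and the winner is undefined; either enforce it (noting that a table-level index would be global across routers, not per router) or specify how ovn-northd resolves duplicates.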
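Review bot: in the ovn-nb.xml hunk documenting Logical_Router_Policy, the default-deny example reads "add a rule with 0, 0 as ..., and drop as ..."; if the second 0 is the match expression it should be 1 (always true), as the ACL table's default-deny example uses, since a match of 0 never matches and the rule would never drop anything. The nexthop description says "Nexthop IP address for this route" although the row is a policy rather than a route, and it should state that nexthop is only used, and is required, when action is reroute. Minor: the "reroute: Reroute packet to nexthop" bullet lacks the terminating period the other two bullets have.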
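The lookup the commit message describes (highest-priority matching row decides, default allow, reroute needs a nexthop), as an added Python example that is not part of this patch or of OVN: match expressions are modelled as Python predicates over a packet dict instead of OVN's match language, and the packet field names and addresses below are constructed.

```python
# Added example, not OVN code: models Logical_Router_Policy row selection.
from dataclasses import dataclass
from typing import Callable, Optional

MAX_PRIORITY = 32767                      # "maxInteger": 32767 in the schema hunk
ACTIONS = {"allow", "drop", "reroute"}    # the "action" enum in the schema hunk


@dataclass(frozen=True)
class Policy:
    priority: int
    match: Callable[[dict], bool]   # stand-in for OVN's match expression language
    action: str
    nexthop: Optional[str] = None   # optional in the schema, needed for reroute


def validate(policy: Policy) -> None:
    """Check the schema's constraints plus the one it cannot express:
    a reroute policy must carry a nexthop."""
    if not 0 <= policy.priority <= MAX_PRIORITY:
        raise ValueError(f"priority {policy.priority} outside 0..{MAX_PRIORITY}")
    if policy.action not in ACTIONS:
        raise ValueError(f"unknown action {policy.action!r}")
    if policy.action == "reroute" and not policy.nexthop:
        raise ValueError("reroute policy requires a nexthop")


def apply_policies(policies, packet):
    """Return (action, nexthop) for packet: the highest-priority matching row
    wins; with no match the packet is allowed and routing is left as is."""
    for p in sorted(policies, key=lambda p: p.priority, reverse=True):
        validate(p)
        if p.match(packet):
            return p.action, (p.nexthop if p.action == "reroute" else None)
    return "allow", None


# Constructed sample: keep ARP/ND allowed (as the doc advises), send web traffic
# from 10.0.1.0/24 through a service appliance, drop the rest of that subnet.
SAMPLE_POLICIES = [
    Policy(3000, lambda pkt: pkt.get("eth_type") in ("arp", "nd"), "allow"),
    Policy(2000, lambda pkt: pkt.get("ip4_src", "").startswith("10.0.1.")
           and pkt.get("tcp_dst") == 80, "reroute", "10.0.0.254"),
    Policy(1000, lambda pkt: pkt.get("ip4_src", "").startswith("10.0.1."), "drop"),
]
```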