From patchwork Fri Dec 23 10:31:26 2016
X-Patchwork-Submitter: Mickey Spiegel
X-Patchwork-Id: 708411
From: Mickey Spiegel
To: dev@openvswitch.org
Date: Fri, 23 Dec 2016 02:31:26 -0800
Message-Id: <1482489088-13043-5-git-send-email-mickeys.dev@gmail.com>
In-Reply-To: <1482489088-13043-1-git-send-email-mickeys.dev@gmail.com>
Subject: [ovs-dev] [PATCH 4/6] ovn: move load balancing flows after NAT flows

This will make it easy for distributed NAT to reuse some of the
existing code for NAT flows, while leaving load balancing and defrag
as functionality specific to gateway routers. There is no intent to
change any functionality in this patch.

Signed-off-by: Mickey Spiegel
---
 ovn/northd/ovn-northd.c | 140 ++++++++++++++++++++++++------------------------
 1 file changed, 70 insertions(+), 70 deletions(-)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 6779d46..a333d1c 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c
@@ -4068,76 +4068,6 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, const char *lb_force_snat_ip = get_force_snat_ip(od, "lb", &snat_ip); - /* A set to hold all ips that need defragmentation and tracking. */ - struct sset all_ips = SSET_INITIALIZER(&all_ips); - - for (int i = 0; i < od->nbr->n_load_balancer; i++) { - struct nbrec_load_balancer *lb = od->nbr->load_balancer[i]; - struct smap *vips = &lb->vips; - struct smap_node *node; - - SMAP_FOR_EACH (node, vips) { - uint16_t port = 0; - - /* node->key contains IP:port or just IP. */ - char *ip_address = NULL; - ip_address_and_port_from_lb_key(node->key, &ip_address, &port); - if (!ip_address) { - continue; - } - - if (!sset_contains(&all_ips, ip_address)) { - sset_add(&all_ips, ip_address); - } - - /* Higher priority rules are added for load-balancing in DNAT - * table. For every match (on a VIP[:port]), we add two flows - * via add_router_lb_flow(). One flow is for specific matching - * on ct.new with an action of "ct_lb($targets);". The other - * flow is for ct.est with an action of "ct_dnat;". */ - ds_clear(&actions); - ds_put_format(&actions, "ct_lb(%s);", node->value); - - ds_clear(&match); - ds_put_format(&match, "ip && ip4.dst == %s", - ip_address); - free(ip_address); - - if (port) { - if (lb->protocol && !strcmp(lb->protocol, "udp")) { - ds_put_format(&match, " && udp && udp.dst == %d", - port); - } else { - ds_put_format(&match, " && tcp && tcp.dst == %d", - port); - } - add_router_lb_flow(lflows, od, &match, &actions, 120, - lb_force_snat_ip); - } else { - add_router_lb_flow(lflows, od, &match, &actions, 110, - lb_force_snat_ip); - } - } - } - - /* If there are any load balancing rules, we should send the - * packet to conntrack for defragmentation and tracking. This helps - * with two things. - * - * 1. With tracking, we can send only new connections to pick a - * DNAT ip address from a group. - * 2. 
If there are L4 ports in load balancing rules, we need the - * defragmentation to match on L4 ports. */ - const char *ip_address; - SSET_FOR_EACH(ip_address, &all_ips) { - ds_clear(&match); - ds_put_format(&match, "ip && ip4.dst == %s", ip_address); - ovn_lflow_add(lflows, od, S_ROUTER_IN_DEFRAG, - 100, ds_cstr(&match), "ct_next;"); - } - - sset_destroy(&all_ips); - for (int i = 0; i < od->nbr->n_nat; i++) { const struct nbrec_nat *nat; 
@@ -4292,6 +4222,76 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, * routing in the openflow pipeline. */ ovn_lflow_add(lflows, od, S_ROUTER_IN_DNAT, 50, "ip", "flags.loopback = 1; ct_dnat;"); + + /* A set to hold all ips that need defragmentation and tracking. */ + struct sset all_ips = SSET_INITIALIZER(&all_ips); + + for (int i = 0; i < od->nbr->n_load_balancer; i++) { + struct nbrec_load_balancer *lb = od->nbr->load_balancer[i]; + struct smap *vips = &lb->vips; + struct smap_node *node; + + SMAP_FOR_EACH (node, vips) { + uint16_t port = 0; + + /* node->key contains IP:port or just IP. */ + char *ip_address = NULL; + ip_address_and_port_from_lb_key(node->key, &ip_address, &port); + if (!ip_address) { + continue; + } + + if (!sset_contains(&all_ips, ip_address)) { + sset_add(&all_ips, ip_address); + } + + /* Higher priority rules are added for load-balancing in DNAT + * table. For every match (on a VIP[:port]), we add two flows + * via add_router_lb_flow(). One flow is for specific matching + * on ct.new with an action of "ct_lb($targets);". The other + * flow is for ct.est with an action of "ct_dnat;". */ + ds_clear(&actions); + ds_put_format(&actions, "ct_lb(%s);", node->value); + + ds_clear(&match); + ds_put_format(&match, "ip && ip4.dst == %s", + ip_address); + free(ip_address); + + if (port) { + if (lb->protocol && !strcmp(lb->protocol, "udp")) { + ds_put_format(&match, " && udp && udp.dst == %d", + port); + } else { + ds_put_format(&match, " && tcp && tcp.dst == %d", + port); + } + add_router_lb_flow(lflows, od, &match, &actions, 120, + lb_force_snat_ip); + } else { + add_router_lb_flow(lflows, od, &match, &actions, 110, + lb_force_snat_ip); + } + } + } + + /* If there are any load balancing rules, we should send the + * packet to conntrack for defragmentation and tracking. This helps + * with two things. + * + * 1. With tracking, we can send only new connections to pick a + * DNAT ip address from a group. + * 2. 
If there are L4 ports in load balancing rules, we need the + * defragmentation to match on L4 ports. */ + const char *ip_address; + SSET_FOR_EACH(ip_address, &all_ips) { + ds_clear(&match); + ds_put_format(&match, "ip && ip4.dst == %s", ip_address); + ovn_lflow_add(lflows, od, S_ROUTER_IN_DEFRAG, + 100, ds_cstr(&match), "ct_next;"); + } + + sset_destroy(&all_ips); } /* Logical router ingress table 5: IP Routing.
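
Review bot: The commit message for the first hunk (the block removed at -4068) says no functional change is intended but does not say why the move is safe, and that is the one thing a reader of this series needs to know. The removed block only emits flows into S_ROUTER_IN_DEFRAG at priority 100 and, through add_router_lb_flow(), load-balancing flows at priorities 120 and 110. Logical flows are selected by table and priority, not by the order in which ovn_lflow_add() is called, so emitting them after the NAT flows and after the priority-50 "flags.loopback = 1; ct_dnat;" flow should produce the same flow set. Please add a sentence to that effect to the commit message so the "no functional change" claim can be checked against something.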
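
Review bot: In the second hunk (+4222), the moved block now runs only if control reaches the point just after the priority-50 ct_dnat flow, roughly 150 lines below its old position, and the code in between is not part of this diff. If anything in that span can skip the rest of the iteration (a continue, an early return, or a conditional that encloses the new position), routers that take that path would lose their ct_lb flows and their S_ROUTER_IN_DEFRAG "ct_next;" flows, which would be a behaviour change. Please confirm the new position is unconditional at the same nesting level as the old one, ideally by comparing the generated logical flows for a gateway router with load balancers before and after the patch. Two smaller points on the same hunk: lb_force_snat_ip is still computed at the old site and is now consumed far from where it is set, so a short comment at the add_router_lb_flow() calls would help; and the block correctly starts with ds_clear(&actions) and ds_clear(&match), so nothing left in those buffers by the NAT code can leak into the load-balancing matches.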