Message ID | 20201211191048.2530949-1-numans@ovn.org |
---|---|
State | Accepted |
Series | [ovs-dev,v3,1/2] Add missing documentation for router policy and ecmp sym reply stage. |
For the series, Acked-by: Mark Michelson <mmichels@redhat.com> I think patch 1 should go into the 20.12 branch in addition to going into master. On 12/11/20 2:10 PM, numans@ovn.org wrote: > From: Numan Siddique <numans@ovn.org> > > Fixes: df4f37ea7f82("Policy-based routing (PBR) in OVN.) > Fixes: a123ef0fb8fd("Support packet metadata marking for logical router policies.") > Fixes: 4fdca656857d("Add ECMP symmetric replies.") > > Signed-off-by: Numan Siddique <numans@ovn.org> > --- > > v1 -> v2 -> v3 > -------------- > * No changes. > > northd/ovn-northd.8.xml | 86 ++++++++++++++++++++++++++++++++++++----- > 1 file changed, 77 insertions(+), 9 deletions(-) > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > index 8bbe577b69..d86f36ea63 100644 > --- a/northd/ovn-northd.8.xml > +++ b/northd/ovn-northd.8.xml > @@ -2714,7 +2714,25 @@ icmp6 { > </li> > </ul> > > - <h3>Ingress Table 7: IPv6 ND RA option processing</h3> > + <h3>Ingress Table 7: ECMP symmetric reply processing</h3> > + <ul> > + <li> > + If ECMP routes with symmetric reply are configured in the > + <code>OVN_Northbound</code> database for a gateway router, a > + priority-100 flow is added for each router port on which symmetric > + replies are configured. The matching logic for these ports essentially > + reverses the configured logic of the ECMP route. So for instance, a > + route with a destination routing policy will instead match if the > + source IP address matches the static route's prefix. The flow uses > + the action <code>ct_commit { ct_label.ecmp_reply_eth = eth.src;" > + " ct_label.ecmp_reply_port = <var>K</var>;}; next; </code> to commit > + the connection and storing <code>eth.src</code> and the ECMP > + reply port binding tunnel key <var>K</var> in the > + <code>ct_label</code>. > + </li> > + </ul> > + > + <h3>Ingress Table 8: IPv6 ND RA option processing</h3> > > <ul> > <li> 
> @@ -2744,7 +2762,7 @@ reg0[5] = put_nd_ra_opts(<var>options</var>);next; > </li> > </ul> > > - <h3>Ingress Table 8: IPv6 ND RA responder</h3> > + <h3>Ingress Table 9: IPv6 ND RA responder</h3> > > <p> > This table implements IPv6 ND RA responder for the IPv6 ND RA replies > @@ -2789,7 +2807,7 @@ output; > </li> > </ul> > > - <h3>Ingress Table 9: IP Routing</h3> > + <h3>Ingress Table 10: IP Routing</h3> > > <p> > A packet that arrives at this table is an IP packet that should be > @@ -2952,7 +2970,7 @@ select(reg8[16..31], <var>MID1</var>, <var>MID2</var>, ...); > </li> > </ul> > > - <h3>Ingress Table 10: IP_ROUTING_ECMP</h3> > + <h3>Ingress Table 11: IP_ROUTING_ECMP</h3> > > <p> > This table implements the second part of IP routing for ECMP routes 
> @@ -3004,7 +3022,57 @@ outport = <var>P</var>; > </li> > </ul> > > - <h3>Ingress Table 12: ARP/ND Resolution</h3> > + <h3>Ingress Table 12: Router policies</h3> > + <p> > + This table adds flows for the logical router policies configured > + on the logical router. Please see the > + <code>OVN_Northbound</code> database <code>Logical_Router_Policy</code> > + table documentation in <code>ovn-nb</code> for supported actions. > + </p> > + > + <ul> > + <li> > + <p> > + For each router policy configured on the logical router, a > + logical flow is added with specified priority, match and > + actions. > + </p> > + </li> > + > + <li> > + <p> > + If the policy action is <code>reroute</code>, then the logical > + flow is added with the following actions: > + </p> > + > + <pre> > +[xx]reg0 = <var>H</var>; > +eth.src = <var>E</var>; > +outport = <var>P</var>; > +flags.loopback = 1; > +next; > + </pre> > + > + <p> > + where <var>H</var> is the <code>nexthop </code> defined in the > + router policy, <var>E</var> is the ethernet address of the > + logical router port from which the <code>nexthop</code> is > + reachable and <var>P</var> is the logical router port from > + which the <code>nexthop</code> is reachable. > + </p> > + </li> > + > + <li> > + <p> > + If a router policy has the option <code>pkt_mark=<var>m</var></code> > + set and if the action is <code>not</code> drop, then the action also > + includes <code>pkt.mark = <var>m</var></code> to mark the packet > + with the marker <var>m</var>. > + </p> > + </li> > + </ul> > + > + <h3>Ingress Table 13: ARP/ND Resolution</h3> > > <p> > Any packet that reaches this table is an IP packet whose next-hop > @@ -3190,7 +3258,7 @@ outport = <var>P</var>; > > </ul> > > - <h3>Ingress Table 13: Check packet length</h3> > + <h3>Ingress Table 14: Check packet length</h3> > > <p> > For distributed logical routers with distributed gateway port configured 
> @@ -3220,7 +3288,7 @@ REGBIT_PKT_LARGER = check_pkt_larger(<var>L</var>); next; > and advances to the next table. > </p> > > - <h3>Ingress Table 14: Handle larger packets</h3> > + <h3>Ingress Table 15: Handle larger packets</h3> > > <p> > For distributed logical routers with distributed gateway port configured > @@ -3281,7 +3349,7 @@ icmp6 { > and advances to the next table. > </p> > > - <h3>Ingress Table 15: Gateway Redirect</h3> > + <h3>Ingress Table 16: Gateway Redirect</h3> > > <p> > For distributed logical routers where one of the logical router > @@ -3321,7 +3389,7 @@ icmp6 { > </li> > </ul> > > - <h3>Ingress Table 16: ARP Request</h3> > + <h3>Ingress Table 17: ARP Request</h3> > > <p> > In the common case where the Ethernet destination has been resolved, this >
On Mon, Dec 14, 2020 at 11:35 PM Mark Michelson <mmichels@redhat.com> wrote: > > For the series, > > Acked-by: Mark Michelson <mmichels@redhat.com> > > I think patch 1 should go into the 20.12 branch in addition to going > into master. > Thanks for the reviews. I applied the series to master and the 1st patch to branch-20.12. I also added a NEWS entry for this which I missed while submitting the patches. Thanks Numan > On 12/11/20 2:10 PM, numans@ovn.org wrote: > > From: Numan Siddique <numans@ovn.org> > > > > Fixes: df4f37ea7f82("Policy-based routing (PBR) in OVN.) > > Fixes: a123ef0fb8fd("Support packet metadata marking for logical router policies.") > > Fixes: 4fdca656857d("Add ECMP symmetric replies.") > > > > Signed-off-by: Numan Siddique <numans@ovn.org> > > --- > > > > v1 -> v2 -> v3 > > -------------- > > * No changes. > > > > northd/ovn-northd.8.xml | 86 ++++++++++++++++++++++++++++++++++++----- > > 1 file changed, 77 insertions(+), 9 deletions(-) > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > index 8bbe577b69..d86f36ea63 100644 > > --- a/northd/ovn-northd.8.xml > > +++ b/northd/ovn-northd.8.xml 
> > @@ -2714,7 +2714,25 @@ icmp6 { > > </li> > > </ul> > > > > - <h3>Ingress Table 7: IPv6 ND RA option processing</h3> > > + <h3>Ingress Table 7: ECMP symmetric reply processing</h3> > > + <ul> > > + <li> > > + If ECMP routes with symmetric reply are configured in the > > + <code>OVN_Northbound</code> database for a gateway router, a > > + priority-100 flow is added for each router port on which symmetric > > + replies are configured. The matching logic for these ports essentially > > + reverses the configured logic of the ECMP route. So for instance, a > > + route with a destination routing policy will instead match if the > > + source IP address matches the static route's prefix. The flow uses > > + the action <code>ct_commit { ct_label.ecmp_reply_eth = eth.src;" > > + " ct_label.ecmp_reply_port = <var>K</var>;}; next; </code> to commit > > + the connection and storing <code>eth.src</code> and the ECMP > > + reply port binding tunnel key <var>K</var> in the > > + <code>ct_label</code>. > > + </li> > > + </ul> > > + > > + <h3>Ingress Table 8: IPv6 ND RA option processing</h3> > > > > <ul> > > <li> > > @@ -2744,7 +2762,7 @@ reg0[5] = put_nd_ra_opts(<var>options</var>);next; > > </li> > > </ul> > > > > - <h3>Ingress Table 8: IPv6 ND RA responder</h3> > > + <h3>Ingress Table 9: IPv6 ND RA responder</h3> > > > > <p> > > This table implements IPv6 ND RA responder for the IPv6 ND RA replies > > @@ -2789,7 +2807,7 @@ output; > > </li> > > </ul> > > > > - <h3>Ingress Table 9: IP Routing</h3> > > + <h3>Ingress Table 10: IP Routing</h3> > > > > <p> > > A packet that arrives at this table is an IP packet that should be > > @@ -2952,7 +2970,7 @@ select(reg8[16..31], <var>MID1</var>, <var>MID2</var>, ...); > > </li> > > </ul> > > > > - <h3>Ingress Table 10: IP_ROUTING_ECMP</h3> > > + <h3>Ingress Table 11: IP_ROUTING_ECMP</h3> > > > > <p> > > This table implements the second part of IP routing for ECMP routes 
> > @@ -3004,7 +3022,57 @@ outport = <var>P</var>; > > </li> > > </ul> > > > > - <h3>Ingress Table 12: ARP/ND Resolution</h3> > > + <h3>Ingress Table 12: Router policies</h3> > > + <p> > > + This table adds flows for the logical router policies configured > > + on the logical router. Please see the > > + <code>OVN_Northbound</code> database <code>Logical_Router_Policy</code> > > + table documentation in <code>ovn-nb</code> for supported actions. > > + </p> > > + > > + <ul> > > + <li> > > + <p> > > + For each router policy configured on the logical router, a > > + logical flow is added with specified priority, match and > > + actions. > > + </p> > > + </li> > > + > > + <li> > > + <p> > > + If the policy action is <code>reroute</code>, then the logical > > + flow is added with the following actions: > > + </p> > > + > > + <pre> > > +[xx]reg0 = <var>H</var>; > > +eth.src = <var>E</var>; > > +outport = <var>P</var>; > > +flags.loopback = 1; > > +next; > > + </pre> > > + > > + <p> > > + where <var>H</var> is the <code>nexthop </code> defined in the > > + router policy, <var>E</var> is the ethernet address of the > > + logical router port from which the <code>nexthop</code> is > > + reachable and <var>P</var> is the logical router port from > > + which the <code>nexthop</code> is reachable. > > + </p> > > + </li> > > + > > + <li> > > + <p> > > + If a router policy has the option <code>pkt_mark=<var>m</var></code> > > + set and if the action is <code>not</code> drop, then the action also > > + includes <code>pkt.mark = <var>m</var></code> to mark the packet > > + with the marker <var>m</var>. > > + </p> > > + </li> > > + </ul> > > + > > + <h3>Ingress Table 13: ARP/ND Resolution</h3> > > > > <p> > > Any packet that reaches this table is an IP packet whose next-hop 
> > @@ -3190,7 +3258,7 @@ outport = <var>P</var>; > > > > </ul> > > > > - <h3>Ingress Table 13: Check packet length</h3> > > + <h3>Ingress Table 14: Check packet length</h3> > > > > <p> > > For distributed logical routers with distributed gateway port configured > > @@ -3220,7 +3288,7 @@ REGBIT_PKT_LARGER = check_pkt_larger(<var>L</var>); next; > > and advances to the next table. > > </p> > > > > - <h3>Ingress Table 14: Handle larger packets</h3> > > + <h3>Ingress Table 15: Handle larger packets</h3> > > > > <p> > > For distributed logical routers with distributed gateway port configured > > @@ -3281,7 +3349,7 @@ icmp6 { > > and advances to the next table. > > </p> > > > > - <h3>Ingress Table 15: Gateway Redirect</h3> > > + <h3>Ingress Table 16: Gateway Redirect</h3> > > > > <p> > > For distributed logical routers where one of the logical router > > @@ -3321,7 +3389,7 @@ icmp6 { > > </li> > > </ul> > > > > - <h3>Ingress Table 16: ARP Request</h3> > > + <h3>Ingress Table 17: ARP Request</h3> > > > > <p> > > In the common case where the Ethernet destination has been resolved, this > > > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 8bbe577b69..d86f36ea63 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -2714,7 +2714,25 @@ icmp6 { </li> </ul> - <h3>Ingress Table 7: IPv6 ND RA option processing</h3> + <h3>Ingress Table 7: ECMP symmetric reply processing</h3> + <ul> + <li> + If ECMP routes with symmetric reply are configured in the + <code>OVN_Northbound</code> database for a gateway router, a + priority-100 flow is added for each router port on which symmetric + replies are configured. The matching logic for these ports essentially + reverses the configured logic of the ECMP route. So for instance, a + route with a destination routing policy will instead match if the + source IP address matches the static route's prefix. The flow uses + the action <code>ct_commit { ct_label.ecmp_reply_eth = eth.src;" + " ct_label.ecmp_reply_port = <var>K</var>;}; next; </code> to commit + the connection and storing <code>eth.src</code> and the ECMP + reply port binding tunnel key <var>K</var> in the + <code>ct_label</code>. + </li> + </ul> + + <h3>Ingress Table 8: IPv6 ND RA option processing</h3> <ul> <li> @@ -2744,7 +2762,7 @@ reg0[5] = put_nd_ra_opts(<var>options</var>);next; </li> </ul> - <h3>Ingress Table 8: IPv6 ND RA responder</h3> + <h3>Ingress Table 9: IPv6 ND RA responder</h3> <p> This table implements IPv6 ND RA responder for the IPv6 ND RA replies @@ -2789,7 +2807,7 @@ output; </li> </ul> - <h3>Ingress Table 9: IP Routing</h3> + <h3>Ingress Table 10: IP Routing</h3> <p> A packet that arrives at this table is an IP packet that should be @@ -2952,7 +2970,7 @@ select(reg8[16..31], <var>MID1</var>, <var>MID2</var>, ...); </li> </ul> - <h3>Ingress Table 10: IP_ROUTING_ECMP</h3> + <h3>Ingress Table 11: IP_ROUTING_ECMP</h3> <p> This table implements the second part of IP routing for ECMP routes 
@@ -3004,7 +3022,57 @@ outport = <var>P</var>; </li> </ul> - <h3>Ingress Table 12: ARP/ND Resolution</h3> + <h3>Ingress Table 12: Router policies</h3> + <p> + This table adds flows for the logical router policies configured + on the logical router. Please see the + <code>OVN_Northbound</code> database <code>Logical_Router_Policy</code> + table documentation in <code>ovn-nb</code> for supported actions. + </p> + + <ul> + <li> + <p> + For each router policy configured on the logical router, a + logical flow is added with specified priority, match and + actions. + </p> + </li> + + <li> + <p> + If the policy action is <code>reroute</code>, then the logical + flow is added with the following actions: + </p> + + <pre> +[xx]reg0 = <var>H</var>; +eth.src = <var>E</var>; +outport = <var>P</var>; +flags.loopback = 1; +next; + </pre> + + <p> + where <var>H</var> is the <code>nexthop </code> defined in the + router policy, <var>E</var> is the ethernet address of the + logical router port from which the <code>nexthop</code> is + reachable and <var>P</var> is the logical router port from + which the <code>nexthop</code> is reachable. + </p> + </li> + + <li> + <p> + If a router policy has the option <code>pkt_mark=<var>m</var></code> + set and if the action is <code>not</code> drop, then the action also + includes <code>pkt.mark = <var>m</var></code> to mark the packet + with the marker <var>m</var>. + </p> + </li> + </ul> + + <h3>Ingress Table 13: ARP/ND Resolution</h3> <p> Any packet that reaches this table is an IP packet whose next-hop @@ -3190,7 +3258,7 @@ outport = <var>P</var>; </ul> - <h3>Ingress Table 13: Check packet length</h3> + <h3>Ingress Table 14: Check packet length</h3> <p> For distributed logical routers with distributed gateway port configured 
@@ -3220,7 +3288,7 @@ REGBIT_PKT_LARGER = check_pkt_larger(<var>L</var>); next; and advances to the next table. </p> - <h3>Ingress Table 14: Handle larger packets</h3> + <h3>Ingress Table 15: Handle larger packets</h3> <p> For distributed logical routers with distributed gateway port configured @@ -3281,7 +3349,7 @@ icmp6 { and advances to the next table. </p> - <h3>Ingress Table 15: Gateway Redirect</h3> + <h3>Ingress Table 16: Gateway Redirect</h3> <p> For distributed logical routers where one of the logical router @@ -3321,7 +3389,7 @@ icmp6 { </li> </ul> - <h3>Ingress Table 16: ARP Request</h3> + <h3>Ingress Table 17: ARP Request</h3> <p> In the common case where the Ethernet destination has been resolved, this
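Review bot: In the @@ -2714 hunk, the action text inside `<code>` still carries C string-literal residue: the `"` after `eth.src;` and the `" ` before `ct_label.ecmp_reply_port` will render in the man page as if they were part of the logical flow action. Suggest dropping both quote characters so the action reads `ct_commit { ct_label.ecmp_reply_eth = eth.src; ct_label.ecmp_reply_port = <var>K</var>;}; next;`, and changing "to commit the connection and storing" to "to commit the connection and store". The paragraph says what is written to `ct_label` but not which later stage reads it back; one sentence on that would let a reader follow the reply path end to end.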
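Review bot: In the @@ -3004 hunk, the `pkt_mark` item puts the markup on the wrong word: `<code>not</code> drop` should be `not <code>drop</code>`, and `<code>nexthop </code>` in the `reroute` item has a trailing space inside the tag. The `reroute` actions use `[xx]reg0` and set `flags.loopback = 1` without saying what the `[xx]` prefix stands for or why loopback is enabled; a short sentence on each would help anyone auditing where a policy sends traffic. Only `reroute` gets its resulting actions spelled out, so consider stating what the other supported policy actions produce here instead of leaving that entirely to the `ovn-nb` reference.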
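Review bot: The renumbering hunks (@@ -2744 through @@ -3321) change only `<h3>` headings, and the pre-patch headings visible here go from "Ingress Table 10: IP_ROUTING_ECMP" to "Ingress Table 12: ARP/ND Resolution" with no hunk touching a Table 11 heading. Please confirm no unchanged "Ingress Table 11" heading remains between them, since it would now collide with the renamed "Ingress Table 11: IP_ROUTING_ECMP". Prose elsewhere in `ovn-northd.8.xml` that refers to a stage by table number is outside the context shown and should be checked against the new numbers as well.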