From patchwork Tue Feb 23 13:19:55 2021
X-Patchwork-Submitter: Dumitru Ceara
X-Patchwork-Id: 1443481
From: Dumitru Ceara
To: ovs-dev@openvswitch.org
Date: Tue, 23 Feb 2021 14:19:55 +0100
Message-Id: <20210223131953.20993.44943.stgit@dceara.remote.csb>
In-Reply-To: <20210223131920.20993.37441.stgit@dceara.remote.csb>
References: <20210223131920.20993.37441.stgit@dceara.remote.csb>
User-Agent: StGit/0.17.1-dirty
Cc: trozet@redhat.com
Subject: [ovs-dev] [PATCH ovn 3/3] northd: Avoid matching on ct.dnat flags for load balancers.

Matching on ct.dnat creates openflows that often are not offloadable to hardware. ovn-northd uses ct.dnat only for load balancer hairpin traffic handling and it turns out we don't really need to match on ct.dnat.

Signed-off-by: Dumitru Ceara
Acked-by: Numan Siddique
---
 northd/ovn-northd.8.xml | 32 +++++++++++++++--------------
 northd/ovn-northd.c | 52 +++++++++++++++++++++++++++++------------------
 2 files changed, 49 insertions(+), 35 deletions(-)

diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index deffe8c..a16937a 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -813,19 +813,12 @@
  • If the logical switch has load balancer(s) configured, then a priority-100 flow is added with the match - ip && ct.trk&& ct.dnat to check if the + ip && ct.trk to check if the packet needs to be hairpinned (if after load balancing the destination - IP matches the source IP) or not by executing the action - reg0[6] = chk_lb_hairpin(); and advances the packet to - the next table. -
  • - -
  • - If the logical switch has load balancer(s) configured, then a - priority-90 flow is added with the match ip to check if - the packet is a reply for a hairpinned connection or not by executing - the action reg0[6] = chk_lb_hairpin_reply(); and advances - the packet to the next table. + IP matches the source IP) or not by executing the actions + reg0[6] = chk_lb_hairpin(); and + reg0[12] = chk_lb_hairpin_reply(); and advances the packet + to the next table.
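Review bot: the merged priority-100 bullet now runs chk_lb_hairpin_reply() only for packets matching ip && ct.trk, while the removed priority-90 bullet ran it for every ip packet; the man-page text should say that replies of hairpinned connections are always conntracked by the time they reach this table, otherwise a reader will wonder whether untracked replies stopped being detected. Wording nit: "executing the actions reg0[6] = chk_lb_hairpin(); and reg0[12] = chk_lb_hairpin_reply(); and advances" reads awkwardly; quote the two as one action list, e.g. reg0[6] = chk_lb_hairpin(); reg0[12] = chk_lb_hairpin_reply(); next;, matching the string built in ovn-northd.c.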
  • @@ -838,16 +831,25 @@
  • If the logical switch has load balancer(s) configured, then a priority-100 flow is added with the match - ip && (ct.new || ct.est) && ct.trk && - ct.dnat && reg0[6] == 1 which hairpins the traffic by + ip && ct.new && ct.trk && + reg0[6] == 1 which hairpins the traffic by NATting source IP to the load balancer VIP by executing the action ct_snat_to_vip and advances the packet to the next table.
  • If the logical switch has load balancer(s) configured, then a + priority-100 flow is added with the match + ip && ct.est && ct.trk && + reg0[6] == 1 which hairpins the traffic by + NATting source IP to the load balancer VIP by executing the action + ct_snat and advances the packet to the next table. +
  • + +
  • + If the logical switch has load balancer(s) configured, then a priority-90 flow is added with the match - ip && reg0[6] == 1 which matches on the replies + ip && reg0[12] == 1 which matches on the replies of hairpinned traffic (i.e., destination IP is VIP, source IP is the backend IP and source L4 port is backend port for L4 load balancers) and executes ct_snat and advances the diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 18e4cac..f66bdea 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -227,6 +227,7 @@ enum ovn_stage { #define REGBIT_ACL_HINT_DROP "reg0[9]" #define REGBIT_ACL_HINT_BLOCK "reg0[10]" #define REGBIT_LKUP_FDB "reg0[11]" +#define REGBIT_HAIRPIN_REPLY "reg0[12]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -266,7 +267,8 @@ enum ovn_stage { * * Logical Switch pipeline: * +----+----------------------------------------------+---+------------------+ - * | R0 | REGBIT_{CONNTRACK/DHCP/DNS/HAIRPIN} | | | + * | R0 | REGBIT_{CONNTRACK/DHCP/DNS} | | | + * | | REGBIT_{HAIRPIN/HAIRPIN_REPLY} | X | | * | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} | X | | * +----+----------------------------------------------+ X | | * | R1 | ORIG_DIP_IPV4 (>= IN_STATEFUL) | R | | 
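Review bot: the new ct.est bullet describes ct_snat as "NATting source IP to the load balancer VIP", which is what ct_snat_to_vip does for the first packet of a session; for established sessions the flow only re-applies the SNAT entry that the ct.new flow committed (the comment added in ovn-northd.c says exactly that), so the man page should say so, e.g. "executes ct_snat to apply the SNAT conntrack entry created for the connection". The rest of that bullet repeats the ct.new bullet word for word; fold the two into one bullet that lists the two match/action pairs.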
@@ -6036,39 +6038,49 @@ build_lb_hairpin(struct ovn_datapath *od, struct hmap *lflows) ovn_lflow_add(lflows, od, S_SWITCH_IN_HAIRPIN, 0, "1", "next;"); if (od->has_lb_vip) { - /* Check if the packet needs to be hairpinned. */ - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_HAIRPIN, 100, - "ip && ct.trk && ct.dnat", - REGBIT_HAIRPIN " = chk_lb_hairpin(); next;", + /* Check if the packet needs to be hairpinned. + * Set REGBIT_HAIRPIN in the original direction and + * REGBIT_HAIRPIN_REPLY in the reply direction. + */ + ovn_lflow_add_with_hint( + lflows, od, S_SWITCH_IN_PRE_HAIRPIN, 100, "ip && ct.trk", + REGBIT_HAIRPIN " = chk_lb_hairpin(); " + REGBIT_HAIRPIN_REPLY " = chk_lb_hairpin_reply(); " + "next;", + &od->nbs->header_); + + /* If packet needs to be hairpinned, snat the src ip with the VIP + * for new sessions. */ + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_NAT_HAIRPIN, 100, + "ip && ct.new && ct.trk" + " && "REGBIT_HAIRPIN " == 1", + "ct_snat_to_vip; next;", &od->nbs->header_); - /* Check if the packet is a reply of hairpinned traffic. */ - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_HAIRPIN, 90, "ip", - REGBIT_HAIRPIN " = chk_lb_hairpin_reply(); " - "next;", &od->nbs->header_); - - /* If packet needs to be hairpinned, snat the src ip with the VIP. */ + /* If packet needs to be hairpinned, for established sessions there + * should already be an SNAT conntrack entry. + */ ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_NAT_HAIRPIN, 100, - "ip && (ct.new || ct.est) && ct.trk && ct.dnat" + "ip && ct.est && ct.trk" " && "REGBIT_HAIRPIN " == 1", - "ct_snat_to_vip; next;", + "ct_snat;", &od->nbs->header_); /* For the reply of hairpinned traffic, snat the src ip to the VIP. */ ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_NAT_HAIRPIN, 90, - "ip && "REGBIT_HAIRPIN " == 1", "ct_snat;", + "ip && "REGBIT_HAIRPIN_REPLY " == 1", + "ct_snat;", &od->nbs->header_); /* Ingress Hairpin table. 
* - Priority 1: Packets that were SNAT-ed for hairpinning should be * looped back (i.e., swap ETH addresses and send back on inport). */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_HAIRPIN, 1, - REGBIT_HAIRPIN " == 1", - "eth.dst <-> eth.src;" - "outport = inport;" - "flags.loopback = 1;" - "output;"); + ovn_lflow_add( + lflows, od, S_SWITCH_IN_HAIRPIN, 1, + "("REGBIT_HAIRPIN " == 1 || " REGBIT_HAIRPIN_REPLY " == 1)", + "eth.dst <-> eth.src; outport = inport; flags.loopback = 1; " + "output;"); } }
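Review bot: the hunk drops the ct.dnat match from three flows, but neither the commit message ("it turns out we don't really need to match on ct.dnat") nor the new comments say why that is safe; add a sentence above the S_SWITCH_IN_PRE_HAIRPIN flow stating that chk_lb_hairpin() is defined in terms of the destination after load balancing (as the man-page text puts it), so a packet with REGBIT_HAIRPIN set has necessarily been DNATed and the explicit ct.dnat condition is implied. Also, the comment on the ct.est flow says "there should already be an SNAT conntrack entry": state what happens when there is none, because such a packet still reaches the priority-1 S_SWITCH_IN_HAIRPIN flow with REGBIT_HAIRPIN set and is looped back to its inport without SNAT.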