From: Vladislav Odintsov
To: dev@openvswitch.org
Date: Sat, 18 Sep 2021 15:51:21 +0300
Message-Id: <20210918125121.8257-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn branch-21.06] northd: support HW VTEP with stateful datapath

A packet going from an HW VTEP device to a VIF port, when it arrives at the hypervisor chassis, should go through the LS ingress pipeline to the l2_lkp stage without any match. In the l2_lkp stage an output port is determined and then the packet is passed to the LS egress pipeline for further processing and delivery to the VIF port.

Prior to this commit, a packet received from an HW VTEP device was dropped in an LS ingress datapath where stateful services (ACLs, LBs) were defined.

To fix this issue we add a special flag bit which can be used in LS pipelines to check whether the packet came from HW VTEP devices. In ls_in_pre_acl and ls_in_pre_lb we add a new flow with priority 110 to skip such packets.

Signed-off-by: Vladislav Odintsov
Signed-off-by: Numan Siddique (cherry picked from commit 62ca8b9620cc1168ace6905575b7d36438363aed) --- northd/ovn-northd.8.xml | 28 ++++++++++++++++++++++++++++ northd/ovn-northd.c | 14 ++++++++++++++ northd/ovn_northd.dl | 33 +++++++++++++++++++++++++++++++-- ovs | 2 +- tests/ovn-northd.at | 2 ++ 5 files changed, 76 insertions(+), 3 deletions(-) diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 890775797..29eaf1864 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -262,6 +262,16 @@ logical ports on which port security is not enabled, these advance all packets that match the inport. +
  • + For logical ports of type vtep, the above logical flow + will also apply the action REGBIT_FROM_RAMP = 1; to + indicate that the packet is coming from a RAMP (controller-vtep) + device. Later pipelines will use this information to skip + sending the packet to the conntrack. Packets from vtep + logical ports should go though ingress pipeline only to determine + the output port and they should not be subjected to any ACL checks. + Egress pipeline will do the ACL checks. +
  • @@ -453,6 +463,15 @@ processing.

    +

    + This table has a priority-110 flow with the match + REGBIT_FROM_RAMP == 1 for all logical switch datapaths to + resubmit traffic to the next table. REGBIT_FROM_RAMP + indicates that packet was received from vtep logical ports + and it can be skipped from the stateful ACL processing in the ingress + pipeline. +

    +

    This table also has a priority-110 flow with the match eth.dst == E for all logical switch @@ -512,6 +531,15 @@ configured. We can now add a lflow to drop ct.inv packets.

    +

    + This table has a priority-110 flow with the match + REGBIT_FROM_RAMP == 1 for all logical switch datapaths to + resubmit traffic to the next table. REGBIT_FROM_RAMP + indicates that packet was received from vtep logical ports + and it can be skipped from the load balancer processing in the ingress + pipeline. +

    +

    This table also has a priority-110 flow with the match eth.dst == E for all logical switch diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index a7f6fdf6b..c2cc9b930 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -236,6 +236,7 @@ enum ovn_stage { #define REGBIT_ACL_HINT_BLOCK "reg0[10]" #define REGBIT_LKUP_FDB "reg0[11]" #define REGBIT_HAIRPIN_REPLY "reg0[12]" +#define REGBIT_FROM_RAMP "reg0[14]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -4823,10 +4824,15 @@ build_lswitch_input_port_sec_op( build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, match); + if (!strcmp(op->nbsp->type, "vtep")) { + ds_put_format(actions, REGBIT_FROM_RAMP" = 1; "); + } + const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); if (queue_id) { ds_put_format(actions, "set_queue(%s); ", queue_id); } + ds_put_cstr(actions, "next;"); ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, ds_cstr(match), ds_cstr(actions), @@ -5070,6 +5076,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *port_groups, "nd || nd_rs || nd_ra || mldv1 || mldv2 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); + /* Do not send coming from RAMP switch packets to conntrack. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, + REGBIT_FROM_RAMP" == 1", "next;"); + /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", @@ -5180,6 +5190,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows, ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, "eth.src == $svc_monitor_mac", "next;"); + /* Do not send coming from RAMP switch packets to conntrack. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, + REGBIT_FROM_RAMP" == 1", "next;"); + /* Allow all packets to go to next tables by default. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;"); 
diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index 46da9a3a4..cca1c11be 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl @@ -1561,6 +1561,7 @@ function rEGBIT_ACL_HINT_DROP() : string = "reg0[9]" function rEGBIT_ACL_HINT_BLOCK() : string = "reg0[10]" function rEGBIT_LKUP_FDB() : string = "reg0[11]" function rEGBIT_HAIRPIN_REPLY() : string = "reg0[12]" +function rEGBIT_FROM_RAMP() : string = "reg0[14]" function rEG_ORIG_DIP_IPV4() : string = "reg1" function rEG_ORIG_DIP_IPV6() : string = "xxreg1" @@ -1934,6 +1935,16 @@ for (&Switch(._uuid = ls_uuid, .has_stateful_acl = true)) { .actions = "next;", .external_ids = map_empty()); + /* Do not send coming from RAMP switch packets to conntrack. */ + Flow(.logical_datapath = ls_uuid, + .stage = s_SWITCH_IN_PRE_ACL(), + .priority = 110, + .__match = "${rEGBIT_FROM_RAMP()} == 1", + .actions = "next;", + .stage_hint = 0, + .io_port = None, + .controller_meter = None); + /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", @@ -1988,6 +1999,16 @@ for (&Switch(._uuid = ls_uuid)) { .actions = "next;", .external_ids = map_empty()); + /* Do not send coming from RAMP switch packets to conntrack. */ + Flow(.logical_datapath = ls_uuid, + .stage = s_SWITCH_IN_PRE_LB(), + .priority = 110, + .__match = "${rEGBIT_FROM_RAMP()} == 1", + .actions = "next;", + .stage_hint = 0, + .io_port = None, + .controller_meter = None); + /* Allow all packets to go to next tables by default. */ Flow(.logical_datapath = ls_uuid, .stage = s_SWITCH_IN_PRE_LB(), 
@@ -3061,10 +3082,18 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses } else { "inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}" } in - var actions = match (pbinding.options.get("qdisc_queue_id")) { + var actions = { + var ramp = if (lsp.__type == "vtep") { + "${rEGBIT_FROM_RAMP()} = 1; " + } else { + "" + }; + var queue = match (pbinding.options.get("qdisc_queue_id")) { None -> "next;", Some{id} -> "set_queue(${id}); next;" - } in + }; + "${ramp}${queue}" + } in Flow(.logical_datapath = sw._uuid, .stage = s_SWITCH_IN_PORT_SEC_L2(), .priority = 50, diff --git a/ovs b/ovs index a4b04276a..daf627f45 160000 --- a/ovs +++ b/ovs @@ -1 +1 @@ -Subproject commit a4b04276ab5934d087669ff2d191a23931335c87 +Subproject commit daf627f459ffbc7171d42a2c01f80754bfd54edc diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 55cf0ffd4..9523de377 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -3429,6 +3429,7 @@ check_stateful_flows() { table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) + table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl @@ -3490,6 +3491,7 @@ AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) + table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
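Review bot: in the ovn-northd.c hunks for build_pre_acls() and build_pre_lb(), the priority-110 flows matching `REGBIT_FROM_RAMP" == 1"` with action `next;` bypass the whole ingress stateful path, so "from-lport" ACLs (which, per the context comment "Regardless of whether the ACL is "from-lport" or "to-lport"", are evaluated in this ingress pre-ACL table) and load-balancer VIPs are never applied to traffic entering through a vtep port; only "to-lport" ACLs in the egress pipeline remain in force. The ovn-northd.8.xml hunks should state that consequence plainly ("from-lport ACLs and load balancers are not applied to packets from vtep logical ports") rather than "it can be skipped". Since the bypass keys on a register bit rather than on `inport`, please also confirm in the commit message that reg0[14] is guaranteed clear for every other packet reaching these tables. Minor: the comment "Do not send coming from RAMP switch packets to conntrack." (repeated four times across ovn-northd.c and ovn_northd.dl) reads better as "Do not send packets coming from a RAMP switch to conntrack."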
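Review bot: the `#define REGBIT_FROM_RAMP "reg0[14]"` added in ovn-northd.c (and `rEGBIT_FROM_RAMP()` in ovn_northd.dl) follows `REGBIT_HAIRPIN_REPLY "reg0[12]"` in the visible context, leaving reg0[13] unassigned on this branch; a one-line comment explaining that the bit number is kept identical to the master commit being cherry-picked (62ca8b9620cc) would keep a later backport from reusing bit 13 or 14 for something else.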
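Review bot: in the ovn_northd.dl hunks, the two new `Flow(...)` records are written with `.stage_hint = 0, .io_port = None, .controller_meter = None`, while the adjacent context record in the same rule ends with `.actions = "next;", .external_ids = map_empty());`; please confirm both field sets match the Flow relation as defined on branch-21.06, since the shapes shown here differ. The port-security rewrite itself looks right: `queue` still carries the trailing `next;` for both the `None` and `Some{id}` cases, so `"${ramp}${queue}"` mirrors the C side's `ds_put_cstr(actions, "next;")`.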
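Review bot: the `ovs` submodule bump from a4b04276ab to daf627f459 is unrelated to the northd change and is not mentioned in the commit message; on a stable branch it should go in its own commit (or the reason for carrying it with this backport should be stated), since it changes what branch-21.06 builds and tests against.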
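Review bot: the tests/ovn-northd.at hunks only add the expected `table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;)` line; the matching priority-110 flow the patch adds to ls_in_pre_acl is not asserted anywhere, and nothing checks that the ls_in_port_sec_l2 flow for a port of type vtep carries `reg0[14] = 1;` in its action while a non-vtep port's flow does not. Suggest extending check_stateful_flows() with a `grep "ls_in_pre_acl"` expectation and adding a vtep-type port to the test topology so the flag-setting flow is covered.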