From patchwork Sat Jan 21 16:46:07 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1729997
From: Vladislav Odintsov
To: dev@openvswitch.org
Date: Sat, 21 Jan 2023 19:46:07 +0300
Message-Id: <20230121164609.3625347-1-odivlad@gmail.com>
X-Mailer: git-send-email 2.36.1
Cc: Vladislav Odintsov
Subject: [ovs-dev] [PATCH ovn v2 1/2] northd: make traffic routed to vtep lport distributed

There were two issues prior to this patch:

1. It was unable to have connectivity to networks over a router in physical network connected through VTEP (ramp) gateway. Consider the next topology:

  ovn-nbctl lr-add lr1
  ovn-nbctl lrp-add lr1 lrp1 00:00:00:00:00:01 10.0.0.1/24
  ovn-nbctl ls-add ls1
  ovn-nbctl lsp-add ls1 lsp1 -- \
      lsp-set-addresses lsp1 router -- \
      lsp-set-type lsp1 router -- \
      lsp-set-options lsp1 router-port=lrp1
  ovn-nbctl lsp-add ls1 lsp-vtep -- \
      lsp-set-type lsp-vtep vtep -- \
      lsp-set-addresses lsp-vtep unknown -- \
      lsp-set-options lsp-vtep vtep-physical-switch=<..> vtep-logical-switch=<..>
  ovn-nbctl lr-route-add lr1 192.168.0.0/24 10.0.0.100

If one issues ping from lsp1 to some address from 192.168.0.0/24 (via vtep lsp), to enable routing support with vtep it is required to set redirect chassis or ha chassis group on lrp1. This topology didn't provide connectivity. Now such traffic flow will work properly.

2. Traffic from lport in one subnet to vtep lport in another subnet of the same LR previously traversed via l3gw chassis, now in 'to vtep lport' direction goes directly from hypervisor handling lport to VTEP (RAMP) switch. In the opposite direction traffic still goes from VTEP (RAMP) switch through l3gw chassis and then to hypervisor.

The described functionality changes are achieved by skipping to add gateway redirect logical flow for l3dgw ports whose peers have datapath with logical switch ports of 'vtep' type.
In this case traffic from hypervisor to VTEP (ramp) switch should go in distributed manner. Only returning routed traffic must go through centralized gateway or ha-chassis-group. This patch also updates relevant testcases to check the changed flows generation and port_binding:options:always-redirect logic. Signed-off-by: Vladislav Odintsov Reviewed-by: Simon Horman --- northd/northd.c | 26 ++++++++++++++++++++++++-- tests/ovn-northd.at | 26 +++++++++++++++++++++++++- 2 files changed, 49 insertions(+), 3 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 40a302579..46ed39850 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -3302,6 +3302,14 @@ sbrec_port_binding_update_mirror_rules(struct northd_input *input_data, check_and_do_sb_mirror_addition(input_data, op); } +/* Return true if given ovn_port has peer and this peer's ovn_datapath + * has_vtep_lports set to true. False otherwise. */ +static bool +l3dgw_port_has_associated_vtep_lports(const struct ovn_port *op) +{ + return op->peer && op->peer->od->has_vtep_lports; +} + static void ovn_port_update_sbrec(struct northd_input *input_data, struct ovsdb_idl_txn *ovnsb_txn, @@ -3371,7 +3379,10 @@ ovn_port_update_sbrec(struct northd_input *input_data, } smap_add(&new, "distributed-port", op->nbrp->name); - bool always_redirect = !op->od->has_distributed_nat; + bool always_redirect = + !op->od->has_distributed_nat && + !l3dgw_port_has_associated_vtep_lports(op->l3dgw_port); + if (redirect_type) { smap_add(&new, "redirect-type", redirect_type); /* XXX Why can't we enable always-redirect when redirect-type @@ -11627,7 +11638,7 @@ build_gateway_mtu_flow(struct hmap *lflows, struct ovn_port *op, static bool consider_l3dwg_port_is_centralized(struct ovn_port *op) { - if (op->peer && op->peer->od->has_vtep_lports) { + if (l3dgw_port_has_associated_vtep_lports(op)) { return false; } 
@@ -12833,6 +12844,17 @@ build_gateway_redirect_flows_for_lrouter( return; } for (size_t i = 0; i < od->n_l3dgw_ports; i++) { + if (l3dgw_port_has_associated_vtep_lports(od->l3dgw_ports[i])) { + /* Skip adding redirect lflow for vtep-enabled l3dgw ports. + * Traffic from hypervisor to VTEP (ramp) switch should go in + * distributed manner. Only returning routed traffic must go + * through centralized gateway (or ha-chassis-group). + * This assumes that attached logical switch with vtep lport(s) has + * no localnet port(s) for NAT. Otherwise centralized NAT will not + * work. */ + continue; + } + const struct ovsdb_idl_row *stage_hint = NULL; bool add_def_flow = true; diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 35f186ad6..941460d5b 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -6075,7 +6075,7 @@ AT_CLEANUP ]) OVN_FOR_EACH_NORTHD_NO_HV([ -AT_SETUP([ovn-northd -- lr admission with vtep lports]) +AT_SETUP([ovn-northd -- lrp with chassis-redirect and ls with vtep lport]) AT_KEYWORDS([multiple-l3dgw-ports]) ovn_start NORTHD_TYPE check ovn-sbctl chassis-add ch1 geneve 127.0.0.2 @@ -6099,6 +6099,11 @@ AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed 's/table=../table=??/' table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) ]) +# Check the flows in lr_in_gw_redirect stage +AT_CHECK([grep lr_in_gw_redirect lrflows | grep lrp1 | sed 's/table=../table=??/' | sort], [0], []) + +wait_row_count Port_Binding 0 logical_port=cr-lrp1 options:always-redirect="true" + # make lrp a cr-port and check its flows check ovn-nbctl lrp-set-gateway-chassis lrp1 ch1 
@@ -6112,6 +6117,13 @@ AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed 's/table=../table=??/' table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) ]) +# Check the flows in lr_in_gw_redirect stage +AT_CHECK([grep lr_in_gw_redirect lrflows | grep lrp1 | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_gw_redirect ), priority=50 , match=(outport == "lrp1"), action=(outport = "cr-lrp1"; next;) +]) + +wait_row_count Port_Binding 1 logical_port=cr-lrp1 options:always-redirect="true" + # attach vtep logical port to logical switch and check flows. # there should not be is_chassis_resident part. check ovn-nbctl lsp-add ls1 lsp-vtep -- lsp-set-type lsp-vtep vtep @@ -6126,6 +6138,11 @@ AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed 's/table=../table=??/' table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) ]) +# Check the flows in lr_in_gw_redirect stage +AT_CHECK([grep lr_in_gw_redirect lrflows | grep lrp1 | sed 's/table=../table=??/' | sort], [0], []) + +wait_row_count Port_Binding 0 logical_port=cr-lrp1 options:always-redirect="true" + # delete vtep lport and check lrp has is_chassis_resident match part again. check ovn-nbctl lsp-del lsp-vtep @@ -6139,6 +6156,13 @@ AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed 's/table=../table=??/' table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) ]) +# Check the flows in lr_in_gw_redirect stage +AT_CHECK([grep lr_in_gw_redirect lrflows | grep lrp1 | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_gw_redirect ), priority=50 , match=(outport == "lrp1"), action=(outport = "cr-lrp1"; next;) +]) + +wait_row_count Port_Binding 1 logical_port=cr-lrp1 options:always-redirect="true" + AT_CLEANUP ])
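Review bot: in the new helper l3dgw_port_has_associated_vtep_lports() in northd/northd.c, op is dereferenced without a NULL check, and the new caller in ovn_port_update_sbrec() passes op->l3dgw_port rather than op itself. If that pointer can ever be unset on this path, ovn-northd dereferences NULL while computing always_redirect. Either guard it in the helper (`return op && op->peer && op->peer->od->has_vtep_lports;`) or say in the helper's comment that callers must pass a non-NULL l3dgw port. The same applies to op->peer->od, which the helper assumes is set whenever peer is.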
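Review bot: the comment added in build_gateway_redirect_flows_for_lrouter() records an assumption (the switch that carries vtep lports has no localnet ports for NAT, otherwise centralized NAT will not work) that nothing in the hunk checks. The `continue` drops the redirect flow silently, and the always_redirect change in ovn_port_update_sbrec() turns the option off under the same condition, so a topology that breaks the assumption gets no signal at all. Consider a rate-limited warning when a vtep lport and a localnet port share the switch, and document the restriction for users; the diffstat shows only northd/northd.c and tests/ovn-northd.at changing.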
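Review bot: the test in tests/ovn-northd.at is tagged AT_KEYWORDS([multiple-l3dgw-ports]), but every added lr_in_gw_redirect and always-redirect check covers lrp1 only. The skip in northd.c is decided per port inside the loop over od->l3dgw_ports, so add a second gateway port whose peer switch has no vtep lport and assert that its redirect flow and options:always-redirect="true" are kept while lrp1's are dropped. Also note that the first added `wait_row_count Port_Binding 0 logical_port=cr-lrp1 ...` runs before lrp1 is made a chassis-redirect port, so it would hold with or without this change.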