From patchwork Fri Sep 17 15:01:04 2021
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1529446
From: Vladislav Odintsov
To: dev@openvswitch.org
Cc: Vladislav Odintsov
Date: Fri, 17 Sep 2021 18:01:04 +0300
Message-Id: <20210917150104.6143-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn v2] northd: support HW VTEP with stateful datapath

A packet going from a HW VTEP device to a VIF port, when it arrives at the hypervisor chassis, should go through the LS ingress pipeline to the l2_lkp stage without any match. In the l2_lkp stage an output port is determined and then the packet is passed to the LS egress pipeline for further processing and delivery to the VIF port.

Prior to this commit, a packet received from a HW VTEP device was dropped in an LS ingress datapath where stateful services were defined (ACLs, LBs).

To fix this issue we add a special flag bit which can be used in LS pipelines to check whether the packet came from HW VTEP devices. In ls_in_pre_acl and ls_in_pre_lb we add a new flow with priority 110 to skip such packets.

Signed-off-by: Vladislav Odintsov --- v1 -> v2: - Patch rebased on upstream changes. Please note: I've got no experience in DDLog and have no ability to extensively test these changes. Just local ./configure --with-ddlog=...; make; make check was run It seems, that only irrelevant to these changes tests were failed. --- northd/northd.c | 14 ++++++++++++++ northd/ovn_northd.dl | 33 +++++++++++++++++++++++++++++++-- tests/ovn-northd.at | 2 ++ 3 files changed, 47 insertions(+), 2 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 688a6e4ef..1b84874a7 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -196,6 +196,7 @@ enum ovn_stage { #define REGBIT_LKUP_FDB "reg0[11]" #define REGBIT_HAIRPIN_REPLY "reg0[12]" #define REGBIT_ACL_LABEL "reg0[13]" +#define REGBIT_FROM_RAMP "reg0[14]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -5112,6 +5113,11 @@ build_lswitch_input_port_sec_op( if (queue_id) { ds_put_format(actions, "set_queue(%s); ", queue_id); } + + if (!strcmp(op->nbsp->type, "vtep")) { + ds_put_format(actions, REGBIT_FROM_RAMP" = 1; "); + } + ds_put_cstr(actions, "next;"); ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, ds_cstr(match), ds_cstr(actions), @@ -5359,6 +5365,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *port_groups, "nd || nd_rs || nd_ra || mldv1 || mldv2 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); + /* Do not send coming from RAMP switch packets to conntrack. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, + REGBIT_FROM_RAMP" == 1", "next;"); + /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", 
@@ -5463,6 +5473,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows, ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, "eth.src == $svc_monitor_mac", "next;"); + /* Do not send coming from RAMP switch packets to conntrack. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, + REGBIT_FROM_RAMP" == 1", "next;"); + /* Allow all packets to go to next tables by default. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;"); diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index 669728497..0202af5dc 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl @@ -1631,6 +1631,7 @@ function rEGBIT_ACL_HINT_BLOCK() : istring = i"reg0[10]" function rEGBIT_LKUP_FDB() : istring = i"reg0[11]" function rEGBIT_HAIRPIN_REPLY() : istring = i"reg0[12]" function rEGBIT_ACL_LABEL() : istring = i"reg0[13]" +function rEGBIT_FROM_RAMP() : istring = i"reg0[14]" function rEG_ORIG_DIP_IPV4() : istring = i"reg1" function rEG_ORIG_DIP_IPV6() : istring = i"xxreg1" @@ -2070,6 +2071,16 @@ for (&Switch(._uuid = ls_uuid, .has_stateful_acl = true)) { .io_port = None, .controller_meter = None); + /* Do not send coming from RAMP switch packets to conntrack. */ + Flow(.logical_datapath = ls_uuid, + .stage = s_SWITCH_IN_PRE_ACL(), + .priority = 110, + .__match = i"${rEGBIT_FROM_RAMP()} == 1", + .actions = i"next;", + .stage_hint = 0, + .io_port = None, + .controller_meter = None); + /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", 
@@ -2136,6 +2147,16 @@ for (&Switch(._uuid = ls_uuid)) { .io_port = None, .controller_meter = None); + /* Do not send coming from RAMP switch packets to conntrack. */ + Flow(.logical_datapath = ls_uuid, + .stage = s_SWITCH_IN_PRE_LB(), + .priority = 110, + .__match = i"${rEGBIT_FROM_RAMP()} == 1", + .actions = i"next;", + .stage_hint = 0, + .io_port = None, + .controller_meter = None); + /* Allow all packets to go to next tables by default. */ Flow(.logical_datapath = ls_uuid, .stage = s_SWITCH_IN_PRE_LB(), @@ -3361,10 +3382,18 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses } else { i"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}" } in - var actions = match (pbinding.options.get(i"qdisc_queue_id")) { + var actions = { + var ramp = if (lsp.__type == i"vtep") { + i"${rEGBIT_FROM_RAMP()} = 1; " + } else { + i"" + }; + var queue = match (pbinding.options.get(i"qdisc_queue_id")) { None -> i"next;", Some{id} -> i"set_queue(${id}); next;" - } in + }; + i"${ramp}${queue}" + } in Flow(.logical_datapath = sw._uuid, .stage = s_SWITCH_IN_PORT_SEC_L2(), .priority = 50, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 2af3f2096..5de554455 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -3597,6 +3597,7 @@ check_stateful_flows() { table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) + table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl 
@@ -3660,6 +3661,7 @@ AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) + table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
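Review bot: In the northd/northd.c hunk for build_lswitch_input_port_sec_op, the added `ds_put_format(actions, REGBIT_FROM_RAMP" = 1; ");` passes a constant string with no format arguments. Use `ds_put_cstr(actions, REGBIT_FROM_RAMP" = 1; ");`, matching the `ds_put_cstr(actions, "next;");` call on the line right after it, so the string is never parsed as a format.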
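Review bot: The comment "Do not send coming from RAMP switch packets to conntrack." in the build_pre_acls hunk of northd/northd.c (repeated in build_pre_lb and in both new Flow blocks in northd/ovn_northd.dl) is hard to parse and does not state the consequence of the flow. The priority-110 match on `REGBIT_FROM_RAMP" == 1"` lets every packet that entered through a vtep-type port skip ingress conntrack on switches with stateful ACLs or load balancers. Suggest "Do not send packets coming from a RAMP switch to conntrack." plus a sentence on why this traffic is exempt, and that only S_SWITCH_IN_PRE_ACL and S_SWITCH_IN_PRE_LB get the bypass while the egress stages are left unchanged.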
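Review bot: The northd/ovn_northd.dl hunk at -3361 builds the port-security action string in a different order from the C code. Here `i"${ramp}${queue}"` yields `reg0[14] = 1; set_queue(id); next;`, while build_lswitch_input_port_sec_op in northd/northd.c appends `set_queue(%s); ` first and `REGBIT_FROM_RAMP" = 1; "` second. For a vtep port that also has qdisc_queue_id set, the two implementations would emit different logical flow text. Emit the queue action before the ramp bit in the DDlog version (or reorder the C code) so both produce the same string.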
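Review bot: The two tests/ovn-northd.at hunks add the `reg0[[14]] == 1` expectation only to the ls_in_pre_lb listings, so the new ls_in_pre_acl flow and the `reg0[14] = 1;` action on the S_SWITCH_IN_PORT_SEC_L2 flow for a vtep-type port are not checked anywhere in this patch. Add a case with a logical switch port of type vtep that asserts both, ideally with qdisc_queue_id set as well. The diffstat also shows no change to the logical flow documentation (northd/ovn-northd.8.xml), which should describe the new priority-110 flows in both ingress tables.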