From: Darrell Ball
To: dlu998@gmail.com, dev@openvswitch.org
Date: Wed, 27 Jun 2018 22:15:43 -0700
Message-Id: <1530162943-58952-1-git-send-email-dlu998@gmail.com>
Subject: [ovs-dev] [patch v2] ovn: Fix gateway load balancing.

Non-distributed and distributed gateway load balancing is broken. Recent changes for port unreachable handling broke the associated unsnat functionality. The fix approach is to check for gateway contexts and accept packets directed to gateway router IPs.

Fixes: 86558ac2e476 ("OVN: add UDP port unreachable support to OVN logical router.")
Fixes: 159932c9e4ea ("OVN: add TCP port unreachable support to OVN logical router.")
Fixes: 0e858e05f76b ("OVN: add protocol unreachable support to OVN router ports.")
CC: Lorenzo Bianconi
Signed-off-by: Darrell Ball

--- ovn/northd/ovn-northd.8.xml | 17 ++++--- ovn/northd/ovn-northd.c | 106 ++++++++++++++++++++++---------------------- 2 files changed, 64 insertions(+), 59 deletions(-) diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index cfd3511..280efd0 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -1310,8 +1310,9 @@ nd_na {

UDP port unreachable. Priority-80 flows generate ICMP port unreachable messages in reply to UDP datagrams directed to the - router's IP address. The logical router doesn't accept any UDP - traffic so it always generates such a reply. + router's IP address, except in the special case of gateways, + which accept traffic directed to a router IP for load balancing + purposes.

@@ -1321,10 +1322,10 @@ nd_na {

  • - TCP reset. Priority-80 flows generate TCP reset messages in reply to - TCP datagrams directed to the router's IP address. The logical - router doesn't accept any TCP traffic so it always generates such a - reply. + TCP reset. Priority-80 flows generate TCP reset messages in reply + to TCP datagrams directed to the router's IP address, except in + the special case of gateways, which accept traffic directed to a + router IP for load balancing purposes.

    @@ -1336,7 +1337,9 @@ nd_na {

    Protocol unreachable. Priority-70 flows generate ICMP protocol unreachable messages in reply to packets directed to the router's IP - address on IP protocols other than UDP, TCP, and ICMP. + address on IP protocols other than UDP, TCP, and ICMP, except in the + special case of gateways, which accept traffic directed to a router + IP for load balancing purposes.
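
Review bot: "the special case of gateways" in the three updated paragraphs (UDP port unreachable, TCP reset, protocol unreachable) is less precise than the condition in ovn-northd.c, which skips these flows when the router has the "chassis" option set or has an l3dgw_port. Suggest naming both cases, i.e. gateway routers and routers with a distributed gateway port, so the documented exception matches the code. The phrase "for load balancing purposes" also reads as if the exception depended on a configured load balancer, while the C condition does not look at load balancer or NAT configuration; the text should say the reply flows are omitted on such routers unconditionally.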

    diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 72fe4e7..7648bce 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c 
@@ -5141,48 +5141,49 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ds_cstr(&match), ds_cstr(&actions)); } - /* UDP/TCP port unreachable */ - for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) { - const char *action; - - ds_clear(&match); - ds_put_format(&match, - "ip4 && ip4.dst == %s && !ip.later_frag && udp", - op->lrp_networks.ipv4_addrs[i].addr_s); - action = "icmp4 {" - "eth.dst <-> eth.src; " - "ip4.dst <-> ip4.src; " - "ip.ttl = 255; " - "icmp4.type = 3; " - "icmp4.code = 3; " - "next; };"; - ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80, - ds_cstr(&match), action); + if (!smap_get(&op->od->nbr->options, "chassis") + && !op->od->l3dgw_port) { + /* UDP/TCP port unreachable. */ + for (int i = 0; i < op->lrp_networks.n_ipv4_addrs; i++) { + ds_clear(&match); + ds_put_format(&match, + "ip4 && ip4.dst == %s && !ip.later_frag && udp", + op->lrp_networks.ipv4_addrs[i].addr_s); + const char *action = "icmp4 {" + "eth.dst <-> eth.src; " + "ip4.dst <-> ip4.src; " + "ip.ttl = 255; " + "icmp4.type = 3; " + "icmp4.code = 3; " + "next; };"; + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80, + ds_cstr(&match), action); - ds_clear(&match); - ds_put_format(&match, - "ip4 && ip4.dst == %s && !ip.later_frag && tcp", - op->lrp_networks.ipv4_addrs[i].addr_s); - action = "tcp_reset {" - "eth.dst <-> eth.src; " - "ip4.dst <-> ip4.src; " - "next; };"; - ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80, - ds_cstr(&match), action); + ds_clear(&match); + ds_put_format(&match, + "ip4 && ip4.dst == %s && !ip.later_frag && tcp", + op->lrp_networks.ipv4_addrs[i].addr_s); + action = "tcp_reset {" + "eth.dst <-> eth.src; " + "ip4.dst <-> ip4.src; " + "next; };"; + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80, + ds_cstr(&match), action); - ds_clear(&match); - ds_put_format(&match, - "ip4 && ip4.dst == %s && !ip.later_frag", - op->lrp_networks.ipv4_addrs[i].addr_s); - action = "icmp4 {" - "eth.dst <-> eth.src; " - "ip4.dst <-> ip4.src; 
" - "ip.ttl = 255; " - "icmp4.type = 3; " - "icmp4.code = 2; " - "next; };"; - ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 70, - ds_cstr(&match), action); + ds_clear(&match); + ds_put_format(&match, + "ip4 && ip4.dst == %s && !ip.later_frag", + op->lrp_networks.ipv4_addrs[i].addr_s); + action = "icmp4 {" + "eth.dst <-> eth.src; " + "ip4.dst <-> ip4.src; " + "ip.ttl = 255; " + "icmp4.type = 3; " + "icmp4.code = 2; " + "next; };"; + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 70, + ds_cstr(&match), action); + } } ds_clear(&match); @@ -5306,19 +5307,20 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, } /* TCP port unreachable */ - for (int i = 0; i < op->lrp_networks.n_ipv6_addrs; i++) { - const char *action; - - ds_clear(&match); - ds_put_format(&match, - "ip6 && ip6.dst == %s && !ip.later_frag && tcp", - op->lrp_networks.ipv6_addrs[i].addr_s); - action = "tcp_reset {" - "eth.dst <-> eth.src; " - "ip6.dst <-> ip6.src; " - "next; };"; - ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80, + if (!smap_get(&op->od->nbr->options, "chassis") + && !op->od->l3dgw_port) { + for (int i = 0; i < op->lrp_networks.n_ipv6_addrs; i++) { + ds_clear(&match); + ds_put_format(&match, + "ip6 && ip6.dst == %s && !ip.later_frag && tcp", + op->lrp_networks.ipv6_addrs[i].addr_s); + const char *action = "tcp_reset {" + "eth.dst <-> eth.src; " + "ip6.dst <-> ip6.src; " + "next; };"; + ovn_lflow_add(lflows, op->od, S_ROUTER_IN_IP_INPUT, 80, ds_cstr(&match), action); + } } }
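
Review bot: The guard added in the first ovn-northd.c hunk, !smap_get(&op->od->nbr->options, "chassis") && !op->od->l3dgw_port, is much broader than the load-balancing case it is meant to fix. It drops all three reply flows (priority-80 UDP and TCP, priority-70 protocol unreachable) for every IPv4 address on a gateway router or a router with a distributed gateway port, whether or not that address is used as a load balancer VIP or for NAT. Closed ports on those router IPs therefore no longer get an ICMP unreachable or a TCP reset, and the hunk does not show what happens to such packets afterwards; please state the resulting behaviour in the commit message and consider restricting the exemption to addresses that are actually load-balanced or NATed. The hunk also dereferences op->od->nbr with no check visible here, so confirm it cannot be NULL at this point in build_lrouter_flows().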
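
Review bot: The second ovn-northd.c hunk (IPv6 TCP reset) repeats the two-part gateway condition from the IPv4 hunk verbatim; computing it once, for example in a local bool or a small helper, would keep the IPv4 and IPv6 paths from drifting apart. The /* TCP port unreachable */ comment is left outside the new if here, while the IPv4 hunk moves its comment inside the block and adds a period, so the two should be made consistent. The continuation line ds_cstr(&match), action); is kept as unchanged context although the ovn_lflow_add( line above it is re-indented, so check that the arguments still line up.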
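
Review bot: No test accompanies this fix: the diffstat lists only ovn/northd/ovn-northd.8.xml and ovn/northd/ovn-northd.c. Since the commit message says the three commits named in Fixes: broke gateway load balancing and unsnat, a regression test that checks the priority-80 and priority-70 reply flows are absent on a gateway router and on a router with a distributed gateway port, and still present on an ordinary logical router, would keep this from breaking again.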