From patchwork Mon Nov 12 06:27:47 2018
X-Patchwork-Submitter: Mary Manohar
X-Patchwork-Id: 996276
From: Mary Manohar
To: "ovs-dev@openvswitch.org"
Date: Mon, 12 Nov 2018 06:27:47 +0000
Message-ID: <1542004180-202310-1-git-send-email-mary.manohar@nutanix.com>
Subject: [ovs-dev] [PATCH v2 1/3] Routing policies, add routing-policy commands in ovn-nbctl

Policy-based routing (PBR) provides a mechanism to configure permit/deny and reroute policies on the router. Permit/deny policies are similar to OVN ACLs, but exist on the logical-router. Reroute policies are needed for service-insertion and service-chaining. Currently, we support only stateless policies.

To achieve this, a new table is introduced in the ingress pipeline of the Logical-router. The new table is between the ‘IP Routing’ and the ‘ARP/ND resolution’ table. This way, PBR can override routing decisions and provide a different next-hop.

This Series:
a. Changes in OVN NB Schema to introduce a new table in the Logical router.
b. Add commands to ovn-nbctl to add/delete/list routing policies.
c. Changes in ovn-northd to process routing-policy configurations.

This Patch:
Add a new table 'Logical_Router_Policy' in the northbound schema. The table has the following columns:
* priority: Rules with numerically higher priority take precedence over those with lower.
* match: Uses the same expression language as the 'match' column of 'Logical_Flow' table in the OVN Southbound database.
* action: allow/drop/reroute
* nexthop: Nexthop IP address.

Each row in this table represents one routing policy for a logical router. The 'action' column for the highest priority matching row in this table determines a packet's treatment. If no row matches, packets are allowed by default.

Signed-off-by: Mary Manohar
---
 ovn/ovn-nb.ovsschema | 19 ++++++++++++++--
 ovn/ovn-nb.xml       | 63 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 2 files changed, 80 insertions(+), 2 deletions(-)

diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema index f3683df..ff16985 100644 --- a/ovn/ovn-nb.ovsschema +++ b/ovn/ovn-nb.ovsschema @@ -1,7 +1,7 @@ { "name": "OVN_Northbound", - "version": "5.14.0", - "cksum": "3600467067 20513", + "version": "5.15.0", + "cksum": "3545233945 21390", "tables": { "NB_Global": { "columns": { @@ -242,6 +242,11 @@ "refType": "strong"}, "min": 0, "max": "unlimited"}}, + "policies": {"type": {"key": {"type": "uuid", + "refTable": "Logical_Router_Policy", + "refType": "strong"}, + "min": 0, + "max": "unlimited"}}, "enabled": {"type": {"key": "boolean", "min": 0, "max": 1}}, "nat": {"type": {"key": {"type": "uuid", "refTable": "NAT",
@@ -303,6 +308,16 @@ "type": {"key": "string", "value": "string", "min": 0, "max": "unlimited"}}}, "isRoot": false}, + "Logical_Router_Policy": { + "columns": { + "priority": {"type": {"key": {"type": "integer", + "minInteger": 0, + "maxInteger": 32767}}}, + "match": {"type": "string"}, + "action": {"type": {"key": {"type": "string", + "enum": ["set", ["allow", "drop", "reroute"]]}}}, + "nexthop": {"type": {"key": "string", "min": 0, "max": 1}}}, + "isRoot": false}, "NAT": { "columns": { "external_ip": {"type": "string"}, diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 474b4f9..0675d39 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -1236,6 +1236,10 @@ One or more static routes for the router. + + One or more routing policies for the router. + + This column is used to administratively set router state. If this column is empty or is set to true, the router is enabled. If this @@ -1793,6 +1797,65 @@ + +

+ Each row in this table represents one routing policy for a logical router + that points to it through its column. The column for the highest- + matching row in this table determines a packet's treatment. If no row + matches, packets are allowed by default. (Default-deny treatment is + possible: add a rule with 0, 0 as + , and drop as .) +

+ + +

+ The routing policy's priority. Rules with numerically higher priority + take precedence over those with lower. A rule is uniquely identified + by the priority and match string. +

+
+ + +

+ The packets that the routing policy should match, in the same expression + language used for the column in the OVN Southbound database's + table. +

+ +

+ By default all traffic is allowed. When writing a more + restrictive policy, it is important to remember to allow flows + such as ARP and IPv6 neighbor discovery packets. +

+
+ + +

The action to take when the routing policy matches:

+
    +
  • + allow: Forward the packet. +
  • + +
  • + drop: Silently drop the packet. +
  • + +
  • + reroute: Reroute packet to nexthop +
  • +
+
+ + +

+ Nexthop IP address for this route. Nexthop IP address should be the IP + address of a connected router port or the IP address of a logical port. +

+
+
+

Each record represents a NAT rule.
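Review bot: the Logical_Router_Policy table in the ovn-nb.ovsschema hunk leaves the action/nexthop relationship unconstrained: a "reroute" row with an empty nexthop, or an "allow"/"drop" row carrying one, is a valid row as far as the database is concerned, so only ovn-nbctl enforces the pairing and any client writing through the IDL directly can store a reroute policy with nowhere to send the packet. Either the ovn-nb.xml text for nexthop should say explicitly that it is required when action is reroute and ignored otherwise, or the consumer of this table should treat a reroute row without a nexthop as a documented error rather than rely on the CLI having filtered it.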
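Review bot: the ovn-nb.xml hunk states that "A rule is uniquely identified by the priority and match string", but nothing in the schema hunk enforces that (the new table has no index), so uniqueness is only what lr-policy-add happens to check; the documentation should say the database itself does not enforce it. Two wording points in the same hunk: the nexthop description says "Nexthop IP address for this route" where it should say "for this policy", and the reroute bullet reads "Reroute packet to nexthop" without the full stop the allow and drop bullets have.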

From patchwork Mon Nov 12 06:27:48 2018
X-Patchwork-Submitter: Mary Manohar
X-Patchwork-Id: 996277
From: Mary Manohar
To: "ovs-dev@openvswitch.org"
Date: Mon, 12 Nov 2018 06:27:48 +0000
Message-ID: <1542004180-202310-2-git-send-email-mary.manohar@nutanix.com>
In-Reply-To: <1542004180-202310-1-git-send-email-mary.manohar@nutanix.com>
Subject: [ovs-dev] [PATCH v2 2/3] Routing policies, add routing-policy commands in ovn-nbctl

Policy-based routing (PBR) provides a mechanism to configure permit/deny and reroute policies on the router. Permit/deny policies are similar to OVN ACLs, but exist on the logical-router. Reroute policies are needed for service-insertion and service-chaining. Currently, we support only stateless policies.

To achieve this, a new table is introduced in the ingress pipeline of the Logical-router. The new table is between the ‘IP Routing’ and the ‘ARP/ND resolution’ table.
This way, PBR can override routing decisions and provide a different next-hop.

This Series:
a. Changes in OVN NB Schema to introduce a new table in the Logical router.
b. Add commands to ovn-nbctl to add/delete/list routing policies.
c. Changes in ovn-northd to process routing-policy configurations.

This Patch:
Add commands to ovn-nbctl to add/delete/list routing policies.

Routing-policy commands:

a. Add a new ovn-nbctl command to add a routing policy.
   lr-policy-add ROUTER PRIORITY MATCH ACTION [NEXTHOP]
   Nexthop is an optional parameter. It needs to be provided only when 'action' is 'reroute'. A policy is uniquely identified by priority and match. Multiple policies can have the same priority.

b. Add a new ovn-nbctl command to delete a routing policy.
   lr-policy-del ROUTER [PRIORITY [MATCH]]
   Takes priority and match as optional parameters. If priority and match are specified, the policy with the given priority and match is deleted. If priority is specified and match is not specified, all rules with that priority are deleted. If priority is not specified, all the rules would be deleted.

c. Add a new ovn-nbctl command to list routing-policies in the logical router.
   lr-policy-list ROUTER

d. Sample CLI:
   ovn-nbctl lr-policy-add lr1 10 "ip4.src == 1.1.1.0/24" drop
   ovn-nbctl lr-policy-del lr1 10
   ovn-nbctl lr-policy-list lr1

   Sample output of the list command:
   611 ip4.dst==12.2.1.0/24 && ip4.src==11.2.1.0/24 && inport=="lrp-ac44a00b-26c9-45e2-851c-62463750c3a2" allow
   610 ip4.dst==12.2.1.0/24 && ip4.src==11.2.1.0/24 reroute 13.2.1.12
   600 ip4.dst==0.0.0.0/0 && ip4.src==0.0.0.0/0 drop

e. Unit tests to validate these commands

Signed-off-by: Mary Manohar
---
 ovn/utilities/ovn-nbctl.c | 198 ++++++++++++++++++++++++++++++++++++++++++++++
 tests/ovn-nbctl.at        |  47 +++++++++++
 2 files changed, 245 insertions(+)

diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c index 9d1b220..5f4cb2e 100644 --- a/ovn/utilities/ovn-nbctl.c +++ b/ovn/utilities/ovn-nbctl.c
@@ -640,6 +640,13 @@ Route commands:\n\ remove routes from ROUTER\n\ lr-route-list ROUTER print routes for ROUTER\n\ \n\ +Policy commands:\n\ + lr-policy-add ROUTER PRIORITY MATCH ACTION [NEXTHOP]\n\ + add a policy to router\n\ + lr-policy-del ROUTER [PRIORITY [MATCH]]\n\ + remove policies from ROUTER\n\ + lr-policy-list ROUTER print policies for ROUTER\n\ +\n\ NAT commands:\n\ lr-nat-add ROUTER TYPE EXTERNAL_IP LOGICAL_IP [LOGICAL_PORT EXTERNAL_MAC]\n\ add a NAT to ROUTER\n\ 
@@ -3393,6 +3400,189 @@ normalize_prefix_str(const char *orig_prefix) return normalize_ipv6_prefix(ipv6, plen); } } + +static void +nbctl_lr_policy_add(struct ctl_context *ctx) +{ + const struct nbrec_logical_router *lr; + int64_t priority = 0; + char *error = lr_by_name_or_uuid(ctx, ctx->argv[1], true, &lr); + if (error) { + ctx->error = error; + return; + } + error = parse_priority(ctx->argv[2], &priority); + if (error) { + ctx->error = error; + return; + } + const char *action = ctx->argv[4]; + char *next_hop = NULL; + /* Validate action. */ + if (strcmp(action, "allow") && strcmp(action, "drop") + && strcmp(action, "reroute")) { + ctl_error(ctx, "%s: action must be one of \"allow\", \"drop\", " + "and \"reroute\"", action); + } + if (!strcmp(action, "reroute")) { + if (ctx->argc < 6) { + ctl_error(ctx, "Nexthop is not specified when action is reroute."); + } + } + /* Check if same routing policy already exists. + * A policy is uniquely identified by priority and match */ + for (int i = 0; i < lr->n_policies; i++) { + const struct nbrec_logical_router_policy *policy = lr->policies[i]; + if ((policy->priority == priority) && + (!strcmp(policy->match, ctx->argv[3]))) { + ctl_error(ctx, "Same routing policy already existed on the " + "logical router %s.", ctx->argv[1]); + } + } + if (ctx->argc == 6) { + next_hop = normalize_prefix_str(ctx->argv[5]); + if (!next_hop) { + ctl_error(ctx, "bad next hop argument: %s", ctx->argv[5]); + } + } + struct nbrec_logical_router_policy *policy; + policy = nbrec_logical_router_policy_insert(ctx->txn); + nbrec_logical_router_policy_set_priority(policy, priority); + nbrec_logical_router_policy_set_match(policy, ctx->argv[3]); + nbrec_logical_router_policy_set_action(policy, action); + if (ctx->argc == 6) { + nbrec_logical_router_policy_set_nexthop(policy, next_hop); + } + nbrec_logical_router_verify_policies(lr); + struct nbrec_logical_router_policy **new_policies + = xmalloc(sizeof *new_policies * (lr->n_policies + 1)); + 
memcpy(new_policies, lr->policies, + sizeof *new_policies * lr->n_policies); + new_policies[lr->n_policies] = policy; + nbrec_logical_router_set_policies(lr, new_policies, + lr->n_policies + 1); + free(new_policies); + if (next_hop != NULL) + free(next_hop); +} + +static void +nbctl_lr_policy_del(struct ctl_context *ctx) +{ + const struct nbrec_logical_router *lr; + int64_t priority = 0; + char *error = lr_by_name_or_uuid(ctx, ctx->argv[1], true, &lr); + if (error) { + ctx->error = error; + return; + } + if (ctx->argc == 2) { + /* If a priority is not specified, delete all policies. */ + nbrec_logical_router_set_policies(lr, NULL, 0); + return; + } + error = parse_priority(ctx->argv[2], &priority); + if (error) { + ctx->error = error; + return; + } + /* If match is not specified, delete all routing policies with the + * specified priority. */ + if (ctx->argc == 3) { + struct nbrec_logical_router_policy **new_policies + = xmemdup(lr->policies, + sizeof *new_policies * lr->n_policies); + int n_policies = 0; + for (int i = 0; i < lr->n_policies; i++) { + if (priority != lr->policies[i]->priority) { + new_policies[n_policies++] = lr->policies[i]; + } + } + nbrec_logical_router_verify_policies(lr); + nbrec_logical_router_set_policies(lr, new_policies, n_policies); + free(new_policies); + return; + } + /* Delete policy that has the same priority and match string */ + for (int i = 0; i < lr->n_policies; i++) { + struct nbrec_logical_router_policy *routing_policy = lr->policies[i]; + if (priority == routing_policy->priority && + !strcmp(ctx->argv[3], routing_policy->match)) { + struct nbrec_logical_router_policy **new_policies + = xmemdup(lr->policies, + sizeof *new_policies * lr->n_policies); + new_policies[i] = lr->policies[lr->n_policies - 1]; + nbrec_logical_router_verify_policies(lr); + nbrec_logical_router_set_policies(lr, new_policies, + lr->n_policies - 1); + free(new_policies); + return; + } + } +} + + struct routing_policy { + int priority; + char *match; + const 
struct nbrec_logical_router_policy *policy; +}; + +static int +routing_policy_cmp(const void *policy1_, const void *policy2_) +{ + const struct routing_policy *policy1p = policy1_; + const struct routing_policy *policy2p = policy2_; + if (policy1p->priority != policy2p->priority) { + return policy1p->priority > policy2p->priority ? -1 : 1; + } else { + return strcmp(policy1p->match, policy2p->match); + } +} + +static void +print_routing_policy(const struct nbrec_logical_router_policy *policy, + struct ds *s) +{ + if (policy->nexthop != NULL) { + char *next_hop = normalize_prefix_str(policy->nexthop); + ds_put_format(s, "%10ld %50s %15s %25s", policy->priority, + policy->match, policy->action, next_hop); + free(next_hop); + } else + ds_put_format(s, "%10ld %50s %15s", policy->priority, + policy->match, policy->action); + ds_put_char(s, '\n'); +} + +static void +nbctl_lr_policy_list(struct ctl_context *ctx) +{ + const struct nbrec_logical_router *lr; + struct routing_policy *policies; + size_t n_policies = 0; + char *error = lr_by_name_or_uuid(ctx, ctx->argv[1], true, &lr); + if (error) { + ctx->error = error; + return; + } + policies = xmalloc(sizeof *policies * lr->n_policies); + for (int i = 0; i < lr->n_policies; i++) { + const struct nbrec_logical_router_policy *policy + = lr->policies[i]; + policies[n_policies].priority = policy->priority; + policies[n_policies].match = policy->match; + policies[n_policies].policy = policy; + n_policies++; + } + qsort(policies, n_policies, sizeof *policies, routing_policy_cmp); + if (n_policies) { + ds_put_cstr(&ctx->output, "Routing Policies\n"); + } + for (int i = 0; i < n_policies; i++) { + print_routing_policy(policies[i].policy, &ctx->output); + } + free(policies); +} static void nbctl_lr_route_add(struct ctl_context *ctx) 
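Review bot: in nbctl_lr_policy_add none of the four ctl_error() calls (invalid action, reroute without a nexthop, duplicate policy, bad next hop) is followed by a return, so after reporting the error the function still calls nbrec_logical_router_policy_insert() and appends the row to the router's policies column; on the bad-next-hop path it also hands next_hop == NULL to nbrec_logical_router_policy_set_nexthop(). Whether or not the caller discards the transaction when ctx->error is set, each error should return immediately, as the lr_by_name_or_uuid() and parse_priority() paths in the same function already do. Related points in this hunk: the nexthop is validated with normalize_prefix_str(), the prefix parser whose plen handling is visible in the context above, so a value such as 3.3.3.0/24 would be accepted although ovn-nb.xml says the nexthop must be the address of a router port or logical port, and a host-address check would match that contract; print_routing_policy() formats the int64_t priority with "%10ld" where "%10"PRId64 is the portable form; `if (next_hop != NULL) free(next_hop);` and the `} else ds_put_format(...)` branch lack the braces OVS style requires (free(NULL) is a no-op, so the guard can simply go); and the delete-all branch of nbctl_lr_policy_del sets policies to NULL without the nbrec_logical_router_verify_policies() call the other two branches make.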
@@ -5141,6 +5331,14 @@ static const struct ctl_command_syntax nbctl_commands[] = { { "lr-route-list", 1, 1, "ROUTER", NULL, nbctl_lr_route_list, NULL, "", RO }, + /* Policy commands */ + { "lr-policy-add", 4, 5, "ROUTER PRIORITY MATCH ACTION [NEXTHOP]", NULL, + nbctl_lr_policy_add, NULL, "", RW }, + { "lr-policy-del", 1, 3, "ROUTER [PRIORITY [MATCH]]", NULL, + nbctl_lr_policy_del, NULL, "", RW }, + { "lr-policy-list", 1, 1, "ROUTER", NULL, nbctl_lr_policy_list, NULL, + "", RO }, + /* NAT commands. */ { "lr-nat-add", 4, 6, "ROUTER TYPE EXTERNAL_IP LOGICAL_IP [LOGICAL_PORT EXTERNAL_MAC]", NULL, diff --git a/tests/ovn-nbctl.at b/tests/ovn-nbctl.at index 25414b8..70aaf81 100644 --- a/tests/ovn-nbctl.at +++ b/tests/ovn-nbctl.at 
@@ -1331,6 +1331,53 @@ IPv6 Routes dnl --------------------------------------------------------------------- +OVN_NBCTL_TEST([ovn_nbctl_policies], [policies], [ +AT_CHECK([ovn-nbctl lr-add lr0]) + +dnl Add policies with allow and drop actions +AT_CHECK([ovn-nbctl lr-policy-add lr0 100 "ip4.src == 1.1.1.0/24" drop]) +AT_CHECK([ovn-nbctl lr-policy-add lr0 100 "ip4.src == 1.1.2.0/24" allow]) +AT_CHECK([ovn-nbctl lr-policy-add lr0 101 "ip4.src == 2.1.1.0/24" allow]) +AT_CHECK([ovn-nbctl lr-policy-add lr0 101 "ip4.src == 2.1.2.0/24" drop]) + +dnl Add duplicated policy +AT_CHECK([ovn-nbctl lr-policy-add lr0 100 "ip4.src == 1.1.1.0/24" drop], [1], [], + [ovn-nbctl: Same routing policy already existed on the logical router lr0. +]) + +dnl Add duplicated policy +AT_CHECK([ovn-nbctl lr-policy-add lr0 103 "ip4.src == 1.1.1.0/24" deny], [1], [], + [ovn-nbctl: deny: action must be one of "allow", "drop", and "reroute" +]) + +dnl Delete by priority and match string +AT_CHECK([ovn-nbctl lr-policy-del lr0 100 "ip4.src == 1.1.1.0/24"]) +AT_CHECK([ovn-nbctl lr-policy-list lr0], [0], [dnl +Routing Policies + 101 ip4.src == 2.1.1.0/24 allow + 101 ip4.src == 2.1.2.0/24 drop + 100 ip4.src == 1.1.2.0/24 allow +]) + +dnl Delete all policies for given priority +AT_CHECK([ovn-nbctl lr-policy-del lr0 101]) +AT_CHECK([ovn-nbctl lr-policy-list lr0], [0], [dnl +Routing Policies + 100 ip4.src == 1.1.2.0/24 allow +]) + +dnl Add policy with reroute action +AT_CHECK([ovn-nbctl lr-policy-add lr0 102 "ip4.src == 3.1.2.0/24" reroute 3.3.3.3]) + +dnl Add policy with invalid reroute ip +AT_CHECK([ovn-nbctl lr-policy-add lr0 103 "ip4.src == 3.1.2.0/24" reroute 3.3.3.x], [1], [], + [ovn-nbctl: bad next hop argument: 3.3.3.x +]) + +]) + +dnl --------------------------------------------------------------------- + OVN_NBCTL_TEST([ovn_nbctl_lsp_types], [lsp types], [ AT_CHECK([ovn-nbctl ls-add ls0]) AT_CHECK([ovn-nbctl lsp-add ls0 lp0])
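Review bot: the second "dnl Add duplicated policy" comment in the new ovn_nbctl_policies test labels the invalid-action case (the "deny" call), so it should read "Add policy with invalid action". The test also leaves three distinct branches of the new code unexercised: lr-policy-add with action reroute and no NEXTHOP (the "Nexthop is not specified" error), lr-policy-list after the reroute policy is added (so the nexthop column in the list output is never checked against the "%25s" formatting), and lr-policy-del with no PRIORITY (the clear-all branch). Each deserves its own AT_CHECK with the expected output.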
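The policy semantics this series describes (a policy keyed by priority and match, the highest-priority matching row deciding, allow when nothing matches, and lr-policy-list's ordering), modelled as an added example that is not code from the patch or the OVN project. It assumes a constructed evaluator for the small match-expression subset used in the sample policies, and it is stricter than the patch in one place: the nexthop must be a host address.

```python
"""Model of the routing-policy semantics described in this series (added
example, not OVN project code). match_expr() is a constructed stand-in for
OVN's expression language covering only the subset in the sample policies:
ip4.src / ip4.dst == CIDR and inport == "name", joined by &&."""
import ipaddress
import re
from collections import namedtuple

ACTIONS = ("allow", "drop", "reroute")
PRIORITY_MAX = 32767  # maxInteger of the priority column in the new schema
Policy = namedtuple("Policy", "priority match action nexthop")

# One '&&' conjunct of the supported subset: FIELD == "quoted" or FIELD == bare.
_TERM = re.compile(r'^\s*(ip4\.src|ip4\.dst|inport)\s*==\s*(?:"([^"]*)"|(\S+))\s*$')


def match_expr(expr, packet):
    """Evaluate expr against a packet dict keyed by ip4.src, ip4.dst and
    inport. Terms outside the supported subset raise ValueError."""
    for term in expr.split("&&"):
        m = _TERM.match(term)
        if not m:
            raise ValueError(f"unsupported match term: {term.strip()!r}")
        field, quoted, bare = m.groups()
        value = quoted if quoted is not None else bare
        if field == "inport":
            if packet.get("inport") != value:
                return False
        elif ipaddress.ip_address(packet[field]) not in ipaddress.ip_network(value, strict=False):
            return False
    return True


class LogicalRouter:
    def __init__(self, name):
        self.name = name
        self.policies = []

    def policy_add(self, priority, match, action, nexthop=None):
        """The checks lr-policy-add makes, in its order. Returns the error
        text and adds nothing on failure (the patch reports but inserts anyway).
        Stricter than the patch in one place: nexthop must be a host address."""
        if not 0 <= priority <= PRIORITY_MAX:
            return f"priority must be between 0 and {PRIORITY_MAX}"
        if action not in ACTIONS:
            return f'{action}: action must be one of "allow", "drop", and "reroute"'
        if action == "reroute":
            if nexthop is None:
                return "Nexthop is not specified when action is reroute."
            try:
                ipaddress.ip_address(nexthop)
            except ValueError:
                return f"bad next hop argument: {nexthop}"
        if any(p.priority == priority and p.match == match for p in self.policies):
            return f"Same routing policy already existed on the logical router {self.name}."
        self.policies.append(Policy(priority, match, action, nexthop))
        return None

    def policy_del(self, priority=None, match=None):
        """lr-policy-del: no arguments clears everything, a priority alone
        clears that priority, priority plus match removes exactly one policy."""
        keep = []
        for p in self.policies:
            if priority is None:
                continue
            if p.priority != priority or (match is not None and p.match != match):
                keep.append(p)
        self.policies = keep

    def policy_list(self):
        """lr-policy-list order: priority descending, then match. The tie-break
        is display order only; the series does not say which of two overlapping
        equal-priority policies wins, so do not rely on it."""
        return sorted(self.policies, key=lambda p: (-p.priority, p.match))

    def evaluate(self, packet):
        """(action, nexthop) from the highest-priority matching policy;
        no match means allow, the default the ovn-nb.xml text warns about."""
        for p in self.policy_list():
            if match_expr(p.match, packet):
                return p.action, p.nexthop
        return "allow", None


def sample_router():
    """The three policies from the lr-policy-list sample output."""
    lr = LogicalRouter("lr1")
    lr.policy_add(611, 'ip4.dst==12.2.1.0/24 && ip4.src==11.2.1.0/24 && '
                       'inport=="lrp-ac44a00b-26c9-45e2-851c-62463750c3a2"', "allow")
    lr.policy_add(610, "ip4.dst==12.2.1.0/24 && ip4.src==11.2.1.0/24", "reroute", "13.2.1.12")
    lr.policy_add(600, "ip4.dst==0.0.0.0/0 && ip4.src==0.0.0.0/0", "drop")
    return lr


if __name__ == "__main__":
    lr = sample_router()
    # Constructed packet: 611 exempts one router port from the 610 reroute;
    # other sources fall through to the 600 catch-all drop.
    pkt = {"ip4.src": "11.2.1.5", "ip4.dst": "12.2.1.7",
           "inport": "lrp-ac44a00b-26c9-45e2-851c-62463750c3a2"}
    print(lr.evaluate(pkt))                             # ('allow', None)
    print(lr.evaluate({**pkt, "inport": "lrp-other"}))  # ('reroute', '13.2.1.12')
    print(lr.evaluate({**pkt, "ip4.src": "10.0.0.1"}))  # ('drop', None)
    lr.policy_del(610)  # without the reroute, that traffic hits the catch-all
    print(lr.evaluate({**pkt, "inport": "lrp-other"}))  # ('drop', None)
```

Deleting the 610 reroute rule shows the interaction a reviewer should keep in mind: the traffic it covered does not revert to normal routing but falls to the 600 catch-all drop, while a router with no policies at all allows everything.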
X-Patchwork-Submitter: Mary Manohar
X-Patchwork-Id: 996278
From: Mary Manohar
To: "ovs-dev@openvswitch.org"
Date: Mon, 12 Nov 2018 06:27:50 +0000
Message-ID: <1542004180-202310-3-git-send-email-mary.manohar@nutanix.com>
References: <1542004180-202310-1-git-send-email-mary.manohar@nutanix.com>
In-Reply-To: <1542004180-202310-1-git-send-email-mary.manohar@nutanix.com>
Cc: Mary Manohar
Subject: [ovs-dev] [PATCH v2 3/3] Routing policies, ovn-northd changes to handle routing policy commands.

Policy-based routing (PBR) provides a mechanism to configure permit/deny and reroute policies on the router. Permit/deny policies are similar to OVN ACLs, but exist on the logical-router. Reroute policies are needed for service-insertion and service-chaining. Currently, we support only stateless policies.

To achieve this, a new table is introduced in the ingress pipeline of the Logical-router. The new table is between the ‘IP Routing’ and the ‘ARP/ND resolution’ table. This way, PBR can override routing decisions and provide a different next-hop.
This Series:
a. Changes in OVN NB Schema to introduce a new table in the Logical router.
b. Add commands to ovn-nbctl to add/delete/list routing policies.
c. Changes in ovn-northd to process routing-policy configurations.

This Patch:
ovn-northd changes to get routing-policies from northbound database and populate the same as logical flows in the southbound database.

A new table called 'POLICY' is introduced in the Logical router's ingress pipeline. Each routing-policy configured in the northbound database translates into a single logical flow in the new table. The columns from the Logical_Router_Policy table are used as follows:
The priority column is used as priority in the logical-flow.
The match column is used as the 'match' string in the logical-flow.
The action column is used to determine the action of the logical-flow. When the 'action' is reroute, if the nexthop ip-address is a connected router port or the IP address of a logical port, the logical-flow is constructed to route the packet to the nexthop ip-address.

Signed-off-by: Mary Manohar
---
 ovn/northd/ovn-northd.c | 144 ++++++++++++++++++++++++++++++++++++++++++++++--
 1 file changed, 138 insertions(+), 6 deletions(-)

diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 58bef7d..5cc9256 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -142,9 +142,10 @@ enum ovn_stage { PIPELINE_STAGE(ROUTER, IN, ND_RA_OPTIONS, 5, "lr_in_nd_ra_options") \ PIPELINE_STAGE(ROUTER, IN, ND_RA_RESPONSE, 6, "lr_in_nd_ra_response") \ PIPELINE_STAGE(ROUTER, IN, IP_ROUTING, 7, "lr_in_ip_routing") \ - PIPELINE_STAGE(ROUTER, IN, ARP_RESOLVE, 8, "lr_in_arp_resolve") \ - PIPELINE_STAGE(ROUTER, IN, GW_REDIRECT, 9, "lr_in_gw_redirect") \ - PIPELINE_STAGE(ROUTER, IN, ARP_REQUEST, 10, "lr_in_arp_request") \ + PIPELINE_STAGE(ROUTER, IN, POLICY, 8, "lr_in_policy") \ + PIPELINE_STAGE(ROUTER, IN, ARP_RESOLVE, 9, "lr_in_arp_resolve") \ + PIPELINE_STAGE(ROUTER, IN, GW_REDIRECT, 10, "lr_in_gw_redirect") \ + PIPELINE_STAGE(ROUTER, IN, ARP_REQUEST, 11, "lr_in_arp_request") \ \ /* Logical router egress stages. */ \ PIPELINE_STAGE(ROUTER, OUT, UNDNAT, 0, "lr_out_undnat") \ 
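Review bot: renumbering ARP_RESOLVE, GW_REDIRECT and ARP_REQUEST to 9, 10 and 11 changes the logical router ingress table numbers that show up in southbound flows and trace output, yet the diffstat lists only ovn/northd/ovn-northd.c; the ovn-northd.8.xml description of the router ingress pipeline needs the same renumbering plus a new section for table 8 `lr_in_policy`, and any test that matches on these table numbers needs checking, all in this patch so the tree stays consistent at every commit.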
@@ -4633,6 +4634,111 @@ find_lrp_member_ip(const struct ovn_port *op, const char *ip_s) return NULL; } +static struct ovn_port* +get_outport_for_routing_policy_nexthop(struct ovn_datapath *od, + struct hmap *ports, + int priority, const char *nexthop) +{ + if (nexthop == NULL) + return NULL; + + unsigned int plen = 0; + ovs_be32 nexthop_be32; + /* Verify that the next hop is an IP address with an all-ones mask. */ + char *error = ip_parse_cidr(nexthop, &nexthop_be32, &plen); + if (!error) { + if (plen != 32) { + static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); + VLOG_WARN_RL(&rl, "bad next hop ip %s for routing policy " + "with priority %d, error: %s ", + nexthop, priority, error); + return NULL; + } + } else { + static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); + VLOG_WARN_RL(&rl, "Failed to parse cidr %s for routing policy " + "with priority %d ", + nexthop, priority); + free(error); + return NULL; + } + + /* find the router port matching the next hop. */ + int i; + struct ovn_port *out_port = NULL; + const char *lrp_addr_s = NULL; + for (i = 0; i < od->nbr->n_ports; i++) { + struct nbrec_logical_router_port *lrp = od->nbr->ports[i]; + out_port = ovn_port_find(ports, lrp->name); + if (!out_port) { + /* This should not happen. */ + continue; + } + lrp_addr_s = find_lrp_member_ip(out_port, nexthop); + if (lrp_addr_s) { + break; + } else { + out_port = NULL; + } + } + if (!out_port) { + /* There is no matched out port. 
*/ + static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); + VLOG_WARN_RL(&rl, "No path for routing policy priority %d; next hop %s", + priority, nexthop); + return NULL; + } + return out_port; +} + +static void +build_routing_policy_flow(struct hmap *lflows, struct ovn_datapath *od, + struct hmap *ports, + const struct nbrec_logical_router_policy *rule) +{ + struct ds match = DS_EMPTY_INITIALIZER; + struct ds actions = DS_EMPTY_INITIALIZER; + + if (!strcmp(rule->action, "reroute")) { + struct ovn_port *out_port = NULL; + const char *lrp_addr_s = NULL; + out_port = get_outport_for_routing_policy_nexthop( + od, ports, rule->priority, rule->nexthop); + if (out_port == NULL) { + return; + } else { + lrp_addr_s = find_lrp_member_ip(out_port, rule->nexthop); + if (!lrp_addr_s) { + static struct vlog_rate_limit rl = VLOG_RATE_LIMIT_INIT(5, 1); + VLOG_WARN_RL(&rl, "lrp_addr not found for routing policy " + " priority %d nexthop %s", + rule->priority, rule->nexthop); + return; + } else { + ds_put_format(&actions, "reg0 = %s; " + "reg1 = %s; " + "eth.src = %s; " + "outport = %s; " + "flags.loopback = 1; " + "next;", + rule->nexthop, + lrp_addr_s, + out_port->lrp_networks.ea_s, + out_port->json_key); + } + } + } else if (!strcmp(rule->action, "drop")) { + ds_put_cstr(&actions, "drop;"); + } else if (!strcmp(rule->action, "allow")) { + ds_put_cstr(&actions, "next;"); + } + ds_put_format(&match, "%s", rule->match); + ovn_lflow_add(lflows, od, S_ROUTER_IN_POLICY, rule->priority, + ds_cstr(&match), ds_cstr(&actions)); + ds_destroy(&match); + ds_destroy(&actions); +} + static void add_route(struct hmap *lflows, const struct ovn_port *op, const char *lrp_addr_s, const char *network_s, int plen, 
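Review bot: build_routing_policy_flow adds a flow with an empty action string when rule->action is anything other than reroute, drop or allow: the `else if` chain has no final `else`, so `ds_cstr(&actions)` is "" and ovn_lflow_add is still called. ovn-northd must not rely on ovn-nbctl's validation, because a Logical_Router_Policy row can be written directly through ovsdb; add a final `else` that logs a rate-limited warning and returns without adding the flow. In get_outport_for_routing_policy_nexthop, the `plen != 32` branch formats `error: %s` with `error` known to be NULL (the branch sits under `if (!error)`), which is undefined behaviour for printf; drop the `error: %s` part of that message. Two smaller points: `if (nexthop == NULL) return NULL;` needs braces per OVS style, and find_lrp_member_ip is evaluated twice for the same port and nexthop (inside the helper and again in build_routing_policy_flow); returning lrp_addr_s through an out-parameter avoids the duplicate lookup. Finally, ip_parse_cidr accepts only IPv4, so an IPv6 nexthop is rejected with a "Failed to parse cidr" warning; if IPv6 reroute is out of scope for this series, say so in the commit message.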
@@ -6332,9 +6438,35 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, } } + /* Logical router ingress table 8: Policy. + * + * A packet that arrives at this table is an IP packet that should be + * permitted/denied/rerouted to the address in the rule's nexthop. + * This table sets outport to the correct out_port, + * eth.src to the output port's MAC address, + * and '[xx]reg0' to the next-hop IP address (leaving + * 'ip[46].dst', the packet’s final destination, unchanged), and + * advances to the next table for ARP/ND resolution. */ + HMAP_FOR_EACH (od, key_node, datapaths) { + if (!od->nbr) { + continue; + } + /* This is a catch-all rule. It has the lowest priority (0) + * does a match-all("1") and pass-through (next) */ + ovn_lflow_add(lflows, od, S_ROUTER_IN_POLICY, 0, "1", "next;"); + + /* Convert routing policies to flows. */ + for (int i = 0; i < od->nbr->n_policies; i++) { + const struct nbrec_logical_router_policy *rule; + rule = od->nbr->policies[i]; + build_routing_policy_flow(lflows, od, ports, rule); + } + } + + /* XXX destination unreachable */ - /* Local router ingress table 8: ARP Resolution. + /* Local router ingress table 9: ARP Resolution. * * Any packet that reaches this table is an IP packet whose next-hop IP * address is in reg0. (ip4.dst is the final destination.) This table @@ -6533,7 +6665,7 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, "get_nd(outport, xxreg0); next;"); } - /* Logical router ingress table 9: Gateway redirect. + /* Logical router ingress table 10: Gateway redirect. * * For traffic with outport equal to the l3dgw_port * on a distributed router, this table redirects a subset 
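Review bot: the table 8 comment says the table sets '[xx]reg0' and leaves 'ip[46].dst' unchanged, but build_routing_policy_flow only ever emits `reg0 = ...; reg1 = ...`, so only IPv4 reroute is implemented; either narrow the comment to reg0/ip4.dst or add the xxreg0/xxreg1 path. The catch-all is installed at priority 0, and rule->priority is passed through without a range check, so a user policy at priority 0 with match "1" collides with it; reserve priority 0 (reject it in ovn-nbctl or document that policies must use priority >= 1). Also, the comment `/* This is a catch-all rule. It has the lowest priority (0) does a match-all("1") and pass-through (next) */` is missing punctuation; suggest "It has the lowest priority (0), matches everything ("1") and passes the packet through (next;)."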
@@ -6573,7 +6705,7 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, ovn_lflow_add(lflows, od, S_ROUTER_IN_GW_REDIRECT, 0, "1", "next;"); } - /* Local router ingress table 10: ARP request. + /* Local router ingress table 11: ARP request. * * In the common case where the Ethernet destination has been resolved, * this table outputs the packet (priority 0). Otherwise, it composes