{"id":1508829,"url":"http://patchwork.ozlabs.org/api/patches/1508829/","web_url":"http://patchwork.ozlabs.org/project/ovn/patch/2b20d506ad0bc5582f52a2ae1924456cbf201bec.1626976781.git.lorenzo.bianconi@redhat.com/","project":{"id":68,"url":"http://patchwork.ozlabs.org/api/projects/68/","name":"Open Virtual Network development","link_name":"ovn","list_id":"ovs-dev.openvswitch.org","list_email":"ovs-dev@openvswitch.org","web_url":"http://openvswitch.org/","scm_url":"","webscm_url":"","list_archive_url":"","list_archive_url_format":"","commit_url_format":""},"msgid":"<2b20d506ad0bc5582f52a2ae1924456cbf201bec.1626976781.git.lorenzo.bianconi@redhat.com>","list_archive_url":null,"date":"2021-07-22T18:08:35","name":"[ovs-dev,v3] northd: do not centralized traffic for unclaimed virtual ports","commit_ref":null,"pull_url":null,"state":"accepted","archived":false,"hash":"3ec7765cad0ef94e21247ef910e866a684186724","submitter":{"id":73083,"url":"http://patchwork.ozlabs.org/api/people/73083/","name":"Lorenzo Bianconi","email":"lorenzo.bianconi@redhat.com"},"delegate":{"id":72078,"url":"http://patchwork.ozlabs.org/api/users/72078/","username":"mmichelson","first_name":"Mark","last_name":"Michelson","email":"mmichels@redhat.com"},"mbox":"http://patchwork.ozlabs.org/project/ovn/patch/2b20d506ad0bc5582f52a2ae1924456cbf201bec.1626976781.git.lorenzo.bianconi@redhat.com/mbox/","series":[{"id":254779,"url":"http://patchwork.ozlabs.org/api/series/254779/","web_url":"http://patchwork.ozlabs.org/project/ovn/list/?series=254779","date":"2021-07-22T18:08:35","name":"[ovs-dev,v3] northd: do not centralized traffic for unclaimed virtual 
ports","version":3,"mbox":"http://patchwork.ozlabs.org/series/254779/mbox/"}],"comments":"http://patchwork.ozlabs.org/api/patches/1508829/comments/","check":"success","checks":"http://patchwork.ozlabs.org/api/patches/1508829/checks/","tags":{},"related":[],"headers":{"Return-Path":"<ovs-dev-bounces@openvswitch.org>","X-Original-To":["incoming@patchwork.ozlabs.org","dev@openvswitch.org"],"Delivered-To":["patchwork-incoming@bilbo.ozlabs.org","ovs-dev@lists.linuxfoundation.org"],"Authentication-Results":["ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=openvswitch.org\n (client-ip=140.211.166.138; helo=smtp1.osuosl.org;\n envelope-from=ovs-dev-bounces@openvswitch.org; receiver=<UNKNOWN>)","ozlabs.org;\n\tdkim=fail reason=\"signature verification failed\" (1024-bit key;\n unprotected) header.d=redhat.com header.i=@redhat.com header.a=rsa-sha256\n header.s=mimecast20190719 header.b=DWHYTgO+;\n\tdkim-atps=neutral","smtp3.osuosl.org (amavisd-new);\n dkim=pass (1024-bit key) header.d=redhat.com","relay.mimecast.com;\n auth=pass smtp.auth=CUSA124A263 smtp.mailfrom=lorenzo.bianconi@redhat.com"],"Received":["from smtp1.osuosl.org (smtp1.osuosl.org [140.211.166.138])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest\n SHA256)\n\t(No client certificate requested)\n\tby ozlabs.org (Postfix) with ESMTPS id 4GW0nh4F24z9sX5\n\tfor <incoming@patchwork.ozlabs.org>; Fri, 23 Jul 2021 04:08:56 +1000 (AEST)","from localhost (localhost [127.0.0.1])\n\tby smtp1.osuosl.org (Postfix) with ESMTP id D503182C4D;\n\tThu, 22 Jul 2021 18:08:53 +0000 (UTC)","from smtp1.osuosl.org ([127.0.0.1])\n\tby localhost (smtp1.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id AI1vYzKPgi4U; Thu, 22 Jul 2021 18:08:52 +0000 (UTC)","from lists.linuxfoundation.org (lf-lists.osuosl.org [140.211.9.56])\n\tby smtp1.osuosl.org (Postfix) with ESMTPS id F2BA0826C1;\n\tThu, 22 Jul 2021 18:08:51 +0000 
(UTC)","from lf-lists.osuosl.org (localhost [127.0.0.1])\n\tby lists.linuxfoundation.org (Postfix) with ESMTP id B1883C0010;\n\tThu, 22 Jul 2021 18:08:51 +0000 (UTC)","from smtp3.osuosl.org (smtp3.osuosl.org [140.211.166.136])\n by lists.linuxfoundation.org (Postfix) with ESMTP id B8B1DC000E\n for <dev@openvswitch.org>; Thu, 22 Jul 2021 18:08:50 +0000 (UTC)","from localhost (localhost [127.0.0.1])\n by smtp3.osuosl.org (Postfix) with ESMTP id 92DB1600B5\n for <dev@openvswitch.org>; Thu, 22 Jul 2021 18:08:50 +0000 (UTC)","from smtp3.osuosl.org ([127.0.0.1])\n by localhost (smtp3.osuosl.org [127.0.0.1]) (amavisd-new, port 10024)\n with ESMTP id wJSAHFQPCiis for <dev@openvswitch.org>;\n Thu, 22 Jul 2021 18:08:48 +0000 (UTC)","from us-smtp-delivery-124.mimecast.com\n (us-smtp-delivery-124.mimecast.com [216.205.24.124])\n by smtp3.osuosl.org (Postfix) with ESMTPS id 7F8C1600B4\n for <dev@openvswitch.org>; Thu, 22 Jul 2021 18:08:48 +0000 (UTC)","from mail-ed1-f72.google.com (mail-ed1-f72.google.com\n [209.85.208.72]) (Using TLS) by relay.mimecast.com with ESMTP id\n us-mta-33-EboGfRKePOKvgFV30gLqxQ-1; Thu, 22 Jul 2021 14:08:45 -0400","by mail-ed1-f72.google.com with SMTP id\n ee46-20020a056402292eb02903a1187e547cso3173284edb.0\n for <dev@openvswitch.org>; Thu, 22 Jul 2021 11:08:44 -0700 (PDT)","from lore-desk.redhat.com (net-130-25-106-225.cust.vodafonedsl.it.\n [130.25.106.225])\n by smtp.gmail.com with ESMTPSA id n26sm8237270eds.63.2021.07.22.11.08.41\n (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);\n Thu, 22 Jul 2021 11:08:41 -0700 (PDT)"],"X-Virus-Scanned":["amavisd-new at osuosl.org","amavisd-new at osuosl.org"],"X-Greylist":"domain auto-whitelisted by SQLgrey-1.8.0","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com;\n s=mimecast20190719; t=1626977326;\n h=from:from:reply-to:subject:subject:date:date:message-id:message-id:\n to:to:cc:cc:mime-version:mime-version:content-type:content-type:\n 
content-transfer-encoding:content-transfer-encoding;\n bh=BWxBHtMLe1hlc0DXenYu+3y5+LAT7Q5tYjfDRXeg8v4=;\n b=DWHYTgO+SzO0h6I37dwpr6WeQ3VH5OCl8CCAQYwJnJMvrQdW2A505gR/3glMOE2fC20n5l\n JA40g4MCBlDPrKti4A+/YSkg27BZZu2MVRgEgTkG1TTNwDLyiRDQmb0PpS0KrHCbmnP6K/\n 2+TwduanrCVnY5V4X7PMsM78PysrgxE=","X-MC-Unique":"EboGfRKePOKvgFV30gLqxQ-1","X-Google-DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed;\n d=1e100.net; s=20161025;\n h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version\n :content-transfer-encoding;\n bh=BWxBHtMLe1hlc0DXenYu+3y5+LAT7Q5tYjfDRXeg8v4=;\n b=tsNXxgn1/E/5+W6UlAmjiXqb2Bgz6l5qHM/mp8bO6sx+5bQpn1h9wVAo9GoeHD/rqc\n dsaQ8pQWENCIxZngH9yJHup/n4UJywFLB5li+rG4SnfQVnUmFmfntv5Ygkhni4a+UO7b\n As1N0xu4w4xHYeum1g4JtFuVBY5jYtlWU+MnDdbsiHmzqHZDe0YGp/8sMWWEnUryNyvn\n eKhPu5sOfgO+vrcyl/Yrkrzn0nxkQohXoVdLG28ZtmuQdW8aO0eRUlbuSiMDbZgEkngc\n aR1eDesMKIVA/JKd/AQqZnRzE/OBlJ7+Wue3crrRlpGp7KL89zo5k/H5z69iESvfHwne\n CQFg==","X-Gm-Message-State":"AOAM531wUtYTICf+B0xeqNHFW7sG0NChpZkmaLeR5QwcTdIKdX2hbUBm\n rHmf0d2aKasD+WBlTK9i+W8XmU4GBp2Uvl2qVeYBAyhBsWVhv3dI8wKKwSDRdh2ZnCv1yffcie4\n pO/hHqEwU3UqFN0dPOpU9g5cX7lBG92dVIiBbewq42HQgZOATYnvP8ZvCuiDMkr8XMM6yuX959s\n 0=","X-Received":["by 2002:aa7:df12:: with SMTP id c18mr1061784edy.62.1626977322092;\n Thu, 22 Jul 2021 11:08:42 -0700 (PDT)","by 2002:aa7:df12:: with SMTP id c18mr1061760edy.62.1626977321801;\n Thu, 22 Jul 2021 11:08:41 -0700 (PDT)"],"X-Google-Smtp-Source":"\n ABdhPJzMKzxHuvJ+/b4bwkRbf7+3Xtb/l741Gao2Lv+lbJB6pIqwGR5xNDxPUu1Rh6IVnVeHVcipfw==","From":"Lorenzo Bianconi <lorenzo.bianconi@redhat.com>","To":"dev@openvswitch.org","Date":"Thu, 22 Jul 2021 20:08:35 +0200","Message-Id":"\n <2b20d506ad0bc5582f52a2ae1924456cbf201bec.1626976781.git.lorenzo.bianconi@redhat.com>","X-Mailer":"git-send-email 2.31.1","MIME-Version":"1.0","X-Mimecast-Spam-Score":"0","X-Mimecast-Originator":"redhat.com","Cc":"dceara@redhat.com","Subject":"[ovs-dev] [PATCH v3 ovn] northd: do not centralized traffic for\n\tunclaimed virtual 
ports","X-BeenThere":"ovs-dev@openvswitch.org","X-Mailman-Version":"2.1.15","Precedence":"list","List-Id":"<ovs-dev.openvswitch.org>","List-Unsubscribe":"<https://mail.openvswitch.org/mailman/options/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=unsubscribe>","List-Archive":"<http://mail.openvswitch.org/pipermail/ovs-dev/>","List-Post":"<mailto:ovs-dev@openvswitch.org>","List-Help":"<mailto:ovs-dev-request@openvswitch.org?subject=help>","List-Subscribe":"<https://mail.openvswitch.org/mailman/listinfo/ovs-dev>,\n <mailto:ovs-dev-request@openvswitch.org?subject=subscribe>","Content-Type":"text/plain; charset=\"us-ascii\"","Content-Transfer-Encoding":"7bit","Errors-To":"ovs-dev-bounces@openvswitch.org","Sender":"\"dev\" <ovs-dev-bounces@openvswitch.org>"},"content":"Add a rule to drop traffic from a distributed NAT if the virtual\nport has not claimed yet becaused otherwise the traffic will be\ncentralized misconfiguring the TOR switch.\n\nhttps://bugzilla.redhat.com/show_bug.cgi?id=1952961\n\nAcked-by: Dumitru Ceara <dceara@redhat.com>\nCo-authored-by: Numan Siddique <numans@ovn.org>\nSigned-off-by: Numan Siddique <numans@ovn.org>\nSigned-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>\n---\nChanges since v2:\n- rebase on top of ovn master\n\nChanges since v1:\n- add northd documentation\n- add DDlog support (numan)\n---\n northd/ovn-northd.8.xml |  7 +++++++\n northd/ovn-northd.c     | 22 +++++++++++++++++-----\n northd/ovn_northd.dl    | 15 +++++++++++++++\n tests/ovn.at            | 26 ++++++++++++++++++++++++++\n 4 files changed, 65 insertions(+), 5 deletions(-)","diff":"diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml\nindex 6599ba194..99a19f853 100644\n--- a/northd/ovn-northd.8.xml\n+++ b/northd/ovn-northd.8.xml\n@@ -3784,6 +3784,13 @@ icmp6 {\n         external ip and <var>D</var> is NAT external mac.\n       </li>\n \n+      <li>\n+        For each NAT rule in the OVN Northbound database that can\n+        be handled in a 
distributed manner, a priority-80 logical flow\n+        with drop action if the NAT logical port is a virtual port not\n+        claimed by any chassis yet.\n+      </li>\n+\n       <li>\n         A priority-50 logical flow with match\n         <code>outport == <var>GW</var></code> has actions\ndiff --git a/northd/ovn-northd.c b/northd/ovn-northd.c\nindex af3e0bf87..1058c1c26 100644\n--- a/northd/ovn-northd.c\n+++ b/northd/ovn-northd.c\n@@ -12045,7 +12045,8 @@ lrouter_check_nat_entry(struct ovn_datapath *od, const struct nbrec_nat *nat,\n /* NAT, Defrag and load balancing. */\n static void\n build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,\n-                                struct ds *match, struct ds *actions)\n+                                struct hmap *ports, struct ds *match,\n+                                struct ds *actions)\n {\n     if (!od->nbr) {\n         return;\n@@ -12168,10 +12169,21 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,\n             ds_clear(match);\n             ds_clear(actions);\n             ds_put_format(match,\n-                          \"ip%s.src == %s && outport == %s && \"\n-                          \"is_chassis_resident(\\\"%s\\\")\",\n+                          \"ip%s.src == %s && outport == %s\",\n                           is_v6 ? 
\"6\" : \"4\", nat->logical_ip,\n-                          od->l3dgw_port->json_key, nat->logical_port);\n+                          od->l3dgw_port->json_key);\n+            /* Add a rule to drop traffic from a distributed NAT if\n+             * the virtual port has not claimed yet becaused otherwise\n+             * the traffic will be centralized misconfiguring the TOR switch.\n+             */\n+            struct ovn_port *op = ovn_port_find(ports, nat->logical_port);\n+            if (op && op->nbsp && !strcmp(op->nbsp->type, \"virtual\")) {\n+                ovn_lflow_add_with_hint(lflows, od, S_ROUTER_IN_GW_REDIRECT,\n+                                        80, ds_cstr(match), \"drop;\",\n+                                        &nat->header_);\n+            }\n+            ds_put_format(match, \" && is_chassis_resident(\\\"%s\\\")\",\n+                          nat->logical_port);\n             ds_put_format(actions, \"eth.src = %s; %s = %s; next;\",\n                           nat->external_mac,\n                           is_v6 ? 
REG_SRC_IPV6 : REG_SRC_IPV4,\n@@ -12309,7 +12321,7 @@ build_lswitch_and_lrouter_iterate_by_od(struct ovn_datapath *od,\n                                         &lsi->actions);\n     build_misc_local_traffic_drop_flows_for_lrouter(od, lsi->lflows);\n     build_lrouter_arp_nd_for_datapath(od, lsi->lflows);\n-    build_lrouter_nat_defrag_and_lb(od, lsi->lflows, &lsi->match,\n+    build_lrouter_nat_defrag_and_lb(od, lsi->lflows, lsi->ports, &lsi->match,\n                                     &lsi->actions);\n }\n \ndiff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl\nindex bae34a6a1..ab33a139e 100644\n--- a/northd/ovn_northd.dl\n+++ b/northd/ovn_northd.dl\n@@ -5807,6 +5807,10 @@ for (rp in &RouterPort(.router = &Router{._uuid = lr_uuid, .options = lr_options\n     }\n }\n \n+relation VirtualLogicalPort(logical_port: Option<string>)\n+VirtualLogicalPort(Some{logical_port}) :-\n+    lsp in &nb::Logical_Switch_Port(.name = logical_port, .__type = \"virtual\").\n+\n /* NAT rules are only valid on Gateway routers and routers with\n  * l3dgw_port (router has a port with \"redirect-chassis\"\n  * specified). 
*/\n@@ -6151,6 +6155,17 @@ for (r in &Router(._uuid = lr_uuid,\n                  .actions          = actions,\n                  .external_ids     = stage_hint(nat.nat._uuid));\n \n+            for (VirtualLogicalPort(nat.nat.logical_port)) {\n+                Some{var gwport} = l3dgw_port in\n+                Flow(.logical_datapath = lr_uuid,\n+                     .stage            = s_ROUTER_IN_GW_REDIRECT(),\n+                    .priority         = 80,\n+                    .__match          = \"${ipX}.src == ${nat.nat.logical_ip} && \"\n+                                        \"outport == ${json_string_escape(gwport.name)}\",\n+                    .actions          = \"drop;\",\n+                    .external_ids     = stage_hint(nat.nat._uuid))\n+            };\n+\n             /* Egress Loopback table: For NAT on a distributed router.\n              * If packets in the egress pipeline on the distributed\n              * gateway port have ip.dst matching a NAT external IP, then\ndiff --git a/tests/ovn.at b/tests/ovn.at\nindex 777409144..eaf344be9 100644\n--- a/tests/ovn.at\n+++ b/tests/ovn.at\n@@ -17397,6 +17397,16 @@ send_arp_reply() {\n     as hv$hv ovs-appctl netdev-dummy/receive hv${hv}-vif$inport $request\n }\n \n+send_icmp_packet() {\n+    local inport=$1 hv=$2 eth_src=$3 eth_dst=$4 ipv4_src=$5 ipv4_dst=$6 ip_chksum=$7 data=$8\n+    shift 8\n+\n+    local ip_ttl=ff\n+    local ip_len=001c\n+    local packet=${eth_dst}${eth_src}08004500${ip_len}00004000${ip_ttl}01${ip_chksum}${ipv4_src}${ipv4_dst}${data}\n+    as hv$hv ovs-appctl netdev-dummy/receive hv${hv}-vif$inport $packet\n+}\n+\n net_add n1\n \n sim_add hv1\n@@ -17611,6 +17621,22 @@ logical_port=sw0-vir) = x])\n wait_row_count nb:Logical_Switch_Port 1 up=false name=sw0-vir\n \n check ovn-nbctl --wait=hv sync\n+\n+# verify the traffic from virtual port is discarded if the port is not claimed\n+AT_CHECK([grep lr_in_gw_redirect lr0-flows2 | grep \"ip4.src == 10.0.0.10\"], [0], [dnl\n+  
table=17(lr_in_gw_redirect  ), priority=100  , match=(ip4.src == 10.0.0.10 && outport == \"lr0-public\" && is_chassis_resident(\"sw0-vir\")), action=(eth.src = 10:54:00:00:00:10; reg1 = 172.168.0.50; next;)\n+  table=17(lr_in_gw_redirect  ), priority=80   , match=(ip4.src == 10.0.0.10 && outport == \"lr0-public\"), action=(drop;)\n+])\n+\n+eth_src=505400000003\n+eth_dst=00000000ff01\n+ip_src=$(ip_to_hex 10 0 0 10)\n+ip_dst=$(ip_to_hex 172 168 0 101)\n+send_icmp_packet 1 1 $eth_src $eth_dst $ip_src $ip_dst c4c9 0000000000000000000000\n+AT_CHECK([as hv1 ovs-ofctl dump-flows br-int | awk '/table=25, n_packets=1, n_bytes=45/{print $7\" \"$8}'],[0],[dnl\n+priority=80,ip,reg15=0x3,metadata=0x3,nw_src=10.0.0.10 actions=drop\n+])\n+\n # hv1 should remove the flow for the ACL with is_chassis_redirect check for sw0-vir.\n check_virtual_offlows_not_present hv1\n \n","prefixes":["ovs-dev","v3"]}
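Review bot: the new `<li>` in northd/ovn-northd.8.xml should spell out the flow's match the way the neighbouring entries do ("with match `ip`X`.src == `logical_ip` && outport == `GW`"), and the wording "if the NAT logical port is a virtual port not claimed by any chassis yet" overstates what is checked: the C and DDlog hunks install the priority-80 drop flow for every distributed NAT whose logical port is of type `virtual`, regardless of claim state, and it only takes effect because the priority-100 flow with `is_chassis_resident(...)` wins once the port is claimed. Suggest phrasing it as "a priority-80 logical flow ... with action `drop;` for NAT rules whose logical port is a virtual port; this flow only matches while the port is not claimed, because the priority-100 `is_chassis_resident` flow above takes precedence otherwise".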
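Review bot: the comment added in build_lrouter_nat_defrag_and_lb() in northd/ovn-northd.c has two typos, "the virtual port has not claimed yet becaused" should read "the virtual port has not been claimed yet because". The comment would also help a future reader more if it said why the two `ds_put_format(match, ...)` calls are split: the drop flow is added with the match before `" && is_chassis_resident(\"%s\")"` is appended, so it is a strict prefix of the priority-100 resident match and the ordering of those calls must not be changed.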
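Review bot: indentation is inconsistent in the new `Flow(...)` record added under `for (VirtualLogicalPort(nat.nat.logical_port))` in northd/ovn_northd.dl: `.stage` is aligned with `.logical_datapath`, but `.priority`, `.__match`, `.actions` and `.external_ids` are one column short of it. Align all fields with `.logical_datapath` as the surrounding Flow records do.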
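Review bot: the new send_icmp_packet() helper in tests/ovn.at takes the IPv4 header checksum as a caller-supplied argument (`ip_chksum`), so the caller has to hand-compute `c4c9` for this exact src/dst/TTL/length combination, and any later change to those fields silently produces a packet with a bad checksum. Consider computing the checksum inside the helper from the header fields, or at least documenting in a comment which fields the supplied value covers. The `shift 8` after the `local` assignments also serves no purpose, since the remaining positional parameters are never used.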
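Review bot: the second `AT_CHECK` in the tests/ovn.at hunk pins the physical OpenFlow table number (`table=25`) and the byte count (`n_bytes=45`) in the awk pattern, so an unrelated change to ovn-controller's table layout or to the test packet would break this check for the wrong reason; matching on the logical-flow attributes that are actually under test (`priority=80`, `nw_src=10.0.0.10`, `actions=drop`) would be more robust. There is also no `OVS_WAIT_UNTIL` between `send_icmp_packet` and `ovs-ofctl dump-flows`, so the `n_packets=1` condition depends on the packet already having been processed when the dump runs.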