| Message ID | 20200819074100.2682036-1-numans@ovn.org |
|---|---|
| State | Accepted |
| Headers | show |
| Series | [ovs-dev,ovn,v3] northd: Fix the routing for external logical ports of bridged logical switches. | expand |
On 8/19/20 9:41 AM, numans@ovn.org wrote: > From: Numan Siddique <numans@ovn.org> > > Routing for external logical ports is broken if these ports belonged > to bridged logical switches (with localnet port) and 'ovn-chassis-mac-mappings' > is configured. External logical ports are those which are external to OVN, > but there is a logical port for it and it is claimed by one of the HA chassis. > The claimed chassis provides routing and other native OVN serices like dhcp and dns. > > When the external port sends ARP request for the router IP, the claimed chassis > replies for the ARP request, but the arp.sha is set to the actual router mac instead > of the chassis mac. This causes the traffic from external port VM/container to be handled > incorrectly. A ping to the router ip, is replied by all the chassis which can see this > packet instead of just the claimed HA chassis. > > This patch fixes this issue by adding a logical flow to drop any packet from the external > ports destined to the router port mac on all the chassis except the claimed chassis. > > Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1829762 > Reported-by: Daniel Alvarez <dalvarez@redhat.com> > Suggested-by: Dumitru Ceara <dceara@redhat.com> > Signed-off-by: Numan Siddique <numans@ovn.org> > --- Looks good to me, thanks! Acked-by: Dumitru Ceara <dceara@redhat.com> Regards, Dumitru
On Wed, Aug 19, 2020 at 5:24 PM Dumitru Ceara <dceara@redhat.com> wrote: > > On 8/19/20 9:41 AM, numans@ovn.org wrote: > > From: Numan Siddique <numans@ovn.org> > > > > Routing for external logical ports is broken if these ports belonged > > to bridged logical switches (with localnet port) and 'ovn-chassis-mac-mappings' > > is configured. External logical ports are those which are external to OVN, > > but there is a logical port for it and it is claimed by one of the HA chassis. > > The claimed chassis provides routing and other native OVN serices like dhcp and dns. > > > > When the external port sends ARP request for the router IP, the claimed chassis > > replies for the ARP request, but the arp.sha is set to the actual router mac instead > > of the chassis mac. This causes the traffic from external port VM/container to be handled > > incorrectly. A ping to the router ip, is replied by all the chassis which can see this > > packet instead of just the claimed HA chassis. > > > > This patch fixes this issue by adding a logical flow to drop any packet from the external > > ports destined to the router port mac on all the chassis except the claimed chassis. > > > > Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1829762 > > Reported-by: Daniel Alvarez <dalvarez@redhat.com> > > Suggested-by: Dumitru Ceara <dceara@redhat.com> > > Signed-off-by: Numan Siddique <numans@ovn.org> > > --- > > Looks good to me, thanks! > > Acked-by: Dumitru Ceara <dceara@redhat.com> Thanks Dumitru. I applied this patch to master and branch-20.06. Numan > > Regards, > Dumitru > > _______________________________________________ > dev mailing list > dev@openvswitch.org > https://mail.openvswitch.org/mailman/listinfo/ovs-dev >
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index ee21c825d..989e3643b 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -1161,6 +1161,17 @@ output; which has claimed these external ports. All the other chassis, drops these packets. </p> + + <p> + A priority-100 flow is added for each <code>external</code> logical + port which doesn't reside on a chassis to drop any packet destined + to the router mac - with the match + <code>inport == <var>external</var> && + eth.src == <var>E</var> && eth.dst == <var>R</var> + && !is_chassis_resident("<var>external</var>")</code> + where <var>E</var> is the external port mac and <var>R</var> is the + router port mac. + </p> </li> <li> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index dc4592980..212de2f1f 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6577,6 +6577,19 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op, ds_cstr(&match), "drop;", &op->nbsp->header_); } + + ds_clear(&match); + ds_put_format( + &match, "inport == %s && eth.src == %s" + " && eth.dst == %s" + " && !is_chassis_resident(%s)", + port->json_key, + op->lsp_addrs[i].ea_s, rp->lsp_addrs[k].ea_s, + op->json_key); + ovn_lflow_add_with_hint(lflows, op->od, + S_SWITCH_IN_EXTERNAL_PORT, + 100, ds_cstr(&match), "drop;", + &op->nbsp->header_); } } } diff --git a/tests/ovn.at b/tests/ovn.at index 9b250b02f..8aabdf307 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -14870,6 +14870,13 @@ OVS_WAIT_UNTIL( logical_port=ls1-lp_ext1` test "$chassis" = "$hv1_uuid"]) +# There should be a flow in hv2 to drop traffic from ls1-lp_ext1 destined +# to router mac. +AT_CHECK([as hv2 ovs-ofctl dump-flows br-int \ +table=26,dl_src=f0:00:00:00:00:03,dl_dst=a0:10:00:00:00:01 | \ +grep -c "actions=drop"], [0], [1 +]) + # Stop ovn-controllers on hv1 and hv3. as hv1 ovn-appctl -t ovn-controller exit as hv3 ovn-appctl -t ovn-controller exit