[ovs-dev,v8,0/3,ovn] OVN: Vlan backed DVR, enable N-S packet flow

Message ID 1566957337-56025-1-git-send-email-ankur.sharma@nutanix.com

Ankur Sharma Aug. 28, 2019, 1:55 a.m. UTC
Problem Description:
Redirection to chassisredirect ports happens only via tunnel
encapsulation. As a result, the same cannot be leveraged for vlan backed
environments.

This series addresses the issue by allowing redirection to happen without
encapsulation.


Design:
=======
a. High level design is that CMS/user will provision "redirect-type"
   on a gateway chassis attached logical router port.

b. If the redirect-type is set as "vlan", then redirected packet
   from compute chassis to gateway chassis will go via the localnet
   port.

c. This redirected vlan packet will have the following attributes:
   i. Source Mac ==> Chassis mac of compute chassis.
  ii. Destination Mac ==> Mac address of chassisredirect router port.
                          i.e. cr-lrp-*
 iii. Vlan id  ==> Vlan id of peer logical switch of gateway chassis
                   attached logical router port.

d. To attain c. above a logical flow added in table=33 will send the
   packet to table=65, where it will hit regular flow which will
   send the packet out of localnet port.


This Series:
============

Patch 1
-------
ovn-nbctl and ovn-northd changes to accept a "redirect-type" option
associated with a logical router port. This configuration
is added so that we have a parameter to decide if we want to send
a redirected packet via tunnel port or localnet port.

Patch 2
-------
Adding a logical flow in lrp_in_arp_resolve to make sure that ARP requests
from logical router are generated on gateway chassis only. This flow
will make sure that we DO NOT call get_arp on compute chassis.

Patch 3
-------
Changes in ovn-controller, to add the redirect related OVS flow based
on configuration parameter added in Patch 2, i.e. if redirect-type
is 'overlay', then flow in table=32 will be added (to send the packet
out via tunnel port), if redirect-type is 'vlan', then flow in table=33
will be added, to send the packet out via localnet port.


Existing Efforts:
=================
There has been an effort to solve the same problem.
https://patchwork.ozlabs.org/patch/920447/ by vkommadi@redhat.com

This patch differs from the above changes in the following areas:
a. Existing patch adds an additional flow in lr_in_ip_routing to mark the packet
   as NAT_REDIRECT in compute chassis. This approach looks reasonable,
   especially since through this we can avoid Patch 3 in this series.
   However, using something similar based on our approach led to the following:
   i. For each route pointing to gateway router port, we will need 2 flows
      in lr_in_ip_routing, one which executes ONLY on compute chassis
      and marks the packet for NAT_REDIRECT and one which executes ONLY
      on gateway chassis and does not mark the packet.

      Since we cannot change the priority of a route flow
      (prefix length decides the priority), we will end up with
      2 logical flows with the same match (with is_chassis_resident being the
      only differentiating factor). OVN controller considered both such
      flows as duplicate and ends up considering only one of them, i.e.
      either only the compute chassis got its relevant flow or only
      the gateway chassis.

b. Existing patch considers a tenant as VLAN backed. Whereas this patch
   considers overlay/vlan as the property of gateway logical switch. And
   from a router's perspective, configuration is done on the peer router port.

c. Existing patch sends the packet to gateway router port mac, but uses
   source logical switch (tenant logical switch's) vlan id.
   This will always cause flooding in physical network, because
   gateway router port mac will be learnt on the peer logical switch.
   Using a different vlan id will always cause flooding of
   redirected packets from compute chassis to gateway chassis.

d. Because of c. above, existing patch needs changes on receiving side as well.
   This is because the packet's vlan id is not of the correct logical switch,
   hence on the receiving node (gateway chassis), the packet has to be force
   forwarded to the logical router pipeline.

v7 -> v8
------
  * Removed the not needed ovs side changes.

v6 -> v7
------
  * Replace vlan with bridged in the redirect-type implementation
  * Added documentation for new ARP resolution logical flow.
  * Converted to a 3 patch series, as first patch has been applied.

v5 -> v6
------
  * Removed sleep from unit tests

v4 -> v5
------
  * Fixed a compilation warning in lport.h

v3 -> v4
------
  * Handle review comments.
  * Rebased to TOT.

v2 -> v3
------
  * Fix merge conflicts.

v1 -> v2
------
  * Added ovn in the comment description prefix.



Ankur Sharma (3):
  OVN: Vlan backed DVR N-S, redirect-type option
  OVN: Vlan backed DVR N-S, avoid get_arp on non redirect chassis.
  OVN: Vlan backed DVR N-S, redirect packet via localnet port

 controller/physical.c   | 255 +++++++++++++++++++++++++++-------------
 lib/ovn-util.c          |  33 ++++++
 lib/ovn-util.h          |   5 +
 northd/ovn-northd.8.xml |  12 ++
 northd/ovn-northd.c     |  38 ++++++
 ovn-architecture.7.xml  |  64 ++++++++++
 ovn-nb.xml              |  43 +++++++
 tests/ovn-nbctl.at      |  25 ++++
 tests/ovn-northd.at     |  31 +++++
 tests/ovn.at            | 304 ++++++++++++++++++++++++++++++++++++++++++++++++
 utilities/ovn-nbctl.c   |  65 +++++++++++
 11 files changed, 792 insertions(+), 83 deletions(-)
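
The flooding argument in point c. of "Existing Efforts", modelled as an added example (not part of the original message or of the OVN code base): a physical switch that learns MACs per VLAN delivers the redirected frame only to the gateway chassis when it carries the gateway logical switch's VLAN id, and floods it when it carries the tenant VLAN id. The MACs, VLAN ids, port names and the independent-VLAN-learning model are assumptions chosen for illustration.

```python
# Added illustration: per-VLAN MAC learning in a physical L2 switch.
# All MACs, VLAN ids and port names below are constructed sample values.

class LearningSwitch:
    """Minimal 802.1Q-style switch; the FDB is keyed by (vlan, mac)."""

    def __init__(self, ports):
        self.ports = set(ports)
        self.fdb = {}  # (vlan, mac) -> port where that MAC was last seen

    def receive(self, in_port, vlan, src_mac, dst_mac):
        """Learn the source address, then return the set of egress ports."""
        self.fdb[(vlan, src_mac)] = in_port
        out_port = self.fdb.get((vlan, dst_mac))
        if out_port is None:
            # Unknown destination in this VLAN: flood to all other ports.
            return self.ports - {in_port}
        return {out_port} - {in_port}


GW_VLAN = 100                               # VLAN of the gateway logical switch
TENANT_VLAN = 200                           # VLAN of the tenant logical switch
CR_LRP_MAC = "00:00:01:01:02:03"            # stands in for the cr-lrp-* MAC
COMPUTE_CHASSIS_MAC = "aa:bb:cc:00:00:01"   # chassis MAC of the compute node
BROADCAST = "ff:ff:ff:ff:ff:ff"


def redirect_egress(vlan):
    """Egress ports for a redirected frame tagged with the given VLAN id."""
    sw = LearningSwitch(["compute", "gateway", "other1", "other2"])
    # The gateway chassis emits traffic sourced from the router port MAC on
    # the gateway logical switch's VLAN, so the MAC is learnt only there.
    sw.receive("gateway", GW_VLAN, CR_LRP_MAC, BROADCAST)
    # The compute chassis then redirects a frame to the router port MAC.
    return sw.receive("compute", vlan, COMPUTE_CHASSIS_MAC, CR_LRP_MAC)


if __name__ == "__main__":
    print("gateway LS vlan:", sorted(redirect_egress(GW_VLAN)))
    print("tenant LS vlan: ", sorted(redirect_egress(TENANT_VLAN)))
```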