From patchwork Wed Dec 1 12:56:06 2021
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1562161
From: Vladislav Odintsov
To: dev@openvswitch.org
Cc: Vladislav Odintsov
Date: Wed, 1 Dec 2021 15:56:06 +0300
Message-Id: <20211201125608.36918-2-odivlad@gmail.com>
In-Reply-To: <20211201125608.36918-1-odivlad@gmail.com>
References: <20211201125608.36918-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn 1/3] Revert "northd: support HW VTEP with stateful datapath"

This reverts commit 62ca8b9620cc1168ace6905575b7d36438363aed.

Signed-off-by: Vladislav Odintsov
---
 northd/northd.c | 14 --------------
 northd/ovn-northd.8.xml | 28 ----------------------------
 northd/ovn_northd.dl | 33 ++-------------------------------
 tests/ovn-northd.at | 2 --
 4 files changed, 2 insertions(+), 75 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c index e784ae192..4c1a2a382 100644 --- a/northd/northd.c +++ b/northd/northd.c 
@@ -197,7 +197,6 @@ enum ovn_stage { #define REGBIT_LKUP_FDB "reg0[11]" #define REGBIT_HAIRPIN_REPLY "reg0[12]" #define REGBIT_ACL_LABEL "reg0[13]" -#define REGBIT_FROM_RAMP "reg0[14]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -5477,15 +5476,10 @@ build_lswitch_input_port_sec_op( build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, match); - if (!strcmp(op->nbsp->type, "vtep")) { - ds_put_format(actions, REGBIT_FROM_RAMP" = 1; "); - } - const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); if (queue_id) { ds_put_format(actions, "set_queue(%s); ", queue_id); } - ds_put_cstr(actions, "next;"); ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, ds_cstr(match), ds_cstr(actions), @@ -5734,10 +5728,6 @@ build_pre_acls(struct ovn_datapath *od, const struct hmap *port_groups, "nd || nd_rs || nd_ra || mldv1 || mldv2 || " "(udp && udp.src == 546 && udp.dst == 547)", "next;"); - /* Do not send coming from RAMP switch packets to conntrack. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, - REGBIT_FROM_RAMP" == 1", "next;"); - /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", @@ -5828,10 +5818,6 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows) ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110, "eth.src == $svc_monitor_mac", "next;"); - /* Do not send coming from RAMP switch packets to conntrack. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110, - REGBIT_FROM_RAMP" == 1", "next;"); - /* Allow all packets to go to next tables by default. */ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;"); diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 5d06ac6a7..00fb925f8 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml 
@@ -262,16 +262,6 @@ logical ports on which port security is not enabled, these advance all packets that match the inport. -
  • - For logical ports of type vtep, the above logical flow - will also apply the action REGBIT_FROM_RAMP = 1; to - indicate that the packet is coming from a RAMP (controller-vtep) - device. Later pipelines will use this information to skip - sending the packet to the conntrack. Packets from vtep - logical ports should go though ingress pipeline only to determine - the output port and they should not be subjected to any ACL checks. - Egress pipeline will do the ACL checks. -
  • @@ -463,15 +453,6 @@ processing.

    -

    - This table has a priority-110 flow with the match - REGBIT_FROM_RAMP == 1 for all logical switch datapaths to - resubmit traffic to the next table. REGBIT_FROM_RAMP - indicates that packet was received from vtep logical ports - and it can be skipped from the stateful ACL processing in the ingress - pipeline. -

    -

    This table also has a priority-110 flow with the match eth.dst == E for all logical switch @@ -531,15 +512,6 @@ configured. We can now add a lflow to drop ct.inv packets.

    -

    - This table has a priority-110 flow with the match - REGBIT_FROM_RAMP == 1 for all logical switch datapaths to - resubmit traffic to the next table. REGBIT_FROM_RAMP - indicates that packet was received from vtep logical ports - and it can be skipped from the load balancer processing in the ingress - pipeline. -

    -

    This table also has a priority-110 flow with the match eth.dst == E for all logical switch diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index 817b11bdc..ffa2e06db 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl @@ -1738,7 +1738,6 @@ function rEGBIT_ACL_HINT_BLOCK() : istring = i"reg0[10]" function rEGBIT_LKUP_FDB() : istring = i"reg0[11]" function rEGBIT_HAIRPIN_REPLY() : istring = i"reg0[12]" function rEGBIT_ACL_LABEL() : istring = i"reg0[13]" -function rEGBIT_FROM_RAMP() : istring = i"reg0[14]" function rEG_ORIG_DIP_IPV4() : istring = i"reg1" function rEG_ORIG_DIP_IPV6() : istring = i"xxreg1" @@ -2178,16 +2177,6 @@ for (&Switch(._uuid = ls_uuid, .has_stateful_acl = true)) { .io_port = None, .controller_meter = None); - /* Do not send coming from RAMP switch packets to conntrack. */ - Flow(.logical_datapath = ls_uuid, - .stage = s_SWITCH_IN_PRE_ACL(), - .priority = 110, - .__match = i"${rEGBIT_FROM_RAMP()} == 1", - .actions = i"next;", - .stage_hint = 0, - .io_port = None, - .controller_meter = None); - /* Ingress and Egress Pre-ACL Table (Priority 100). * * Regardless of whether the ACL is "from-lport" or "to-lport", @@ -2254,16 +2243,6 @@ for (&Switch(._uuid = ls_uuid)) { .io_port = None, .controller_meter = None); - /* Do not send coming from RAMP switch packets to conntrack. */ - Flow(.logical_datapath = ls_uuid, - .stage = s_SWITCH_IN_PRE_LB(), - .priority = 110, - .__match = i"${rEGBIT_FROM_RAMP()} == 1", - .actions = i"next;", - .stage_hint = 0, - .io_port = None, - .controller_meter = None); - /* Allow all packets to go to next tables by default. */ Flow(.logical_datapath = ls_uuid, .stage = s_SWITCH_IN_PRE_LB(), 
@@ -3489,18 +3468,10 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses } else { i"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}" } in - var actions = { - var ramp = if (lsp.__type == i"vtep") { - i"${rEGBIT_FROM_RAMP()} = 1; " - } else { - i"" - }; - var queue = match (pbinding.options.get(i"qdisc_queue_id")) { + var actions = match (pbinding.options.get(i"qdisc_queue_id")) { None -> i"next;", Some{id} -> i"set_queue(${id}); next;" - }; - i"${ramp}${queue}" - } in + } in Flow(.logical_datapath = sw._uuid, .stage = s_SWITCH_IN_PORT_SEC_L2(), .priority = 50, diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index f03d14082..c4424ab14 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at @@ -3834,7 +3834,6 @@ check_stateful_flows() { table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl @@ -3901,7 +3900,6 @@ AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst == $svc_monitor_mac), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport == "sw0-lr0"), action=(next;) table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;) - table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1), action=(next;) ]) AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
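
Review bot: in the build_pre_acls() and build_pre_lb() hunks of northd/northd.c (and the matching Flow() rules in northd/ovn_northd.dl), dropping the priority-110 `REGBIT_FROM_RAMP" == 1"` flows removes the exemption that kept packets from vtep ports out of conntrack in S_SWITCH_IN_PRE_ACL and S_SWITCH_IN_PRE_LB, yet the commit message gives no reason beyond "This reverts commit 62ca8b96...". As this is patch 1/3, please say in the message why the register-bit approach is being withdrawn and which later patch restores the vtep handling, so that someone bisecting or backporting this commit on its own knows that vtep ingress traffic is handled by these stages like traffic from any other port. The ovn-northd.8.xml hunks also delete the only text that said packets from vtep ports "should not be subjected to any ACL checks" on ingress, so the replacement patch should document the new behaviour.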
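
Review bot: in tests/ovn-northd.at both hunks only delete the expected `ls_in_pre_lb` line matching `reg0[[14]] == 1`; nothing in the visible test changes exercises the ls_in_pre_acl flow or the `REGBIT_FROM_RAMP = 1` action on S_SWITCH_IN_PORT_SEC_L2 that this patch also removes. Consider adding, here or in the follow-up patch of the series, a check that creates a logical switch port of type vtep on a switch with stateful ACLs and asserts on the resulting ingress flows, so the intended treatment of vtep traffic is pinned by a test rather than implied by the absence of one expected line.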