From patchwork Wed Jul 22 19:21:30 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 1334135
From: numans@ovn.org
To: dev@openvswitch.org
Date: Thu, 23 Jul 2020 00:51:30 +0530
Message-Id: <20200722192130.8984-1-numans@ovn.org>
X-Mailer: git-send-email 2.26.2
MIME-Version: 1.0
Subject: [ovs-dev] [PATCH ovn 1/2] ovn-northd: Don't send the pkt to
conntrack if it is to be routed in egress stage.
From: Numan Siddique
If there is a logical port 'P1' with the IP 10.0.0.3 and a logical port 'P2' with
the IP 20.0.0.3, and if the logical switch of 'P1' has at least one load balancer
associated with it and at least one ACL with allow-related action associated with it,
then for every packet from 'P1' to 'P2' after the TCP connection
is established we see a total of 4 recirculations in the datapath on the chassis
claiming 'P1'. This is because:

In the ingress logical switch pipeline, the below logical flows are hit:
- table=9 (ls_in_lb ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(reg0[2] = 1; next;)
- table=10(ls_in_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;)

And in the egress logical switch pipeline, the below logical flows are hit:
- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[0] = 1; next;)
- table=2 (ls_out_pre_stateful), priority=100 , match=(reg0[0] == 1), action=(ct_next;)
- table=3 (ls_out_lb ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(reg0[2] = 1; next;)
- table=7 (ls_out_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;)

In the above example, when the packet enters the egress pipeline and since it needs to
enter the router pipeline, we can skip setting reg0[0] if outport is the peer port of a
logical router port. There is no need to send the packet to conntrack in this case.

This patch handles this case for router ports. The next patch in the series avoids sending to
conntrack with the action ct_lb if the packet is not destined to the LB VIP.

With the present master, for the above example, we see a total of 4 recirculations on the
chassis claiming the lport 'P1'. With this patch we see only 2 recirculations.
Signed-off-by: Numan Siddique
---
northd/ovn-northd.8.xml | 33 ++++++++++++++++++++++++++++++++-
northd/ovn-northd.c | 39 ++++++++++++++++++++++++++++++---------
2 files changed, 62 insertions(+), 10 deletions(-)
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index eb2514f15c..3a34e0ad7f 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -366,6 +366,15 @@
db="OVN_Northbound"/> table.
+
+ This table also has a priority-110 flow with the match
+ inport == I
for all logical switch
+ datapaths to move traffic to the next table. Where I
+ is the peer of a logical router port. This flow is added to
+ skip the connection tracking of packets which enter from
+ logical router datapath to logical switch datapath.
+
+
Ingress Table 5: Pre-stateful
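Review bot: The documented match, inport == I, does not line up with what skip_port_from_conntrack() installs: the code builds the match as "ip && inport == %s", and build_pre_lb() calls it for od->localnet_ports as well as od->router_ports. Suggest documenting the match as ip && inport == I and saying that I is either the peer of a logical router port or a localnet port. The sentence starting "Where I is the peer" is a fragment and should be joined to the one before it.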
@@ -533,7 +542,20 @@
It contains a priority-0 flow that simply moves traffic to the next
- table. For established connections a priority 100 flow matches on
+ table.
+
+
+
+ A priority-65535 flow with the match
+ inport == I
for all logical switch
+ datapaths to move traffic to the next table. Where I
+ is the peer of a logical router port. This flow is added to
+ skip the connection tracking of packets which enter from
+ logical router datapath to logical switch datapath.
+
+
+
+ For established connections a priority 65534 flow matches on
ct.est && !ct.rel && !ct.new &&
!ct.inv
and sets an action reg0[2] = 1; next;
to act
as a hint for table Stateful
to send packets through
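Review bot: Only the ingress LB table text gets the new priority-65535 bypass flow and the 65535 to 65534 renumbering, while build_lb() changes both S_SWITCH_IN_LB and S_SWITCH_OUT_LB. None of the three ovn-northd.8.xml hunks in this patch touches the egress LB table description, so please check whether it needs the matching outport == I flow and the new priority. As with the Pre-LB text, the match the code installs also includes ip.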
@@ -1359,6 +1381,15 @@ output;
db="OVN_Northbound"/> table.
+
+ This table also has a priority-110 flow with the match
+ outport == I
for all logical switch
+ datapaths to move traffic to the next table. Where I
+ is the peer of a logical router port. This flow is added to
+ skip the connection tracking of packets which will be entering
+ logical router datapath from logical switch datapath for routing.
+
+
Egress Table 2: Pre-stateful
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 192198272a..ac1da73342 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -4850,8 +4850,9 @@ build_lswitch_output_port_sec(struct hmap *ports, struct hmap *datapaths,
}
static void
-build_pre_acl_flows(struct ovn_datapath *od, struct ovn_port *op,
- struct hmap *lflows)
+skip_port_from_conntrack(struct ovn_datapath *od, struct ovn_port *op,
+ enum ovn_stage in_stage, enum ovn_stage out_stage,
+ uint16_t priority, struct hmap *lflows)
{
/* Can't use ct() for router ports. Consider the following configuration:
* lp1(10.0.0.2) on hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a
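Review bot: Missing documentation for the new in_stage, out_stage and priority parameters of skip_port_from_conntrack(); the comment at the top of the body still only explains the router-port case that motivated the Pre-ACL flows. A short function comment stating that it adds a "next;" flow for op in both stages at the given priority, and that each caller must choose a priority above the flows that send traffic to conntrack in that stage, would make the three call sites easier to audit.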
@@ -4867,10 +4868,10 @@ build_pre_acl_flows(struct ovn_datapath *od, struct ovn_port *op,
ds_put_format(&match_in, "ip && inport == %s", op->json_key);
ds_put_format(&match_out, "ip && outport == %s", op->json_key);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+ ovn_lflow_add_with_hint(lflows, od, in_stage, priority,
ds_cstr(&match_in), "next;",
&op->nbsp->header_);
- ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
+ ovn_lflow_add_with_hint(lflows, od, out_stage, priority,
ds_cstr(&match_out), "next;",
&op->nbsp->header_);
@@ -4903,10 +4904,14 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
* defragmentation, in order to match L4 headers. */
if (has_stateful) {
for (size_t i = 0; i < od->n_router_ports; i++) {
- build_pre_acl_flows(od, od->router_ports[i], lflows);
+ skip_port_from_conntrack(od, od->router_ports[i],
+ S_SWITCH_IN_PRE_ACL, S_SWITCH_OUT_PRE_ACL,
+ 110, lflows);
}
for (size_t i = 0; i < od->n_localnet_ports; i++) {
- build_pre_acl_flows(od, od->localnet_ports[i], lflows);
+ skip_port_from_conntrack(od, od->localnet_ports[i],
+ S_SWITCH_IN_PRE_ACL, S_SWITCH_OUT_PRE_ACL,
+ 110, lflows);
}
/* Ingress and Egress Pre-ACL Table (Priority 110).
@@ -5050,6 +5055,17 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows,
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;");
+ for (size_t i = 0; i < od->n_router_ports; i++) {
+ skip_port_from_conntrack(od, od->router_ports[i],
+ S_SWITCH_IN_PRE_LB, S_SWITCH_OUT_PRE_LB,
+ 110, lflows);
+ }
+ for (size_t i = 0; i < od->n_localnet_ports; i++) {
+ skip_port_from_conntrack(od, od->localnet_ports[i],
+ S_SWITCH_IN_PRE_LB, S_SWITCH_OUT_PRE_LB,
+ 110, lflows);
+ }
+
struct sset all_ips_v4 = SSET_INITIALIZER(&all_ips_v4);
struct sset all_ips_v6 = SSET_INITIALIZER(&all_ips_v6);
bool vip_configured = false;
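Review bot: These two loops run for every logical switch, ahead of the vip_configured check, so the priority-110 bypass flows are installed in Pre-LB even when no load balancer VIP is configured; build_pre_acls() guards the same calls with has_stateful. Consider adding them only once a VIP is known to be configured. Two further points: the commit message says the patch handles router ports, but localnet ports are bypassed here too, and the ingress-side flow is added at priority 110, so if the VIP flows in ls_in_pre_lb sit at priority 100 like the ls_out_pre_lb flow quoted in the commit message, traffic arriving from the router for a VIP on this switch would skip conntrack. Please confirm load balancing still works on that path.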
@@ -5725,13 +5741,18 @@ build_lb(struct ovn_datapath *od, struct hmap *lflows)
ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB, 0, "1", "next;");
if (od->nbs->load_balancer) {
- /* Ingress and Egress LB Table (Priority 65535).
+ for (size_t i = 0; i < od->n_router_ports; i++) {
+ skip_port_from_conntrack(od, od->router_ports[i],
+ S_SWITCH_IN_LB, S_SWITCH_OUT_LB,
+ UINT16_MAX, lflows);
+ }
+ /* Ingress and Egress LB Table (Priority 65534).
*
* Send established traffic through conntrack for just NAT. */
- ovn_lflow_add(lflows, od, S_SWITCH_IN_LB, UINT16_MAX,
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_LB, UINT16_MAX - 1,
"ct.est && !ct.rel && !ct.new && !ct.inv",
REGBIT_CONNTRACK_NAT" = 1; next;");
- ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB, UINT16_MAX,
+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB, UINT16_MAX - 1,
"ct.est && !ct.rel && !ct.new && !ct.inv",
REGBIT_CONNTRACK_NAT" = 1; next;");
}
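Review bot: The LB-stage bypass is added for od->router_ports only, whereas the Pre-LB hunk also covers od->localnet_ports; either make the two call sites consistent or add a comment saying why localnet ports do not need the flow here. The new loop also carries no comment of its own and sits above the block comment that now describes priority 65534. A one-line comment stating that the UINT16_MAX flows must outrank the ct.est flows would keep a later edit from breaking the priority relationship.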
From patchwork Wed Jul 22 19:21:54 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Numan Siddique
X-Patchwork-Id: 1334136
From: numans@ovn.org
To: dev@openvswitch.org
Date: Thu, 23 Jul 2020 00:51:54 +0530
Message-Id: <20200722192154.9065-1-numans@ovn.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200722192130.8984-1-numans@ovn.org>
References: <20200722192130.8984-1-numans@ovn.org>
MIME-Version: 1.0
Subject: [ovs-dev] [PATCH ovn 2/2] ovn-northd: Don't send the pkt to
conntrack for NAT if its not destined for LB VIP.
From: Numan Siddique
Presently when a logical switch has load balancer(s) associated to it, then the
packet is still sent to conntrack with the action ct_lb on both the ingress
and egress logical switch pipeline even if the destination IP is not LB VIP.
This is because below logical flows are hit:
In the ingress logical switch pipeline:
- table=9 (ls_in_lb ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(reg0[2] = 1; next;)
- table=10(ls_in_stateful ), priority=100 , match=(reg0[2] == 1), action=(ct_lb;)
In the egress logical switch pipeline:
- table=3 (ls_out_lb ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(reg0[2] = 1; next;)
- table=7 (ls_out_stateful), priority=100 , match=(reg0[2] == 1), action=(ct_lb;)
This patch avoids unnecessary ct actions by setting the ct_mark to 0x1/0x1 when the ct_lb(backends=...) action
is applied for NEW connections and updating the above logical flows to check for this mark:
- table=9 (ls_in_lb), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.mark == 1/1),
action=(reg0[2] = 1; next;)
- table=3 (ls_out_lb), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct.mark == 1/1),
action=(reg0[2] = 1; next;)
Signed-off-by: Numan Siddique
---
lib/actions.c | 3 +-
lib/logical-fields.c | 1 +
northd/ovn-northd.c | 6 ++-
tests/ovn.at | 17 +++---
tests/system-ovn.at | 122 +++++++++++++++++++++----------------------
5 files changed, 77 insertions(+), 72 deletions(-)
diff --git a/lib/actions.c b/lib/actions.c
index e14907e3d4..ae61ec4d84 100644
--- a/lib/actions.c
+++ b/lib/actions.c
@@ -1159,7 +1159,8 @@ encode_CT_LB(const struct ovnact_ct_lb *cl,
if (dst->port) {
ds_put_format(&ds, ":%"PRIu16, dst->port);
}
- ds_put_format(&ds, "),commit,table=%d,zone=NXM_NX_REG%d[0..15])",
+ ds_put_format(&ds, "),commit,table=%d,zone=NXM_NX_REG%d[0..15],"
+ "exec(set_field:2/3->ct_label))",
recirc_table, zone_reg);
}
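Review bot: set_field:2/3->ct_label writes with mask 3, so besides setting bit 1 it also forces bit 0 to zero, and bit 0 is ct_label.blocked according to lib/logical-fields.c in this same patch. If the intent is only to mark the connection as natted, the mask should cover bit 1 alone (set_field:2/2->ct_label) so the blocked bit keeps whatever value the ACL stages gave it. The commit message describes this change as setting ct_mark to 0x1/0x1, which does not match the code; one of the two needs updating.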
diff --git a/lib/logical-fields.c b/lib/logical-fields.c
index 8639523ea1..a592479423 100644
--- a/lib/logical-fields.c
+++ b/lib/logical-fields.c
@@ -127,6 +127,7 @@ ovn_init_symtab(struct shash *symtab)
expr_symtab_add_field(symtab, "ct_label", MFF_CT_LABEL, NULL, false);
expr_symtab_add_subfield(symtab, "ct_label.blocked", NULL, "ct_label[0]");
+ expr_symtab_add_subfield(symtab, "ct_label.natted", NULL, "ct_label[1]");
expr_symtab_add_field(symtab, "ct_state", MFF_CT_STATE, NULL, false);
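Review bot: ct_label.natted is a new logical field, but the diffstat for this patch lists no documentation file, so the field is introduced undocumented. Please describe it wherever ct_label.blocked is described. It would also help to define the bit position once and share it with encode_CT_LB(), so that ct_label[1] here and the literal 2 in lib/actions.c cannot drift apart.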
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index ac1da73342..ce4432318d 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -5750,10 +5750,12 @@ build_lb(struct ovn_datapath *od, struct hmap *lflows)
*
* Send established traffic through conntrack for just NAT. */
ovn_lflow_add(lflows, od, S_SWITCH_IN_LB, UINT16_MAX - 1,
- "ct.est && !ct.rel && !ct.new && !ct.inv",
+ "ct.est && !ct.rel && !ct.new && !ct.inv && "
+ "ct_label.natted == 1",
REGBIT_CONNTRACK_NAT" = 1; next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_LB, UINT16_MAX - 1,
- "ct.est && !ct.rel && !ct.new && !ct.inv",
+ "ct.est && !ct.rel && !ct.new && !ct.inv && "
+ "ct_label.natted == 1",
REGBIT_CONNTRACK_NAT" = 1; next;");
}
}
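Review bot: Requiring ct_label.natted == 1 in both flows means established load-balanced connections that were committed before this change, and therefore carry no label, stop matching and are no longer sent through ct_lb for NAT after an upgrade. Please say in the commit message whether that is acceptable, or handle the transition. The match here is ct_label.natted == 1 while the commit message shows ct.mark == 1/1, and the ovn-northd.8.xml description of this flow's match, which patch 1/2 edited, is not updated in this patch.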
diff --git a/tests/ovn.at b/tests/ovn.at
index e19efafbe2..2930721d7c 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -195,6 +195,7 @@ ct.snat = ct_state[6]
ct.trk = ct_state[5]
ct_label = NXM_NX_CT_LABEL
ct_label.blocked = ct_label[0]
+ct_label.natted = ct_label[1]
ct_mark = NXM_NX_CT_MARK
ct_state = NXM_NX_CT_STATE
]])
@@ -997,17 +998,17 @@ ct_lb(192.168.1.2:80, 192.168.1.3:80);
Syntax error at `192.168.1.2' expecting backends.
ct_lb(backends=192.168.1.2:80,192.168.1.3:80);
encodes as group:1
- uses group: id(1), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2:80),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3:80),commit,table=19,zone=NXM_NX_REG13[0..15]))
+ uses group: id(1), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2:80),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3:80),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)))
has prereqs ip
ct_lb(backends=192.168.1.2, 192.168.1.3, );
formats as ct_lb(backends=192.168.1.2,192.168.1.3);
encodes as group:2
- uses group: id(2), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3),commit,table=19,zone=NXM_NX_REG13[0..15]))
+ uses group: id(2), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)))
has prereqs ip
ct_lb(backends=fd0f::2, fd0f::3, );
formats as ct_lb(backends=fd0f::2,fd0f::3);
encodes as group:3
- uses group: id(3), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15]))
+ uses group: id(3), name(type=select,selection_method=dp_hash,bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)))
has prereqs ip
ct_lb(backends=192.168.1.2:);
@@ -1023,23 +1024,23 @@ ct_lb(backends=192.168.1.2:80,192.168.1.3:80; hash_fields=eth_src,eth_dst,ip_src
Syntax error at `eth_src' invalid hash_fields.
ct_lb(backends=192.168.1.2:80,192.168.1.3:80; hash_fields="eth_src,eth_dst,ip_src");
encodes as group:4
- uses group: id(4), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2:80),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3:80),commit,table=19,zone=NXM_NX_REG13[0..15]))
+ uses group: id(4), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=192.168.1.2:80),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=192.168.1.3:80),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)))
has prereqs ip
ct_lb(backends=fd0f::2,fd0f::3; hash_fields="eth_src,eth_dst,ip_src,ip_dst,tp_src,tp_dst");
encodes as group:5
- uses group: id(5), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src,ip_dst,tp_src,tp_dst),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15]))
+ uses group: id(5), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src,ip_dst,tp_src,tp_dst),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)))
has prereqs ip
ct_lb(backends=fd0f::2,fd0f::3; hash_fields="eth_src,eth_dst,ip_src,ip_dst,tcp_src,tcp_dst");
encodes as group:6
- uses group: id(6), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src,ip_dst,tcp_src,tcp_dst),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15]))
+ uses group: id(6), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src,ip_dst,tcp_src,tcp_dst),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)))
has prereqs ip
ct_lb(backends=fd0f::2,fd0f::3; hash_fields="eth_src,eth_dst,ip_src,ip_dst,udp_src,udp_dst");
encodes as group:7
- uses group: id(7), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src,ip_dst,udp_src,udp_dst),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15]))
+ uses group: id(7), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src,ip_dst,udp_src,udp_dst),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)))
has prereqs ip
ct_lb(backends=fd0f::2,fd0f::3; hash_fields="eth_src,eth_dst,ip_src,ip_dst,sctp_src,sctp_dst");
encodes as group:8
- uses group: id(8), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src,ip_dst,sctp_src,sctp_dst),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15]),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15]))
+ uses group: id(8), name(type=select,selection_method=hash,fields(eth_src,eth_dst,ip_src,ip_dst,sctp_src,sctp_dst),bucket=bucket_id=0,weight:100,actions=ct(nat(dst=fd0f::2),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)),bucket=bucket_id=1,weight:100,actions=ct(nat(dst=fd0f::3),commit,table=19,zone=NXM_NX_REG13[0..15],exec(set_field:2/3->ct_label)))
has prereqs ip
# ct_next
diff --git a/tests/system-ovn.at b/tests/system-ovn.at
index eddc530f97..a9b9b278f0 100644
--- a/tests/system-ovn.at
+++ b/tests/system-ovn.at
@@ -1124,9 +1124,9 @@ done
dnl Each server should have at least one connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(30.0.0.1) | \
sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
-tcp,orig=(src=192.168.1.2,dst=30.0.0.1,sport=,dport=),reply=(src=172.16.1.2,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=192.168.1.2,dst=30.0.0.1,sport=,dport=),reply=(src=172.16.1.3,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=192.168.1.2,dst=30.0.0.1,sport=,dport=),reply=(src=172.16.1.4,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.1,sport=,dport=),reply=(src=172.16.1.2,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.1,sport=,dport=),reply=(src=172.16.1.3,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.1,sport=,dport=),reply=(src=172.16.1.4,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
])
dnl Should work with the virtual IP 30.0.0.3 address through NAT
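Review bot: The updated expectations in tests/system-ovn.at only confirm that connections to a VIP now carry labels=0x2. Nothing in the visible hunks exercises the behaviour the patch is for, namely that established traffic to a non-VIP destination on a switch with a load balancer is no longer sent through ct_lb. Suggest adding a case that sends traffic to a non-VIP address and asserts that its conntrack entry carries no natted label.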
@@ -1138,9 +1138,9 @@ done
dnl Each server should have at least one connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(30.0.0.3) | \
sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
-tcp,orig=(src=192.168.1.2,dst=30.0.0.3,sport=,dport=),reply=(src=172.16.1.2,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=192.168.1.2,dst=30.0.0.3,sport=,dport=),reply=(src=172.16.1.3,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=192.168.1.2,dst=30.0.0.3,sport=,dport=),reply=(src=172.16.1.4,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.3,sport=,dport=),reply=(src=172.16.1.2,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.3,sport=,dport=),reply=(src=172.16.1.3,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.3,sport=,dport=),reply=(src=172.16.1.4,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
])
dnl Test load-balancing that includes L4 ports in NAT.
@@ -1152,9 +1152,9 @@ done
dnl Each server should have at least one connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(30.0.0.2) | \
sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
-tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.2,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.3,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.4,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.2,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.3,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.4,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
])
# Configure selection_fields.
@@ -1175,9 +1175,9 @@ done
dnl Each server should have at least one connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(30.0.0.2) | \
sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
-tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.2,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.3,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.4,dst=192.168.1.2,sport=,dport=),zone=,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.2,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.3,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=192.168.1.2,dst=30.0.0.2,sport=,dport=),reply=(src=172.16.1.4,dst=192.168.1.2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
])
AT_CHECK([ovs-appctl dpctl/flush-conntrack])
@@ -1370,9 +1370,9 @@ done
dnl Each server should have at least one connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fd03::1) | grep -v fe80 | \
sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
-tcp,orig=(src=fd01::2,dst=fd03::1,sport=,dport=),reply=(src=fd02::2,dst=fd01::2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=fd01::2,dst=fd03::1,sport=,dport=),reply=(src=fd02::3,dst=fd01::2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=fd01::2,dst=fd03::1,sport=,dport=),reply=(src=fd02::4,dst=fd01::2,sport=,dport=),zone=,protoinfo=(state=)
+tcp,orig=(src=fd01::2,dst=fd03::1,sport=,dport=),reply=(src=fd02::2,dst=fd01::2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=fd01::2,dst=fd03::1,sport=,dport=),reply=(src=fd02::3,dst=fd01::2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=fd01::2,dst=fd03::1,sport=,dport=),reply=(src=fd02::4,dst=fd01::2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
])
dnl Should work with the virtual IP fd03::3 address through NAT
@@ -1384,9 +1384,9 @@ done
dnl Each server should have at least one connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fd03::3) | grep -v fe80 | \
sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
-tcp,orig=(src=fd01::2,dst=fd03::3,sport=,dport=),reply=(src=fd02::2,dst=fd01::2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=fd01::2,dst=fd03::3,sport=,dport=),reply=(src=fd02::3,dst=fd01::2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=fd01::2,dst=fd03::3,sport=,dport=),reply=(src=fd02::4,dst=fd01::2,sport=,dport=),zone=,protoinfo=(state=)
+tcp,orig=(src=fd01::2,dst=fd03::3,sport=,dport=),reply=(src=fd02::2,dst=fd01::2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=fd01::2,dst=fd03::3,sport=,dport=),reply=(src=fd02::3,dst=fd01::2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
+tcp,orig=(src=fd01::2,dst=fd03::3,sport=,dport=),reply=(src=fd02::4,dst=fd01::2,sport=,dport=),zone=,labels=0x2,protoinfo=(state=)
])
dnl Test load-balancing that includes L4 ports in NAT.
@@ -1398,9 +1398,9 @@ done
dnl Each server should have at least one connection.
AT_CHECK([ovs-appctl dpctl/dump-conntrack | FORMAT_CT(fd03::2) | grep -v fe80 | \
sed -e 's/zone=[[0-9]]*/zone=/'], [0], [dnl
-tcp,orig=(src=fd01::2,dst=fd03::2,sport=,dport=),reply=(src=fd02::2,dst=fd01::2,sport=,dport=),zone=,protoinfo=(state=)
-tcp,orig=(src=fd01::2,dst=fd03::2,sport=,dport=),reply=(src=fd02::3,dst=fd01::2,sport=,dport=),zone=,protoinfo=(state=