From patchwork Mon Aug 15 14:18:51 2022
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1666467
From: Vladislav Odintsov
To: dev@openvswitch.org
Cc: Vladislav Odintsov
Date: Mon, 15 Aug 2022 17:18:51 +0300
Message-Id: <20220815141851.78904-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn] northd: support vtep LSP-attached LS to use L3 services

If LRP's logical switch has attached LSP of vtep type, the
is_chassis_resident() part is not added to lflow to allow traffic
originated from logical switch to reach LR services (LBs, NAT).

Signed-off-by: Vladislav Odintsov
---
This is a continuation from [1] as a v2 edition after Numan's review.
 - reworked to use od->has_vtep_lports and removed lrp's confusing option
   'is_distributed'
 - added related tests
 - updated ovn-northd flows docs

1: https://mail.openvswitch.org/pipermail/ovs-dev/2022-August/396796.html
---
 northd/northd.c         | 33 +++++++++++++++++---
 northd/ovn-northd.8.xml |  4 +++
 tests/ovn-northd.at     | 69 +++++++++++++++++++++++++++++++++++++++++
 3 files changed, 102 insertions(+), 4 deletions(-)

diff --git a/northd/northd.c b/northd/northd.c index facd41a59..b1e9ffc87 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -637,6 +637,7 @@ struct ovn_datapath { bool has_lb_vip; bool has_unknown; bool has_acls; + bool has_vtep_lports; /* IPAM data. */ struct ipam_info ipam_info; 
@@ -1847,6 +1848,12 @@ lsp_is_localnet(const struct nbrec_logical_switch_port *nbsp) return !strcmp(nbsp->type, "localnet"); } +static bool +lsp_is_vtep(const struct nbrec_logical_switch_port *nbsp) +{ + return !strcmp(nbsp->type, "vtep"); +} + static bool localnet_can_learn_mac(const struct nbrec_logical_switch_port *nbsp) { @@ -2655,6 +2662,10 @@ join_logical_ports(struct northd_input *input_data, od->localnet_ports[od->n_localnet_ports++] = op; } + if (lsp_is_vtep(nbsp)) { + od->has_vtep_lports = true; + } + op->lsp_addrs = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses); for (size_t j = 0; j < nbsp->n_addresses; j++) { @@ -5518,7 +5529,7 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct hmap *lflows, ds_put_format(actions, "set_queue(%s); ", queue_id); } - if (!strcmp(op->nbsp->type, "vtep")) { + if (lsp_is_vtep(op->nbsp)) { ds_put_format(actions, REGBIT_FROM_RAMP" = 1; "); ds_put_format(actions, "next(pipeline=ingress, table=%d);", ovn_stage_get_table(S_SWITCH_IN_HAIRPIN)); @@ -10894,6 +10905,22 @@ build_gateway_mtu_flow(struct hmap *lflows, struct ovn_port *op, va_end(extra_actions_args); } +static bool +consider_l3dwg_port_is_centralized(struct ovn_port *op) +{ + if (op->peer && op->peer->od->has_vtep_lports) { + return false; + } + + if (is_l3dgw_port(op)) { + /* Traffic with eth.dst = l3dgw_port->lrp_networks.ea_s + * should only be received on the gateway chassis. */ + return true; + } + + return false; +} + /* Logical router ingress Table 0: L2 Admission Control * This table drops packets that the router shouldn’t see at all based * on their Ethernet headers. 
@@ -10930,9 +10957,7 @@ build_adm_ctrl_flows_for_lrouter_port( ds_clear(match); ds_put_format(match, "eth.dst == %s && inport == %s", op->lrp_networks.ea_s, op->json_key); - if (is_l3dgw_port(op)) { - /* Traffic with eth.dst = l3dgw_port->lrp_networks.ea_s - * should only be received on the gateway chassis. */ + if (consider_l3dwg_port_is_centralized(op)) { ds_put_format(match, " && is_chassis_resident(%s)", op->cr_port->json_key); } diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index ff21c0737..9b6459d9e 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml @@ -2114,6 +2114,10 @@ output; gateway chassis), the above flow matching eth.dst == E is only programmed on the gateway port instance on the gateway chassis. + If LRP's logical switch has attached LSP of vtep type, + the is_chassis_resident() part is not added to lflow to + allow traffic originated from logical switch to reach LR services + (LBs, NAT).

diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 5b5eeb0ee..3ffa39419 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -5747,6 +5747,75 @@ AT_CHECK([grep lr_in_gw_redirect lrflows | grep cr-DR | sed 's/table=../table=?? AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn-northd -- lr admission with vtep lports]) +AT_KEYWORDS([multiple-l3dgw-ports]) +ovn_start NORTHD_TYPE +check ovn-sbctl chassis-add ch1 geneve 127.0.0.2 + +check ovn-nbctl lr-add lr1 +check ovn-nbctl lrp-add lr1 lrp1 00:00:00:00:00:01 10.0.0.1/24 +check ovn-nbctl ls-add ls1 +check ovn-nbctl lsp-add ls1 lsp1 -- \ + lsp-set-addresses lsp1 router -- \ + lsp-set-type lsp1 router -- \ + lsp-set-options lsp1 router-port=lrp1 + +# ensure initial flows are installed without is_chassis_resident match part +ovn-nbctl --wait=sb sync +ovn-sbctl dump-flows lr1 > lrflows +AT_CAPTURE_FILE([lrflows]) + +# Check the flows in lr_in_admission stage +AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_admission ), priority=50 , match=(eth.dst == 00:00:00:00:00:01 && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) + table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) +]) + +# make lrp a cr-port and check its flows +check ovn-nbctl lrp-set-gateway-chassis lrp1 ch1 + +ovn-nbctl --wait=sb sync +ovn-sbctl dump-flows lr1 > lrflows +AT_CAPTURE_FILE([lrflows]) + +# Check the flows in lr_in_admission stage +AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_admission ), priority=50 , match=(eth.dst == 00:00:00:00:00:01 && inport == "lrp1" && is_chassis_resident("cr-lrp1")), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) + table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) +]) + +# attach vtep logical port to logical switch and check flows. +# there should not be is_chassis_resident part. 
+check ovn-nbctl lsp-add ls1 lsp-vtep -- lsp-set-type lsp-vtep vtep + +ovn-nbctl --wait=sb sync +ovn-sbctl dump-flows lr1 > lrflows +AT_CAPTURE_FILE([lrflows]) + +# Check the flows in lr_in_admission stage +AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_admission ), priority=50 , match=(eth.dst == 00:00:00:00:00:01 && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) + table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) +]) + +# delete vtep lport and check lrp has is_chassis_resident match part again. +check ovn-nbctl lsp-del lsp-vtep + +ovn-nbctl --wait=sb sync +ovn-sbctl dump-flows lr1 > lrflows +AT_CAPTURE_FILE([lrflows]) + +# Check the flows in lr_in_admission stage +AT_CHECK([grep lr_in_admission lrflows | grep lrp1 | sed 's/table=../table=??/' | sort], [0], [dnl + table=??(lr_in_admission ), priority=50 , match=(eth.dst == 00:00:00:00:00:01 && inport == "lrp1" && is_chassis_resident("cr-lrp1")), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) + table=??(lr_in_admission ), priority=50 , match=(eth.mcast && inport == "lrp1"), action=(xreg0[[0..47]] = 00:00:00:00:00:01; next;) +]) + +AT_CLEANUP +]) + + OVN_FOR_EACH_NORTHD([ AT_SETUP([check options:requested-chassis fills requested_chassis col]) ovn_start NORTHD_TYPE
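
Review bot: In the helper added to northd/northd.c just above the "Logical router ingress Table 0" comment, the name consider_l3dwg_port_is_centralized transposes "l3dgw" (compare is_l3dgw_port() a few lines below it), and the early "return false" for op->peer->od->has_vtep_lports carries no comment while the gateway branch keeps its own. Please rename it (for example l3dgw_port_is_centralized), take a const struct ovn_port *, and add a comment on the vtep branch saying that the eth.dst admission flow in build_adm_ctrl_flows_for_lrouter_port() is then emitted without is_chassis_resident(), so it is no longer restricted to the gateway chassis. That is a widening of L2 admission for the router MAC and the reason for it should be readable at the point where it happens.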
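
Review bot: The paragraph added to northd/ovn-northd.8.xml after "on the gateway chassis." says the is_chassis_resident() part is omitted but not what that changes for the flow described in the sentence right before it. Please state the consequence explicitly, i.e. that for such a port the eth.dst == E flow is programmed without the gateway-chassis restriction, and consider rewording the condition as "If the logical switch connected to the LRP has a port of type vtep attached" so it reads unambiguously.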
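
Review bot: In the new test in tests/ovn-northd.at, AT_KEYWORDS([multiple-l3dgw-ports]) does not describe a test that creates a single router port (lrp1) with one gateway chassis; a keyword naming vtep would make the test selectable by what it covers. The four "ovn-nbctl --wait=sb sync" calls are also not wrapped in check, unlike every other ovn-nbctl command in the test, so a failed sync would only surface later as a flow mismatch. The test asserts on lr_in_admission only; if other router stages are expected to keep their is_chassis_resident() match for this port, one assertion on such a stage after lsp-vtep is added would pin down that the relaxation is limited to admission.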