From patchwork Wed Aug 31 13:06:35 2022
X-Patchwork-Submitter: Vladislav Odintsov
X-Patchwork-Id: 1672321
From: Vladislav Odintsov
To: dev@openvswitch.org
Cc: Vladislav Odintsov
Date: Wed, 31 Aug 2022 16:06:35 +0300
Message-Id: <20220831130635.146270-1-odivlad@gmail.com>
Subject: [ovs-dev] [PATCH ovn] northd: don't add drop lflow if LB VIP matches LRP IP

If it is needed to create Load Balancer within LR with VIP, which matches any of LR's LRP IP, there is no need to create SNAT entry. Now such traffic destined to LRP IP is not dropped. With this patch a drop lflow with match=(ipX.dst == {IP}) is not added to lr_in_ip_input stage if LRP IP matches associated with this LR LB VIP. Tests are added as well.

Signed-off-by: Vladislav Odintsov
--- NEWS | 3 ++ northd/northd.c | 10 ++++-- tests/ovn-northd.at | 86 +++++++++++++++++++++++++++++++++++++++++++++ 3 files changed, 96 insertions(+), 3 deletions(-) diff --git a/NEWS b/NEWS index 0f12b6abf..98dc17dd3 100644 --- a/NEWS +++ b/NEWS @@ -18,6 +18,9 @@ Post v22.06.0 - Added MAC binding aging mechanism, that is disabled by default. It can be enabled per logical router with option "mac_binding_age_threshold". + - If it is needed to create Load Balancer within LR with VIP, which matches + any of LR's LRP IP, there is no need to create SNAT entry. Now such + traffic destined to LRP IP is not dropped. OVN v22.06.0 - 03 Jun 2022 -------------------------- diff --git a/northd/northd.c b/northd/northd.c index 7e2681865..338091728 100644 --- a/northd/northd.c +++ b/northd/northd.c 
@@ -10664,7 +10664,9 @@ build_lrouter_drop_own_dest(struct ovn_port *op, enum ovn_stage stage, const char *ip = op->lrp_networks.ipv4_addrs[i].addr_s; bool router_ip_in_snat_ips = !!shash_find(&op->od->snat_ips, ip); - bool drop_router_ip = (drop_snat_ip == router_ip_in_snat_ips); + bool router_ip_in_lb_ips = !!sset_find(&op->od->lb_ips_v4, ip); + bool drop_router_ip = (drop_snat_ip == (router_ip_in_snat_ips || + router_ip_in_lb_ips)); if (drop_router_ip) { ds_put_format(&match_ips, "%s, ", ip); @@ -10690,7 +10692,9 @@ build_lrouter_drop_own_dest(struct ovn_port *op, enum ovn_stage stage, const char *ip = op->lrp_networks.ipv6_addrs[i].addr_s; bool router_ip_in_snat_ips = !!shash_find(&op->od->snat_ips, ip); - bool drop_router_ip = (drop_snat_ip == router_ip_in_snat_ips); + bool router_ip_in_lb_ips = !!sset_find(&op->od->lb_ips_v6, ip); + bool drop_router_ip = (drop_snat_ip == (router_ip_in_snat_ips || + router_ip_in_lb_ips)); if (drop_router_ip) { ds_put_format(&match_ips, "%s, ", ip); @@ -12865,7 +12869,7 @@ build_lrouter_ipv4_ip_input(struct ovn_port *op, * also a SNAT IP. Those are dropped later, in stage * "lr_in_arp_resolve", if unSNAT was unsuccessful. * - * If op->pd->lb_force_snat_router_ip is true, it means the IP of the + * If op->od->lb_force_snat_router_ip is true, it means the IP of the * router port is also SNAT IP. * * Priority 60. diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at index 157f9f60c..a60b3b0a9 100644 --- a/tests/ovn-northd.at +++ b/tests/ovn-northd.at 
@@ -1499,6 +1499,92 @@ AT_CHECK([grep "lr_in_unsnat" sbflows | sort], [0], [dnl AT_CLEANUP ]) +OVN_FOR_EACH_NORTHD([ +AT_SETUP([LRP same IP as VIP or SNAT]) +ovn_start + +check ovn-nbctl lr-add lr0 +check ovn-nbctl lrp-add lr0 lr0-public 00:00:00:00:00:10 192.168.0.1/24 2000::1/64 +check ovn-nbctl --wait=sb lrp-add lr0 lr0-join 00:00:00:00:00:20 10.10.0.1/24 192.168.1.1/24 + +ovn-sbctl dump-flows lr0 > sbflows +AT_CAPTURE_FILE([sbflows]) + +# There should be drop lflows for all IPs of both LRPs +AT_CHECK([grep "lr_in_ip_input" sbflows | grep 'ip.\.dst == {' | grep drop | sed 's/table=../table=??/g' | sort], [0], [dnl + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {10.10.0.1, 192.168.1.1}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {192.168.0.1}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {2000::1, fe80::200:ff:fe00:10}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {fe80::200:ff:fe00:20}), action=(drop;) +]) + +# create SNAT with external IP equal to LRP's IP +check ovn-nbctl --wait=sb lr-nat-add lr0 snat 192.168.0.1 10.10.0.0/24 + +ovn-sbctl dump-flows lr0 > sbflows +AT_CAPTURE_FILE([sbflows]) + +# There should be no drop lflow for 192.168.0.1 +AT_CHECK([grep "lr_in_ip_input" sbflows | grep 'ip.\.dst == {' | grep drop | sed 's/table=../table=??/g' | sort], [0], [dnl + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {10.10.0.1, 192.168.1.1}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {2000::1, fe80::200:ff:fe00:10}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {fe80::200:ff:fe00:20}), action=(drop;) +]) + +check ovn-nbctl lr-nat-del lr0 + +# create SNAT with external IPv6 equal to LRP's IPv6 +check ovn-nbctl --wait=sb lr-nat-add lr0 snat 2000::1 2aaa::/64 +ovn-nbctl show lr0 + +ovn-sbctl dump-flows lr0 > sbflows +AT_CAPTURE_FILE([sbflows]) + +# There should be no drop lflow for 
2000::1 +AT_CHECK([grep "lr_in_ip_input" sbflows | grep 'ip.\.dst == {' | grep drop | sed 's/table=../table=??/g' | sort], [0], [dnl + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {10.10.0.1, 192.168.1.1}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {192.168.0.1}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {fe80::200:ff:fe00:10}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {fe80::200:ff:fe00:20}), action=(drop;) +]) + +check ovn-nbctl lr-nat-del lr0 + +# create LB with VIP equal to LRP's IP and assign it to LR +check ovn-nbctl lb-add lb1 "192.168.1.1:8080" "10.0.0.4:8080" +check ovn-nbctl --wait=sb lr-lb-add lr0 lb1 + +ovn-sbctl dump-flows lr0 > sbflows +AT_CAPTURE_FILE([sbflows]) + +# There should be no drop lflow for 192.168.1.1 +AT_CHECK([grep "lr_in_ip_input" sbflows | grep 'ip.\.dst == {' | grep drop | sed 's/table=../table=??/g' | sort], [0], [dnl + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {10.10.0.1}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {192.168.0.1}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {2000::1, fe80::200:ff:fe00:10}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {fe80::200:ff:fe00:20}), action=(drop;) +]) + +check ovn-nbctl lb-del lb1 + +# create LB with VIP equal to LRP's IPv6 and assign it to LR +check ovn-nbctl lb-add lb1 [[2000::1]]:8080 [[2aaa::10]]:8080 +check ovn-nbctl --wait=sb lr-lb-add lr0 lb1 + +ovn-sbctl dump-flows lr0 > sbflows +AT_CAPTURE_FILE([sbflows]) + +# There should be no drop lflow for 2000::1 +AT_CHECK([grep "lr_in_ip_input" sbflows | grep 'ip.\.dst == {' | grep drop | sed 's/table=../table=??/g' | sort], [0], [dnl + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {10.10.0.1, 192.168.1.1}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip4.dst == {192.168.0.1}), 
action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {fe80::200:ff:fe00:10}), action=(drop;) + table=??(lr_in_ip_input ), priority=60 , match=(ip6.dst == {fe80::200:ff:fe00:20}), action=(drop;) +]) + +AT_CLEANUP +]) + OVN_FOR_EACH_NORTHD([ AT_SETUP([DNAT force snat IP]) ovn_start
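Review bot: The NEWS entry (hunk at NEWS -18,6 +18,9) repeats the commit message and reads as a how-to rather than a statement of what changed. Say directly that northd no longer adds the lr_in_ip_input drop flow for a router port IP that is also the VIP of a load balancer attached to that router, and that this applies to all traffic to that IP at that stage, since operators who relied on the drop need to know.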
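Review bot: In both loops of build_lrouter_drop_own_dest() (hunks at northd.c 10664 and 10690) the new lookup is by address only, sset_find() on lb_ips_v4 / lb_ips_v6, while the load balancer in the added test listens on a single port (192.168.1.1:8080), so the lr_in_ip_input drop is removed for every port and protocol on that router IP, not only for the VIP's port. Because the expression is now "drop_snat_ip == (router_ip_in_snat_ips || router_ip_in_lb_ips)", callers that pass drop_snat_ip=true also start putting LB VIPs into their drop set; please confirm that this is intended and that it catches traffic to the router IP that no load balancer rule matched. The parameter name drop_snat_ip no longer describes what it selects, so rename it or document the LB case at the function.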
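Review bot: The comment touched in build_lrouter_ipv4_ip_input() (hunk at northd.c 12865) still describes only the SNAT case ("also a SNAT IP") after the op->pd to op->od fix, while this patch makes build_lrouter_drop_own_dest() treat a router port IP that is an LB VIP the same way; extend the comment to mention load balancer VIPs. The typo fix itself is unrelated to the functional change, so mention it in the commit message or send it separately.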
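Review bot: The new test "LRP same IP as VIP or SNAT" (hunk at tests/ovn-northd.at 1499) only greps lr_in_ip_input, so it shows that the drop flow disappears but not that traffic to the router IP which misses the load balancer is still dropped later. Add an AT_CHECK on the stage that calls build_lrouter_drop_own_dest() with drop_snat_ip=true (the northd.c comment names "lr_in_arp_resolve") for the SNAT and LB cases. A load balancer whose VIP has no port would also be worth a case, since the lookup is by address, and the bare "ovn-nbctl show lr0" after the IPv6 lr-nat-add looks like leftover debugging that should be removed or wrapped in check.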