From patchwork Wed Sep 23 18:00:12 2020
X-Patchwork-Submitter: Anton Ivanov
X-Patchwork-Id: 1370010
From: anton.ivanov@cambridgegreys.com
To: dev@openvswitch.org
Date: Wed, 23 Sep 2020 19:00:12 +0100
Message-Id: <20200923180017.22380-2-anton.ivanov@cambridgegreys.com>
In-Reply-To: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
References: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
Cc: i.maximets@ovn.org, Anton Ivanov
Subject: [ovs-dev] [PATCH ovn v3 1/6] ovn-northd: reorganize processing of lflows

From: Anton Ivanov

1. Merge lrouter and lswitch processing.
2. Move lrouter and lswitch lflow generation which uses the same iterator variables into common helpers
3. Set up structures to be used in parallel and sequential mode

Signed-off-by: Anton Ivanov
---
northd/ovn-northd.c | 199 +++++++++++++++++++++++++++----------------- 1 file changed, 123 insertions(+), 76 deletions(-)
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 3324c9e81..5faa6cee6 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -8874,24 +8874,7 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, struct ds actions = DS_EMPTY_INITIALIZER; struct ovn_datapath *od; - HMAP_FOR_EACH (od, key_node, datapaths) { - build_adm_ctrl_flows_for_lrouter(od, lflows); - } - struct ovn_port *op; - HMAP_FOR_EACH (op, key_node, ports) { - build_adm_ctrl_flows_for_lrouter_port(op, lflows, &match, &actions); - } - - HMAP_FOR_EACH (od, key_node, datapaths) { - build_neigh_learning_flows_for_lrouter( - od, lflows, &match, &actions); - } - - HMAP_FOR_EACH (op, key_node, ports) { - build_neigh_learning_flows_for_lrouter_port( - op, lflows, &match, &actions); - } /* Drop IP traffic destined to router owned IPs. Part of it is dropped * in stage "lr_in_ip_input" but traffic that could have been unSNATed 
@@ -9935,63 +9918,6 @@ build_lrouter_flows(struct hmap *datapaths, struct hmap *ports, sset_destroy(&nat_entries); } - HMAP_FOR_EACH (op, key_node, ports) { - build_ND_RA_flows_for_lrouter_port(op, lflows, &match, &actions); - } - - /* Logical router ingress table ND_RA_OPTIONS & ND_RA_RESPONSE: RS - * responder, by default goto next. (priority 0). */ - HMAP_FOR_EACH (od, key_node, datapaths) { - build_ND_RA_flows_for_lrouter(od, lflows); - } - - HMAP_FOR_EACH (op, key_node, ports) { - build_ip_routing_flows_for_lrouter_port(op, lflows); - } - - /* Convert the static routes to flows. */ - HMAP_FOR_EACH (od, key_node, datapaths) { - build_static_route_flows_for_lrouter(od, lflows, ports); - } - - HMAP_FOR_EACH (od, key_node, datapaths) { - build_mcast_lookup_flows_for_lrouter(od, lflows, &match, &actions); - } - - HMAP_FOR_EACH (od, key_node, datapaths) { - build_ingress_policy_flows_for_lrouter(od, lflows, ports); - } - - /* XXX destination unreachable */ - - HMAP_FOR_EACH (od, key_node, datapaths) { - build_arp_resolve_flows_for_lrouter(od, lflows); - } - - HMAP_FOR_EACH (op, key_node, ports) { - build_arp_resolve_flows_for_lrouter_port( - op, lflows, ports, &match, &actions); - } - - HMAP_FOR_EACH (od, key_node, datapaths) { - build_check_pkt_len_flows_for_lrouter( - od, lflows, ports, &match, &actions); - } - - HMAP_FOR_EACH (od, key_node, datapaths) { - build_gateway_redirect_flows_for_lrouter( - od, lflows, &match, &actions); - } - - HMAP_FOR_EACH (od, key_node, datapaths) { - build_arp_request_flows_for_lrouter(od, lflows, &match, &actions); - } - - HMAP_FOR_EACH (op, key_node, ports) { - build_egress_delivery_flows_for_lrouter_port( - op, lflows, &match, &actions); - } - ds_destroy(&match); ds_destroy(&actions); } 
@@ -11389,6 +11315,128 @@ build_ipv6_input_flows_for_lrouter_port( } +struct lswitch_flow_build_info { + struct hmap *datapaths; + struct hmap *ports; + struct hmap *port_groups; + struct hmap *lflows; + struct hmap *mcgroups; + struct hmap *igmp_groups; + struct shash *meter_groups; + struct hmap *lbs; + char *svc_check_match; + struct ds match; + struct ds actions; +}; + +/* Helper function to combine all lflow generation which is iterated by + * datapath. It can be invoked with a lsi argument containing "all work" + * in single threaded mode or an lsi argument containing a "chunk of work" + * in parallel. + */ + +static void + build_converged_iterate_by_od( + struct ovn_datapath *od, struct lswitch_flow_build_info *lsi) +{ + + /* Build Logical Router Flows */ + build_adm_ctrl_flows_for_lrouter(od, lsi->lflows); + build_neigh_learning_flows_for_lrouter( + od, lsi->lflows, &lsi->match, &lsi->actions); + build_ND_RA_flows_for_lrouter(od, lsi->lflows); + build_static_route_flows_for_lrouter(od, lsi->lflows, lsi->ports); + build_mcast_lookup_flows_for_lrouter( + od, lsi->lflows, &lsi->match, &lsi->actions); + build_ingress_policy_flows_for_lrouter(od, lsi->lflows, lsi->ports); + build_arp_resolve_flows_for_lrouter(od, lsi->lflows); + build_check_pkt_len_flows_for_lrouter( + od, lsi->lflows, lsi->ports, &lsi->match, &lsi->actions); + build_gateway_redirect_flows_for_lrouter( + od, lsi->lflows, &lsi->match, &lsi->actions); + build_arp_request_flows_for_lrouter( + od, lsi->lflows, &lsi->match, &lsi->actions); +} + +/* Helper function to combine all lflow generation which is iterated by port. + * It can be invoked with a lsi argument containing "all work" in single + * threaded mode or an lsi argument containing a "chunk of work" in parallel. 
+ */ + +static void + build_converged_iterate_by_op( + struct ovn_port *op, + struct lswitch_flow_build_info *lsi) +{ + /* Build Logical Router Flows */ + + build_adm_ctrl_flows_for_lrouter_port( + op, lsi->lflows, &lsi->match, &lsi->actions); + build_neigh_learning_flows_for_lrouter_port( + op, lsi->lflows, &lsi->match, &lsi->actions); + build_ip_routing_flows_for_lrouter_port(op, lsi->lflows); + build_ND_RA_flows_for_lrouter_port( + op, lsi->lflows, &lsi->match, &lsi->actions); + build_arp_resolve_flows_for_lrouter_port( + op, lsi->lflows, lsi->ports, &lsi->match, &lsi->actions); + build_egress_delivery_flows_for_lrouter_port( + op, lsi->lflows, &lsi->match, &lsi->actions); +} + +/* + * Combined LFLOW processing function. Intended to iterate over + * datapaths, ports, lbs and igmp_groups in single threaded mode + * or prepare and invoke a thread pool in multi-threaded mode. + * Must not contain any direct flow ops - all actual flow ops + * should be invoked out the per-iterable helper functions. + */ + +static void +build_converged_flows(struct hmap *datapaths, struct hmap *ports, + struct hmap *port_groups, struct hmap *lflows, + struct hmap *mcgroups, struct hmap *igmp_groups, + struct shash *meter_groups, + struct hmap *lbs) +{ + struct lswitch_flow_build_info lsi; + + struct ovn_datapath *od; + struct ovn_port *op; + + char *svc_check_match = xasprintf("eth.dst == %s", svc_monitor_mac); + + lsi.datapaths = datapaths; + lsi.ports = ports; + lsi.port_groups = port_groups; + lsi.lflows = lflows; + lsi.mcgroups = mcgroups; + lsi.igmp_groups = igmp_groups; + lsi.meter_groups = meter_groups; + lsi.lbs = lbs; + lsi.svc_check_match = svc_check_match; + lsi.match = (struct ds) DS_EMPTY_INITIALIZER; + lsi.actions = (struct ds) DS_EMPTY_INITIALIZER; + + /* Converged build - all lflow generation from lswitch and lrouter + * will move here and will be reogranized by iterator type. 
+ * This allows it to be run (optionally) in parallel */ + HMAP_FOR_EACH (od, key_node, datapaths) { + build_converged_iterate_by_od(od, &lsi); + } + HMAP_FOR_EACH (op, key_node, ports) { + build_converged_iterate_by_op(op, &lsi); + } + free(svc_check_match); + + /* Legacy lswitch build */ + build_lswitch_flows(datapaths, ports, port_groups, lflows, mcgroups, + igmp_groups, meter_groups, lbs); + + /* Legacy lrouter build */ + build_lrouter_flows(datapaths, ports, lflows, meter_groups, lbs); +} + + /* Updates the Logical_Flow and Multicast_Group tables in the OVN_SB database, * constructing their contents based on the OVN_NB database. */ static void 
@@ -11400,9 +11448,8 @@ build_lflows(struct northd_context *ctx, struct hmap *datapaths, { struct hmap lflows = HMAP_INITIALIZER(&lflows); - build_lswitch_flows(datapaths, ports, port_groups, &lflows, mcgroups, + build_converged_flows(datapaths, ports, port_groups, &lflows, mcgroups, igmp_groups, meter_groups, lbs); - build_lrouter_flows(datapaths, ports, &lflows, meter_groups, lbs); /* Push changes to the Logical_Flow table to database. */ const struct sbrec_logical_flow *sbflow, *next_sbflow;
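Review bot: In patch 1/6, build_converged_flows() (hunk at -11389) initialises lsi.match and lsi.actions with DS_EMPTY_INITIALIZER and hands them to every per-od and per-op helper, but after the two HMAP_FOR_EACH loops only svc_check_match is freed; there is no ds_destroy(&lsi.match) or ds_destroy(&lsi.actions), while build_lrouter_flows() still ends with ds_destroy(&match); ds_destroy(&actions);. Add both calls next to free(svc_check_match). The comment on struct lswitch_flow_build_info should also say that match and actions are scratch buffers owned by one lsi, since the helpers are meant to run on a "chunk of work" in parallel. Smaller points in the same hunk: build_converged_iterate_by_od and build_converged_iterate_by_op are indented under "static void" where build_converged_flows starts at column 0, and "reogranized" in the comment should read "reorganized".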
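Review bot: In patch 1/6, the build_lflows() hunk (at -11400) leaves the continuation line "igmp_groups, meter_groups, lbs);" as unchanged context, but the call it belongs to is now build_converged_flows(, two characters longer than build_lswitch_flows(, so the arguments no longer line up with the opening parenthesis. Re-indent that line in this patch.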
From: anton.ivanov@cambridgegreys.com
To: dev@openvswitch.org
Date: Wed, 23 Sep 2020 19:00:13 +0100
Message-Id: <20200923180017.22380-3-anton.ivanov@cambridgegreys.com>
In-Reply-To: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
References: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
Cc: i.maximets@ovn.org, Anton Ivanov
Subject: [ovs-dev] [PATCH ovn v3 2/6] ovn-northd: move pre-acl and acl lswitch processing to a function

From: Anton Ivanov

Move pre-acl and acl lswitch processing to a function

Invoke the pre-acl and acl lswitch processing out of the converged processing od loop.

Signed-off-by: Anton Ivanov
---
northd/ovn-northd.c | 54 ++++++++++++++++++++++++++------------------- 1 file changed, 31 insertions(+), 23 deletions(-)
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 5faa6cee6..615ee16d4 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c
@@ -6781,34 +6781,15 @@ build_drop_arp_nd_flows_for_unbound_router_ports(struct ovn_port *op, static void build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, - struct hmap *port_groups, struct hmap *lflows, - struct hmap *mcgroups, struct hmap *igmp_groups, - struct shash *meter_groups, - struct hmap *lbs) + struct hmap *lflows, struct hmap *mcgroups, + struct hmap *igmp_groups, struct hmap *lbs) { /* This flow table structure is documented in ovn-northd(8), so please * update ovn-northd.8.xml if you change anything. */ struct ds match = DS_EMPTY_INITIALIZER; struct ds actions = DS_EMPTY_INITIALIZER; - - /* Build pre-ACL and ACL tables for both ingress and egress. - * Ingress tables 3 through 10. Egress tables 0 through 7. */ struct ovn_datapath *od; - HMAP_FOR_EACH (od, key_node, datapaths) { - if (!od->nbs) { - continue; - } - - build_pre_acls(od, lflows); - build_pre_lb(od, lflows, meter_groups, lbs); - build_pre_stateful(od, lflows); - build_acl_hints(od, lflows); - build_acls(od, lflows, port_groups); - build_qos(od, lflows); - build_lb(od, lflows); - build_stateful(od, lflows, lbs); - } /* Build logical flows for the forwarding groups */ HMAP_FOR_EACH (od, key_node, datapaths) { 
@@ -7485,6 +7466,28 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, ds_destroy(&actions); } +/* Build pre-ACL and ACL tables for both ingress and egress. + * Ingress tables 3 through 10. Egress tables 0 through 7. */ + +static void + build_lswitch_lflows_pre_acl_and_acl( + struct ovn_datapath *od, struct hmap *port_groups, + struct hmap *lflows, struct shash *meter_groups, + struct hmap *lbs) +{ + if (od->nbs) { + build_pre_acls(od, lflows); + build_pre_lb(od, lflows, meter_groups, lbs); + build_pre_stateful(od, lflows); + build_acl_hints(od, lflows); + build_acls(od, lflows, port_groups); + build_qos(od, lflows); + build_lb(od, lflows); + build_stateful(od, lflows, lbs); + } +} + + /* Returns a string of the IP address of the router port 'op' that * overlaps with 'ip_s". If one is not found, returns NULL. * @@ -11339,6 +11342,11 @@ static void build_converged_iterate_by_od( struct ovn_datapath *od, struct lswitch_flow_build_info *lsi) { + /* Build Logical Switch Flows */ + + build_lswitch_lflows_pre_acl_and_acl( + od, lsi->port_groups, lsi->lflows, + lsi->meter_groups, lsi->lbs); /* Build Logical Router Flows */ build_adm_ctrl_flows_for_lrouter(od, lsi->lflows); 
@@ -11429,8 +11437,8 @@ build_converged_flows(struct hmap *datapaths, struct hmap *ports, free(svc_check_match); /* Legacy lswitch build */ - build_lswitch_flows(datapaths, ports, port_groups, lflows, mcgroups, - igmp_groups, meter_groups, lbs); + build_lswitch_flows(datapaths, ports, lflows, mcgroups, + igmp_groups, lbs); /* Legacy lrouter build */ build_lrouter_flows(datapaths, ports, lflows, meter_groups, lbs);
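Review bot: In patch 2/6, the new build_lswitch_lflows_pre_acl_and_acl() (hunk at -7485) takes (od, port_groups, lflows, meter_groups, lbs), whereas every other helper called from build_converged_iterate_by_od() takes od followed by lflows; put lflows second so the call sites read uniformly. An early return on "!od->nbs" would mirror the "continue" it replaces and keep the eight build_* calls at one indent level instead of nesting them under "if (od->nbs)". The function name is also indented under "static void", unlike build_lswitch_flows() in the first hunk.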
From: anton.ivanov@cambridgegreys.com
To: dev@openvswitch.org
Date: Wed, 23 Sep 2020 19:00:14 +0100
Message-Id: <20200923180017.22380-4-anton.ivanov@cambridgegreys.com>
In-Reply-To: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
References: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
Cc: i.maximets@ovn.org, Anton Ivanov
Subject: [ovs-dev] [PATCH ovn v3 3/6] ovn-northd: migrate build_fwd_group_lflows to build_converged

From: Anton Ivanov

1. Move the condition from the old HMAP_FOR_EACH loop into the build_fwd_group_lflows() function.
2. Move build_fwd_group_lflows() into the converged build helper function

Signed-off-by: Anton Ivanov
---
northd/ovn-northd.c | 111 +++++++++++++++++++++----------------------- 1 file changed, 54 insertions(+), 57 deletions(-)
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 615ee16d4..3e1cd411a 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c
@@ -6141,61 +6141,65 @@ build_stateful(struct ovn_datapath *od, struct hmap *lflows, struct hmap *lbs) static void build_fwd_group_lflows(struct ovn_datapath *od, struct hmap *lflows) { - struct ds match = DS_EMPTY_INITIALIZER; - struct ds actions = DS_EMPTY_INITIALIZER; - for (int i = 0; i < od->nbs->n_forwarding_groups; ++i) { - const struct nbrec_forwarding_group *fwd_group = NULL; - fwd_group = od->nbs->forwarding_groups[i]; - if (!fwd_group->n_child_port) { - continue; - } + if (!(!od->nbs || !od->nbs->n_forwarding_groups)) { + struct ds match = DS_EMPTY_INITIALIZER; + struct ds actions = DS_EMPTY_INITIALIZER; - /* ARP responder for the forwarding group's virtual IP */ - ds_put_format(&match, "arp.tpa == %s && arp.op == 1", - fwd_group->vip); - ds_put_format(&actions, - "eth.dst = eth.src; " - "eth.src = %s; " - "arp.op = 2; /* ARP reply */ " - "arp.tha = arp.sha; " - "arp.sha = %s; " - "arp.tpa = arp.spa; " - "arp.spa = %s; " - "outport = inport; " - "flags.loopback = 1; " - "output;", - fwd_group->vmac, fwd_group->vmac, fwd_group->vip); - - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_ARP_ND_RSP, 50, - ds_cstr(&match), ds_cstr(&actions), - &fwd_group->header_); + for (int i = 0; i < od->nbs->n_forwarding_groups; ++i) { + const struct nbrec_forwarding_group *fwd_group = NULL; + fwd_group = od->nbs->forwarding_groups[i]; + if (!fwd_group->n_child_port) { + continue; + } - /* L2 lookup for the forwarding group's virtual MAC */ - ds_clear(&match); - ds_put_format(&match, "eth.dst == %s", fwd_group->vmac); + /* ARP responder for the forwarding group's virtual IP */ + ds_put_format(&match, "arp.tpa == %s && arp.op == 1", + fwd_group->vip); + ds_put_format(&actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa = arp.spa; " + "arp.spa = %s; " + "outport = inport; " + "flags.loopback = 1; " + "output;", + fwd_group->vmac, fwd_group->vmac, fwd_group->vip); + + 
ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_ARP_ND_RSP, 50, + ds_cstr(&match), ds_cstr(&actions), + &fwd_group->header_); - /* Create a comma separated string of child ports */ - struct ds group_ports = DS_EMPTY_INITIALIZER; - if (fwd_group->liveness) { - ds_put_cstr(&group_ports, "liveness=\"true\","); - } - ds_put_cstr(&group_ports, "childports="); - for (i = 0; i < (fwd_group->n_child_port - 1); ++i) { - ds_put_format(&group_ports, "\"%s\",", fwd_group->child_port[i]); + /* L2 lookup for the forwarding group's virtual MAC */ + ds_clear(&match); + ds_put_format(&match, "eth.dst == %s", fwd_group->vmac); + + /* Create a comma separated string of child ports */ + struct ds group_ports = DS_EMPTY_INITIALIZER; + if (fwd_group->liveness) { + ds_put_cstr(&group_ports, "liveness=\"true\","); + } + ds_put_cstr(&group_ports, "childports="); + for (i = 0; i < (fwd_group->n_child_port - 1); ++i) { + ds_put_format( + &group_ports, "\"%s\",", fwd_group->child_port[i]); + } + ds_put_format(&group_ports, "\"%s\"", + fwd_group->child_port[fwd_group->n_child_port - 1]); + + ds_clear(&actions); + ds_put_format(&actions, "fwd_group(%s);", ds_cstr(&group_ports)); + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_L2_LKUP, 50, + ds_cstr(&match), ds_cstr(&actions), + &fwd_group->header_); } - ds_put_format(&group_ports, "\"%s\"", - fwd_group->child_port[fwd_group->n_child_port - 1]); - ds_clear(&actions); - ds_put_format(&actions, "fwd_group(%s);", ds_cstr(&group_ports)); - ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_L2_LKUP, 50, - ds_cstr(&match), ds_cstr(&actions), - &fwd_group->header_); + ds_destroy(&match); + ds_destroy(&actions); } - - ds_destroy(&match); - ds_destroy(&actions); } static void 
@@ -6791,15 +6795,6 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, struct ds actions = DS_EMPTY_INITIALIZER; struct ovn_datapath *od; - /* Build logical flows for the forwarding groups */ - HMAP_FOR_EACH (od, key_node, datapaths) { - if (!od->nbs || !od->nbs->n_forwarding_groups) { - continue; - } - - build_fwd_group_lflows(od, lflows); - } - /* Logical switch ingress table 0: Admission control framework (priority * 100). */ HMAP_FOR_EACH (od, key_node, datapaths) { 
@@ -11348,6 +11343,8 @@ static void od, lsi->port_groups, lsi->lflows, lsi->meter_groups, lsi->lbs); + build_fwd_group_lflows(od, lsi->lflows); + /* Build Logical Router Flows */ build_adm_ctrl_flows_for_lrouter(od, lsi->lflows); build_neigh_learning_flows_for_lrouter(
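Review bot: In patch 3/6, the inner child-port loop of build_fwd_group_lflows() (hunk at -6141), "for (i = 0; i < (fwd_group->n_child_port - 1); ++i)", reuses the index of the enclosing "for (int i = 0; i < od->nbs->n_forwarding_groups; ++i)" loop, so after the first forwarding group the outer loop resumes from the child-port count rather than from the next group. The patch re-indents this line unchanged; since the whole body is being touched, give the inner loop its own variable. In the same body, match and actions are appended to at the top of each iteration without a ds_clear() although they still hold the L2 lookup strings from the previous group, and group_ports is never passed to ds_destroy(). Replacing the double-negated wrapper "if (!(!od->nbs || !od->nbs->n_forwarding_groups))" with an early return on the original condition would keep the body at its old indentation and shrink this hunk to a few lines, leaving those existing problems to be fixed in a separate, reviewable change.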
From: anton.ivanov@cambridgegreys.com
To: dev@openvswitch.org
Date: Wed, 23 Sep 2020 19:00:15 +0100
Message-Id: <20200923180017.22380-5-anton.ivanov@cambridgegreys.com>
In-Reply-To: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
References: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
Cc: i.maximets@ovn.org, Anton Ivanov
Subject: [ovs-dev] [PATCH ovn v3 4/6] ovn-northd: Move lswitch admission control to a helper function

From: Anton Ivanov

1. Move the admission control lflows to a helper function
2. Add the helper function to the converged build per-od loop.

Signed-off-by: Anton Ivanov
---
northd/ovn-northd.c | 41 ++++++++++++++++++++++------------------- 1 file changed, 22 insertions(+), 19 deletions(-)
diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 3e1cd411a..7354d752b 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6795,25 +6795,6 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, struct ds actions = DS_EMPTY_INITIALIZER; struct ovn_datapath *od; - /* Logical switch ingress table 0: Admission control framework (priority - * 100). */ - HMAP_FOR_EACH (od, key_node, datapaths) { - if (!od->nbs) { - continue; - } - - /* Logical VLANs not supported. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "vlan.present", - "drop;"); - - /* Broadcast/multicast source address is invalid. */ - ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]", - "drop;"); - - /* Port security flows have priority 50 (see below) and will continue - * to the next table if packet source is acceptable. */ - } - build_lswitch_input_port_sec(ports, datapaths, lflows); /* Ingress table 13: ARP/ND responder, skip requests coming from localnet
@@ -7482,6 +7463,27 @@ static void } } +/* Logical switch ingress table 0: Admission control framework (priority + * 100). */ +static void + build_lswitch_lflows_admission_control( + struct ovn_datapath *od, struct hmap *lflows) +{ + if (od->nbs) { + + /* Logical VLANs not supported. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "vlan.present", + "drop;"); + + /* Broadcast/multicast source address is invalid. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_L2, 100, "eth.src[40]", + "drop;"); + + /* Port security flows have priority 50 (see below) and will continue + * to the next table if packet source is acceptable. */ + } +} + /* Returns a string of the IP address of the router port 'op' that * overlaps with 'ip_s". If one is not found, returns NULL. 
@@ -11344,6 +11346,7 @@ static void lsi->meter_groups, lsi->lbs); build_fwd_group_lflows(od, lsi->lflows); + build_lswitch_lflows_admission_control(od, lsi->lflows); /* Build Logical Router Flows */ build_adm_ctrl_flows_for_lrouter(od, lsi->lflows);
From patchwork Wed Sep 23 18:00:16 2020
X-Patchwork-Submitter: Anton Ivanov
X-Patchwork-Id: 1370011
From: anton.ivanov@cambridgegreys.com
To: dev@openvswitch.org
Date: Wed, 23 Sep 2020 19:00:16 +0100
Message-Id: <20200923180017.22380-6-anton.ivanov@cambridgegreys.com>
In-Reply-To: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
References: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
Cc: i.maximets@ovn.org, Anton Ivanov
Subject: [ovs-dev] [PATCH ovn v3 5/6] ovn-northd: migrate input port security flows to converged build
From: Anton Ivanov 1. Split build_lswitch_input_port_sec into per-datapath and per-port iterators 2. Reuse common scratchpad in the per-port build 3. Migrate the two new functions to the converged build loops Signed-off-by: Anton Ivanov --- northd/ovn-northd.c | 92 ++++++++++++++++++++++----------------------- 1 file changed, 45 insertions(+), 47 deletions(-) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 7354d752b..0646897be 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c 
@@ -4793,69 +4793,63 @@ has_stateful_acl(struct ovn_datapath *od) } static void -build_lswitch_input_port_sec(struct hmap *ports, struct hmap *datapaths, - struct hmap *lflows) +build_lswitch_input_port_sec_op( + struct ovn_port *op, struct hmap *lflows, + struct ds *actions, struct ds *match) { /* Logical switch ingress table 0: Ingress port security - L2 * (priority 50). * Ingress table 1: Ingress port security - IP (priority 90 and 80) * Ingress table 2: Ingress port security - ND (priority 90 and 80) */ - struct ds actions = DS_EMPTY_INITIALIZER; - struct ds match = DS_EMPTY_INITIALIZER; - struct ovn_port *op; - HMAP_FOR_EACH (op, key_node, ports) { - if (!op->nbsp) { - continue; - } + if (!op->nbsp) { + return; + } - if (!lsp_is_enabled(op->nbsp)) { - /* Drop packets from disabled logical ports (since logical flow - * tables are default-drop). */ - continue; - } + if (!lsp_is_enabled(op->nbsp)) { + /* Drop packets from disabled logical ports (since logical flow + * tables are default-drop). 
*/ + return; + } - if (lsp_is_external(op->nbsp)) { - continue; - } + if (lsp_is_external(op->nbsp)) { + return; + } - ds_clear(&match); - ds_clear(&actions); - ds_put_format(&match, "inport == %s", op->json_key); - build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, - &match); + ds_clear(match); + ds_clear(actions); + ds_put_format(match, "inport == %s", op->json_key); + build_port_security_l2("eth.src", op->ps_addrs, op->n_ps_addrs, + match); - const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); - if (queue_id) { - ds_put_format(&actions, "set_queue(%s); ", queue_id); - } - ds_put_cstr(&actions, "next;"); - ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, - ds_cstr(&match), ds_cstr(&actions), - &op->nbsp->header_); + const char *queue_id = smap_get(&op->sb->options, "qdisc_queue_id"); + if (queue_id) { + ds_put_format(actions, "set_queue(%s); ", queue_id); + } + ds_put_cstr(actions, "next;"); + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2, 50, + ds_cstr(match), ds_cstr(actions), + &op->nbsp->header_); - if (op->nbsp->n_port_security) { - build_port_security_ip(P_IN, op, lflows, &op->nbsp->header_); - build_port_security_nd(op, lflows, &op->nbsp->header_); - } + if (op->nbsp->n_port_security) { + build_port_security_ip(P_IN, op, lflows, &op->nbsp->header_); + build_port_security_nd(op, lflows, &op->nbsp->header_); } +} - /* Ingress table 1 and 2: Port security - IP and ND, by default - * goto next. (priority 0) - */ - struct ovn_datapath *od; - HMAP_FOR_EACH (od, key_node, datapaths) { - if (!od->nbs) { - continue; - } +static void +build_lswitch_input_port_sec_od( + struct ovn_datapath *od, struct hmap *lflows) +{ +/* Ingress table 1 and 2: Port security - IP and ND, by default + * goto next. 
(priority 0) + */ + if (od->nbs) { ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_ND, 0, "1", "next;"); ovn_lflow_add(lflows, od, S_SWITCH_IN_PORT_SEC_IP, 0, "1", "next;"); } - - ds_destroy(&match); - ds_destroy(&actions); } static void @@ -6795,8 +6789,6 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, struct ds actions = DS_EMPTY_INITIALIZER; struct ovn_datapath *od; - build_lswitch_input_port_sec(ports, datapaths, lflows); - /* Ingress table 13: ARP/ND responder, skip requests coming from localnet * and vtep ports. (priority 100); see ovn-northd.8.xml for the * rationale. */ @@ -11347,6 +11339,8 @@ static void build_fwd_group_lflows(od, lsi->lflows); build_lswitch_lflows_admission_control(od, lsi->lflows); + build_lswitch_input_port_sec_od( + od, lsi->lflows); /* Build Logical Router Flows */ build_adm_ctrl_flows_for_lrouter(od, lsi->lflows); 
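Review bot: The first hunk of this patch removes `ds_destroy(&match);` and `ds_destroy(&actions);` together with the local buffers, so build_lswitch_input_port_sec_op() now depends on the caller owning and freeing the two `struct ds` it is handed, and nothing in the visible hunks shows where lsi->match and lsi->actions are destroyed. Please confirm the owner of the build info frees them, and add a short comment on the helper stating that it clears and overwrites both buffers (the `ds_clear(match); ds_clear(actions);` pair), since that is now part of its contract. In build_lswitch_input_port_sec_od() the block comment "Ingress table 1 and 2: Port security - IP and ND ..." starts at column 0 inside the function body; indent it, or move it above the definition as the admission control helper in the previous patch does.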
@@ -11376,6 +11370,10 @@ static void struct ovn_port *op, struct lswitch_flow_build_info *lsi) { + /* Build Logical Switch Flows */ + build_lswitch_input_port_sec_op( + op, lsi->lflows, &lsi->actions, &lsi->match); + /* Build Logical Router Flows */ build_adm_ctrl_flows_for_lrouter_port(
From patchwork Wed Sep 23 18:00:17 2020
X-Patchwork-Submitter: Anton Ivanov
X-Patchwork-Id: 1370012
From: anton.ivanov@cambridgegreys.com
To: dev@openvswitch.org
Date: Wed, 23 Sep 2020 19:00:17 +0100
Message-Id: <20200923180017.22380-7-anton.ivanov@cambridgegreys.com>
In-Reply-To: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
References: <20200923180017.22380-1-anton.ivanov@cambridgegreys.com>
Cc: i.maximets@ovn.org, Anton Ivanov
Subject: [ovs-dev] [PATCH ovn v3 6/6] ovn-northd: migrate lswitch arp responder to converged build
From: Anton Ivanov Move the processing for arp responder, arp responder known ips and arp responder skip to next to helper functions. Move the invocation of the helper functions to the converged build. Signed-off-by: Anton Ivanov --- northd/ovn-northd.c | 398 +++++++++++++++++++++++--------------------- 1 file changed, 206 insertions(+), 192 deletions(-) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0646897be..51e6da9aa 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -1,4 +1,4 @@ -/* +/*od, lsi->lflows); * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: 
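Review bot: The `@@ -1,4 +1,4 @@` hunk rewrites line 1 of northd/ovn-northd.c from `/*` to `/*od, lsi->lflows);`, which looks like a stray paste into the opening of the license comment rather than an intended change. It is hidden from the compiler because the text sits inside the comment, but it is unrelated to the ARP responder move; drop this hunk so the license header stays untouched.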
@@ -6788,198 +6788,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, struct ds match = DS_EMPTY_INITIALIZER; struct ds actions = DS_EMPTY_INITIALIZER; struct ovn_datapath *od; - - /* Ingress table 13: ARP/ND responder, skip requests coming from localnet - * and vtep ports. (priority 100); see ovn-northd.8.xml for the - * rationale. */ struct ovn_port *op; - HMAP_FOR_EACH (op, key_node, ports) { - if (!op->nbsp) { - continue; - } - - if ((!strcmp(op->nbsp->type, "localnet")) || - (!strcmp(op->nbsp->type, "vtep"))) { - ds_clear(&match); - ds_put_format(&match, "inport == %s", op->json_key); - ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, - 100, ds_cstr(&match), "next;", - &op->nbsp->header_); - } - } - - /* Ingress table 13: ARP/ND responder, reply for known IPs. - * (priority 50). */ - HMAP_FOR_EACH (op, key_node, ports) { - if (!op->nbsp) { - continue; - } - - if (!strcmp(op->nbsp->type, "virtual")) { - /* Handle - * - GARPs for virtual ip which belongs to a logical port - * of type 'virtual' and bind that port. - * - * - ARP reply from the virtual ip which belongs to a logical - * port of type 'virtual' and bind that port. - * */ - ovs_be32 ip; - const char *virtual_ip = smap_get(&op->nbsp->options, - "virtual-ip"); - const char *virtual_parents = smap_get(&op->nbsp->options, - "virtual-parents"); - if (!virtual_ip || !virtual_parents || - !ip_parse(virtual_ip, &ip)) { - continue; - } - - char *tokstr = xstrdup(virtual_parents); - char *save_ptr = NULL; - char *vparent; - for (vparent = strtok_r(tokstr, ",", &save_ptr); vparent != NULL; - vparent = strtok_r(NULL, ",", &save_ptr)) { - struct ovn_port *vp = ovn_port_find(ports, vparent); - if (!vp || vp->od != op->od) { - /* vparent name should be valid and it should belong - * to the same logical switch. 
*/ - continue; - } - - ds_clear(&match); - ds_put_format(&match, "inport == \"%s\" && " - "((arp.op == 1 && arp.spa == %s && " - "arp.tpa == %s) || (arp.op == 2 && " - "arp.spa == %s))", - vparent, virtual_ip, virtual_ip, - virtual_ip); - ds_clear(&actions); - ds_put_format(&actions, - "bind_vport(%s, inport); " - "next;", - op->json_key); - ovn_lflow_add_with_hint(lflows, op->od, - S_SWITCH_IN_ARP_ND_RSP, 100, - ds_cstr(&match), ds_cstr(&actions), - &vp->nbsp->header_); - } - - free(tokstr); - } else { - /* - * Add ARP/ND reply flows if either the - * - port is up and it doesn't have 'unknown' address defined or - * - port type is router or - * - port type is localport - */ - if (check_lsp_is_up && - !lsp_is_up(op->nbsp) && strcmp(op->nbsp->type, "router") && - strcmp(op->nbsp->type, "localport")) { - continue; - } - - if (lsp_is_external(op->nbsp) || op->has_unknown) { - continue; - } - - for (size_t i = 0; i < op->n_lsp_addrs; i++) { - for (size_t j = 0; j < op->lsp_addrs[i].n_ipv4_addrs; j++) { - ds_clear(&match); - ds_put_format(&match, "arp.tpa == %s && arp.op == 1", - op->lsp_addrs[i].ipv4_addrs[j].addr_s); - ds_clear(&actions); - ds_put_format(&actions, - "eth.dst = eth.src; " - "eth.src = %s; " - "arp.op = 2; /* ARP reply */ " - "arp.tha = arp.sha; " - "arp.sha = %s; " - "arp.tpa = arp.spa; " - "arp.spa = %s; " - "outport = inport; " - "flags.loopback = 1; " - "output;", - op->lsp_addrs[i].ea_s, op->lsp_addrs[i].ea_s, - op->lsp_addrs[i].ipv4_addrs[j].addr_s); - ovn_lflow_add_with_hint(lflows, op->od, - S_SWITCH_IN_ARP_ND_RSP, 50, - ds_cstr(&match), - ds_cstr(&actions), - &op->nbsp->header_); - - /* Do not reply to an ARP request from the port that owns - * the address (otherwise a DHCP client that ARPs to check - * for a duplicate address will fail). Instead, forward - * it the usual way. - * - * (Another alternative would be to simply drop the packet. 
- * If everything is working as it is configured, then this - * would produce equivalent results, since no one should - * reply to the request. But ARPing for one's own IP - * address is intended to detect situations where the - * network is not working as configured, so dropping the - * request would frustrate that intent.) */ - ds_put_format(&match, " && inport == %s", op->json_key); - ovn_lflow_add_with_hint(lflows, op->od, - S_SWITCH_IN_ARP_ND_RSP, 100, - ds_cstr(&match), "next;", - &op->nbsp->header_); - } - - /* For ND solicitations, we need to listen for both the - * unicast IPv6 address and its all-nodes multicast address, - * but always respond with the unicast IPv6 address. */ - for (size_t j = 0; j < op->lsp_addrs[i].n_ipv6_addrs; j++) { - ds_clear(&match); - ds_put_format(&match, - "nd_ns && ip6.dst == {%s, %s} && nd.target == %s", - op->lsp_addrs[i].ipv6_addrs[j].addr_s, - op->lsp_addrs[i].ipv6_addrs[j].sn_addr_s, - op->lsp_addrs[i].ipv6_addrs[j].addr_s); - - ds_clear(&actions); - ds_put_format(&actions, - "%s { " - "eth.src = %s; " - "ip6.src = %s; " - "nd.target = %s; " - "nd.tll = %s; " - "outport = inport; " - "flags.loopback = 1; " - "output; " - "};", - !strcmp(op->nbsp->type, "router") ? - "nd_na_router" : "nd_na", - op->lsp_addrs[i].ea_s, - op->lsp_addrs[i].ipv6_addrs[j].addr_s, - op->lsp_addrs[i].ipv6_addrs[j].addr_s, - op->lsp_addrs[i].ea_s); - ovn_lflow_add_with_hint(lflows, op->od, - S_SWITCH_IN_ARP_ND_RSP, 50, - ds_cstr(&match), - ds_cstr(&actions), - &op->nbsp->header_); - - /* Do not reply to a solicitation from the port that owns - * the address (otherwise DAD detection will fail). */ - ds_put_format(&match, " && inport == %s", op->json_key); - ovn_lflow_add_with_hint(lflows, op->od, - S_SWITCH_IN_ARP_ND_RSP, 100, - ds_cstr(&match), "next;", - &op->nbsp->header_); - } - } - } - } - - /* Ingress table 13: ARP/ND responder, by default goto next. 
- * (priority 0)*/ - HMAP_FOR_EACH (od, key_node, datapaths) { - if (!od->nbs) { - continue; - } - - ovn_lflow_add(lflows, od, S_SWITCH_IN_ARP_ND_RSP, 0, "1", "next;"); - } /* Ingress table 13: ARP/ND responder for service monitor source ip. * (priority 110)*/ 
@@ -7476,6 +7285,205 @@ static void } } +/* Ingress table 13: ARP/ND responder, skip requests coming from localnet + * and vtep ports. (priority 100); see ovn-northd.8.xml for the + * rationale. */ + +static void + build_lswitch_arp_nd_responder( + struct ovn_port *op, struct hmap *lflows, + struct ds *match) +{ + if (op->nbsp) { + if ((!strcmp(op->nbsp->type, "localnet")) || + (!strcmp(op->nbsp->type, "vtep"))) { + ds_clear(match); + ds_put_format(match, "inport == %s", op->json_key); + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, + 100, ds_cstr(match), "next;", + &op->nbsp->header_); + } + } +} + +/* Ingress table 13: ARP/ND responder, reply for known IPs. + * (priority 50). */ +static void + build_lswitch_arp_nd_responder_known( + struct ovn_port *op, struct hmap *lflows, + struct hmap *ports, + struct ds *match, struct ds *actions) +{ + if (!op->nbsp) { + return; + } + if (!strcmp(op->nbsp->type, "virtual")) { + /* Handle + * - GARPs for virtual ip which belongs to a logical port + * of type 'virtual' and bind that port. + * + * - ARP reply from the virtual ip which belongs to a logical + * port of type 'virtual' and bind that port. + * */ + ovs_be32 ip; + const char *virtual_ip = smap_get(&op->nbsp->options, + "virtual-ip"); + const char *virtual_parents = smap_get(&op->nbsp->options, + "virtual-parents"); + if (!virtual_ip || !virtual_parents || + !ip_parse(virtual_ip, &ip)) { + return; + } + + char *tokstr = xstrdup(virtual_parents); + char *save_ptr = NULL; + char *vparent; + for (vparent = strtok_r(tokstr, ",", &save_ptr); vparent != NULL; + vparent = strtok_r(NULL, ",", &save_ptr)) { + struct ovn_port *vp = ovn_port_find(ports, vparent); + if (!vp || vp->od != op->od) { + /* vparent name should be valid and it should belong + * to the same logical switch. 
*/ + continue; + } + + ds_clear(match); + ds_put_format(match, "inport == \"%s\" && " + "((arp.op == 1 && arp.spa == %s && " + "arp.tpa == %s) || (arp.op == 2 && " + "arp.spa == %s))", + vparent, virtual_ip, virtual_ip, + virtual_ip); + ds_clear(actions); + ds_put_format(actions, + "bind_vport(%s, inport); " + "next;", + op->json_key); + ovn_lflow_add_with_hint(lflows, op->od, + S_SWITCH_IN_ARP_ND_RSP, 100, + ds_cstr(match), ds_cstr(actions), + &vp->nbsp->header_); + } + + free(tokstr); + } else { + /* + * Add ARP/ND reply flows if either the + * - port is up and it doesn't have 'unknown' address defined or + * - port type is router or + * - port type is localport + */ + if (check_lsp_is_up && + !lsp_is_up(op->nbsp) && strcmp(op->nbsp->type, "router") && + strcmp(op->nbsp->type, "localport")) { + return; + } + + if (lsp_is_external(op->nbsp) || op->has_unknown) { + return; + } + + for (size_t i = 0; i < op->n_lsp_addrs; i++) { + for (size_t j = 0; j < op->lsp_addrs[i].n_ipv4_addrs; j++) { + ds_clear(match); + ds_put_format(match, "arp.tpa == %s && arp.op == 1", + op->lsp_addrs[i].ipv4_addrs[j].addr_s); + ds_clear(actions); + ds_put_format(actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa = arp.spa; " + "arp.spa = %s; " + "outport = inport; " + "flags.loopback = 1; " + "output;", + op->lsp_addrs[i].ea_s, op->lsp_addrs[i].ea_s, + op->lsp_addrs[i].ipv4_addrs[j].addr_s); + ovn_lflow_add_with_hint(lflows, op->od, + S_SWITCH_IN_ARP_ND_RSP, 50, + ds_cstr(match), + ds_cstr(actions), + &op->nbsp->header_); + + /* Do not reply to an ARP request from the port that owns + * the address (otherwise a DHCP client that ARPs to check + * for a duplicate address will fail). Instead, forward + * it the usual way. + * + * (Another alternative would be to simply drop the packet. 
+ * If everything is working as it is configured, then this + * would produce equivalent results, since no one should + * reply to the request. But ARPing for one's own IP + * address is intended to detect situations where the + * network is not working as configured, so dropping the + * request would frustrate that intent.) */ + ds_put_format(match, " && inport == %s", op->json_key); + ovn_lflow_add_with_hint(lflows, op->od, + S_SWITCH_IN_ARP_ND_RSP, 100, + ds_cstr(match), "next;", + &op->nbsp->header_); + } + + /* For ND solicitations, we need to listen for both the + * unicast IPv6 address and its all-nodes multicast address, + * but always respond with the unicast IPv6 address. */ + for (size_t j = 0; j < op->lsp_addrs[i].n_ipv6_addrs; j++) { + ds_clear(match); + ds_put_format(match, + "nd_ns && ip6.dst == {%s, %s} && nd.target == %s", + op->lsp_addrs[i].ipv6_addrs[j].addr_s, + op->lsp_addrs[i].ipv6_addrs[j].sn_addr_s, + op->lsp_addrs[i].ipv6_addrs[j].addr_s); + + ds_clear(actions); + ds_put_format(actions, + "%s { " + "eth.src = %s; " + "ip6.src = %s; " + "nd.target = %s; " + "nd.tll = %s; " + "outport = inport; " + "flags.loopback = 1; " + "output; " + "};", + !strcmp(op->nbsp->type, "router") ? + "nd_na_router" : "nd_na", + op->lsp_addrs[i].ea_s, + op->lsp_addrs[i].ipv6_addrs[j].addr_s, + op->lsp_addrs[i].ipv6_addrs[j].addr_s, + op->lsp_addrs[i].ea_s); + ovn_lflow_add_with_hint(lflows, op->od, + S_SWITCH_IN_ARP_ND_RSP, 50, + ds_cstr(match), + ds_cstr(actions), + &op->nbsp->header_); + + /* Do not reply to a solicitation from the port that owns + * the address (otherwise DAD detection will fail). */ + ds_put_format(match, " && inport == %s", op->json_key); + ovn_lflow_add_with_hint(lflows, op->od, + S_SWITCH_IN_ARP_ND_RSP, 100, + ds_cstr(match), "next;", + &op->nbsp->header_); + } + } + } +} + +/* Ingress table 13: ARP/ND responder, by default goto next. 
+ * (priority 0)*/ +static void + build_lswitch_arp_nd_responder_next( + struct ovn_datapath *od, struct hmap *lflows) +{ + if (od->nbs) { + ovn_lflow_add(lflows, od, S_SWITCH_IN_ARP_ND_RSP, 0, "1", "next;"); + } +} + /* Returns a string of the IP address of the router port 'op' that * overlaps with 'ip_s". If one is not found, returns NULL. @@ -11341,6 +11349,7 @@ static void build_lswitch_lflows_admission_control(od, lsi->lflows); build_lswitch_input_port_sec_od( od, lsi->lflows); + build_lswitch_arp_nd_responder_next(od, lsi->lflows); /* Build Logical Router Flows */ build_adm_ctrl_flows_for_lrouter(od, lsi->lflows); @@ -11373,6 +11382,11 @@ static void /* Build Logical Switch Flows */ build_lswitch_input_port_sec_op( op, lsi->lflows, &lsi->actions, &lsi->match); + build_lswitch_arp_nd_responder( + op, lsi->lflows, &lsi->match); + build_lswitch_arp_nd_responder_known( + op, lsi->lflows, lsi->ports, + &lsi->match, &lsi->actions); /* Build Logical Router Flows */
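Review bot: The header comment on build_lswitch_arp_nd_responder_known() says "reply for known IPs (priority 50)", but the function also adds priority 100 flows: the `bind_vport(%s, inport); next;` flows for ports of type "virtual" and the `&& inport == %s` / "next;" flows that skip replies to the owning port. Now that the comment documents a whole function rather than one loop, it should list both priorities. In the same hunk, build_lswitch_arp_nd_responder() only adds the localnet/vtep skip flow, which its name does not convey next to the `_known` and `_next` helpers; a more specific suffix would help, and the empty line between its comment and `static void` can go.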
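Review bot: In the final hunk the adjacent calls pass the scratch buffers in opposite orders: build_lswitch_input_port_sec_op() receives `&lsi->actions, &lsi->match`, while build_lswitch_arp_nd_responder_known() receives `&lsi->match, &lsi->actions`. Both parameters are `struct ds *`, so the compiler cannot catch a mix-up, and it is harmless today only because each helper clears the buffers before use. Please settle on one order for every helper in the series, preferably match then actions, which is the order ovn_lflow_add_with_hint() takes the two strings.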