From patchwork Tue Nov 8 15:50:44 2022
X-Patchwork-Submitter: Venugopal Iyer
X-Patchwork-Id: 1701358
X-Patchwork-Delegate: nusiddiq@redhat.com
Date: Tue, 8 Nov 2022 07:50:44 -0800
Message-ID: <20221108155044.23112-1-venugopali@nvidia.com>
Cc: venugopali@nvidia.com
Subject: [ovs-dev] [PATCH ovn] northd: bypass connection tracking for
stateless flows when there are LB flows present
From: Venugopal Iyer
Currently, even stateless flows are subject to connection tracking when there are
LB rules (for DNAT). However, if a flow needs to be subjected to LB, then it shouldn't
be configured as stateless.
A stateless flow means we should not track it, and this change exempts stateless
flows from being tracked regardless of whether LB rules are present or not.
Signed-off-by: venu.iyer
Acked-by: Han Zhou
---
northd/northd.c | 24 +++++++++++++-----
northd/ovn-northd.8.xml | 56 ++++++++++++++++++++++-------------------
ovn-nb.xml | 3 +++
tests/ovn-northd.at | 48 ++++++++++++-----------------------
tests/ovn.at | 4 +--
5 files changed, 69 insertions(+), 66 deletions(-)
diff --git a/northd/northd.c b/northd/northd.c
index b7388afc5..da4beede6 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -137,8 +137,8 @@ enum ovn_stage {
PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 24, "ls_in_l2_unknown") \
\
/* Logical switch egress stages. */ \
- PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 0, "ls_out_pre_lb") \
- PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 1, "ls_out_pre_acl") \
+ PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \
+ PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 1, "ls_out_pre_lb") \
PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \
PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 3, "ls_out_acl_hint") \
PIPELINE_STAGE(SWITCH, OUT, ACL, 4, "ls_out_acl") \
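Review bot: the swap of the egress PRE_ACL and PRE_LB stage indices (PRE_ACL becomes 0, PRE_LB becomes 1) is not mentioned in the commit message, yet it is what makes the change work on the egress side: REGBIT_ACL_STATELESS is set in pre-ACL and must already be set when pre-LB decides whether to skip conntrack, so pre-ACL has to run first, as it already does in the ingress pipeline. Please add a sentence to the commit message saying so, and state that ls_out_pre_lb moves from table 0 to table 1 (the tests/ovn-northd.at expectations below are updated for exactly this).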
@@ -210,6 +210,7 @@ enum ovn_stage {
#define REGBIT_ACL_LABEL "reg0[13]"
#define REGBIT_FROM_RAMP "reg0[14]"
#define REGBIT_PORT_SEC_DROP "reg0[15]"
+#define REGBIT_ACL_STATELESS "reg0[16]"
#define REG_ORIG_DIP_IPV4 "reg1"
#define REG_ORIG_DIP_IPV6 "xxreg1"
@@ -271,7 +272,7 @@ enum ovn_stage {
* | R0 | REGBIT_{CONNTRACK/DHCP/DNS} | | |
* | | REGBIT_{HAIRPIN/HAIRPIN_REPLY} | | |
* | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} | | |
- * | | REGBIT_ACL_LABEL | X | |
+ * | | REGBIT_ACL_{LABEL/STATELESS} | X | |
* +----+----------------------------------------------+ X | |
* | R1 | ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL) | R | |
* +----+----------------------------------------------+ E | |
@@ -5677,17 +5678,18 @@ build_stateless_filter(struct ovn_datapath *od,
const struct nbrec_acl *acl,
struct hmap *lflows)
{
+ const char *action = REGBIT_ACL_STATELESS" = 1; next;";
if (!strcmp(acl->direction, "from-lport")) {
ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL,
acl->priority + OVN_ACL_PRI_OFFSET,
acl->match,
- "next;",
+ action,
&acl->header_);
} else {
ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL,
acl->priority + OVN_ACL_PRI_OFFSET,
acl->match,
- "next;",
+ action,
&acl->header_);
}
}
@@ -5779,6 +5781,10 @@ build_pre_acls(struct ovn_datapath *od, const struct hmap *port_groups,
REGBIT_CONNTRACK_DEFRAG" = 1; next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip",
REGBIT_CONNTRACK_DEFRAG" = 1; next;");
+ } else if (od->has_lb_vip) {
+ /* We'll build stateless filters if there are LB rules so that
+ * the stateless flows are not tracked in pre-lb. */
+ build_stateless_filters(od, port_groups, lflows);
}
}
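Review bot: build_stateless_filters() is now called from the new `} else if (od->has_lb_vip) {` branch, i.e. only when the datapath has LB VIPs and did not take the first branch of this if/else. The condition of the first branch is outside the hunk's context; please confirm that branch already calls build_stateless_filters() for datapaths with stateful ACLs, otherwise a switch that has both stateful ACLs and LB VIPs would never set REGBIT_ACL_STATELESS and its allow-stateless ACLs would keep going through conntrack and LB DNAT. A test that puts a stateful ACL, a stateless ACL and a VIP on the same switch would pin this down.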
@@ -5913,6 +5919,11 @@ build_pre_lb(struct ovn_datapath *od, const struct shash *meter_groups,
S_SWITCH_IN_PRE_LB, S_SWITCH_OUT_PRE_LB,
110, lflows);
}
+ /* Do not sent statless flows via conntrack */
+ ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
+ REGBIT_ACL_STATELESS" == 1", "next;");
+ ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
+ REGBIT_ACL_STATELESS" == 1", "next;");
/* 'REGBIT_CONNTRACK_NAT' is set to let the pre-stateful table send
* packet to conntrack for defragmentation and possibly for unNATting.
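Review bot: typo in the new comment, `/* Do not sent statless flows via conntrack */` should read `/* Do not send stateless flows via conntrack */`. The two priority-110 flows themselves look right: they share the priority of the existing multicast/ND skip flows and are installed whether or not the datapath has LB VIPs, which is what lets the stateless bit short-circuit pre-LB uniformly in both directions.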
@@ -6918,7 +6929,8 @@ build_lb_rules_pre_stateful(struct hmap *lflows, struct ovn_northd_lb *lb,
}
ds_put_format(action, "%s;", ct_lb_mark ? "ct_lb_mark" : "ct_lb");
- ds_put_format(match, "%s.dst == %s", ip_match, lb_vip->vip_str);
+ ds_put_format(match, REGBIT_CONNTRACK_NAT" == 1 && %s.dst == %s",
+ ip_match, lb_vip->vip_str);
if (lb_vip->vip_port) {
ds_put_format(match, " && %s.dst == %d", proto, lb_vip->vip_port);
}
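Review bot: prefixing the priority-120 per-VIP match with `REGBIT_CONNTRACK_NAT" == 1 && "` is the part of the change that actually stops stateless traffic from being DNATted to a backend: once pre-LB skips the `reg0[2] = 1` hint for REGBIT_ACL_STATELESS traffic, the per-VIP flow in pre-stateful no longer matches it. Because this alters the match of every existing per-VIP flow (see the updated expectations in tests/ovn-northd.at and tests/ovn.at), the commit message should spell out the user-visible consequence: a packet admitted by an allow-stateless ACL and addressed to a VIP now leaves the switch with the VIP as its destination instead of being load balanced. The ovn-nb.xml hunk tells users this, but the rationale for the match change belongs in the log as well.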
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index a70f2e678..162ec2b3b 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -440,7 +440,9 @@
priority-110 flow is added to skip over stateful ACLs. Multicast, IPv6
Neighbor Discovery and MLD traffic also skips stateful ACLs. For
"allow-stateless" ACLs, a flow is added to bypass setting the hint for
- connection tracker processing.
+ connection tracker processing when there are statelful ACLs or LB rules;
+ REGBIT_ACL_STATELESS
is set for traffic matching such
+ flows for this purpose.
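Review bot: typo in the added sentence, `statelful ACLs or LB rules` should read `stateful ACLs or LB rules`.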
@@ -460,8 +462,10 @@
in ingress table LB
and Stateful
. It contains
a priority-0 flow that simply moves traffic to the next table. Moreover
it contains two priority-110 flows to move multicast, IPv6 Neighbor
- Discovery and MLD traffic to the next table. If load balancing rules with
- virtual IP addresses (and ports) are configured in
+ Discovery and MLD traffic to the next table. It also contains two
+ priority-110 flows to move stateless traffic, i.e traffic for which
+ REGBIT_ACL_STATELESS
is set, to the next table. If load
+ balancing rules with virtual IP addresses (and ports) are configured in
OVN_Northbound
database for a logical switch datapath, a
priority-100 flow is added with the match ip
to match on IP
packets and sets the action reg0[2] = 1; next;
to act as a
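Review bot: `i.e traffic for which` should be `i.e. traffic for which` (or `i.e., traffic`), matching the abbreviation style used elsewhere in this manual page.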
@@ -1859,19 +1863,11 @@ output;
-
Egress Table 0: Pre-LB
+ Egress Table 0: to-lport
Pre-ACLs
- This table is similar to ingress table Pre-LB
. It
- contains a priority-0 flow that simply moves traffic to the next table.
- Moreover it contains two priority-110 flows to move multicast, IPv6
- Neighbor Discovery and MLD traffic to the next table. If any load
- balancing rules exist for the datapath, a priority-100 flow is added with
- a match of ip
and action of reg0[2] = 1; next;
- to act as a hint for table Pre-stateful
to send IP packets
- to the connection tracker for packet de-fragmentation and possibly DNAT
- the destination VIP to one of the selected backend for already committed
- load balanced traffic.
+ This is similar to ingress table Pre-ACLs
except for
+ to-lport
traffic.
@@ -1884,11 +1880,28 @@ output;
db="OVN_Northbound"/> table.
- Egress Table 1: to-lport
Pre-ACLs
+
+ This table also has a priority-110 flow with the match
+ outport == I
for all logical switch
+ datapaths to move traffic to the next table. Where I
+ is the peer of a logical router port. This flow is added to
+ skip the connection tracking of packets which will be entering
+ logical router datapath from logical switch datapath for routing.
+
+
+ Egress Table 1: Pre-LB
- This is similar to ingress table Pre-ACLs
except for
- to-lport
traffic.
+ This table is similar to ingress table Pre-LB
. It
+ contains a priority-0 flow that simply moves traffic to the next table.
+ Moreover it contains two priority-110 flows to move multicast, IPv6
+ Neighbor Discovery and MLD traffic to the next table. If any load
+ balancing rules exist for the datapath, a priority-100 flow is added with
+ a match of ip
and action of reg0[2] = 1; next;
+ to act as a hint for table Pre-stateful
to send IP packets
+ to the connection tracker for packet de-fragmentation and possibly DNAT
+ the destination VIP to one of the selected backend for already committed
+ load balanced traffic.
@@ -1901,15 +1914,6 @@ output;
db="OVN_Northbound"/> table.
-
- This table also has a priority-110 flow with the match
- outport == I
for all logical switch
- datapaths to move traffic to the next table. Where I
- is the peer of a logical router port. This flow is added to
- skip the connection tracking of packets which will be entering
- logical router datapath from logical switch datapath for routing.
-
-
Egress Table 2: Pre-stateful
diff --git a/ovn-nb.xml b/ovn-nb.xml
index f41e9d7c0..140dd9a4f 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -2063,6 +2063,9 @@
outgoing TCP traffic directed to an IP address, then you probably
also want to define another rule to allow incoming TCP traffic coming
from this same IP address.
+ In addition, traffic that matches stateless ACLs will bypass
+ load-balancer DNAT/un-DNAT processing. Stateful ACLs should be
+ used instead if the traffic is supposed to be load-balanced.
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 4f399eccb..85d5acfed 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -2056,27 +2056,27 @@ check ovn-nbctl ls-lb-add sw0 lb1
check ovn-nbctl add load_balancer_group $lbg load_balancer $lb3
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
+ table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
])
check ovn-nbctl ls-lb-add sw0 lb2
check ovn-nbctl add load_balancer_group $lbg load_balancer $lb4
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
+ table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
])
check ovn-nbctl clear load_balancer $lb1 vips
check ovn-nbctl clear load_balancer $lb3 vips
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
+ table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
])
check ovn-nbctl clear load_balancer $lb2 vips
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
+ table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
])
check ovn-nbctl clear load_balancer $lb4 vips
@@ -2091,7 +2091,7 @@ check ovn-nbctl set load_balancer $lb4 vips:"10.0.0.13"="10.0.0.6"
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
+ table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
])
# Now reverse the order of clearing the vip.
@@ -2099,13 +2099,13 @@ check ovn-nbctl clear load_balancer $lb2 vips
check ovn-nbctl clear load_balancer $lb4 vips
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
+ table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
])
check ovn-nbctl clear load_balancer $lb1 vips
check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep "ls_out_pre_lb.*priority=100" | grep reg0 | sort], [0], [dnl
- table=0 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
+ table=1 (ls_out_pre_lb ), priority=100 , match=(ip), action=(reg0[[2]] = 1; next;)
])
check ovn-nbctl clear load_balancer $lb3 vips
@@ -3044,18 +3044,10 @@ for direction in from to; do
done
ovn-nbctl --wait=sb sync
-# TCP packets should go to conntrack for load balancing.
+# TCP packets should not go to conntrack for load balancing.
flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
-ct_lb_mark {
- ct_lb_mark {
- reg0[[6]] = 0;
- reg0[[12]] = 0;
- ct_lb_mark /* default (use --ct to customize) */ {
- output("lsp2");
- };
- };
-};
+output("lsp2");
])
# UDP packets still go to conntrack.
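Review bot: the updated comment and expected trace show the intended negative case (the TCP flow now goes straight to `output("lsp2")` instead of through the nested `ct_lb_mark` blocks), but the test only asserts the bypass. Since the ovn-nb.xml hunk tells users to switch to stateful ACLs when traffic must be load balanced, consider adding the positive counterpart in the same test: the same TCP flow under a stateful ACL should still produce the ct_lb_mark trace, so a regression in either direction is caught.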
@@ -3188,18 +3180,10 @@ for direction in from to; do
done
ovn-nbctl --wait=sb sync
-# TCP packets should go to conntrack for load balancing.
+# TCP packets should not go to conntrack for load balancing.
flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
AT_CHECK_UNQUOTED([ovn_trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
-ct_lb_mark {
- ct_lb_mark {
- reg0[[6]] = 0;
- reg0[[12]] = 0;
- ct_lb_mark /* default (use --ct to customize) */ {
- output("lsp2");
- };
- };
-};
+output("lsp2");
])
# UDP packets still go to conntrack.
@@ -4015,8 +3999,8 @@ check_stateful_flows() {
table=? (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
table=? (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1), action=(ct_next;)
table=? (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg1 = 10.0.0.20; reg2[[0..15]] = 80; ct_lb_mark;)
+ table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
+ table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 10.0.0.20 && tcp.dst == 80), action=(reg1 = 10.0.0.20; reg2[[0..15]] = 80; ct_lb_mark;)
])
AT_CHECK([grep "ls_in_lb" sw0flows | sort | sed 's/table=../table=??/'], [0], [dnl
@@ -7650,7 +7634,7 @@ check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 66.66.66.66 && ct_mark.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;)
+ table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;)
table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);)
table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;)
@@ -7662,7 +7646,7 @@ check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 66.66.66.66 && ct_label.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 66.66.66.66), action=(ct_lb(backends=42.42.42.2);)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb;)
+ table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;)
table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb(backends=42.42.42.2);)
table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb;)
@@ -7674,7 +7658,7 @@ check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0 == 66.66.66.66 && ct_mark.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0 == 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;)
+ table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;)
table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst == 66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);)
table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1), action=(ct_lb_mark;)
diff --git a/tests/ovn.at b/tests/ovn.at
index f8b8db4df..f43455f60 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -23656,7 +23656,7 @@ OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows > sbflows
ovn-sbctl dump-flows sw0 | grep ct_lb_mark | grep priority=120 | sed 's/table=..//'], 0,
[dnl
- (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
+ (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80; hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");)
])
@@ -23699,7 +23699,7 @@ ovn-sbctl dump-flows sw0 > sbflows3
AT_CHECK(
[grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" sbflows3 | grep priority=120 |\
sed 's/table=../table=??/'], [0], [dnl
- table=??(ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
+ table=??(ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10 && tcp.dst == 80), action=(drop;)
])