[ovs-dev] [PATCH v4] ovn: support ARP response for known IPs
Han Zhou
zhouhan at gmail.com
Mon Nov 30 19:42:46 UTC 2015
For lswitch ports with known IPs, ARP is responded directly from
local ovn-controller to avoid flooding.
Signed-off-by: Han Zhou <zhouhan at gmail.com>
---
Notes:
v1->v2: remove the extra arg of xasprintf()
v2->v3: update ovn-northd.8.xml to describe the new flows
v3->v4: update ovn.at to test ARP response for known IPs
ovn/northd/ovn-northd.8.xml | 18 ++++++++++++
ovn/northd/ovn-northd.c | 38 ++++++++++++++++++++++++
tests/ovn.at | 72 +++++++++++++++++++++++++++++++++++++++++----
3 files changed, 122 insertions(+), 6 deletions(-)
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index 865c727..fa7675b 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -204,6 +204,24 @@
<ul>
<li>
+ Priority-150 flows that matches ARP requests to each known IP address
+ <var>A</var> of logical port <var>P</var>, and respond ARP replies
+ directly with corresponding Ethernet address <var>E</var>:
+ <pre>
+eth.dst = eth.src;
+eth.src = <var>E</var>;
+arp.op = 2; /* ARP reply. */
+arp.tha = arp.sha;
+arp.sha = <var>E</var>;
+arp.tpa = arp.spa;
+arp.spa = <var>A</var>;
+outport = <var>P</var>;
+inport = ""; /* Allow sending out inport. */
+output;
+ </pre>
+ </li>
+
+ <li>
A priority-100 flow that outputs all packets with an Ethernet broadcast
or multicast <code>eth.dst</code> to the <code>MC_FLOOD</code>
multicast group, which <code>ovn-northd</code> populates with all
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 01f289d..229f94f 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -1145,6 +1145,44 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports,
ds_destroy(&match);
}
+ /* Ingress table 3: Destination lookup, ARP reply for known IPs.
+ * (priority 150). */
+ HMAP_FOR_EACH (op, key_node, ports) {
+ if (!op->nbs) {
+ continue;
+ }
+
+ for (size_t i = 0; i < op->nbs->n_addresses; i++) {
+ struct eth_addr ea;
+ ovs_be32 ip;
+
+ if (ovs_scan(op->nbs->addresses[i],
+ ETH_ADDR_SCAN_FMT" "IP_SCAN_FMT,
+ ETH_ADDR_SCAN_ARGS(ea), IP_SCAN_ARGS(&ip))) {
+ char *match = xasprintf(
+ "arp.tpa == "IP_FMT" && arp.op == 1", IP_ARGS(ip));
+ char *actions = xasprintf(
+ "eth.dst = eth.src; "
+ "eth.src = "ETH_ADDR_FMT"; "
+ "arp.op = 2; /* ARP reply */ "
+ "arp.tha = arp.sha; "
+ "arp.sha = "ETH_ADDR_FMT"; "
+ "arp.tpa = arp.spa; "
+ "arp.spa = "IP_FMT"; "
+ "outport = inport; "
+ "inport = \"\"; /* Allow sending out inport. */ "
+ "output;",
+ ETH_ADDR_ARGS(ea),
+ ETH_ADDR_ARGS(ea),
+ IP_ARGS(ip));
+ ovn_lflow_add(lflows, op->od, S_SWITCH_IN_L2_LKUP, 150,
+ match, actions);
+ free(match);
+ free(actions);
+ }
+ }
+ }
+
/* Ingress table 3: Destination lookup, broadcast and multicast handling
* (priority 100). */
HMAP_FOR_EACH (op, key_node, ports) {
diff --git a/tests/ovn.at b/tests/ovn.at
index 75933c3..f1897e2 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -516,6 +516,7 @@ AT_BANNER([OVN end-to-end tests])
# 3 hypervisors, one logical switch, 3 logical ports per hypervisor
AT_SETUP([ovn -- 3 HVs, 1 LS, 3 lports/HV])
+AT_KEYWORDS([ovnarp])
AT_SKIP_IF([test $HAVE_PYTHON = no])
ovn_start
@@ -537,9 +538,9 @@ for i in 1 2 3; do
ovs-vsctl add-port br-int vif$i$j -- set Interface vif$i$j external-ids:iface-id=lp$i$j options:tx_pcap=hv$i/vif$i$j-tx.pcap options:rxq_pcap=hv$i/vif$i$j-rx.pcap ofport-request=$i$j
ovn-nbctl lport-add lsw0 lp$i$j
if test $j = 1; then
- ovn-nbctl lport-set-addresses lp$i$j f0:00:00:00:00:$i$j unknown
+ ovn-nbctl lport-set-addresses lp$i$j "f0:00:00:00:00:$i$j 192.168.0.$i$j" unknown
else
- ovn-nbctl lport-set-addresses lp$i$j f0:00:00:00:00:$i$j
+ ovn-nbctl lport-set-addresses lp$i$j "f0:00:00:00:00:$i$j 192.168.0.$i$j"
ovn-nbctl lport-set-port-security lp$i$j f0:00:00:00:00:$i$j
fi
done
@@ -558,6 +559,12 @@ ovn_populate_arp
sleep 1
ovn-sbctl dump-flows -- list multicast_group
+# Given the name of a logical port, prints the name of the hypervisor
+# on which it is located.
+vif_to_hv() {
+ echo hv${1%?}
+}
+
# test_packet INPORT DST SRC ETHTYPE OUTPORT...
#
# This shell function causes a packet to be received on INPORT. The packet's
@@ -575,7 +582,7 @@ for i in 1 2 3; do
done
test_packet() {
local inport=$1 packet=$2$3$4; shift; shift; shift; shift
- hv=hv`echo $inport | sed 's/^\(.\).*/\1/'`
+ hv=`vif_to_hv $inport`
vif=vif$inport
as $hv ovs-appctl netdev-dummy/receive $vif $packet
for outport; do
@@ -583,6 +590,44 @@ test_packet() {
done
}
+# test_arp INPORT SHA SPA TPA [REPLY_HA]
+#
+# Causes a packet to be received on INPORT. The packet is an ARP
+# request with SHA, SPA, and TPA as specified. If REPLY_HA is provided, then
+# it should be the hardware address of the target to expect to receive in an
+# ARP reply; otherwise no reply is expected.
+#
+# INPORT is an lport number, e.g. 11 for vif11.
+# SHA and REPLY_HA are each 12 hex digits.
+# SPA and TPA are each 8 hex digits.
+test_arp() {
+ local inport=$1 sha=$2 spa=$3 tpa=$4 reply_ha=$5
+ local request=ffffffffffff${sha}08060001080006040001${sha}${spa}ffffffffffff${tpa}
+ hv=`vif_to_hv $inport`
+ as $hv ovs-appctl netdev-dummy/receive vif$inport $request
+
+ if test X$reply_ha == X; then
+ # Expect to receive the broadcast ARP on the other logical switch ports
+ # if no reply is expected.
+ local i j
+ for i in 1 2 3; do
+ for j in 1 2 3; do
+ if test $i$j != $inport; then
+ echo $request >> $i$j.expected
+ fi
+ done
+ done
+ else
+ # Expect to receive the reply, if any.
+ local reply=${sha}${reply_ha}08060001080006040002${reply_ha}${tpa}${sha}${spa}
+ echo $reply >> $inport.expected
+ fi
+}
+
+ip_to_hex() {
+ printf "%02x%02x%02x%02x" "$@"
+}
+
# Send packets between all pairs of source and destination ports:
#
# 1. Unicast packets are delivered to exactly one lport (except that packets
@@ -605,6 +650,10 @@ test_packet() {
# 7. The lswitch drops unicast packets that violate an ACL.
#
# 8. The lswitch drops multicast and broadcast packets that violate an ACL.
+#
+# 9. ARP requests to known IPs are responded directly.
+#
+# 10. No response to ARP requests for unknown IPs.
for is in 1 2 3; do
for js in 1 2 3; do
s=$is$js
@@ -641,6 +690,12 @@ for is in 1 2 3; do
bcast="$bcast $unicast"
bacl2="$bacl2 $acl2"
bacl3="$bacl3 $acl3"
+
+ sip=`ip_to_hex 192 168 0 $i$j`
+ tip=`ip_to_hex 192 168 0 $id$jd`
+ tip_unknown=`ip_to_hex 11 11 11 11`
+ test_arp $s f000000000$s $sip $tip f000000000$d #9
+ test_arp $s f000000000$s $sip $tip_unknown #10
done
done
@@ -883,6 +938,9 @@ for i in 1 2 3; do
done
done
+ovn-nbctl set Logical_Port lrp33-attachment \
+ addresses='"00:00:00:00:ff:33 192.168.33.254"'
+
# Physical network:
#
# Three hypervisors hv[123].
@@ -1041,13 +1099,15 @@ test_arp() {
as $hv ovs-appctl netdev-dummy/receive vif$inport $request
#as $hv ovs-appctl ofproto/trace br-int in_port=$inport $request
- # Expect to receive the broadcast ARP on the other logical switch ports.
- # (OVN should probably suppress these.)
+ # Expect to receive the broadcast ARP on the other logical switch ports if
+ # IP address is not configured to the lswitch patch port.
local i=`vif_to_ls $inport`
local j k
for j in 1 2 3; do
for k in 1 2 3; do
- if test $i$j$k != $inport; then
+ # 192.168.33.254 is configured to the lswtich patch port for lrp33,
+ # so no ARP flooding expected for it.
+ if test $i$j$k != $inport && test $tpa != `ip_to_hex 192 168 33 254`; then
echo $request >> $i$j$k.expected
fi
done
--
2.1.0
More information about the dev
mailing list