[ovs-dev] Native DNS support proposal in OVN for internal DNS resolution

Numan Siddique nusiddiq at redhat.com
Thu Oct 13 12:04:22 UTC 2016


Below is the proposal to add native DNS support in OVN for internal DNS
resolution. This will be useful if a VM sends a DNS lookup request for
another VM belonging to the same virtual network.

 - hostname of the logical ports will be stored in the north db lsp row

 - ovn-northd will add the below logical flows for each lsp that has a
hostname defined. (3 new logical stages "ls_in_l7_parse", "ls_in_l7_match",
"ls_in_l7_response" will be defined).

----------------------------------------
  table=13(ls_in_l7_parse     ), priority=100  , match=(ip4 && udp.dst == 53), action=(reg0[4] = extract_dns_packet(); next;)
  table=13(ls_in_l7_parse     ), priority=0    , match=(1), action=(next;)
  table=14(ls_in_l7_match     ), priority=90   , match=(dns.query == "vm1"), action=(put_dns_answer(10.0.0.20);)
  table=14(ls_in_l7_match     ), priority=90   , match=(dns.query == "vm2"), action=(put_dns_answer(10.0.0.21);)
....
....
  table=14(ls_in_l7_match     ), priority=0    , match=(1), action=(next;)
  table=15(ls_in_l7_response  ), priority=100  , match=(ip4 && udp.dst == 53 && reg0[4]), action=(eth.dst <-> eth.src; ip4.src <-> ip4.dst; udp.dst <-> udp.src; outport = inport; flags.loopback = 1; output;)
  table=15(ls_in_l7_response  ), priority=0    , match=(1), action=(next;)
----------------------------------------

 - ovn-controller will translate these into below OF Flows

 cookie=0x0, duration=631.516s, table=29, n_packets=8, n_bytes=504, idle_age=585, priority=100,udp,metadata=0x1,tp_dst=53 actions=controller(userdata=00.00.00.06.00.00.00.00.00.01.de.10.00.00.00.64,pause),resubmit(,30)

 cookie=0x0, duration=631.517s, table=29, n_packets=0, n_bytes=0, idle_age=631, priority=0,metadata=0x1 actions=resubmit(,30)

 cookie=0x0, duration=631.523s, table=30, n_packets=0, n_bytes=0, idle_age=631, priority=0,metadata=0x1 actions=resubmit(,31)

 cookie=0x0, duration=631.521s, table=31, n_packets=0, n_bytes=0, idle_age=631, priority=100,udp,reg0=0x10/0x10,metadata=0x1,tp_dst=53 actions=push:NXM_OF_ETH_SRC[],push:NXM_OF_ETH_DST[],pop:NXM_OF_ETH_SRC[],pop:NXM_OF_ETH_DST[],push:NXM_OF_IP_DST[],push:NXM_OF_IP_SRC[],pop:NXM_OF_IP_DST[],pop:NXM_OF_IP_SRC[],push:NXM_OF_UDP_SRC[],push:NXM_OF_UDP_DST[],pop:NXM_OF_UDP_SRC[],pop:NXM_OF_UDP_DST[],move:NXM_NX_REG14[]->NXM_NX_REG15[],load:0x1->NXM_NX_REG10[0],resubmit(,32)


ovn-controller will translate the "extract_dns_packet" ovn action to a
"controller" action with the pause flag set.
For the flows in the table "ls_in_l7_match", ovn-controller will NOT
translate them into any OF Flows; instead it will
   - maintain a hash map for each logical datapath (with datapath_key as
key) - "l7_dp_flows"
   - store the (dns query value, ip address) pair in the hash map of the
datapath.

Below is what happens when a dns request packet is received

  - ovs-vswitchd will send it to ovn-controller.
  - ovn-controller will parse the dns packet and extract the host name.
  - ovn-controller will extract the datapath key from the packet metadata
and look up the ip address for the host name in the hash map (l7_dp_flows).
  - If a match is found, it will generate a dns response packet, set the
result register bit and resume the packet.
  - On resuming the packet, the flow in "ls_in_l7_response" will reply back
if the result register bit is set. Otherwise the packet will continue
further down in the pipeline.

- It will handle both queries for A (IPv4) and AAAA (IPv6) records.
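As an added illustration (not code from this proposal or from OVN), the controller-side logic the two new actions would perform, in Python: parse the DNS question the way "extract_dns_packet" would, look the name up in a per-datapath map standing in for "l7_dp_flows", and build the A or AAAA answer "put_dns_answer" would emit, or return None so the packet continues down the pipeline with the result bit clear. The map contents and function names are assumptions.

```python
import ipaddress
import struct

# Constructed stand-in for the proposal's per-datapath "l7_dp_flows" map:
# datapath_key -> {hostname: [addresses]}; the entries are hypothetical.
L7_DP_FLOWS = {1: {"vm1": ["10.0.0.20"], "vm2": ["10.0.0.21", "fd00::21"]}}
QTYPE_A, QTYPE_AAAA, QCLASS_IN = 1, 28, 1


def parse_query(pkt):
    """The extract_dns_packet step: (txid, hostname, qtype, question) for a
    single-question IN query, else None. Compression pointers are rejected."""
    if len(pkt) < 12:
        return None
    txid, flags, qdcount, _, _, _ = struct.unpack("!6H", pkt[:12])
    if flags & 0x8000 or qdcount != 1:          # QR set: a response, not a query
        return None
    labels, off = [], 12
    while off < len(pkt) and pkt[off] != 0:
        n = pkt[off]
        if n & 0xC0 or off + 1 + n > len(pkt):  # pointer or truncated label
            return None
        labels.append(pkt[off + 1:off + 1 + n].decode("ascii", "replace").lower())
        off += 1 + n
    off += 1                                    # skip the terminating root label
    if off + 4 > len(pkt):
        return None
    qtype, qclass = struct.unpack("!HH", pkt[off:off + 4])
    if qclass != QCLASS_IN:
        return None
    return txid, ".".join(labels), qtype, pkt[12:off + 4]


def build_response(dp_key, pkt, table=L7_DP_FLOWS):
    """The put_dns_answer step: a response packet for a name known in this
    datapath, or None (result bit clear, packet continues the pipeline)."""
    parsed = parse_query(pkt)
    if parsed is None:
        return None
    txid, name, qtype, question = parsed
    want = {QTYPE_A: ipaddress.IPv4Address, QTYPE_AAAA: ipaddress.IPv6Address}.get(qtype)
    if want is None:
        return None
    names = table.get(dp_key, {}).get(name, [])  # datapath isolation: key first
    addrs = [a for a in map(ipaddress.ip_address, names) if isinstance(a, want)]
    if not addrs:
        return None
    header = struct.pack("!6H", txid, 0x8180, 1, len(addrs), 0, 0)  # QR|RD|RA, NOERROR
    answers = b"".join(
        struct.pack("!HHHIH", 0xC00C, qtype, QCLASS_IN, 60, len(a.packed)) + a.packed
        for a in addrs)                         # 0xC00C points back at the question name
    return header + question + answers
```

A name that is not in the datapath's map yields None rather than an NXDOMAIN, matching the proposal's "continue further down in the pipeline" behaviour.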

I want to get feedback and see if this approach is reasonable. If so,
I will continue with the development.

Thanks
Numan


