[ovs-dev] [PATCH v5 0/6] ovn: add distributed NAT capability

Guru Shetty guru at ovn.org
Wed Jan 4 17:33:01 UTC 2017 

On 3 January 2017 at 01:33, Mickey Spiegel <mickeys.dev at gmail.com> wrote:

> Currently OVN supports NAT functionality by connecting each distributed
> logical router to a centralized "l3gateway" router that resides on a
> single chassis.  NAT is only carried out in the "l3gateway" router.
>
> This patch set introduces NAT capability in the distributed logical
> router itself, avoiding the need to pass through a transit logical
> switch and a second logical router, and in many cases avoiding the need
> to pass through a centralized chassis.
>
> NAT functionality is associated with the logical router gateway port.
> In order to support one-to-many SNAT (aka IP masquerading), where
> multiple private IP addresses spread across multiple chassis are mapped
> to a single public IP address, it will be necessary to handle some of
> the logical router processing on a specific chassis in a centralized
> manner.  Some NAT flows are handled in a distributed manner on all
> chassis (following the local "patch" port as is normally done for
> distributed logical routers), while other NAT flows are handled on a
> centralized "redirect-chassis".
>
> Possible future work items (hopefully not required for this patch set
> to be accepted) include:
> 1. The NAT flows patch lifts the restriction that conntrack zones are
>    only assigned to datapaths for gateway routers.  Given recent
>    changes to ovn-controller, a hypervisor only sees the datapaths
>    for which there is a port resident on this chassis, or datapaths
>    reachable from ports resident on this chassis.  Is that good
>    enough?  Or should conntrack zone assignment for datapaths be
>    restricted further, perhaps only to logical router datapaths?
> 2. The current automated test for NAT flows is single node, so it does
>    not cover the distributed functionality.  Full coverage requires a
>    multi-node test with conntrack NAT capability, either in the kernel
>    or userspace.  Is this possible?
>    Multi-node tests have been added for the chassisdirect patch,
>    testing non-NAT aspects of the distributed router gateway port.
> 3. Consider how to generalize distributed versus centralized handling
>    of non-NAT traffic being output on the distributed gateway port.
>    If MAC learning is used in the upstream network, then the
>    distributed gateway port’s MAC address must be restricted to the
>    redirect-chassis by using the chassisredirect port.  In the
>    presence of dynamic protocols such as BGP EVPN, non-NAT traffic
>    could be handled in a distributed manner.
> 4. Gratuitous ARP for NAT addresses needs to be updated for
>    distributed NAT.
> 5. Add load balancing on the redirect chassis of an otherwise
>    distributed logical router.
>
I had a cursory look. Some of the patches will probably need blp to look at
too. I did notice that changes to ovn-nbctl to add NAT rules does not exist
in this patch. Currently there are a few shortcuts there.


>
> PATCH v4 -> PATCH v5
> Limited router ingress table 0 flow matching router ethernet address
> on distributed gateway to redirect chassis.
> Limited router ingress table 0 flows matching NAT ethernet address to
> chassis where the NAT rule's logical port resides.
> Rolled back changes to ICMP since they are not necessary.
>
> PATCH v3 -> PATCH v4
> Rebase
>
> PATCH v2 -> PATCH v3
> Added table to set egress loopback flag in the egress pipeline stage,
> fixing east-west NAT across multiple chassis.
>
> PATCH v1 -> PATCH v2
> Added ovn-trace logic for chassisredirect ports, including automated test.
> Added ovn-trace logic for egress loopback.
> Fixed some bugs in ovn-trace register handling from ingress to egress,
> and across patch ports (should these be filed separately as well?).
>
> RFC v4 -> PATCH v1
> Added egress loopback capability
> Added east/west NAT tests to system-ovn.at (make check-kernel)
> Added REGBIT_NAT_REDIRECT flows to IN_IP_ROUTING and IN_ARP_RESOLVE,
> resolving remaining issues with east/west NAT
>
> RFC v3 -> RFC v4
> Rebased to pick up recent changes to ovn-controller, including a fix
> to the localnet issue where VIFs had to be added on a chassis in order
> to cause the localnet port to be instantiated.
> The chassisredirect port logic was rewritten to avoid creating an
> ofport.  Besides streamlining the code significantly, this fixed the
> problem when the distributed port name was longer than 12 characters.
> Restricted IPv6 ND replies for the router IP address to the redirect
> chassis, similar to IPv4 ARP restrictions.
> Added specific gateway redirect flows for unresolved ethernet
> destination, so that ARP requests generated by the router are sent
> through the redirect chassis regardless of NAT rules.
> Relaxed checks in chassisredirect tests so that they are independent
> of register assignments.
> Renamed ovn-northd.c "l3gateway_port" to "l3dgw_port" in order to
> avoid overlaps with gateway router terminology.
>
> RFC v2 -> RFC v3
> Reordered the first two patches.
> Moved non-NAT specific flows from patch 5 to patch 2.
> Added automated tests for is_chassis_resident (which is ready for
> review) and chassisredirect patches.
> Added flows to limit ICMP echo replies for router IPs on the gateway
> interface, so that they are only generated on the redirect-chassis.
>
> Mickey Spiegel (6):
>   ovn: add is_chassis_resident match expression component
>   ovn: Introduce "chassisredirect" port binding
>   ovn: add egress loopback capability
>   ovn: move load balancing flows after NAT flows
>   ovn: avoid snat recirc only on gateway routers
>   ovn: distributed NAT flows
>
>  include/ovn/actions.h           |   3 +
>  include/ovn/expr.h              |  22 +-
>  ovn/controller/binding.c        |   8 +
>  ovn/controller/lflow.c          |  49 ++-
>  ovn/controller/lflow.h          |   5 +-
>  ovn/controller/ovn-controller.c |  15 +-
>  ovn/controller/physical.c       | 101 +++++-
>  ovn/lib/actions.c               |  15 +-
>  ovn/lib/expr.c                  | 155 ++++++++-
>  ovn/lib/logical-fields.c        |   8 +
>  ovn/lib/logical-fields.h        |  14 +
>  ovn/northd/ovn-northd.8.xml     | 436 +++++++++++++++++++++++-
>  ovn/northd/ovn-northd.c         | 719 ++++++++++++++++++++++++++++++
> ++--------
>  ovn/ovn-nb.ovsschema            |  13 +-
>  ovn/ovn-nb.xml                  |  70 +++-
>  ovn/ovn-sb.xml                  |  37 ++-
>  ovn/utilities/ovn-trace.c       | 105 +++++-
>  tests/ovn.at                    | 303 ++++++++++++++++-
>  tests/system-ovn.at             | 338 +++++++++++++++++++
>  tests/test-ovn.c                |  15 +-
>  20 files changed, 2230 insertions(+), 201 deletions(-)
>
> --
> 1.9.1
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

More information about the dev mailing list