[ovs-dev] [PATCH v13 0/6] ovn: add distributed NAT capability

Mickey Spiegel mickeys.dev at gmail.com
Thu Jan 26 19:33:06 UTC 2017


PATCH v12 -> PATCH v13
Addressed minor comments from shettyg on nat flows patch.


Currently OVN supports NAT functionality by connecting each distributed
logical router to a centralized "l3gateway" router that resides on a
single chassis.  NAT is only carried out in the "l3gateway" router.

This patch set introduces NAT capability in the distributed logical
router itself, avoiding the need to pass through a transit logical
switch and a second logical router, and in many cases avoiding the need
to pass through a centralized chassis.

NAT functionality is associated with the logical router gateway port.
In order to support one-to-many SNAT (aka IP masquerading), where
multiple private IP addresses spread across multiple chassis are mapped
to a single public IP address, it will be necessary to handle some of
the logical router processing on a specific chassis in a centralized
manner.  Some NAT flows are handled in a distributed manner on all
chassis (following the local "patch" port as is normally done for
distributed logical routers), while other NAT flows are handled on a
centralized "redirect-chassis".

Possible future work items (hopefully not required for this patch set
to be accepted) include:
1. The NAT flows patch lifts the restriction that conntrack zones are
   only assigned to datapaths for gateway routers.  Given recent
   changes to ovn-controller, a hypervisor only sees the datapaths
   for which there is a port resident on this chassis, or datapaths
   reachable from ports resident on this chassis.  Is that good
   enough?  Or should conntrack zone assignment for datapaths be
   restricted further, perhaps only to logical router datapaths?
2. The current automated test for NAT flows is single node, so it does
   not cover the distributed functionality.  Full coverage requires a
   multi-node test with conntrack NAT capability, either in the kernel
   or userspace.  Is this possible?
   Multi-node tests have been added for the chassisdirect patch,
   testing non-NAT aspects of the distributed router gateway port.
3. Consider how to generalize distributed versus centralized handling
   of non-NAT traffic being output on the distributed gateway port.
   If MAC learning is used in the upstream network, then the
   distributed gateway port’s MAC address must be restricted to the
   redirect-chassis by using the chassisredirect port.  In the
   presence of dynamic protocols such as BGP EVPN, non-NAT traffic
   could be handled in a distributed manner.
4. Gratuitous ARP for NAT addresses needs to be updated for
   distributed NAT.
5. Add load balancing on the redirect chassis of an otherwise
   distributed logical router.

PATCH v11 -> PATCH v12
Added a patch to automatically add router NAT and load balancer IP
addresses to "options:nat-addresses" of type "router" lsps, in order
to trigger gratuitous ARPs.  This patch is for existing gateway
routers.  A separate patch (not yet ready) is being developed to
extend gratuitous ARP functionality to distributed routers.

PATCH v10 -> PATCH v11
Rebase.
The first 3 patches from v10 were accepted, so they are no longer
included in the patch set.
Instead of the egress loopback patch from v10, finer-grained actions
were proposed by blp (thanks a lot!) and accepted, so the egress
loopback patch has been dropped from the patch set.
The NAT flows patch was revised to leverage the finer-grained actions
from blp's patch set.
A small new patch was added at the end to address concerns that
ovn-nb.xml descriptions should not describe southbound constructs and
flow details, since it is user facing documentation.

PATCH v9 -> PATCH v10
Patch 3 (distributed gateway port / chassisredirect port_binding) is
based on v8, with some rewrites in ovn-nb.xml to make it higher level
and remove references to sb constructs.
A decision still needs to be made between v10 patch 3 and v9 patch 3,
which dropped the suggested new port type of "chassisredirect" and
replaced it with a MLF_FORCE_CHASSIS_REDIRECT flag.
The egress loopback patch (patch 4) has been completely rewritten as
an action.  Flags are no longer needed for egress loopback, and there
are no longer any changes to ovn/controller/physical.c.  The action
now includes ct_clear.
The NAT flows patch now uses the new egress_loopback action, and adds
REGBIT_EGRESS_LOOPBACK, instead of the previous
MLF_EGRESS_LOOPBACK_OCCURRED flag.
SNAT recirc changes are now documented in ovn-sb.xml.
A new patch has been added extending ovn-nbctl nat commands with new
arguments for logical_port and external_mac.

PATCH v8 -> PATCH v9
This is just the first 3 patches.  The rest of the patch set will follow
once a decision is made on v8 patch 4 versus v9 patch 3.
The peer address patch was accepted, so it is no longer included in the
patch set.
The suggested new port type of "chassisredirect" has been dropped and
replaced by MLF_FORCE_CHASSIS_REDIRECT flag.

PATCH v7 -> PATCH v8
Incorporated incremental changes to is_chassis_resident() from blp.
Added patch that describes logical routers and logical patches in
ovn-architecture.
Renamed chassisredirect patch to emphasize distributed gateway ports
as well.
Added description of distributed gateway ports to ovn-architecture,
in distributed gateway port / chassisredirect patch.
Rewrote commit message for distributed gateway port / chassisredirect.

PATCH v6 -> PATCH v7
Rebase.
Documentation improvements to lsp addresses "router" patch as
suggested by blp.  Also added to ovn-nbctl documentation.

PATCH v5 -> PATCH v6
Added patch to automatically add router addresses to the addresses of
type "router" lsps.
Restricted logical switch destination lookup flows for logical router
distributed gateway port's MAC to the redirect chassis.
Automatically add distributed NAT MAC addresses to logical switch
destination lookup flows on the chassis where the NAT logical port resides.
Added tests for reachability from VIFs on the same logical switch as
localnet, through the logical router's distributed gateway port, to
internal VIFs.

PATCH v4 -> PATCH v5
Limited router ingress table 0 flow matching router ethernet address
on distributed gateway to redirect chassis.
Limited router ingress table 0 flows matching NAT ethernet address to
chassis where the NAT rule's logical port resides.
Rolled back changes to ICMP since they are not necessary.

PATCH v3 -> PATCH v4
Rebase.

PATCH v2 -> PATCH v3
Added table to set egress loopback flag in the egress pipeline stage,
fixing east-west NAT across multiple chassis.

PATCH v1 -> PATCH v2
Added ovn-trace logic for chassisredirect ports, including automated test.
Added ovn-trace logic for egress loopback.
Fixed some bugs in ovn-trace register handling from ingress to egress,
and across patch ports (should these be filed separately as well?).

RFC v4 -> PATCH v1
Added egress loopback capability
Added east/west NAT tests to system-ovn.at (make check-kernel)
Added REGBIT_NAT_REDIRECT flows to IN_IP_ROUTING and IN_ARP_RESOLVE,
resolving remaining issues with east/west NAT

RFC v3 -> RFC v4
Rebased to pick up recent changes to ovn-controller, including a fix
to the localnet issue where VIFs had to be added on a chassis in order
to cause the localnet port to be instantiated.
The chassisredirect port logic was rewritten to avoid creating an
ofport.  Besides streamlining the code significantly, this fixed the
problem when the distributed port name was longer than 12 characters.
Restricted IPv6 ND replies for the router IP address to the redirect
chassis, similar to IPv4 ARP restrictions.
Added specific gateway redirect flows for unresolved ethernet
destination, so that ARP requests generated by the router are sent
through the redirect chassis regardless of NAT rules.
Relaxed checks in chassisredirect tests so that they are independent
of register assignments.
Renamed ovn-northd.c "l3gateway_port" to "l3dgw_port" in order to
avoid overlaps with gateway router terminology.

RFC v2 -> RFC v3
Reordered the first two patches.
Moved non-NAT specific flows from patch 5 to patch 2.
Added automated tests for is_chassis_resident (which is ready for
review) and chassisredirect patches.
Added flows to limit ICMP echo replies for router IPs on the gateway
interface, so that they are only generated on the redirect-chassis.

Mickey Spiegel (6):
  ovn: move load balancing flows after NAT flows
  ovn: avoid snat recirc only on gateway routers
  ovn: distributed NAT flows
  ovn: ovn-nbctl commands for distributed NAT
  ovn: rewrite redirect-chassis description in ovn-nb.xml
  ovn: specify options:nat-addresses as "router"

 include/ovn/actions.h           |   3 +
 ovn/controller/lflow.c          |  10 +
 ovn/controller/ovn-controller.c |   6 +-
 ovn/lib/actions.c               |  15 +-
 ovn/northd/ovn-northd.8.xml     | 400 ++++++++++++++++++++++-
 ovn/northd/ovn-northd.c         | 680 +++++++++++++++++++++++++++++++---------
 ovn/ovn-architecture.7.xml      |   7 +-
 ovn/ovn-nb.ovsschema            |   6 +-
 ovn/ovn-nb.xml                  | 123 ++++++--
 ovn/ovn-sb.xml                  |  23 +-
 ovn/utilities/ovn-nbctl.8.xml   |  27 +-
 ovn/utilities/ovn-nbctl.c       |  54 +++-
 tests/ovn-nbctl.at              |  47 ++-
 tests/ovn.at                    |  62 +++-
 tests/system-ovn.at             | 320 +++++++++++++++++++
 15 files changed, 1561 insertions(+), 222 deletions(-)

-- 
1.9.1
