[ovs-dev] [PATCH ovn] ovn-northd: Address scale issues with DNAT flows.

Dumitru Ceara dceara at redhat.com
Tue Feb 4 12:59:24 UTC 2020


On 2/1/20 11:53 AM, numans at ovn.org wrote:
> From: Numan Siddique <numans at ovn.org>
> 
> When the commit [1] added Distributed NAT support in OVN, it didn't address
> the requirement of making East/West NAT traffic distributed. The E/W NAT
> traffic was still centralized. Later a couple of patches [2] addressed this
> requirement. But the approach taken in [2] resulted in a lot of logical flows
> as the number of dnat_and_snat entries increases, as reported in @Reported-at.
> 
> This patch
>   - reverts the approach taken in [2].
>   - removes the flows which do the NAT direct (REGBIT_NAT_REDIRECT) to
>     the gateway chassis.
>   - and to solve the E/W centralized NAT it does the following:
>      * Since for each NAT entry we know the MAC binding to be used for the
>        external_ip - either the external_mac if set or the MAC of the
>        distributed gateway router port, this patch adds the flows in the
>        S_ROUTER_IN_ARP_RESOLVE stage to set the eth.dst to the MAC if the
>        IP destination is external_ip.
>      * The existing flows in the S_ROUTER_OUT_EGR_LOOP are now added by additional
>        match -  is_chassis_resident('P') - where 'P' is logical_port of the NAT entry
>        if set, otherwise it is the chassis resident port of distributed router port.
>        With this additional match, the packet will be loopbacked to apply the unSNAT/DNAT
>        rules on the relevant chassis.
> 
> Suppose if a logical port 'P' with IP 'A' has a dnat_and_snat entry with external_mac/logical_port
> set, and if the packet's IP destination is one of the DNAT IP - then the packet will be sent out
> of the local chassis, since eth.dst is resolved in the S_ROUTER_IN_ARP_RESOLVE stage.
> If the external_mac/logical_port is not in NAT entry, then the packet will be redirected to
> the gateway chassis.
> 
> With this patch, for the logical resource reported in @Reported-at, the number of logical
> flows comes down to around 45k from 650k.
> 
> [1] - ceacd9d49316("ovn: distributed NAT flows")
> 
> [2] - 551e3d989557("OVN: fix DVR Floating IP support")
>       8244c6b6bd88("OVN: do not distribute traffic for local FIP")
> 
> Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2020-January/049714.html
> Reported-by: Daniel Alvarez Sanchez <dalvarez at redhat.com>
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---
>  northd/ovn-northd.8.xml | 191 +++++++++--------------------
>  northd/ovn-northd.c     | 264 ++++++----------------------------------
>  tests/ovn-northd.at     |   8 +-
>  3 files changed, 99 insertions(+), 364 deletions(-)
> 

Hi Numan,

The patch looks ok to me and it passes unit tests.

Hi Daniel,
As this is quite a significant change it might be nice if you could also
try it out on your setup.

Otherwise:

Acked-by: Dumitru Ceara <dceara at redhat.com>

Regards,
Dumitru


