[ovs-dev] [PATCH ovn v5 5/7] northd: Make use of new hairpin actions.

Dumitru Ceara dceara at redhat.com
Wed Nov 18 09:10:31 UTC 2020


On 11/17/20 3:28 PM, numans at ovn.org wrote:
> From: Numan Siddique <numans at ovn.org>
> 
> This patch makes use of the new hairpin OVN actions - chk_lb_hairpin, chk_lb_hairpin_reply
> and ct_snat_to_vip.
> 
> Suppose there are 'm' load balancers associated to a logical switch and each load balancer
> has 'n' VIPs and each VIP has 'p' backends then ovn-northd adds (m * ((n * p) + n))
> hairpin logical flows. After this patch, ovn-northd adds just 5 hairpin logical flows.
> 
> With this patch, the number of hairpin-related OF flows on a chassis is almost the same as before,
> but in a large scale deployment, this reduces memory consumption and load on ovn-northd and
> SB DB ovsdb-servers.
> 
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---
>  northd/ovn-northd.8.xml |  65 +++++++++++-----
>  northd/ovn-northd.c     | 160 +++++++++++++---------------------------
>  tests/ovn-northd.at     |  28 +++----
>  tests/ovn.at            |   2 +-
>  4 files changed, 116 insertions(+), 139 deletions(-)
> 
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index b37cecd381..8c0a4a98f5 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -718,24 +718,55 @@
>      <h3>Ingress Table 12: Pre-Hairpin</h3>
>      <ul>
>        <li>
> -        For all configured load balancer VIPs a priority-2 flow that
> -        matches on traffic that needs to be hairpinned, i.e., after load
> -        balancing the destination IP matches the source IP, which sets
> -        <code>reg0[6] = 1 </code> and executes <code>ct_snat(VIP)</code>
> -        to force replies to these packets to come back through OVN.
> +        If the logical switch has load balancer(s) configured, then a
> +        priorirty-100 flow is added with the match
> +        <code>ip && ct.trk&& ct.dnat</code> to check if the
> +        packet needs to be hairpinned ( if after load balancing the destination

Nit: s/( if/(if/

> +        IP matches the source IP) or not by executing the action
> +        <code>reg0[6] = chk_lb_hairpin();</code> and advances the packet to
> +        the next table.
> +      </li>
> +
> +      <li>
> +        If the logical switch has load balancer(s) configured, then a
> +        priorirty-90 flow is added with the match <code>ip</code> to check if
> +        the packet is a reply for a hairpinned connection or not by executing
> +        the action <code>reg0[6] = chk_lb_hairpin_reply();</code> and advances
> +        the packet to the next table.
>        </li>
> +
>        <li>
> -        For all configured load balancer VIPs a priority-1 flow that
> -        matches on replies to hairpinned traffic, i.e., destination IP is VIP,
> -        source IP is the backend IP and source L4 port is backend port, which
> -        sets <code>reg0[6] = 1 </code> and executes <code>ct_snat;</code>.
> +        A priority-0 flow that simply moves traffic to the next table.
>        </li>
> +    </ul>
> +
> +    <h3>Ingress Table 13: Nat-Hairpin</h3>
> +    <ul>
> +      <li>
> +         If the logical switch has load balancer(s) configured, then a
> +         priorirty-100 flow is added with the match
> +         <code>ip && (ct.new || ct.est) && ct.trk &&
> +         ct.dnat && reg0[6] == 1</code> which hairpins the traffic by
> +         NATting source IP to the load balancer VIP by executing the action
> +         <code>ct_snat_to_vip</code> and advances the packet to the next table.
> +      </li>
> +
> +      <li>
> +         If the logical switch has load balancer(s) configured, then a
> +         priorirty-90 flow is added with the match
> +         <code>ip && reg0[6] == 1</code> which matches on the replies
> +         of hairpinned traffic ( i.e., destination IP is VIP,
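
Review bot: "priorirty" is misspelled in all four new flow descriptions in this hunk (priorirty-100 and priorirty-90 under Pre-Hairpin, and again under Nat-Hairpin); each should read "priority", since operators search this man page for the priority values when matching documented flows against what northd installs. In the first Pre-Hairpin item the match is written "ct.trk&& ct.dnat" without a space before the operator, while the Nat-Hairpin match spells it "ct.trk && ct.dnat"; please make the two consistent. The Nat-Hairpin action is given as "ct_snat_to_vip" with no trailing semicolon, whereas "chk_lb_hairpin();" and "chk_lb_hairpin_reply();" carry one, so it would help to write all three actions in the same form.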

Nit: s/( i.e./(i.e./

Otherwise, this patch looks good to me, thanks!

Acked-by: Dumitru Ceara <dceara at redhat.com>


