[ovs-dev] [PATCH ovn v5 5/7] northd: Make use of new hairpin actions.
Dumitru Ceara
dceara at redhat.com
Wed Nov 18 09:10:31 UTC 2020
On 11/17/20 3:28 PM, numans at ovn.org wrote:
> From: Numan Siddique <numans at ovn.org>
>
> This patch makes use of the new hairpin OVN actions - chk_lb_hairpin, chk_lb_hairpin_reply
> and ct_snat_to_vip.
>
> Suppose there are 'm' load balancers associated to a logical switch and each load balancer
> has 'n' VIPs and each VIP has 'p' backends then ovn-northd adds (m * ((n * p) + n))
> hairpin logical flows. After this patch, ovn-northd adds just 5 hairpin logical flows.
>
> With this patch, the number of hairpin-related OF flows on a chassis is almost the same as before,
> but in a large scale deployment, this reduces memory consumption and load on ovn-northd and
> SB DB ovsdb-servers.
>
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---
> northd/ovn-northd.8.xml | 65 +++++++++++-----
> northd/ovn-northd.c | 160 +++++++++++++---------------------------
> tests/ovn-northd.at | 28 +++----
> tests/ovn.at | 2 +-
> 4 files changed, 116 insertions(+), 139 deletions(-)
>
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index b37cecd381..8c0a4a98f5 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -718,24 +718,55 @@
> <h3>Ingress Table 12: Pre-Hairpin</h3>
> <ul>
> <li>
> - For all configured load balancer VIPs a priority-2 flow that
> - matches on traffic that needs to be hairpinned, i.e., after load
> - balancing the destination IP matches the source IP, which sets
> - <code>reg0[6] = 1 </code> and executes <code>ct_snat(VIP)</code>
> - to force replies to these packets to come back through OVN.
> + If the logical switch has load balancer(s) configured, then a
> + priorirty-100 flow is added with the match
> + <code>ip && ct.trk&& ct.dnat</code> to check if the
> + packet needs to be hairpinned ( if after load balancing the destination
Nit: s/( if/(if/
> + IP matches the source IP) or not by executing the action
> + <code>reg0[6] = chk_lb_hairpin();</code> and advances the packet to
> + the next table.
> + </li>
> +
> + <li>
> + If the logical switch has load balancer(s) configured, then a
> + priorirty-90 flow is added with the match <code>ip</code> to check if
> + the packet is a reply for a hairpinned connection or not by executing
> + the action <code>reg0[6] = chk_lb_hairpin_reply();</code> and advances
> + the packet to the next table.
> </li>
> +
> <li>
> - For all configured load balancer VIPs a priority-1 flow that
> - matches on replies to hairpinned traffic, i.e., destination IP is VIP,
> - source IP is the backend IP and source L4 port is backend port, which
> - sets <code>reg0[6] = 1 </code> and executes <code>ct_snat;</code>.
> + A priority-0 flow that simply moves traffic to the next table.
> </li>
> + </ul>
> +
> + <h3>Ingress Table 13: Nat-Hairpin</h3>
> + <ul>
> + <li>
> + If the logical switch has load balancer(s) configured, then a
> + priorirty-100 flow is added with the match
> + <code>ip && (ct.new || ct.est) && ct.trk &&
> + ct.dnat && reg0[6] == 1</code> which hairpins the traffic by
> + NATting source IP to the load balancer VIP by executing the action
> + <code>ct_snat_to_vip</code> and advances the packet to the next table.
> + </li>
> +
> + <li>
> + If the logical switch has load balancer(s) configured, then a
> + priorirty-90 flow is added with the match
> + <code>ip && reg0[6] == 1</code> which matches on the replies
> + of hairpinned traffic ( i.e., destination IP is VIP,
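Review bot: "priorirty" is misspelled in all four added flow descriptions (the priority-100 and priority-90 entries in both the Pre-Hairpin and Nat-Hairpin tables); each should read "priority-100" or "priority-90". The first Pre-Hairpin match also drops a space in "ct.trk&& ct.dnat", while the Nat-Hairpin match writes the same operators with spaces on both sides. Because the Nat-Hairpin flows match on "reg0[6] == 1", the Pre-Hairpin entries would be easier to follow if they said which result of chk_lb_hairpin() and chk_lb_hairpin_reply() sets that bit, as the removed text did with "sets reg0[6] = 1".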
Nit: s/( i.e./(i.e./
Otherwise, this patch looks good to me, thanks!
Acked-by: Dumitru Ceara <dceara at redhat.com>