[ovs-dev] [PATCH ovn v2] northd: Add lflows to send all pkts to conntrack if LB is configured on a lswitch.
Dumitru Ceara
dceara at redhat.com
Fri Sep 11 09:32:40 UTC 2020
On 9/11/20 11:10 AM, numans at ovn.org wrote:
> From: Numan Siddique <numans at ovn.org>
>
> Prior to this patch, if a load balancer is configured on a logical switch but with no
> ACLs with allow-related configured, then in the ingress pipeline only the packets
> with ip.dst = VIP will be sent to conntrack using the zone id of the source logical port.
>
> If the backend of the load balancer, sends an invalid packet (for example invalid tcp
> sequence number), then such packets will be delivered to the source logical port VIF
> without unDNATting. This causes the source to reset the connection.
>
> This patch fixes this issue by sending all the packets to conntrack if a load balancer
> is configured on the logical switch. Because of this, any invalid (ct.inv) packets will
> be dropped in the ingress pipeline itself.
>
> Unfortunately this impacts the performance as now there will be extra recirculations
> because of ct and ct_commit (for new connections) actions.
>
> Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=1870359
> Reported-by: Tim Rozet (trozet at redhat.com)
> Signed-off-by: Numan Siddique <numans at ovn.org>
> ---
> v1 -> v2
> ----
> * Addressed the review comments from Dumitru and Mark.
>
> northd/ovn-northd.8.xml | 41 +++++++++++++++++-----
> northd/ovn-northd.c | 77 +++++++++++++++++++++++++----------------
> 2 files changed, 80 insertions(+), 38 deletions(-)
>
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index a275442a82..a9826e8e9e 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -340,15 +340,12 @@
> it contains a priority-110 flow to move IPv6 Neighbor Discovery traffic
> to the next table. If load balancing rules with virtual IP addresses
> (and ports) are configured in <code>OVN_Northbound</code> database for a
> - logical switch datapath, a priority-100 flow is added for each configured
> - virtual IP address <var>VIP</var>. For IPv4 <var>VIPs</var>, the match is
> - <code>ip && ip4.dst == <var>VIP</var></code>. For IPv6
> - <var>VIPs</var>, the match is <code>ip &&
> - ip6.dst == <var>VIP</var></code>. The flow sets an action
> + logical switch datapath, a priority-100 flow is added with the match
> + <code>ip</code> to match on IP packets and sets the action
> <code>reg0[0] = 1; next;</code> to act as a hint for table
> <code>Pre-stateful</code> to send IP packets to the connection tracker
> - for packet de-fragmentation before eventually advancing to ingress table
> - <code>LB</code>.
> + for packet de-fragmentation before eventually advancing to ingress
> + table <code>LB</code>.
> If controller_event has been enabled and load balancing rules with
> empty backends have been added in <code>OVN_Northbound</code>, a 130 flow
> is added to trigger ovn-controller events whenever the chassis receives a
> @@ -356,6 +353,32 @@
> previously created, it will be associated to the empty_lb logical flow
> </p>
>
> + <p>
> + Prior to <code>OVN 20.09</code> we were setting the
> + <code>reg0[0] = 1</code> only if the IP destination matches the load
> + balancer VIP. However this had few issues cases where a logical switch
> + doesn't have any ACLs with <code>allow-related</code> action.
> + To understand the issue lets a take a TCP load balancer -
> + <code>10.0.0.10:80=10.0.0.3:80</code>. If a logical port - p1 with
> + IP - 10.0.0.5 opens a TCP connection with the VIP - 10.0.0.10, then the
> + packet in the ingress pipeline of 'p1' is sent to the p1's conntrack zone
> + id and the packet is load balanced to the backend - 10.0.0.3. For the
> + reply packet from the backend lport, it is not sent to the conntrack of
> + backend lport's zone id. This is fine as long as the packet is valid.
> + Suppose the backend lport sends an invalid TCP packet (like incorrect
> + sequence number), the packet gets delivered to the lport 'p1' without
> + unDNATing the packet to the VIP - 10.0.0.10. And this causes the
> + connection to be reset by the lport p1's VIF.
> + </p>
> +
> + <p>
> + We can't fix this issue by adding a logical flow to drop ct.inv packets
> + in the egress pipeline since it will drop all other connections not
> + destined to the load balancers. To fix this issue, we send all the
> + packets to the conntrack in the ingress pipeline if a load balancer is
> + configured. We can now add a lflow to drop ct.inv packets.
> + </p>
> +
> <p>
> This table also has a priority-110 flow with the match
> <code>eth.dst == <var>E</var></code> for all logical switch
> @@ -430,8 +453,8 @@
> <p>
> This table also contains a priority 0 flow with action
> <code>next;</code>, so that ACLs allow packets by default. If the
> - logical datapath has a statetful ACL, the following flows will
> - also be added:
> + logical datapath has a statetful ACL or a load balancer with VIP
> + configured, the following flows will also be added:
Tiny nit: s/statetful/stateful
With this addressed:
Acked-by: Dumitru Ceara <dceara at redhat.com>
Thanks,
Dumitru
More information about the dev
mailing list