[ovs-dev] [PATCH ovn] RFC ovn-northd: bypass ct for allow ACLs
Ihar Hrachyshka
ihrachys at redhat.com
Wed Mar 3 18:21:38 UTC 2021
On Tue, Mar 2, 2021 at 1:38 PM Numan Siddique <numans at ovn.org> wrote:
>
> On Tue, Feb 2, 2021 at 10:09 AM Ihar Hrachyshka <ihrachys at redhat.com> wrote:
> >
> > NB: For now, the patch is for discussion only, pending performance
> > measurements.
> >
> > For allow ACLs, bypass connection tracking by avoiding setting ct hints
> > for matching traffic. Avoid sending all traffic to ct when a stateful
> > ACL is present. Before the patch, this unnecessarily hit performance
> > when mixed ACL action types were used for the same datapath.
> >
> > The patch takes inspiration from a now abandoned patch:
> >
> > "ovn-northd: Support mixing stateless/stateful ACLs with
> > Stateless_Filter." by Dumitru Ceara.
> >
> > Signed-off-by: Ihar Hrachyshka <ihrachys at redhat.com>
>
> Hi Ihar,
>
> Sorry for the delay in the review of this patch. Are you planning to submit it
> as a formal patch ?
>
> If the patch is still not ready as a formal one, can you please repost
> this patch after rebasing ?
Hi,
I was actually collecting some data on performance of the patch before
formally proposing it and am re-sending it today. Thanks for interest.
Ihar
>
>
> Thanks
> Numan
>
> > ---
> > NEWS | 1 +
> > northd/ovn-northd.8.xml | 9 +-
> > northd/ovn-northd.c | 166 +++++++++++++++---------
> > tests/ovn-northd.at | 271 ++++++++++++++++++++++++++++++++++++++++
> > 4 files changed, 384 insertions(+), 63 deletions(-)
> >
> > diff --git a/NEWS b/NEWS
> > index e89c5f408..67e87c476 100644
> > --- a/NEWS
> > +++ b/NEWS
> > @@ -10,6 +10,7 @@ Post-v20.12.0
> > "ovn-installed". This external-id is set by ovn-controller only after all
> > openflow operations corresponding to the OVS interface being added have
> > been processed.
> > + - Bypass connection tracking for ACL "allow" action processing.
> >
> > OVN v20.12.0 - 18 Dec 2020
> > --------------------------
> > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> > index 70065a36d..ff91c0e00 100644
> > --- a/northd/ovn-northd.8.xml
> > +++ b/northd/ovn-northd.8.xml
> > @@ -319,7 +319,9 @@
> > before eventually advancing to ingress table <code>ACLs</code>. If
> > special ports such as route ports or localnet ports can't use ct(), a
> > priority-110 flow is added to skip over stateful ACLs. IPv6 Neighbor
> > - Discovery and MLD traffic also skips stateful ACLs.
> > + Discovery and MLD traffic also skips stateful ACLs. For stateless "allow"
> > + ACLs, a flow is added to bypass setting the hint for connection tracker
> > + processing.
> > </p>
> >
> > <p>
> > @@ -502,10 +504,7 @@
> > <ul>
> > <li>
> > <code>allow</code> ACLs translate into logical flows with
> > - the <code>next;</code> action. If there are any stateful ACLs
> > - on this datapath, then <code>allow</code> ACLs translate to
> > - <code>ct_commit; next;</code> (which acts as a hint for the next tables
> > - to commit the connection to conntrack),
> > + the <code>next;</code> action.
> > </li>
> > <li>
> > <code>allow-related</code> ACLs translate into logical
> > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> > index b2eb93835..f7c17238f 100644
> > --- a/northd/ovn-northd.c
> > +++ b/northd/ovn-northd.c
> > @@ -4802,7 +4802,58 @@ skip_port_from_conntrack(struct ovn_datapath *od, struct ovn_port *op,
> > }
> >
> > static void
> > -build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
> > +build_stateless_filter(struct ovn_datapath *od,
> > + const struct nbrec_acl *acl,
> > + struct hmap *lflows)
> > +{
> > + /* Stateless filters must be applied in both directions so that reply
> > + * traffic bypasses conntrack too.
> > + */
> > + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL,
> > + acl->priority + OVN_ACL_PRI_OFFSET,
> > + acl->match,
> > + "next;",
> > + &acl->header_);
> > + ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL,
> > + acl->priority + OVN_ACL_PRI_OFFSET,
> > + acl->match,
> > + "next;",
> > + &acl->header_);
> > +}
> > +
> > +static bool
> > +acl_is_stateless(const struct nbrec_acl *acl)
> > +{
> > + return !strcmp(acl->action, "allow");
> > +}
> > +
> > +static void
> > +build_stateless_filters(struct ovn_datapath *od, struct hmap *port_groups,
> > + struct hmap *lflows)
> > +{
> > + for (size_t i = 0; i < od->nbs->n_acls; i++) {
> > + const struct nbrec_acl *acl = od->nbs->acls[i];
> > + if (acl_is_stateless(acl)) {
> > + build_stateless_filter(od, acl, lflows);
> > + }
> > + }
> > +
> > + struct ovn_port_group *pg;
> > + HMAP_FOR_EACH (pg, key_node, port_groups) {
> > + if (ovn_port_group_ls_find(pg, &od->nbs->header_.uuid)) {
> > + for (size_t i = 0; i < pg->nb_pg->n_acls; i++) {
> > + const struct nbrec_acl *acl = pg->nb_pg->acls[i];
> > + if (acl_is_stateless(acl)) {
> > + build_stateless_filter(od, acl, lflows);
> > + }
> > + }
> > + }
> > + }
> > +}
> > +
> > +static void
> > +build_pre_acls(struct ovn_datapath *od, struct hmap *port_groups,
> > + struct hmap *lflows)
> > {
> > bool has_stateful = has_stateful_acl(od);
> >
> > @@ -4832,6 +4883,8 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
> > 110, lflows);
> > }
> >
> > + build_stateless_filters(od, port_groups, lflows);
> > +
> > /* Ingress and Egress Pre-ACL Table (Priority 110).
> > *
> > * Not to do conntrack on ND and ICMP destination
> > @@ -5252,70 +5305,67 @@ consider_acl(struct hmap *lflows, struct ovn_datapath *od,
> > bool ingress = !strcmp(acl->direction, "from-lport") ? true :false;
> > enum ovn_stage stage = ingress ? S_SWITCH_IN_ACL : S_SWITCH_OUT_ACL;
> >
> > - if (!strcmp(acl->action, "allow")
> > - || !strcmp(acl->action, "allow-related")) {
> > + if (!strcmp(acl->action, "allow")) {
> > /* If there are any stateful flows, we must even commit "allow"
> > * actions. This is because, while the initiater's
> > * direction may not have any stateful rules, the server's
> > * may and then its return traffic would not have an
> > * associated conntrack entry and would return "+invalid". */
> > - if (!has_stateful) {
> > - struct ds actions = DS_EMPTY_INITIALIZER;
> > - build_acl_log(&actions, acl, meter_groups);
> > - ds_put_cstr(&actions, "next;");
> > - ovn_lflow_add_with_hint(lflows, od, stage,
> > - acl->priority + OVN_ACL_PRI_OFFSET,
> > - acl->match, ds_cstr(&actions),
> > - &acl->header_);
> > - ds_destroy(&actions);
> > - } else {
> > - struct ds match = DS_EMPTY_INITIALIZER;
> > - struct ds actions = DS_EMPTY_INITIALIZER;
> > + struct ds actions = DS_EMPTY_INITIALIZER;
> > + build_acl_log(&actions, acl, meter_groups);
> > + ds_put_cstr(&actions, "next;");
> > + ovn_lflow_add_with_hint(lflows, od, stage,
> > + acl->priority + OVN_ACL_PRI_OFFSET,
> > + acl->match, ds_cstr(&actions),
> > + &acl->header_);
> > + ds_destroy(&actions);
> > + } else if (!strcmp(acl->action, "allow-related")) {
> > + struct ds match = DS_EMPTY_INITIALIZER;
> > + struct ds actions = DS_EMPTY_INITIALIZER;
> >
> > - /* Commit the connection tracking entry if it's a new
> > - * connection that matches this ACL. After this commit,
> > - * the reply traffic is allowed by a flow we create at
> > - * priority 65535, defined earlier.
> > - *
> > - * It's also possible that a known connection was marked for
> > - * deletion after a policy was deleted, but the policy was
> > - * re-added while that connection is still known. We catch
> > - * that case here and un-set ct_label.blocked (which will be done
> > - * by ct_commit in the "stateful" stage) to indicate that the
> > - * connection should be allowed to resume.
> > - */
> > - ds_put_format(&match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)",
> > - acl->match);
> > - ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
> > - build_acl_log(&actions, acl, meter_groups);
> > - ds_put_cstr(&actions, "next;");
> > - ovn_lflow_add_with_hint(lflows, od, stage,
> > - acl->priority + OVN_ACL_PRI_OFFSET,
> > - ds_cstr(&match),
> > - ds_cstr(&actions),
> > - &acl->header_);
> > -
> > - /* Match on traffic in the request direction for an established
> > - * connection tracking entry that has not been marked for
> > - * deletion. There is no need to commit here, so we can just
> > - * proceed to the next table. We use this to ensure that this
> > - * connection is still allowed by the currently defined
> > - * policy. Match untracked packets too. */
> > - ds_clear(&match);
> > - ds_clear(&actions);
> > - ds_put_format(&match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)",
> > - acl->match);
> > + /* Commit the connection tracking entry if it's a new
> > + * connection that matches this ACL. After this commit,
> > + * the reply traffic is allowed by a flow we create at
> > + * priority 65535, defined earlier.
> > + *
> > + * It's also possible that a known connection was marked for
> > + * deletion after a policy was deleted, but the policy was
> > + * re-added while that connection is still known. We catch
> > + * that case here and un-set ct_label.blocked (which will be done
> > + * by ct_commit in the "stateful" stage) to indicate that the
> > + * connection should be allowed to resume.
> > + */
> > + ds_put_format(&match, REGBIT_ACL_HINT_ALLOW_NEW " == 1 && (%s)",
> > + acl->match);
> > + ds_put_cstr(&actions, REGBIT_CONNTRACK_COMMIT" = 1; ");
> > + build_acl_log(&actions, acl, meter_groups);
> > + ds_put_cstr(&actions, "next;");
> > + ovn_lflow_add_with_hint(lflows, od, stage,
> > + acl->priority + OVN_ACL_PRI_OFFSET,
> > + ds_cstr(&match),
> > + ds_cstr(&actions),
> > + &acl->header_);
> > +
> > + /* Match on traffic in the request direction for an established
> > + * connection tracking entry that has not been marked for
> > + * deletion. There is no need to commit here, so we can just
> > + * proceed to the next table. We use this to ensure that this
> > + * connection is still allowed by the currently defined
> > + * policy. Match untracked packets too. */
> > + ds_clear(&match);
> > + ds_clear(&actions);
> > + ds_put_format(&match, REGBIT_ACL_HINT_ALLOW " == 1 && (%s)",
> > + acl->match);
> >
> > - build_acl_log(&actions, acl, meter_groups);
> > - ds_put_cstr(&actions, "next;");
> > - ovn_lflow_add_with_hint(lflows, od, stage,
> > - acl->priority + OVN_ACL_PRI_OFFSET,
> > - ds_cstr(&match), ds_cstr(&actions),
> > - &acl->header_);
> > + build_acl_log(&actions, acl, meter_groups);
> > + ds_put_cstr(&actions, "next;");
> > + ovn_lflow_add_with_hint(lflows, od, stage,
> > + acl->priority + OVN_ACL_PRI_OFFSET,
> > + ds_cstr(&match), ds_cstr(&actions),
> > + &acl->header_);
> >
> > - ds_destroy(&match);
> > - ds_destroy(&actions);
> > - }
> > + ds_destroy(&match);
> > + ds_destroy(&actions);
> > } else if (!strcmp(acl->action, "drop")
> > || !strcmp(acl->action, "reject")) {
> > struct ds match = DS_EMPTY_INITIALIZER;
> > @@ -6586,7 +6636,7 @@ build_lswitch_lflows_pre_acl_and_acl(struct ovn_datapath *od,
> > struct hmap *lbs)
> > {
> > if (od->nbs) {
> > - build_pre_acls(od, lflows);
> > + build_pre_acls(od, port_groups, lflows);
> > build_pre_lb(od, lflows, meter_groups, lbs);
> > build_pre_stateful(od, lflows);
> > build_acl_hints(od, lflows);
> > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > index 8597ca1b9..402c7e8b1 100644
> > --- a/tests/ovn-northd.at
> > +++ b/tests/ovn-northd.at
> > @@ -2337,6 +2337,277 @@ sed 's/reg8\[[0..15\]] == [[0-9]]*/reg8\[[0..15\]] == <cleared>/' | sort], [0],
> >
> > AT_CLEANUP
> >
> > +AT_SETUP([ovn -- ACL allow omit conntrack - Logical_Switch])
> > +ovn_start
> > +
> > +ovn-nbctl ls-add ls
> > +ovn-nbctl lsp-add ls lsp1
> > +ovn-nbctl lsp-set-addresses lsp1 00:00:00:00:00:01
> > +ovn-nbctl lsp-add ls lsp2
> > +ovn-nbctl lsp-set-addresses lsp2 00:00:00:00:00:02
> > +
> > +ovn-nbctl acl-add ls from-lport 3 "tcp" allow-related
> > +ovn-nbctl acl-add ls from-lport 2 "udp" allow-related
> > +ovn-nbctl acl-add ls from-lport 1 "ip" drop
> > +ovn-nbctl --wait=sb sync
> > +
> > +flow_eth='eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02'
> > +flow_ip='ip.ttl==64 && ip4.src == 42.42.42.1 && ip4.dst == 66.66.66.66'
> > +flow_tcp='tcp && tcp.dst == 80'
> > +flow_udp='udp && udp.dst == 80'
> > +
> > +# TCP packets should go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0
> > +ct_next(ct_state=new|trk) {
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > +};
> > +])
> > +
> > +# UDP packets should go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# udp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80
> > +ct_next(ct_state=new|trk) {
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > +};
> > +])
> > +
> > +# Allow stateless for TCP.
> > +ovn-nbctl acl-add ls from-lport 1 tcp allow
> > +ovn-nbctl --wait=sb sync
> > +
> > +# TCP packets should not go to conntrack anymore.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
> > +AT_CHECK([ovn-trace --minimal ls "${flow}"], [0], [dnl
> > +# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0
> > +output("lsp2");
> > +])
> > +
> > +# UDP packets still go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# udp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80
> > +ct_next(ct_state=new|trk) {
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > +};
> > +])
> > +
> > +# Add a load balancer.
> > +ovn-nbctl lb-add lb-tcp 66.66.66.66:80 42.42.42.2:8080 tcp
> > +ovn-nbctl lb-add lb-udp 66.66.66.66:80 42.42.42.2:8080 udp
> > +ovn-nbctl ls-lb-add ls lb-tcp
> > +ovn-nbctl ls-lb-add ls lb-udp
> > +
> > +# Remove stateless for TCP.
> > +ovn-nbctl acl-del ls
> > +ovn-nbctl --wait=sb sync
> > +
> > +# TCP packets should go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0
> > +ct_next(ct_state=new|trk) {
> > + ct_lb {
> > + reg0[[6]] = 0;
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > + };
> > +};
> > +])
> > +
> > +# UDP packets should go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# udp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80
> > +ct_next(ct_state=new|trk) {
> > + ct_lb {
> > + reg0[[6]] = 0;
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > + };
> > +};
> > +])
> > +
> > +# Allow stateless for TCP.
> > +ovn-nbctl acl-add ls from-lport 1 tcp allow
> > +ovn-nbctl --wait=sb sync
> > +
> > +# TCP packets should go to conntrack for load balancing.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0
> > +ct_next(ct_state=new|trk) {
> > + ct_lb {
> > + reg0[[6]] = 0;
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > + };
> > +};
> > +])
> > +
> > +# UDP packets still go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# udp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80
> > +ct_next(ct_state=new|trk) {
> > + ct_lb {
> > + reg0[[6]] = 0;
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > + };
> > +};
> > +])
> > +
> > +AT_CLEANUP
> > +
> > +AT_SETUP([ovn -- ACL allow omit conntrack - Port_Group])
> > +ovn_start
> > +
> > +ovn-nbctl ls-add ls
> > +ovn-nbctl lsp-add ls lsp1
> > +ovn-nbctl lsp-set-addresses lsp1 00:00:00:00:00:01
> > +ovn-nbctl lsp-add ls lsp2
> > +ovn-nbctl lsp-set-addresses lsp2 00:00:00:00:00:02
> > +
> > +ovn-nbctl pg-add pg lsp1 lsp2
> > +ovn-nbctl acl-add pg from-lport 3 "tcp" allow-related
> > +ovn-nbctl acl-add pg from-lport 2 "udp" allow-related
> > +ovn-nbctl acl-add pg from-lport 1 "ip" drop
> > +ovn-nbctl --wait=sb sync
> > +
> > +flow_eth='eth.src == 00:00:00:00:00:01 && eth.dst == 00:00:00:00:00:02'
> > +flow_ip='ip.ttl==64 && ip4.src == 42.42.42.1 && ip4.dst == 66.66.66.66'
> > +flow_tcp='tcp && tcp.dst == 80'
> > +flow_udp='udp && udp.dst == 80'
> > +
> > +# TCP packets should go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0
> > +ct_next(ct_state=new|trk) {
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > +};
> > +])
> > +
> > +# UDP packets should go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# udp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80
> > +ct_next(ct_state=new|trk) {
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > +};
> > +])
> > +
> > +# Allow stateless for TCP.
> > +ovn-nbctl acl-add pg from-lport 1 tcp allow
> > +ovn-nbctl --wait=sb sync
> > +
> > +# TCP packets should not go to conntrack anymore.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
> > +AT_CHECK([ovn-trace --minimal ls "${flow}"], [0], [dnl
> > +# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0
> > +output("lsp2");
> > +])
> > +
> > +# UDP packets still go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# udp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80
> > +ct_next(ct_state=new|trk) {
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > +};
> > +])
> > +
> > +# Add a load balancer.
> > +ovn-nbctl lb-add lb-tcp 66.66.66.66:80 42.42.42.2:8080 tcp
> > +ovn-nbctl lb-add lb-udp 66.66.66.66:80 42.42.42.2:8080 udp
> > +ovn-nbctl ls-lb-add ls lb-tcp
> > +ovn-nbctl ls-lb-add ls lb-udp
> > +
> > +# Remove stateless for TCP.
> > +ovn-nbctl acl-del pg
> > +ovn-nbctl --wait=sb sync
> > +
> > +# TCP packets should go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0
> > +ct_next(ct_state=new|trk) {
> > + ct_lb {
> > + reg0[[6]] = 0;
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > + };
> > +};
> > +])
> > +
> > +# UDP packets should go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# udp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80
> > +ct_next(ct_state=new|trk) {
> > + ct_lb {
> > + reg0[[6]] = 0;
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > + };
> > +};
> > +])
> > +
> > +# Allow stateless for TCP.
> > +ovn-nbctl acl-add pg from-lport 1 tcp allow
> > +ovn-nbctl --wait=sb sync
> > +
> > +# TCP packets should go to conntrack for load balancing.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_tcp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80,tcp_flags=0
> > +ct_next(ct_state=new|trk) {
> > + ct_lb {
> > + reg0[[6]] = 0;
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > + };
> > +};
> > +])
> > +
> > +# UDP packets still go to conntrack.
> > +flow="inport == \"lsp1\" && ${flow_eth} && ${flow_ip} && ${flow_udp}"
> > +AT_CHECK([ovn-trace --ct new --ct new --minimal ls "${flow}"], [0], [dnl
> > +# udp,reg14=0x1,vlan_tci=0x0000,dl_src=00:00:00:00:00:01,dl_dst=00:00:00:00:00:02,nw_src=42.42.42.1,nw_dst=66.66.66.66,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=80
> > +ct_next(ct_state=new|trk) {
> > + ct_lb {
> > + reg0[[6]] = 0;
> > + ct_next(ct_state=new|trk) {
> > + output("lsp2");
> > + };
> > + };
> > +};
> > +])
> > +
> > +AT_CLEANUP
> > +
> > AT_SETUP([ovn -- check BFD config propagation to SBDB])
> > AT_KEYWORDS([northd-bfd])
> > ovn_start
> > --
> > 2.29.2
> >
> > _______________________________________________
> > dev mailing list
> > dev at openvswitch.org
> > https://mail.openvswitch.org/mailman/listinfo/ovs-dev
> >
>
More information about the dev
mailing list