[ovs-dev] [PATCH ovn 5/8] northd: introduce build_lrouter_out_undnat_flow routine

Mon Mar 8 11:17:15 UTC 2021

On Thu, Feb 25, 2021 at 6:20 PM Lorenzo Bianconi
<lorenzo.bianconi at redhat.com> wrote:
>
> Introduce build_lrouter_out_undnat_flow routine as a container for logical
> router per nat configuration in build_lrouter_nat_defrag_and_lb
> routine for S_ROUTER_OUT_UNDNAT table.
>
> Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi at redhat.com>

Hi Lorenzo,

Thanks for the patch series.

I applied the first 4 patches to master.  Patch 5,6 and 7 has
compilation issues when configured
with "--enable-Werror --enable-sparse" -
https://github.com/ovsrobot/ovn/runs/1979185053

Please address them.

Numan

> ---
>  northd/ovn-northd.c | 90 +++++++++++++++++++++++++--------------------
>  1 file changed, 51 insertions(+), 39 deletions(-)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index b0f2ba953..ce2c1dac2 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -11236,6 +11236,54 @@ build_lrouter_in_dnat_flow(struct hmap *lflows, struct ovn_datapath *od,
>      }
>  }
>
> +static void
> +build_lrouter_out_undnat_flow(struct hmap *lflows, struct ovn_datapath *od,
> +                              const struct nbrec_nat *nat, struct ds *match,
> +                              struct ds *actions, bool distributed,
> +                              struct eth_addr mac, bool is_v6)
> +{
> +    /* Egress UNDNAT table: It is for already established connections'
> +    * reverse traffic. i.e., DNAT has already been done in ingress
> +    * pipeline and now the packet has entered the egress pipeline as
> +    * part of a reply. We undo the DNAT here.
> +    *
> +    * Note that this only applies for NAT on a distributed router.
> +    * Undo DNAT on a gateway router is done in the ingress DNAT
> +    * pipeline stage. */
> +    if (!od->l3dgw_port ||
> +        (strcmp(nat->type, "dnat") && strcmp(nat->type, "dnat_and_snat"))) {
> +        return;
> +    }
> +
> +    ds_clear(match);
> +    ds_put_format(match, "ip && ip%s.src == %s && outport == %s",
> +                  is_v6 ? "6" : "4", nat->logical_ip,
> +                  od->l3dgw_port->json_key);
> +    if (!distributed && od->l3redirect_port) {
> +        /* Flows for NAT rules that are centralized are only
> +        * programmed on the gateway chassis. */
> +        ds_put_format(match, " && is_chassis_resident(%s)",
> +                      od->l3redirect_port->json_key);
> +    }
> +    ds_clear(actions);
> +    if (distributed) {
> +        ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
> +                      ETH_ADDR_ARGS(mac));
> +    }
> +
> +    if (!strcmp(nat->type, "dnat_and_snat") &&
> +        lrouter_nat_is_stateless(nat)) {
> +        ds_put_format(actions, "ip%s.src=%s; next;",
> +                      is_v6 ? "6" : "4", nat->external_ip);
> +    } else {
> +        ds_put_format(actions, "ct_dnat;");
> +    }
> +
> +    ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 100,
> +                            ds_cstr(match), ds_cstr(actions),
> +                            &nat->header_);
> +}
> +
>  /* NAT, Defrag and load balancing. */
>  static void
>  build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od,
> @@ -11415,45 +11463,9 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od,
>              sset_add(&nat_entries, nat->external_ip);
>          }
>
> -        /* Egress UNDNAT table: It is for already established connections'
> -         * reverse traffic. i.e., DNAT has already been done in ingress
> -         * pipeline and now the packet has entered the egress pipeline as
> -         * part of a reply. We undo the DNAT here.
> -         *
> -         * Note that this only applies for NAT on a distributed router.
> -         * Undo DNAT on a gateway router is done in the ingress DNAT
> -         * pipeline stage. */
> -        if (od->l3dgw_port && (!strcmp(nat->type, "dnat")
> -            || !strcmp(nat->type, "dnat_and_snat"))) {
> -            ds_clear(match);
> -            ds_put_format(match, "ip && ip%s.src == %s"
> -                                  " && outport == %s",
> -                          is_v6 ? "6" : "4",
> -                          nat->logical_ip,
> -                          od->l3dgw_port->json_key);
> -            if (!distributed && od->l3redirect_port) {
> -                /* Flows for NAT rules that are centralized are only
> -                 * programmed on the gateway chassis. */
> -                ds_put_format(match, " && is_chassis_resident(%s)",
> -                              od->l3redirect_port->json_key);
> -            }
> -            ds_clear(actions);
> -            if (distributed) {
> -                ds_put_format(actions, "eth.src = "ETH_ADDR_FMT"; ",
> -                              ETH_ADDR_ARGS(mac));
> -            }
> -
> -            if (!strcmp(nat->type, "dnat_and_snat") && stateless) {
> -                ds_put_format(actions, "ip%s.src=%s; next;",
> -                              is_v6 ? "6" : "4", nat->external_ip);
> -            } else {
> -                ds_put_format(actions, "ct_dnat;");
> -            }
> -
> -            ovn_lflow_add_with_hint(lflows, od, S_ROUTER_OUT_UNDNAT, 100,
> -                                    ds_cstr(match), ds_cstr(actions),
> -                                    &nat->header_);
> -        }
> +        /* S_ROUTER_OUT_UNDNAT */
> +        build_lrouter_out_undnat_flow(lflows, od, nat, match, actions, distributed,
> +                                      mac, is_v6);
>
>          /* Egress SNAT table: Packets enter the egress pipeline with
>           * source ip address that needs to be SNATted to a external ip
> --
> 2.29.2
>
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>