[ovs-dev] [PATCH ovn 3/3] northd: support HW VTEP with stateful datapath

Vladislav Odintsov odivlad at gmail.com
Fri Sep 17 15:03:02 UTC 2021


Hi,

done: https://patchwork.ozlabs.org/project/ovn/patch/20210917150104.6143-1-odivlad@gmail.com/

Regards,
Vladislav Odintsov

> On 17 Sep 2021, at 17:44, Numan Siddique <numans at ovn.org> wrote:
> 
> On Wed, Sep 15, 2021 at 8:07 PM Vladislav Odintsov <odivlad at gmail.com <mailto:odivlad at gmail.com>> wrote:
>> 
>> A packet going from HW VTEP device to VIF port when arrives to
>> hypervisor chassis should go through LS ingress pipeline to l2_lkp
>> stage without any match. In l2_lkp stage an output port is
>> determined and then packet passed to LS egress pipeline for futher
>> processing and to VIF port delivery.
>> 
>> Prior to this commit a packet, which was received from HW VTEP
>> device was dropped in an LS ingress datapath, where stateful services
>> were defined (ACLs, LBs).
>> 
>> To fix this issue we add a special flag-bit which can be used in LS
>> pipelines, to check whether the packet came from HW VTEP devices.
>> In ls_in_pre_acl and ls_in_pre_lb we add new flow with priority 110
>> to skip such packets.
>> 
>> Signed-off-by: Vladislav Odintsov <odivlad at gmail.com>
> 
> This needs a rebase.
> 
> Thanks
> Numan
> 
>> ---
>> Please note: I've got no experience in DDLog and have no ability to extensively
>>             test these changes.
>>             Just local ./configure --with-ddlog=...; make; make check was run
>>             It seems, that only irrelevant to these changes tests were failed.
>> ---
>> northd/ovn-northd.c  | 14 ++++++++++++++
>> northd/ovn_northd.dl | 33 +++++++++++++++++++++++++++++++--
>> tests/ovn-northd.at  |  2 ++
>> 3 files changed, 47 insertions(+), 2 deletions(-)
>> 
>> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
>> index 0ee2ba221..2a795d9e1 100644
>> --- a/northd/ovn-northd.c
>> +++ b/northd/ovn-northd.c
>> @@ -236,6 +236,7 @@ enum ovn_stage {
>> #define REGBIT_LKUP_FDB           "reg0[11]"
>> #define REGBIT_HAIRPIN_REPLY      "reg0[12]"
>> #define REGBIT_ACL_LABEL          "reg0[13]"
>> +#define REGBIT_FROM_RAMP          "reg0[14]"
>> 
>> #define REG_ORIG_DIP_IPV4         "reg1"
>> #define REG_ORIG_DIP_IPV6         "xxreg1"
>> @@ -5175,6 +5176,11 @@ build_lswitch_input_port_sec_op(
>>     if (queue_id) {
>>         ds_put_format(actions, "set_queue(%s); ", queue_id);
>>     }
>> +
>> +    if (!strcmp(op->nbsp->type, "vtep")) {
>> +        ds_put_format(actions, REGBIT_FROM_RAMP" = 1; ");
>> +    }
>> +
>>     ds_put_cstr(actions, "next;");
>>     ovn_lflow_add_with_lport_and_hint(lflows, op->od, S_SWITCH_IN_PORT_SEC_L2,
>>                                       50, ds_cstr(match), ds_cstr(actions),
>> @@ -5422,6 +5428,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *port_groups,
>>                       "nd || nd_rs || nd_ra || mldv1 || mldv2 || "
>>                       "(udp && udp.src == 546 && udp.dst == 547)", "next;");
>> 
>> +        /* Do not send coming from RAMP switch packets to conntrack. */
>> +        ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
>> +                      REGBIT_FROM_RAMP" == 1", "next;");
>> +
>>         /* Ingress and Egress Pre-ACL Table (Priority 100).
>>          *
>>          * Regardless of whether the ACL is "from-lport" or "to-lport",
>> @@ -5526,6 +5536,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows,
>>     ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
>>                   "eth.src == $svc_monitor_mac", "next;");
>> 
>> +    /* Do not send coming from RAMP switch packets to conntrack. */
>> +    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
>> +                  REGBIT_FROM_RAMP" == 1", "next;");
>> +
>>     /* Allow all packets to go to next tables by default. */
>>     ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;");
>>     ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;");
>> diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl
>> index d91f8111f..5b4ae980a 100644
>> --- a/northd/ovn_northd.dl
>> +++ b/northd/ovn_northd.dl
>> @@ -1622,6 +1622,7 @@ function rEGBIT_ACL_HINT_BLOCK()   : string = "reg0[10]"
>> function rEGBIT_LKUP_FDB()         : string = "reg0[11]"
>> function rEGBIT_HAIRPIN_REPLY()    : string = "reg0[12]"
>> function rEGBIT_ACL_LABEL()        : string = "reg0[13]"
>> +function rEGBIT_FROM_RAMP()        : string = "reg0[14]"
>> 
>> function rEG_ORIG_DIP_IPV4()       : string = "reg1"
>> function rEG_ORIG_DIP_IPV6()       : string = "xxreg1"
>> @@ -2058,6 +2059,16 @@ for (&Switch(._uuid = ls_uuid, .has_stateful_acl = true)) {
>>          .io_port          = None,
>>          .controller_meter = None);
>> 
>> +    /* Do not send coming from RAMP switch packets to conntrack. */
>> +    Flow(.logical_datapath = ls_uuid,
>> +         .stage            = s_SWITCH_IN_PRE_ACL(),
>> +         .priority         = 110,
>> +         .__match          = i"${rEGBIT_FROM_RAMP()} == 1",
>> +         .actions          = i"next;",
>> +         .stage_hint       = 0,
>> +         .io_port          = None,
>> +         .controller_meter = None);
>> +
>>     /* Ingress and Egress Pre-ACL Table (Priority 100).
>>      *
>>      * Regardless of whether the ACL is "from-lport" or "to-lport",
>> @@ -2124,6 +2135,16 @@ for (&Switch(._uuid = ls_uuid)) {
>>          .io_port          = None,
>>          .controller_meter = None);
>> 
>> +    /* Do not send coming from RAMP switch packets to conntrack. */
>> +    Flow(.logical_datapath = ls_uuid,
>> +         .stage            = s_SWITCH_IN_PRE_LB(),
>> +         .priority         = 110,
>> +         .__match          = i"${rEGBIT_FROM_RAMP()} == 1",
>> +         .actions          = i"next;",
>> +         .stage_hint       = 0,
>> +         .io_port          = None,
>> +         .controller_meter = None);
>> +
>>     /* Allow all packets to go to next tables by default. */
>>     Flow(.logical_datapath = ls_uuid,
>>          .stage            = s_SWITCH_IN_PRE_LB(),
>> @@ -3370,10 +3391,18 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name = json_name, .ps_eth_addresses
>>             } else {
>>                 i"inport == ${json_name} && eth.src == {${ps_eth_addresses.join(\" \")}}"
>>             } in
>> -        var actions = match (pbinding.options.get("qdisc_queue_id")) {
>> +        var actions = {
>> +            var ramp = if (lsp.__type == "vtep") {
>> +                i"${rEGBIT_FROM_RAMP()} = 1; "
>> +            } else {
>> +                i""
>> +            };
>> +            var queue = match (pbinding.options.get("qdisc_queue_id")) {
>>                 None -> i"next;",
>>                 Some{id} -> i"set_queue(${id}); next;"
>> -            } in
>> +            };
>> +            i"${ramp}${queue}"
>> +        } in
>>         Flow(.logical_datapath = sw._uuid,
>>              .stage            = s_SWITCH_IN_PORT_SEC_L2(),
>>              .priority         = 50,
>> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
>> index 26bb940aa..655e29b61 100644
>> --- a/tests/ovn-northd.at
>> +++ b/tests/ovn-northd.at
>> @@ -3589,6 +3589,7 @@ check_stateful_flows() {
>>   table=6 (ls_in_pre_lb       ), priority=110  , match=(eth.dst == $svc_monitor_mac), action=(next;)
>>   table=6 (ls_in_pre_lb       ), priority=110  , match=(ip && inport == "sw0-lr0"), action=(next;)
>>   table=6 (ls_in_pre_lb       ), priority=110  , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;)
>> +  table=6 (ls_in_pre_lb       ), priority=110  , match=(reg0[[14]] == 1), action=(next;)
>> ])
>> 
>>     AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
>> @@ -3652,6 +3653,7 @@ AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0], [dnl
>>   table=6 (ls_in_pre_lb       ), priority=110  , match=(eth.dst == $svc_monitor_mac), action=(next;)
>>   table=6 (ls_in_pre_lb       ), priority=110  , match=(ip && inport == "sw0-lr0"), action=(next;)
>>   table=6 (ls_in_pre_lb       ), priority=110  , match=(nd || nd_rs || nd_ra || mldv1 || mldv2), action=(next;)
>> +  table=6 (ls_in_pre_lb       ), priority=110  , match=(reg0[[14]] == 1), action=(next;)
>> ])
>> 
>> AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
>> --
>> 2.30.0
>> 
>> _______________________________________________
>> dev mailing list
>> dev at openvswitch.org <mailto:dev at openvswitch.org>
>> https://mail.openvswitch.org/mailman/listinfo/ovs-dev <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>
>> 
> _______________________________________________
> dev mailing list
> dev at openvswitch.org <mailto:dev at openvswitch.org>
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev <https://mail.openvswitch.org/mailman/listinfo/ovs-dev>


More information about the dev mailing list