[ovs-discuss] [OVN] [was Re: logical_flow priorities between --src-ip routes and directly connected routes]

Han Zhou hzhou at ovn.org
Mon May 11 04:25:31 UTC 2020


On Sat, May 9, 2020 at 4:53 PM Girish Moodalbail <gmoodalbail at gmail.com>
wrote:
>
> (edited the subject line.. sorry about not adding the necessary tags initially)
>
> On Fri, May 8, 2020 at 12:50 AM Girish Moodalbail <gmoodalbail at gmail.com> wrote:
>>
>> Hello all,
>>
>> In certain cases, the logical_flow priorities in lr_in_ip_routing will
>> be such that one cannot forward the packets to the directly connected
>> logical switch. Let me explain using the logical topology below:
>>
>> +-----------+                    +-----------+
>> | l3gateway |                    | l3gateway |
>> |   node1   |                    |   node2   |
>> +----^------+                    +------^----+
>>  100.64.0.2                        100.64.0.3
>>      |                                  |
>> +----+----------------------------------+-----+
>> |                 join switch                 |
>> +----------------------^----------------------+
>>                        |
>> +----------------------+----------------------+      +----------------+
>> |               logical_router(lr1)           |      |      ls3       |
>> |  src-ip=192.168.1.0/24 nexthop=100.64.0.2   +------+ 172.16.0.0/23  |
>> |  src-ip=192.168.2.0/24 nexthop=100.64.0.3   |      |                |
>> +---------^-------------------------^---------+      +----------------+
>>           |                         |
>>           |                         |
>>  +--------+-------+           +-----+----------+
>>  |      ls1       |           |      ls2       |
>>  | 192.168.1.0/24 |           | 192.168.2.0/24 |
>>  +----------------+           +----------------+
>>
>>
>> We have 3 logical switches -- ls1, ls2, and ls3 directly connected to
>> the distributed router. On this router, we have added policy-based routing
>> based on the source IP. We steer all the packets from ls1 towards l3gateway
>> on node1 and all the packets from ls2 towards l3gateway on node2.
>>
>> Note that the prefix-length of the `ls3` router is a little larger than
>> that for ls1 and ls2.
>>
>> If you look at the logical flows that represent the static routes in
>> `lr_in_ip_routing` table for the distributed router, you will see that the
>> packets destined to ls3 will be matched last, that is after the source-ip
>> based routing. As a result, packets from LS1 and LS2 destined to LS3 will
>> never get forwarded to LS3 because they will hit the source-ip based routes
>> first due to longest-prefix match. The order of routes will be
>>
>> 1. ip4.dst == 192.168.1.0/24
>> 2. ip4.dst == 192.168.2.0/24
>> 3. ip4.dst == 100.64.0.0/24
>> 4. src-ip == 192.168.1.0/24
>> 5. src-ip == 192.168.2.0/24
>> 6. ip4.dst == 172.16.0.0/23
>>
>> Is this by design? One would think that the directly connected routes
>> should get higher priority before we start checking the source-ip based
>> routes.
>>
>> To work around the problem, I am thinking of putting another logical
>> router between the lr1 and ls3, like this:
>>   lr1 <---- peer -----> lr2 <----> ls3
>>       (some /30 CIDR)             (172.16.0.0/23)
>>
>> Regards
>> ~Girish
>>
>>

I agree with you. I think that even dst routes should take priority over
src routes (or the other way around). It seems not quite meaningful to
compare prefix length between src routes and dst routes. Not sure if
someone has a different opinion with certain use cases.

Thanks,
Han
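
The route ordering discussed in this thread, as an added example (not code from either poster or from OVN). It assumes a simplified priority model, 2 * prefix length plus 1 for dst routes, chosen because it reproduces the order listed in the quoted message; the function names, the `prio_dst_first` alternative and the sample packet are constructed for illustration.

```python
import ipaddress

# Routes on lr1, taken from the topology in the quoted message.
ROUTES = [
    ("dst", "192.168.1.0/24", "ls1"),
    ("dst", "192.168.2.0/24", "ls2"),
    ("dst", "100.64.0.0/24", "join"),
    ("src", "192.168.1.0/24", "nexthop 100.64.0.2"),
    ("src", "192.168.2.0/24", "nexthop 100.64.0.3"),
    ("dst", "172.16.0.0/23", "ls3"),
]

def prio_by_prefix_len(direction, net):
    # Assumed model: longer prefix wins; dst beats src only at equal length.
    return 2 * net.prefixlen + (1 if direction == "dst" else 0)

def prio_dst_first(direction, net):
    # Alternative from the reply: any dst route outranks every src route.
    return net.prefixlen + (1000 if direction == "dst" else 0)

def ordered(prio):
    """Routes sorted from highest to lowest priority (ties keep list order)."""
    return sorted(ROUTES, reverse=True,
                  key=lambda r: prio(r[0], ipaddress.ip_network(r[1])))

def lookup(src, dst, prio):
    """Label of the first route in priority order that matches the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for direction, prefix, label in ordered(prio):
        addr = src if direction == "src" else dst
        if addr in ipaddress.ip_network(prefix):
            return label
    return None

if __name__ == "__main__":
    # Constructed packet: a host on ls1 talking to a host on ls3.
    pkt = ("192.168.1.5", "172.16.0.10")
    for name, prio in (("prefix-length", prio_by_prefix_len),
                       ("dst-first", prio_dst_first)):
        print(name, "->", lookup(*pkt, prio))
```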