[ovs-discuss] [OVN] OVN NB "NAT" to accept CIDRs in logical_ip

Numan Siddique numans at ovn.org
Fri Jul 16 14:32:27 UTC 2021 

On Wed, Jul 14, 2021 at 4:02 PM Rodolfo Alonso Hernandez
<ralonsoh at redhat.com> wrote:
>
> Hello all:
>
> First of all, a bit of context. This question/request is related to [1]. The problem we have in OpenStack is that we are trying to create a VIP but not with a /32 IP address but with a CIDR.
>
> Since [2][3], is it possible to define VIPs in Neutron using OVN by creating an unassigned port. This port will provide the VIP. When this VIP is set to a bound port as "allowed_address_pairs", we set the LSP port type to "virtual".
>
> In Neutron we can assign a CIDR to a port as an "allowed_address_pairs". For example:
> $ openstack port show port10 | grep allowed_address_pairs
> allowed_address_pairs   | ip_address='1.2.3.0/24', mac_address='fa:16:3e:7d:ca:e4'
>
> The problem is that OVN, to set the virtual LSP chassis and thus create the OpenFlow rules in the selected OVS, is expecting an ARP from the exact IP address that matches with the VIP IP address. Any other IP address in the CIDR '1.2.3.0/24' (following the example provided), won't trigger the rule creation.
>
> Is there any mechanism to provide support for a virtual CIDR instead of a VIP? If not, are there any plans for this?

Hi Rodolfo,

As you know we have the logical port of type  - virtual to support the
use case where VIP is an IP.

Suppose if a logical port 'P' is created with address -
'50:54:00:00:00:03 10.0.0.3', ovn-northd adds
the below logical flow in the "lr_in_arp_resolve" logical router
pipeline (if the logical switch of
port 'P' is connected to the logical router),

  - table=14(lr_in_arp_resolve  ), priority=100  , match=(outport ==
"lr0-sw0" && reg0 == 10.0.0.3), action=(eth.dst = 50:54:00:00:00:03;
next;)


If the logical port 'P' is of type virtual, then ovn-northd modifies
the above logical flow to set the eth.dst to that of the virtual
parent.

In the issue you mentioned above,  since neutron doesn't set the
logical port 'P' as virtual, the eth.dst of the logical port 'P' is
used
and the packet gets dropped because the port 'P' is down.

I'm not sure if we can provide support for a virtual CIDR.

I think the problem would be solved if ovn-northd adds the above
arp_resolve flow only if the logical port is "UP".
Since the logical port 'P' would not be set as virtual and since it is
not bound to any VM, this could work.

But this would cause some latency as ovn-northd need to add this
logical flow after the logical port is UP.
Probably we can make use of the existing "lsp_is_up" config option for this.


Thanks
Numan

> Thank you in advance.
> Rodolfo Alonso (ralonsoh at redhat.com).
>
> [1]https://bugzilla.redhat.com/show_bug.cgi?id=1970907
> [2]https://github.com/ovn-org/ovn/commit/054f4c85c413e20d893e10ba053ec52ac15db49c
> [3]https://review.opendev.org/c/openstack/networking-ovn/+/676223
> _______________________________________________
> discuss mailing list
> discuss at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss

More information about the discuss mailing list