[ovs-git] [openvswitch/ovs] 795d7f: OVN: Enable E-W Traffic, Vlan backed DVR

ankursharm noreply at github.com
Fri Jul 5 18:08:06 UTC 2019


  Branch: refs/heads/master
  Home:   https://github.com/openvswitch/ovs
  Commit: 795d7f24ce0e2ed5454e193a059451d237289542
      https://github.com/openvswitch/ovs/commit/795d7f24ce0e2ed5454e193a059451d237289542
  Author: Ankur Sharma <ankur.sharma at nutanix.com>
  Date:   2019-07-05 (Fri, 05 Jul 2019)

  Changed paths:
    M ovn/controller/binding.c
    M ovn/controller/chassis.c
    M ovn/controller/chassis.h
    M ovn/controller/ovn-controller.8.xml
    M ovn/controller/ovn-controller.c
    M ovn/controller/ovn-controller.h
    M ovn/controller/physical.c
    M ovn/ovn-architecture.7.xml
    M ovn/ovn-sb.xml
    M tests/ovn.at

  Log Message:
  -----------
  OVN: Enable E-W Traffic, Vlan backed DVR

Background:
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2018-October/353066.html
[2] https://docs.google.com/document/d/1uoQH478wM1OZ16HrxzbOUvk5LvFnfNEWbkPT6Zmm9OU/edit?usp=sharing

Key difference between an overlay logical switch and
vlan backed logical switch is that for vlan logical switches
packets are not encapsulated.

Hence, if a distributed router port is connected to vlan backed
logical switch, then router port mac as source mac could be
seen from multiple hypervisors. Same <mac,vlan> pairs coming
from multiple ports from a top of the rack switch (TOR) perspective
could be seen as a security threat and it could send alarms, drop
the packets or block the ports etc.

This patch addresses the same by introducing the concept of chassis mac.
A chassis mac is CMS provisioned unique mac per chassis. For any routed packet
(i.e. source mac is router port mac) going on the wire on a vlan type
logical switch, we will replace its source mac with chassis mac.

This replacing of source mac with chassis mac will happen in table=65
of the logical switch datapath. A flow is added at priority 150, which
matches the source mac and replaces it with chassis mac if the value
is a router port mac.

Example flow:
cookie=0x0, duration=67765.830s, table=65, n_packets=0, n_bytes=0,
idle_age=65534, hard_age=65534, priority=150,reg15=0x1,metadata=0x4,
dl_src=00:00:01:01:02:03 actions=mod_dl_src:aa:bb:cc:dd:ee:ff,
mod_vlan_vid:1000,output:16

Here, 00:00:01:01:02:03 is router port mac and aa:bb:cc:dd:ee:ff
is chassis mac.

Acked-by: Numan Siddique <nusiddiq at redhat.com>
Signed-off-by: Ankur Sharma <ankur.sharma at nutanix.com>
Signed-off-by: Ben Pfaff <blp at ovn.org>
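
The effect of the table=65 rewrite described in the log message, seen from the TOR's side, as an added example that is not part of the commit or of OVN's code. The first flow is the commit's example (abridged); the second chassis, its chassis MAC aa:bb:cc:dd:ee:01, the TOR port names and the flows without the rewrite are constructed for illustration.

```python
import re
from collections import defaultdict

ROUTER_MAC = "00:00:01:01:02:03"  # router port MAC from the commit's example flow
# tor-port-1 carries the commit's example flow (abridged); tor-port-2 is constructed.
PATCHED = {
    "tor-port-1": "cookie=0x0, table=65, priority=150,reg15=0x1,metadata=0x4,"
                  "dl_src=00:00:01:01:02:03 actions=mod_dl_src:aa:bb:cc:dd:ee:ff,"
                  "mod_vlan_vid:1000,output:16",
    "tor-port-2": "cookie=0x0, table=65, priority=150,reg15=0x1,metadata=0x4,"
                  "dl_src=00:00:01:01:02:03 actions=mod_dl_src:aa:bb:cc:dd:ee:01,"
                  "mod_vlan_vid:1000,output:7",
}
# Constructed "before" case: the same flows with the source-MAC rewrite removed.
UNPATCHED = {p: re.sub(r"mod_dl_src:[0-9a-f:]{17},", "", f) for p, f in PATCHED.items()}


def parse_flow(line):
    """Split a dump-flows style line into (match fields, ordered actions)."""
    head, _, tail = line.partition(" actions=")
    match = dict(kv.split("=", 1) for kv in re.split(r"[,\s]+", head) if "=" in kv)
    actions = [tuple(a.strip().split(":", 1)) for a in tail.split(",") if a.strip()]
    return match, actions


def wire_frame(flow, src_mac):
    """Return the (source MAC, VLAN) a frame carries after the flow's actions."""
    match, actions = parse_flow(flow)
    vlan = None
    if match.get("table") != "65" or match.get("dl_src") != src_mac:
        return src_mac, vlan  # flow does not apply to this packet
    for name, arg in actions:
        if name == "mod_dl_src":
            src_mac = arg
        elif name == "mod_vlan_vid":
            vlan = int(arg)
    return src_mac, vlan


def duplicated_sources(flows_by_port):
    """<mac,vlan> pairs that the TOR would learn on more than one port."""
    seen = defaultdict(set)
    for port, flow in flows_by_port.items():
        seen[wire_frame(flow, ROUTER_MAC)].add(port)
    return {pair: sorted(ports) for pair, ports in seen.items() if len(ports) > 1}


if __name__ == "__main__":
    print("without rewrite:", duplicated_sources(UNPATCHED))
    print("with rewrite:   ", duplicated_sources(PATCHED))
```

The same check can be run over real per-chassis flow dumps to confirm that no two chassis were provisioned with the same chassis MAC.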



