[ovs-git] [ovn-org/ovn] 9653a4: ovn-northd: Don't send the pkt to conntrack if it ...

numansiddique noreply at github.com
Fri Aug 7 11:07:05 UTC 2020


  Branch: refs/heads/master
  Home:   https://github.com/ovn-org/ovn
  Commit: 9653a4ec597779bf0fb8352437e7faa04f9f4111
      https://github.com/ovn-org/ovn/commit/9653a4ec597779bf0fb8352437e7faa04f9f4111
  Author: Numan Siddique <numans at ovn.org>
  Date:   2020-08-07 (Fri, 07 Aug 2020)

  Changed paths:
    M northd/ovn-northd.8.xml
    M northd/ovn-northd.c

  Log Message:
  -----------
  ovn-northd: Don't send the pkt to conntrack if it is to be routed in egress stage.

If there is a logical port 'P1' with the IP - 10.0.0.3 and a logical port 'P2' with
the IP 20.0.0.3, and if the logical switch of 'P1' has at least one load balancer
associated with it and at least one ACL with allow-related action associated with it,
then for every packet from 'P1' to 'P2' after the TCP connection
is established we see a total of 4 recirculations in the datapath on the chassis
claiming 'P1'. This is because,

In the ingress logical switch pipeline, below logical flows are hit
 - table=9 (ls_in_lb           ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(reg0[2] = 1; next;)
 - table=10(ls_in_stateful     ), priority=100  , match=(reg0[2] == 1), action=(ct_lb;)

And in the egress logical switch pipeline, below logical flows are hit
 - table=0 (ls_out_pre_lb      ), priority=100  , match=(ip), action=(reg0[0] = 1; next;)
 - table=2 (ls_out_pre_stateful), priority=100  , match=(reg0[0] == 1), action=(ct_next;)
 - table=3 (ls_out_lb          ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(reg0[2] = 1; next;)
 - table=7 (ls_out_stateful    ), priority=100  , match=(reg0[2] == 1), action=(ct_lb;)

In the above example, when the packet enters the egress pipeline and since it needs to
enter the router pipeline, we can skip setting reg0[0] if outport is peer port of
logical router port. There is no need to send the packet to conntrack in this case.

This patch handles this case for router ports. Next patch in the series avoids sending to
conntrack with the action - ct_lb if the packet is not destined to the LB VIP.

With the present master for the above example, we see a total of 4 recirculations on the
chassis claiming the lport 'P1'. With this patch we see only 2 recirculations.

Acked-by: Dumitru Ceara <dceara at redhat.com>
Signed-off-by: Numan Siddique <numans at ovn.org>


  Commit: 09025d17e05d657959a856499da11b81f9734810
      https://github.com/ovn-org/ovn/commit/09025d17e05d657959a856499da11b81f9734810
  Author: Numan Siddique <numans at ovn.org>
  Date:   2020-08-07 (Fri, 07 Aug 2020)

  Changed paths:
    M lib/actions.c
    M lib/logical-fields.c
    M northd/ovn-northd.c
    M tests/ovn.at
    M tests/system-ovn.at

  Log Message:
  -----------
  ovn-northd: Don't send the pkt to conntrack for NAT if it's not destined for LB VIP.

Presently when a logical switch has load balancer(s) associated to it, then the
packet is still sent to conntrack with the action ct_lb on both the ingress
and egress logical switch pipeline even if the destination IP is not LB VIP.

This is because below logical flows are hit:

In the ingress logical switch pipeline:
  - table=9 (ls_in_lb       ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(reg0[2] = 1; next;)
  - table=10(ls_in_stateful ), priority=100  , match=(reg0[2] == 1), action=(ct_lb;)

In the egress logical switch pipeline:
  - table=3 (ls_out_lb      ), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv), action=(reg0[2] = 1; next;)
  - table=7 (ls_out_stateful), priority=100  , match=(reg0[2] == 1), action=(ct_lb;)

This patch avoids unnecessary ct actions by setting the ct_label.natted to 1 when the ct_lb(backends=...) action
is applied for NEW connections and updating the above logical flows to check for this mark:

 - table=9 (ls_in_lb), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct_label.natted == 1),
   action=(reg0[2] = 1; next;)

 - table=3 (ls_out_lb), priority=65535, match=(ct.est && !ct.rel && !ct.new && !ct.inv && ct_label.natted == 1),
   action=(reg0[2] = 1; next;)

Acked-by: Dumitru Ceara <dceara at redhat.com>
Signed-off-by: Numan Siddique <numans at ovn.org>


Compare: https://github.com/ovn-org/ovn/compare/be6294f7fc6e...09025d17e05d
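An added Python model (not code from the OVN project) of the four logical-switch stages the two commit messages walk through, counting how many times one packet is handed to conntrack under the old flows, with the first patch, and with both patches. The VIP 172.16.0.10, the flow key, and the assumption that the ingress pipeline has pre_lb/pre_stateful flows mirroring the egress ones quoted above are mine.

```python
"""Toy model of the logical-switch stages named in the two commit messages
(pre_lb, pre_stateful, lb, stateful) that counts how often one packet is
handed to conntrack.  Constructed illustration, not OVN's own code.  Assumed:
the ingress pre_lb/pre_stateful flows mirror the egress ones quoted in the
first message, and ct.* fields are valid only after a ct_next in the same
pipeline."""

LB_VIPS = {"172.16.0.10"}   # constructed VIP, not taken from the page
CONNTRACK = {}              # flow key -> {"est": bool, "natted": bool}

def switch_pipeline(key, dst_ip, direction, to_router_peer,
                    skip_router_peer, check_natted):
    """Run one logical-switch pipeline; return its ct recirculation count."""
    entry = CONNTRACK.setdefault(key, {"est": False, "natted": False})
    reg0_0 = reg0_2 = ct_valid = False
    recircs = 0
    # pre_lb: match=(ip) -> reg0[0] = 1; patch 1 skips this in the egress
    # pipeline when the outport is the peer of a logical router port.
    if not (skip_router_peer and direction == "egress" and to_router_peer):
        reg0_0 = True
    # pre_stateful: reg0[0] == 1 -> ct_next (one recirculation)
    if reg0_0:
        recircs, ct_valid = recircs + 1, True
    # lb prio 65535: ct.est && !ct.new [&& ct_label.natted == 1] -> reg0[2] = 1
    if ct_valid and entry["est"] and (entry["natted"] or not check_natted):
        reg0_2 = True
    # lb for a NEW connection to a VIP: ct_lb(backends=...) is applied and,
    # with patch 2, ct_label.natted is set on the conntrack entry.
    elif ct_valid and not entry["est"] and dst_ip in LB_VIPS:
        reg0_2 = True
        entry["natted"] = check_natted
    # stateful: reg0[2] == 1 -> ct_lb (another recirculation)
    if reg0_2:
        recircs += 1
    if ct_valid:
        entry["est"] = True   # conntrack has now seen the flow
    return recircs

def established_recircs(dst_ip, to_router_peer, skip_router_peer, check_natted):
    """Recirculations of one established packet across ingress + egress."""
    key = ("10.0.0.3", dst_ip)
    CONNTRACK.clear()
    for _ in range(2):   # pass 1 creates the ct entry, pass 2 is established
        total = sum(switch_pipeline(key, dst_ip, d, to_router_peer,
                                    skip_router_peer, check_natted)
                    for d in ("ingress", "egress"))
    return total

if __name__ == "__main__":   # P1 -> P2 via the router, as in the first message
    print([established_recircs("20.0.0.3", True, *f) for f in ((False, False), (True, False), (True, True))])
```

The three printed values are the model's count for master, for the first patch alone, and for both patches; only the first two (4 and 2) are figures the commit messages themselves state.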

