[ovs-git] [ovn-org/ovn] f9cab1: Allow explicit setting of the SNAT zone on a gatew...
noreply at github.com
Tue Nov 17 19:15:14 UTC 2020
Author: Mark Michelson <mmichels at redhat.com>
Date: 2020-11-17 (Tue, 17 Nov 2020)

Allow explicit setting of the SNAT zone on a gateway router.

In certain situations, OVN may coexist with other applications on a
host. Traffic from OVN and the other applications may then go out a
shared gateway. If OVN traffic and the other application traffic use
different conntrack zones for SNAT, then it is possible for the shared
gateway to assign conflicting source IP:port combinations. By sharing
the same conntrack zone, there will be no conflicting assignments.

In this commit, we introduce options:snat-ct-zone for northbound logical
routers. By setting this option, users can explicitly set the conntrack
zone for the logical router so that it will match the zone used by
non-OVN traffic on the host.

The biggest side effects of this patch are:
1) southbound datapath changes now result in recalculating CT zones in
   ovn-controller. This can result in recomputing physical flows in more
   situations than previously.
2) The table 65 flow to transition between datapaths is no longer
   associated with a port binding. This is because the flow refers to
   the peer datapath's CT zones, which can now be updated due to changes
   on that datapath. The flow therefore may need to be updated either
   due to the port binding being changed or the peer datapath being

Signed-off-by: Mark Michelson <mmichels at redhat.com>
Acked-by: Numan Siddique <numans at ovn.org>
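
Added example (not part of the commit or of the OVN code base): a toy Python model of the conflict the commit message describes, where SNAT port uniqueness is enforced only inside each conntrack zone. The zone numbers, addresses and the "keep the original port if it is free" selection rule are constructed assumptions for illustration.

```python
from collections import defaultdict

SNAT_IP = "203.0.113.1"          # constructed shared gateway address
DST = ("198.51.100.7", 443)      # constructed remote endpoint

class Conntrack:
    """Toy conntrack: translated tuples are kept unique per zone only."""
    def __init__(self):
        # zone id -> set of (snat_ip, src_port, dst_ip, dst_port) in use
        self.zones = defaultdict(set)

    def snat(self, zone, src_port, dst):
        """Translate to SNAT_IP, preferring the original source port and
        moving to another port only if the tuple is taken in this zone."""
        used = self.zones[zone]
        port = src_port
        while (SNAT_IP, port, *dst) in used:
            port = port + 1 if port < 65535 else 1024
        used.add((SNAT_IP, port, *dst))
        return (SNAT_IP, port, *dst)

def on_wire_conflicts(flows):
    """flows: list of (zone, src_port, dst). Returns the translated tuples
    that were handed out more than once across all zones."""
    ct = Conntrack()
    seen, dup = set(), set()
    for zone, port, dst in flows:
        t = ct.snat(zone, port, dst)
        (dup if t in seen else seen).add(t)
    return dup

# Two internal clients happen to use source port 40000 toward the same server.
# OVN router SNATs in zone 5, the other application in zone 0 (both constructed).
separate_zones = [(5, 40000, DST), (0, 40000, DST)]
# Same flows with the router's SNAT zone set to the host's zone.
shared_zone = [(0, 40000, DST), (0, 40000, DST)]

if __name__ == "__main__":
    print("separate zones:", on_wire_conflicts(separate_zones))
    print("shared zone:   ", on_wire_conflicts(shared_zone))
```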