[ovs-git] [ovn-org/ovn] ce0ef8: Properly handle hairpin traffic for VIPs with shar...

Dumitru Ceara noreply at github.com
Wed Feb 24 18:14:05 UTC 2021


  Branch: refs/heads/master
  Home:   https://github.com/ovn-org/ovn
  Commit: ce0ef8d59850255795ce5eb972821b8eb18945e5
      https://github.com/ovn-org/ovn/commit/ce0ef8d59850255795ce5eb972821b8eb18945e5
  Author: Dumitru Ceara <dceara at redhat.com>
  Date:   2021-02-24 (Wed, 24 Feb 2021)

  Changed paths:
    M controller/lflow.c
    M include/ovn/logical-fields.h
    M lib/lb.c
    M lib/lb.h
    M northd/ovn-northd.8.xml
    M northd/ovn-northd.c
    M ovn-sb.xml
    M tests/ofproto-macros.at
    M tests/ovn-northd.at
    M tests/ovn.at
    M tests/system-ovn.at

  Log Message:
  -----------
  Properly handle hairpin traffic for VIPs with shared backends.

If two load balancer VIPs share the same backend, both sets of hairpin
reply learn() flows should be generated.  In order to ensure that,
also match on the original destination IP and port tuple.  These are
now stored in OVS registers by ovn-northd in stage ls-in-stateful.

An alternative solution would be to add an additional match on
ct_nw_dst() and ct_tp_dst() in the hairpin detection flows but it's
better to avoid that because these matches are usually not offloadable
to hardware.

To ensure backwards compatibility though, if ovn-controller detects
that ovn-northd doesn't store the original destination tuple
information in OVS registers, ovn-controller falls back to using
ct_nw_dst() and ct_tp_dst().

Reported-by: Tim Rozet <trozet at redhat.com>
Reported-at: https://bugzilla.redhat.com/1931599
Fixes: 022ea339c8e2 ("lflow: Use learn() action to generate LB hairpin reply flows.")
Acked-by: Numan Siddique <numans at ovn.org>
Signed-off-by: Dumitru Ceara <dceara at redhat.com>
Signed-off-by: Numan Siddique <numans at ovn.org>


  Commit: e1f896fb8e1b505f09160052fc98e6a403fc27e5
      https://github.com/ovn-org/ovn/commit/e1f896fb8e1b505f09160052fc98e6a403fc27e5
  Author: Dumitru Ceara <dceara at redhat.com>
  Date:   2021-02-24 (Wed, 24 Feb 2021)

  Changed paths:
    M controller/lflow.c
    M tests/ovn.at

  Log Message:
  -----------
  lflow: Avoid matching on conntrack original tuple if possible.

Matching on ct_nw_dst()/ct_ipv6_dst()/ct_tp_dst() creates openflows
that often are not offloadable to hardware.  This was used for
detecting load balancer hairpin sessions.

However, it can be avoided if ovn-northd stores the original
destination tuple in OVS registers.  For backwards compatibility,
during upgrade, fall back to matching on the conntrack original tuple.

Acked-by: Numan Siddique <numans at ovn.org>
Signed-off-by: Dumitru Ceara <dceara at redhat.com>
Signed-off-by: Numan Siddique <numans at ovn.org>


  Commit: 110e670462a9ae580d40d14181c388fc2f0b1e1c
      https://github.com/ovn-org/ovn/commit/110e670462a9ae580d40d14181c388fc2f0b1e1c
  Author: Dumitru Ceara <dceara at redhat.com>
  Date:   2021-02-24 (Wed, 24 Feb 2021)

  Changed paths:
    M northd/ovn-northd.8.xml
    M northd/ovn-northd.c
    M tests/ovn-northd.at

  Log Message:
  -----------
  northd: Avoid matching on ct.dnat flags for load balancers.

Matching on ct.dnat creates openflows that often are not offloadable
to hardware.  ovn-northd uses ct.dnat only for load balancer hairpin
traffic handling and it turns out we don't really need to match on
ct.dnat.

Acked-by: Numan Siddique <numans at ovn.org>
Signed-off-by: Dumitru Ceara <dceara at redhat.com>
Signed-off-by: Numan Siddique <numans at ovn.org>


Compare: https://github.com/ovn-org/ovn/compare/c6c61b4e3462...110e670462a9

