Native OVN BGP-EVPN only advertises addresses of ports that are directly
attached to an EVPN-enabled Logical Switch (VIFs and router ports).  A
distributed dnat_and_snat NAT entry -- i.e. an OpenStack-style floating
IP -- exists only as a NAT rule on the Logical Router and has no port on
the provider Logical Switch, so its external_ip/external_mac never reach
Advertised_MAC_Binding and the FIP stays unreachable from the EVPN
fabric.  This was raised on ovs-dev as an RFC and acknowledged as a
missing case rather than an intentional restriction.

This series closes that gap:

  1. northd populates Advertised_MAC_Binding on the provider Logical
     Switch that carries the NAT's distributed gateway port, using the
     NAT's external_ip/external_mac.
  2. ovn-controller injects those MACs into the EVPN advertise FDB so
     FRR can emit the Type-2 MAC+IP route.

It is gated by a new 'nat' token of the Logical Switch
dynamic-routing-redistribute option, independent of 'ip': 'ip' keeps
advertising VIF/router-port addresses, 'nat' opts in to floating IPs.
This mirrors the 'nat' token of the Logical_Router
dynamic-routing-redistribute option (same NAT entries, advertised as
EVPN Type-5 routes), and honors the per-NAT dynamic-routing-advertise
opt-out.

Testing:
 - tests/ovn-northd.at: new test for the 'nat' gating, independence from
   'ip', NAT add/remove, and the localnet requirement (a distributed FIP
   is only "distributed" when the provider LS has a localnet port).
   Inc-proc graph dump updated.
 - Validated on a Kube-OVN / OVN 26.03.90 lab: with
   dynamic-routing-redistribute=fdb,ip,nat an OpenStack FIP appears in
   Advertised_MAC_Binding on the provider LS router port and is reachable
   from the EVPN gateway (ping, 0% loss), alongside a direct-attach VM.

Notes for review:
 - en_advertised_mac_binding_sync now uses a recompute handler for the
   northd input instead of a noop, because the node reads per-datapath
   EVPN settings (VNI, redistribute tokens).  A targeted incremental
   handler could replace the full recompute later.
 - Distributed FIPs are advertised on the provider-LS router port binding
   (dgp->peer); locality vs. the workload chassis is a possible follow-up.
 - The user-facing documentation for the new 'nat' token is in ovn-nb.xml.
   A matching addition to the dynamic-routing architecture.rst guide is
   left for a follow-up.

Changes since v2:
 - Drop the Documentation/.../architecture.rst hunk; the 'nat' token is
   already documented in ovn-nb.xml and NEWS.  v1/v2 failed the 0-day
   robot because its apply base did not contain that (recently added)
   file; no code change.

Changes since v1:
 - Recorded a base-commit (kept).

Chanyeol Yoon (2):
  northd: Advertise distributed NAT IPs/MACs over EVPN.
  controller: Add Advertised_MAC_Binding to EVPN FDB.

 NEWS                              |   6 ++
 controller/neighbor.c             |  38 +++++++++++
 lib/ovn-util.c                    |   3 +
 lib/ovn-util.h                    |   3 +-
 northd/en-advertised-route-sync.c | 101 +++++++++++++++++++++++++++---
 northd/inc-proc-northd.c          |  14 +++--
 ovn-nb.xml                        |  14 +++++
 tests/ovn-inc-proc-graph-dump.at  |   3 +-
 tests/ovn-northd.at               |  93 +++++++++++++++++++++++++++
 9 files changed, 259 insertions(+), 16 deletions(-)


base-commit: 655f7bfd84aec6afad7447693022a1180789b930
--
2.54.0 (Apple Git-156)