The existing OpenFlow table layout left zero free slots between regions: the ingress pipeline occupied tables 8-41, the output implementation tables started immediately at 42, the egress pipeline at 48, and the post-egress auxiliary tables at 64. Adding even a single new ingress stage would cause a collision with the output tables, requiring a cascade of renumbering.
Introduce comfortable gaps between the four table regions so that future stages can be added without disturbing the rest of the layout: Tables 8-41: ingress pipeline (34 stages, unchanged) Tables 42-51: gap (10 free slots) Tables 52-57: output implementation (6 tables) Tables 58-61: gap (4 free slots) Tables 62-77: egress pipeline (16 stages) Tables 78-87: gap (10 free slots) Tables 88-112: post-egress auxiliary tables (25 tables) Tables 113-254: unused (142 free slots) Add BUILD_ASSERT_DECL guards to catch any future overlap at compile time. Assisted-by: Claude Opus 4.6, Claude Code Signed-off-by: Ales Musil <[email protected]> --- controller/lflow.h | 75 ++++++++++++++----------- controller/physical.c | 107 +++++++++++++++++------------------ ovn-architecture.7.xml | 124 ++++++++++++++++++++--------------------- tests/ovn-macros.at | 63 ++++++++++----------- tests/ovn.at | 2 - 5 files changed, 189 insertions(+), 182 deletions(-) diff --git a/controller/lflow.h b/controller/lflow.h index 4bae1dfab..786cf974e 100644 --- a/controller/lflow.h +++ b/controller/lflow.h @@ -63,47 +63,54 @@ struct uuid; * * These are heavily documented in ovn-architecture(7), please update it if * you make any changes. */ -#define OFTABLE_PHY_TO_LOG 0 +#define OFTABLE_PHY_TO_LOG 0 /* Start of LOG_PIPELINE_LEN tables. */ -#define OFTABLE_LOG_INGRESS_PIPELINE 8 -#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 42 -#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 43 -#define OFTABLE_REMOTE_OUTPUT 44 -#define OFTABLE_REMOTE_VTEP_OUTPUT 45 -#define OFTABLE_LOCAL_OUTPUT 46 -#define OFTABLE_CHECK_LOOPBACK 47 +#define OFTABLE_LOG_INGRESS_PIPELINE 8 +#define OFTABLE_OUTPUT_LARGE_PKT_DETECT 52 +#define OFTABLE_OUTPUT_LARGE_PKT_PROCESS 53 +#define OFTABLE_REMOTE_OUTPUT 54 +#define OFTABLE_REMOTE_VTEP_OUTPUT 55 +#define OFTABLE_LOCAL_OUTPUT 56 +#define OFTABLE_CHECK_LOOPBACK 57 /* Start of the OUTPUT section of the pipeline. */ #define OFTABLE_OUTPUT_INIT OFTABLE_OUTPUT_LARGE_PKT_DETECT /* Start of LOG_PIPELINE_LEN tables. */ -#define OFTABLE_LOG_EGRESS_PIPELINE 48 -#define OFTABLE_SAVE_INPORT 64 -#define OFTABLE_LOG_TO_PHY 65 -#define OFTABLE_MAC_BINDING 66 -#define OFTABLE_MAC_LOOKUP 67 -#define OFTABLE_CHK_LB_HAIRPIN 68 -#define OFTABLE_CHK_LB_HAIRPIN_REPLY 69 -#define OFTABLE_CT_SNAT_HAIRPIN 70 -#define OFTABLE_GET_FDB 71 -#define OFTABLE_LOOKUP_FDB 72 -#define OFTABLE_CHK_IN_PORT_SEC 73 -#define OFTABLE_CHK_IN_PORT_SEC_ND 74 -#define OFTABLE_CHK_OUT_PORT_SEC 75 -#define OFTABLE_ECMP_NH_MAC 76 -#define OFTABLE_ECMP_NH 77 -#define OFTABLE_CHK_LB_AFFINITY 78 -#define OFTABLE_MAC_CACHE_USE 79 -#define OFTABLE_CT_ZONE_LOOKUP 80 -#define OFTABLE_CT_ORIG_NW_DST_LOAD 81 -#define OFTABLE_CT_ORIG_IP6_DST_LOAD 82 -#define OFTABLE_CT_ORIG_TP_DST_LOAD 83 -#define OFTABLE_FLOOD_REMOTE_CHASSIS 84 -#define OFTABLE_CT_STATE_SAVE 85 -#define OFTABLE_CT_ORIG_PROTO_LOAD 86 -#define OFTABLE_GET_REMOTE_FDB 87 -#define OFTABLE_LEARN_REMOTE_FDB 88 +#define OFTABLE_LOG_EGRESS_PIPELINE 62 +#define OFTABLE_SAVE_INPORT 88 +#define OFTABLE_LOG_TO_PHY 89 +#define OFTABLE_MAC_BINDING 90 +#define OFTABLE_MAC_LOOKUP 91 +#define OFTABLE_CHK_LB_HAIRPIN 92 +#define OFTABLE_CHK_LB_HAIRPIN_REPLY 93 +#define OFTABLE_CT_SNAT_HAIRPIN 94 +#define OFTABLE_GET_FDB 95 +#define OFTABLE_LOOKUP_FDB 96 +#define OFTABLE_CHK_IN_PORT_SEC 97 +#define OFTABLE_CHK_IN_PORT_SEC_ND 98 +#define OFTABLE_CHK_OUT_PORT_SEC 99 +#define OFTABLE_ECMP_NH_MAC 100 +#define OFTABLE_ECMP_NH 101 +#define OFTABLE_CHK_LB_AFFINITY 102 +#define OFTABLE_MAC_CACHE_USE 103 +#define OFTABLE_CT_ZONE_LOOKUP 104 +#define OFTABLE_CT_ORIG_NW_DST_LOAD 105 +#define OFTABLE_CT_ORIG_IP6_DST_LOAD 106 +#define OFTABLE_CT_ORIG_TP_DST_LOAD 107 +#define OFTABLE_FLOOD_REMOTE_CHASSIS 108 +#define OFTABLE_CT_STATE_SAVE 109 +#define OFTABLE_CT_ORIG_PROTO_LOAD 110 +#define OFTABLE_GET_REMOTE_FDB 111 +#define OFTABLE_LEARN_REMOTE_FDB 112 + +/* Verify that table regions do not overlap. */ +BUILD_ASSERT_DECL(OFTABLE_LOG_INGRESS_PIPELINE + LOG_PIPELINE_INGRESS_LEN + <= OFTABLE_OUTPUT_LARGE_PKT_DETECT); +BUILD_ASSERT_DECL(OFTABLE_CHECK_LOOPBACK < OFTABLE_LOG_EGRESS_PIPELINE); +BUILD_ASSERT_DECL(OFTABLE_LOG_EGRESS_PIPELINE + LOG_PIPELINE_EGRESS_LEN + <= OFTABLE_SAVE_INPORT); struct lflow_ctx_in { diff --git a/controller/physical.c b/controller/physical.c index 42b42e948..7584d6065 100644 --- a/controller/physical.c +++ b/controller/physical.c @@ -805,7 +805,7 @@ put_redirect_overlay_to_source(const struct sbrec_port_binding *binding, * from ct_label to send the packet back to p1's host. */ - /* Table 45 (LOCAL_OUTPUT), priority 110 + /* Table 56 (LOCAL_OUTPUT), priority 110 * ===================================== * * Each flow matches a logical inport to a nf port and checks if @@ -837,7 +837,7 @@ put_redirect_overlay_to_source(const struct sbrec_port_binding *binding, binding->header_.uuid.parts[0], match, ofpacts_p, &binding->header_.uuid); - /* Table 45 (LOCAL_OUTPUT), priority 110 + /* Table 56 (LOCAL_OUTPUT), priority 110 * In case NF is sending back a response on the port it received the * packet on, instead of forwarding out of the other port (e.g. NF sending * RST to the SYN received), the ct lookup in linked port's zone would @@ -870,7 +870,7 @@ put_redirect_overlay_to_source(const struct sbrec_port_binding *binding, ofpacts_p, &binding->header_.uuid); } - /* Table 45 (LOCAL_OUTPUT), priority 109 + /* Table 56 (LOCAL_OUTPUT), priority 109 * ===================================== * * A flow is installed For each {remote tunnel_id, nf port} combination. It @@ -1314,7 +1314,7 @@ put_replace_router_port_mac_flows(const struct physical_ctx *ctx, } free(cr_peer_name); - /* Table 65, priority 150. + /* Table 89, priority 150. * ======================= * * Implements output to localnet port. @@ -1442,12 +1442,12 @@ put_local_common_flows(uint32_t dp_key, uint32_t port_key = pb->tunnel_key; - /* Table 45, priority 100. + /* Table 56, priority 100. * ======================= * * Implements output to local hypervisor. Each flow matches a * logical output port on the local hypervisor, and resubmits to - * table 46. + * table 57. */ ofpbuf_clear(ofpacts_p); @@ -1457,13 +1457,13 @@ put_local_common_flows(uint32_t dp_key, put_zones_ofpacts(zone_ids, ofpacts_p); - /* Resubmit to table 46. */ + /* Resubmit to table 57. */ put_resubmit(OFTABLE_CHECK_LOOPBACK, ofpacts_p); ofctrl_add_flow(flow_table, OFTABLE_LOCAL_OUTPUT, 100, pb->header_.uuid.parts[0], &match, ofpacts_p, &pb->header_.uuid); - /* Table 46, Priority 100. + /* Table 57, Priority 100. * ======================= * * Drop packets whose logical inport and outport are the same @@ -1480,7 +1480,7 @@ put_local_common_flows(uint32_t dp_key, pb->header_.uuid.parts[0], &match, ofpacts_p, &pb->header_.uuid); - /* Table 46, Priority 1. + /* Table 57, Priority 1. * ======================= * For datapath with network function ports, add a flow to clear only the * required logical registers. @@ -1498,7 +1498,7 @@ put_local_common_flows(uint32_t dp_key, ofpacts_p, &pb->datapath->header_.uuid); } - /* Table 64, Priority 100. + /* Table 88, Priority 100. * ======================= * * If the packet is supposed to hair-pin because the @@ -1507,7 +1507,7 @@ put_local_common_flows(uint32_t dp_key, * - or if "nested_container" flag is set and the destination is the * parent port, * temporarily set the in_port to OFPP_NONE, resubmit to - * table 65 for logical-to-physical translation, then restore + * table 89 for logical-to-physical translation, then restore * the port number. * * If 'parent_pb' is not NULL, then the 'pb' represents a nested @@ -2197,8 +2197,8 @@ consider_port_binding(const struct physical_ctx *ctx, } if (type == LP_VIF) { - /* Table 80, priority 100. - * ======================= + /* Table 104, priority 100. + * ======================== * * Process ICMP{4,6} error packets too big locally generated from the * kernel in order to lookup proper ct_zone. */ @@ -2260,12 +2260,12 @@ consider_port_binding(const struct physical_ctx *ctx, ha_chassis_group_is_active(binding->ha_chassis_group, ctx->active_tunnels, ctx->chassis))) { - /* Table 45, priority 100. + /* Table 56, priority 100. * ======================= * * Implements output to local hypervisor. Each flow matches a * logical output port on the local hypervisor, and resubmits to - * table 46. For ports of type "chassisredirect", the logical + * table 57. For ports of type "chassisredirect", the logical * output port is changed from the "chassisredirect" port to the * underlying distributed port. */ @@ -2306,7 +2306,7 @@ consider_port_binding(const struct physical_ctx *ctx, * go out from the same tunnel inport. */ put_load(ofp_to_u16(OFPP_NONE), MFF_IN_PORT, 0, 16, ofpacts_p); - /* Resubmit to table 46. */ + /* Resubmit to table 57. */ put_resubmit(OFTABLE_CHECK_LOOPBACK, ofpacts_p); } @@ -2509,7 +2509,7 @@ consider_port_binding(const struct physical_ctx *ctx, ofport, flow_table); } - /* Table 65, Priority 100. + /* Table 89, Priority 100. * ======================= * * Deliver the packet to the local vif. */ @@ -2539,7 +2539,7 @@ consider_port_binding(const struct physical_ctx *ctx, ofport, flow_table); } - /* Table 46, priority 160. + /* Table 57, priority 160. * ======================= * * Do not forward local traffic from a localport to a localnet port. @@ -2610,13 +2610,13 @@ consider_port_binding(const struct physical_ctx *ctx, } } - /* Table 43, priority 150. + /* Table 54, priority 150. * ======================= * * Handles packets received from ports of type "localport". These * ports are present on every hypervisor. Traffic that originates at * one should never go over a tunnel to a remote hypervisor, - * so resubmit them to table 45 for local delivery. */ + * so resubmit them to table 56 for local delivery. */ if (type == LP_LOCALPORT) { ofpbuf_clear(ofpacts_p); put_resubmit(OFTABLE_LOCAL_OUTPUT, ofpacts_p); @@ -2644,7 +2644,7 @@ consider_port_binding(const struct physical_ctx *ctx, } } else if (access_type == PORT_LOCALNET && !ctx->always_tunnel) { /* Remote port connected by localnet port */ - /* Table 45, priority 100. + /* Table 56, priority 100. * ======================= * * Implements switching to localnet port. Each flow matches a @@ -2664,7 +2664,7 @@ consider_port_binding(const struct physical_ctx *ctx, put_load(localnet_port->tunnel_key, MFF_LOG_OUTPORT, 0, 32, ofpacts_p); - /* Resubmit to table 45. */ + /* Resubmit to table 56. */ put_resubmit(OFTABLE_LOCAL_OUTPUT, ofpacts_p); ofctrl_add_flow(flow_table, OFTABLE_LOCAL_OUTPUT, 100, binding->header_.uuid.parts[0], @@ -2681,7 +2681,7 @@ consider_port_binding(const struct physical_ctx *ctx, const char *redirect_type = smap_get(&binding->options, "redirect-type"); - /* Table 43, priority 100. + /* Table 54, priority 100. * ======================= * * Handles traffic that needs to be sent to a remote hypervisor. Each @@ -3999,8 +3999,8 @@ physical_run(struct physical_ctx *p_ctx, put_chassis_mac_conj_id_flow(p_ctx->chassis_table, p_ctx->chassis, &ofpacts, flow_table); - /* Set up flows in table 0 for physical-to-logical translation and in table - * 64 for logical-to-physical translation. */ + /* Set up flows in table 0 for physical-to-logical translation and in + * table 88 for logical-to-physical translation. */ const struct sbrec_port_binding *binding; SBREC_PORT_BINDING_TABLE_FOR_EACH (binding, p_ctx->port_binding_table) { consider_port_binding(p_ctx, binding, get_lport_type(binding), @@ -4015,7 +4015,7 @@ physical_run(struct physical_ctx *p_ctx, ofctrl_add_flow(flow_table, OFTABLE_CT_ZONE_LOOKUP, 0, 0, &ct_look_def_match, &ofpacts, hc_uuid); - /* Handle output to multicast groups, in tables 40 and 41. */ + /* Handle output to multicast groups, in tables 54 and 56. */ const struct sbrec_multicast_group *mc; SBREC_MULTICAST_GROUP_TABLE_FOR_EACH (mc, p_ctx->mc_group_table) { consider_mc_group(p_ctx, mc, flow_table); @@ -4031,7 +4031,7 @@ physical_run(struct physical_ctx *p_ctx, * have metadata about the ingress and egress logical ports. * VXLAN encapsulations have metadata about the egress logical port only. * We set MFF_LOG_DATAPATH, MFF_LOG_INPORT, and MFF_LOG_OUTPORT from the - * tunnel key data where possible, then resubmit to table 45 to handle + * tunnel key data where possible, then resubmit to table 56 to handle * packets to the local hypervisor. */ struct chassis_tunnel *tun; HMAP_FOR_EACH (tun, hmap_node, p_ctx->chassis_tunnels) { @@ -4133,7 +4133,7 @@ physical_run(struct physical_ctx *p_ctx, */ add_default_drop_flow(p_ctx, OFTABLE_PHY_TO_LOG, flow_table); - /* Table 41-42, priority 0. + /* Table 52-53, priority 0. * ======================== * * Default resubmit actions for OFTABLE_OUTPUT_LARGE_PKT_* tables. @@ -4159,12 +4159,12 @@ physical_run(struct physical_ctx *p_ctx, ofctrl_add_flow(flow_table, OFTABLE_OUTPUT_LARGE_PKT_PROCESS, 0, 0, &match, &ofpacts, hc_uuid); - /* Table 43, priority 150. + /* Table 54, priority 150. * ======================= * * Handles packets received from a VXLAN tunnel which get resubmitted to * OFTABLE_LOG_INGRESS_PIPELINE due to lack of needed metadata in VXLAN, - * explicitly skip sending back out any tunnels and resubmit to table 43 + * explicitly skip sending back out any tunnels and resubmit to table 56 * for local delivery, except packets which have MLF_ALLOW_LOOPBACK bit * set. */ @@ -4172,13 +4172,13 @@ physical_run(struct physical_ctx *p_ctx, match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0, MLF_RCV_FROM_RAMP, MLF_RCV_FROM_RAMP | MLF_ALLOW_LOOPBACK); - /* Resubmit to table 45. */ + /* Resubmit to table 56. */ ofpbuf_clear(&ofpacts); put_resubmit(OFTABLE_LOCAL_OUTPUT, &ofpacts); ofctrl_add_flow(flow_table, OFTABLE_REMOTE_OUTPUT, 150, 0, &match, &ofpacts, hc_uuid); - /* Table 43, priority 150. + /* Table 54, priority 150. * ======================= * * Packets that should not be sent to other hypervisors. @@ -4186,13 +4186,13 @@ physical_run(struct physical_ctx *p_ctx, match_init_catchall(&match); match_set_reg_masked(&match, MFF_LOG_FLAGS - MFF_REG0, MLF_LOCAL_ONLY, MLF_LOCAL_ONLY); - /* Resubmit to table 45. */ + /* Resubmit to table 56. */ ofpbuf_clear(&ofpacts); put_resubmit(OFTABLE_LOCAL_OUTPUT, &ofpacts); ofctrl_add_flow(flow_table, OFTABLE_REMOTE_OUTPUT, 150, 0, &match, &ofpacts, hc_uuid); - /* Table 43, Priority 0. + /* Table 54, Priority 0. * ======================= * * Resubmit packets that are not directed at OVN tunnels or part of a @@ -4203,7 +4203,7 @@ physical_run(struct physical_ctx *p_ctx, ofctrl_add_flow(flow_table, OFTABLE_REMOTE_OUTPUT, 0, 0, &match, &ofpacts, hc_uuid); - /* Table 44, Priority 0. + /* Table 55, Priority 0. * ======================= * * Resubmit packets that are not directed to remote VTEP to the local @@ -4214,19 +4214,20 @@ physical_run(struct physical_ctx *p_ctx, ofctrl_add_flow(flow_table, OFTABLE_REMOTE_VTEP_OUTPUT, 0, 0, &match, &ofpacts, hc_uuid); - /* Table 45, priority 0. + /* Table 56, priority 0. * ====================== * * Drop packets that do not match previous flows. */ add_default_drop_flow(p_ctx, OFTABLE_LOCAL_OUTPUT, flow_table); - /* Table 46, Priority 0. + /* Table 57, Priority 0. * ======================= * * Resubmit packets that don't output to the ingress port (already checked - * in table 44) to the logical egress pipeline, clearing the logical - * registers (for consistent behavior with packets that get tunneled). */ + * at higher priority in this table) to the logical egress pipeline, + * clearing the logical registers (for consistent behavior with packets + * that get tunneled). */ match_init_catchall(&match); ofpbuf_clear(&ofpacts); for (int i = 0; i < MFF_N_LOG_REGS; i++) { @@ -4236,25 +4237,25 @@ physical_run(struct physical_ctx *p_ctx, ofctrl_add_flow(flow_table, OFTABLE_CHECK_LOOPBACK, 0, 0, &match, &ofpacts, hc_uuid); - /* Table 64, Priority 0. + /* Table 88, Priority 0. * ======================= * * Resubmit packets that do not have the MLF_ALLOW_LOOPBACK flag set - * to table 65 for logical-to-physical translation. */ + * to table 89 for logical-to-physical translation. */ match_init_catchall(&match); ofpbuf_clear(&ofpacts); put_resubmit(OFTABLE_LOG_TO_PHY, &ofpacts); ofctrl_add_flow(flow_table, OFTABLE_SAVE_INPORT, 0, 0, &match, &ofpacts, hc_uuid); - /* Table 65, priority 0. + /* Table 89, priority 0. * ====================== * * Drop packets that do not match previous flows. */ add_default_drop_flow(p_ctx, OFTABLE_LOG_TO_PHY, flow_table); - /* Table 81, 82 and 83 + /* Table 105, 106 and 107 * Match on ct.trk and ct.est | ct.new and store the ct_nw_dst, ct_ip6_dst, * ct_tp_dst and ct_proto in the registers. */ uint32_t ct_state_est = OVS_CS_F_TRACKED | OVS_CS_F_ESTABLISHED; @@ -4265,9 +4266,9 @@ physical_run(struct physical_ctx *p_ctx, /* Add the flows: * match = (ct.trk && ct.est), action = (<reg_result> = ct_tp_dst) - * table = 83 + * table = 107 * match = (ct.trk && ct.new), action = (<reg_result> = ct_tp_dst) - * table = 83 + * table = 107 */ match_set_ct_state_masked(&match, ct_state_est, ct_state_est); put_move(MFF_CT_TP_DST, 0, MFF_LOG_RESULT_REG, 0, 16, &ofpacts); @@ -4281,9 +4282,9 @@ physical_run(struct physical_ctx *p_ctx, /* Add the flows: * match = (ct.trk && ct.est), action = (<reg_result> = ct_proto) - * table = 86 + * table = 110 * match = (ct.trk && ct.new), action = (<reg_result> = ct_proto) - * table = 86 + * table = 110 */ ofpbuf_clear(&ofpacts); put_move(MFF_CT_NW_PROTO, 0, MFF_LOG_RESULT_REG, 0, 8, &ofpacts); @@ -4295,9 +4296,9 @@ physical_run(struct physical_ctx *p_ctx, &match_new, &ofpacts, hc_uuid); /* Add the flows: * match = (ct.trk && ct.est && ip4), action = (<reg_result> = ct_nw_dst) - * table = 81 + * table = 105 * match = (ct.trk && ct.new && ip4), action = (<reg_result> = ct_nw_dst) - * table = 81 + * table = 105 */ ofpbuf_clear(&ofpacts); match_set_dl_type(&match, htons(ETH_TYPE_IP)); @@ -4312,9 +4313,9 @@ physical_run(struct physical_ctx *p_ctx, /* Add the flows: * match = (ct.trk && ct.est && ip6), action = (<reg_result> = ct_ip6_dst) - * table = 82 + * table = 106 * match = (ct.trk && ct.new && ip6), action = (<reg_result> = ct_ip6_dst) - * table = 82 + * table = 106 */ ofpbuf_clear(&ofpacts); match_set_dl_type(&match, htons(ETH_TYPE_IPV6)); @@ -4333,7 +4334,7 @@ physical_run(struct physical_ctx *p_ctx, /* Add the flow: * match = (1), action = (reg4[0..7] = ct_state[0..7]) - * table = 85, priority = UINT16_MAX - 1 + * table = 109, priority = UINT16_MAX - 1 */ match_init_catchall(&match); ofpbuf_clear(&ofpacts); @@ -4343,7 +4344,7 @@ physical_run(struct physical_ctx *p_ctx, /* Add the flow: * match = (!ct.trk), action = (reg4[0..7] = 0) - * table = 85, priority = UINT16_MAX + * table = 109, priority = UINT16_MAX */ match_init_catchall(&match); ofpbuf_clear(&ofpacts); diff --git a/ovn-architecture.7.xml b/ovn-architecture.7.xml index 522a56a8a..c49c83dd6 100644 --- a/ovn-architecture.7.xml +++ b/ovn-architecture.7.xml @@ -1237,8 +1237,8 @@ output port field, and since they do not carry a logical output port field in the tunnel key, when a packet is received from ramp switch VXLAN tunnel by an OVN hypervisor, the packet is resubmitted to table 8 - to determine the output port(s); when the packet reaches table 42, - these packets are resubmitted to table 43 for local delivery by + to determine the output port(s); when the packet reaches table 54, + these packets are resubmitted to table 56 for local delivery by checking a MLF_RCV_FROM_RAMP flag, which is set when the packet arrives from a ramp tunnel. </p> @@ -1336,20 +1336,20 @@ output port is known. These pieces of information are obtained from the tunnel encapsulation metadata (see <code>Tunnel Encapsulations</code> for encoding details). Then the actions resubmit - to table 45 to enter the logical egress pipeline. + to table 62 to enter the logical egress pipeline. </p> </li> <li> <p> - OpenFlow tables 8 through 39 execute the logical ingress pipeline from + OpenFlow tables 8 through 41 execute the logical ingress pipeline from the <code>Logical_Flow</code> table in the OVN Southbound database. These tables are expressed entirely in terms of logical concepts like logical ports and logical datapaths. A big part of <code>ovn-controller</code>'s job is to translate them into equivalent OpenFlow (in particular it translates the table numbers: - <code>Logical_Flow</code> tables 0 through 29 become OpenFlow tables 8 - through 39). + <code>Logical_Flow</code> tables 0 through 33 become OpenFlow tables 8 + through 41). </p> <p> @@ -1391,9 +1391,9 @@ <dl> <dt><code>output:</code></dt> <dd> - Implemented by resubmitting the packet to table 40. If the pipeline + Implemented by resubmitting the packet to table 52. If the pipeline executes more than one <code>output</code> action, then each one is - separately resubmitted to table 40. This can be used to send + separately resubmitted to table 52. This can be used to send multiple copies of the packet to multiple ports. (If the packet was not modified between the <code>output</code> actions, and some of the copies are destined to the same hypervisor, then using a logical @@ -1405,10 +1405,10 @@ <dd> <p> Implemented by storing arguments into OpenFlow fields, then - resubmitting to table 66, which <code>ovn-controller</code> + resubmitting to table 90, which <code>ovn-controller</code> populates with flows generated from the <code>MAC_Binding</code> table in the OVN Southbound database. If there is a match in table - 66, then its actions store the bound MAC in the Ethernet + 90, then its actions store the bound MAC in the Ethernet destination address field. </p> @@ -1440,10 +1440,10 @@ <dd> <p> Implemented by storing arguments into OpenFlow fields, then - resubmitting to table 67, which <code>ovn-controller</code> + resubmitting to table 91, which <code>ovn-controller</code> populates with flows generated from the <code>MAC_Binding</code> table in the OVN Southbound database. If there is a match in table - 67, then its actions set the logical flow flag <code>MLF_LOOKUP_MAC</code>. + 91, then its actions set the logical flow flag <code>MLF_LOOKUP_MAC</code>. </p> <p> @@ -1457,13 +1457,13 @@ <li> <p> - OpenFlow tables 40 through 44 implement the <code>output</code> action - in the logical ingress pipeline. Specifically, table 40 serves as an - entry point to egress pipeline. Table 40 detects IP packets that are - too big for a corresponding interface. Table 41 produces ICMPv4 + OpenFlow tables 52 through 57 implement the <code>output</code> action + in the logical ingress pipeline. Specifically, table 52 serves as an + entry point to egress pipeline. Table 52 detects IP packets that are + too big for a corresponding interface. Table 53 produces ICMPv4 Fragmentation Needed (or ICMPv6 Too Big) errors and deliver them back - to the offending port. table 42 handles packets to remote hypervisors, - table 43 handles packets to the local hypervisor, and table 44 checks + to the offending port. Table 54 handles packets to remote hypervisors, + table 56 handles packets to the local hypervisor, and table 57 checks whether packets whose logical ingress and egress port are the same should be discarded. </p> @@ -1471,28 +1471,28 @@ <p> Logical patch ports are a special case. Logical patch ports do not have a physical location and effectively reside on every hypervisor. - Thus, flow table 43, for output to ports on the local hypervisor, + Thus, flow table 56, for output to ports on the local hypervisor, naturally implements output to unicast logical patch ports too. However, applying the same logic to a logical patch port that is part of a logical multicast group yields packet duplication, because each hypervisor that contains a logical port in the multicast group will also output the packet to the logical patch port. Thus, multicast - groups implement output to logical patch ports in table 42. + groups implement output to logical patch ports in table 54. </p> <p> - Each flow in table 42 matches on a logical output port for unicast or + Each flow in table 54 matches on a logical output port for unicast or multicast logical ports that include a logical port on a remote hypervisor. Each flow's actions implement sending a packet to the port it matches. For unicast logical output ports on remote hypervisors, the actions set the tunnel key to the correct value, then send the packet on the tunnel port to the correct hypervisor. (When the remote hypervisor receives the packet, table 0 there will recognize it as a - tunneled packet and pass it along to table 43.) For multicast logical + tunneled packet and pass it along to table 56.) For multicast logical output ports, the actions send one copy of the packet to each remote hypervisor, in the same way as for unicast destinations. If a multicast group includes a logical port or ports on the local - hypervisor, then its actions also resubmit to table 43. Table 42 also + hypervisor, then its actions also resubmit to table 56. Table 54 also includes: </p> @@ -1500,7 +1500,7 @@ <li> A higher-priority rule to match packets received from ramp switch tunnels, based on flag MLF_RCV_FROM_RAMP, and resubmit these packets - to table 43 for local delivery. Packets received from ramp switch + to table 56 for local delivery. Packets received from ramp switch tunnels reach here because of a lack of logical output port field in the tunnel key and thus these packets needed to be submitted to table 8 to determine the output port. @@ -1508,7 +1508,7 @@ <li> A higher-priority rule to match packets received from ports of type <code>localport</code>, based on the logical input port, and resubmit - these packets to table 43 for local delivery. Ports of type + these packets to table 56 for local delivery. Ports of type <code>localport</code> exist on every hypervisor and by definition their traffic should never go out through a tunnel. </li> @@ -1523,48 +1523,48 @@ packets, the packets only need to be delivered to local ports. </li> <li> - A fallback flow that resubmits to table 43 if there is no other + A fallback flow that resubmits to table 56 if there is no other match. </li> </ul> <p> - Flows in table 43 resemble those in table 42 but for logical ports that + Flows in table 56 resemble those in table 54 but for logical ports that reside locally rather than remotely. For unicast logical output ports - on the local hypervisor, the actions just resubmit to table 44. For + on the local hypervisor, the actions just resubmit to table 57. For multicast output ports that include one or more logical ports on the local hypervisor, for each such logical port <var>P</var>, the actions change the logical output port to <var>P</var>, then resubmit to table - 44. + 57. </p> <p> A special case is that when a localnet port exists on the datapath, remote port is connected by switching to the localnet port. In this - case, instead of adding a flow in table 42 to reach the remote port, a - flow is added in table 43 to switch the logical outport to the localnet - port, and resubmit to table 43 as if it were unicasted to a logical + case, instead of adding a flow in table 54 to reach the remote port, a + flow is added in table 56 to switch the logical outport to the localnet + port, and resubmit to table 56 as if it were unicasted to a logical port on the local hypervisor. </p> <p> - Table 44 matches and drops packets for which the logical input and + Table 57 matches and drops packets for which the logical input and output ports are the same and the MLF_ALLOW_LOOPBACK flag is not set. It also drops MLF_LOCAL_ONLY packets directed to a localnet port, provided they aren't RAs sent from a gateway or distributed router which is checked via the presence of the bitflag - MLF_OVERRIDE_LOCAL_ONLY. It resubmits other packets to table 46. + MLF_OVERRIDE_LOCAL_ONLY. It resubmits other packets to table 62. </p> </li> <li> <p> - OpenFlow tables 45 through 62 execute the logical egress pipeline from + OpenFlow tables 62 through 77 execute the logical egress pipeline from the <code>Logical_Flow</code> table in the OVN Southbound database. The egress pipeline can perform a final stage of validation before packet delivery. Eventually, it may execute an <code>output</code> action, which <code>ovn-controller</code> implements by resubmitting to - table 64. A packet for which the pipeline never executes + table 88. A packet for which the pipeline never executes <code>output</code> is effectively dropped (although it may have been transmitted through a tunnel across a physical network). </p> @@ -1577,21 +1577,21 @@ <li> <p> - Table 64 bypasses OpenFlow loopback when MLF_ALLOW_LOOPBACK is set. - Logical loopback was handled in table 44, but OpenFlow by default also + Table 88 bypasses OpenFlow loopback when MLF_ALLOW_LOOPBACK is set. + Logical loopback was handled in table 57, but OpenFlow by default also prevents loopback to the OpenFlow ingress port. Thus, when - MLF_ALLOW_LOOPBACK is set, OpenFlow table 64 saves the OpenFlow ingress - port, sets it to zero, resubmits to table 65 for logical-to-physical + MLF_ALLOW_LOOPBACK is set, OpenFlow table 88 saves the OpenFlow ingress + port, sets it to zero, resubmits to table 89 for logical-to-physical transformation, and then restores the OpenFlow ingress port, effectively disabling OpenFlow loopback prevents. When - MLF_ALLOW_LOOPBACK is unset, table 64 flow simply resubmits to table - 65. + MLF_ALLOW_LOOPBACK is unset, table 88 flow simply resubmits to table + 89. </p> </li> <li> <p> - OpenFlow table 65 performs logical-to-physical translation, the + OpenFlow table 89 performs logical-to-physical translation, the opposite of table 0. It matches the packet's logical egress port. Its actions output the packet to the port attached to the OVN integration bridge that represents that logical port. If the logical egress port @@ -1613,17 +1613,17 @@ <p> Consider a packet sent from one virtual machine or container to another VM or container that resides on a different subnet. The packet will - traverse tables 0 to 65 as described in the previous section + traverse tables 0 to 89 as described in the previous section <code>Architectural Physical Life Cycle of a Packet</code>, using the logical datapath representing the logical switch that the sender is - attached to. At table 42, the packet will use the fallback flow that - resubmits locally to table 43 on the same hypervisor. In this case, - all of the processing from table 0 to table 65 occurs on the hypervisor + attached to. At table 54, the packet will use the fallback flow that + resubmits locally to table 56 on the same hypervisor. In this case, + all of the processing from table 0 to table 89 occurs on the hypervisor where the sender resides. </p> <p> - When the packet reaches table 65, the logical egress port is a + When the packet reaches table 89, the logical egress port is a logical patch port. <code>ovn-controller</code> implements output to the logical patch is packet by cloning and resubmitting directly to the first OpenFlow flow table in the ingress pipeline, @@ -1634,22 +1634,22 @@ <p> The packet re-enters the ingress pipeline in order to traverse tables - 8 to 65 again, this time using the logical datapath representing the + 8 to 89 again, this time using the logical datapath representing the logical router. The processing continues as described in the previous section <code>Architectural Physical Life Cycle of a Packet</code>. - When the packet reaches table 65, the logical egress port will once + When the packet reaches table 89, the logical egress port will once again be a logical patch port. In the same manner as described above, this logical patch port will cause the packet to be resubmitted to - OpenFlow tables 8 to 65, this time using the logical datapath + OpenFlow tables 8 to 89, this time using the logical datapath representing the logical switch that the destination VM or container is attached to. </p> <p> - The packet traverses tables 8 to 65 a third and final time. If the + The packet traverses tables 8 to 89 a third and final time. If the destination VM or container resides on a remote hypervisor, then table - 39 will send the packet on a tunnel port from the sender's hypervisor - to the remote hypervisor. Finally table 65 will output the packet + 54 will send the packet on a tunnel port from the sender's hypervisor + to the remote hypervisor. Finally table 89 will output the packet directly to the destination VM or container. </p> @@ -1675,9 +1675,9 @@ When a hypervisor processes a packet on a logical datapath representing a logical switch, and the logical egress port is a <code>l3gateway</code> port representing connectivity to a gateway - router, the packet will match a flow in table 42 that sends the + router, the packet will match a flow in table 54 that sends the packet on a tunnel port to the chassis where the gateway router - resides. This processing in table 42 is done in the same manner as + resides. This processing in table 54 is done in the same manner as for VIFs. </p> @@ -1770,21 +1770,21 @@ chassis, one additional mechanism is required. When a packet leaves the ingress pipeline and the logical egress port is the distributed gateway port, one of two different sets of actions is - required at table 42: + required at table 54: </p> <ul> <li> If the packet can be handled locally on the sender's hypervisor (e.g. one-to-one NAT traffic), then the packet should just be - resubmitted locally to table 43, in the normal manner for + resubmitted locally to table 56, in the normal manner for distributed logical patch ports. </li> <li> However, if the packet needs to be handled on the chassis associated with the distributed gateway port (e.g. one-to-many - SNAT traffic or non-NAT traffic), then table 42 must send the + SNAT traffic or non-NAT traffic), then table 54 must send the packet on a tunnel port to that chassis. </li> </ul> @@ -1796,11 +1796,11 @@ egress port to the type <code>chassisredirect</code> logical port is simply a way to indicate that although the packet is destined for the distributed gateway port, it needs to be redirected to a - different chassis. At table 42, packets with this logical egress - port are sent to a specific chassis, in the same way that table 42 + different chassis. At table 54, packets with this logical egress + port are sent to a specific chassis, in the same way that table 54 directs packets whose logical egress port is a VIF or a type <code>l3gateway</code> port to different chassis. Once the packet - arrives at that chassis, table 43 resets the logical egress port to + arrives at that chassis, table 56 resets the logical egress port to the value representing the distributed gateway port. For each distributed gateway port, there is one type <code>chassisredirect</code> port, in addition to the distributed diff --git a/tests/ovn-macros.at b/tests/ovn-macros.at index 8744ff6b3..c4f80642d 100644 --- a/tests/ovn-macros.at +++ b/tests/ovn-macros.at @@ -1617,36 +1617,37 @@ m4_define([OVN_SKIP_MEM_LEAK],[ m4_define([OFTABLE_PHY_TO_LOG], [0]) m4_define([OFTABLE_LOG_INGRESS_PIPELINE], [8]) -m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [42]) -m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [43]) -m4_define([OFTABLE_REMOTE_OUTPUT], [44]) -m4_define([OFTABLE_REMOTE_VTEP_OUTPUT], [45]) -m4_define([OFTABLE_LOCAL_OUTPUT], [46]) -m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [48]) -m4_define([OFTABLE_SAVE_INPORT], [64]) -m4_define([OFTABLE_LOG_TO_PHY], [65]) -m4_define([OFTABLE_MAC_BINDING], [66]) -m4_define([OFTABLE_MAC_LOOKUP], [67]) -m4_define([OFTABLE_CHK_LB_HAIRPIN], [68]) -m4_define([OFTABLE_CHK_LB_HAIRPIN_REPLY], [69]) -m4_define([OFTABLE_CT_SNAT_HAIRPIN], [70]) -m4_define([OFTABLE_GET_FDB], [71]) -m4_define([OFTABLE_LOOKUP_FDB], [72]) -m4_define([OFTABLE_CHK_IN_PORT_SEC], [73]) -m4_define([OFTABLE_CHK_IN_PORT_SEC_ND], [74]) -m4_define([OFTABLE_CHK_OUT_PORT_SEC], [75]) -m4_define([OFTABLE_ECMP_NH_MAC], [76]) -m4_define([OFTABLE_ECMP_NH], [77]) -m4_define([OFTABLE_CHK_LB_AFFINITY], [78]) -m4_define([OFTABLE_MAC_CACHE_USE], [79]) -m4_define([OFTABLE_CT_ZONE_LOOKUP], [80]) -m4_define([OFTABLE_CT_ORIG_NW_DST_LOAD], [81]) -m4_define([OFTABLE_CT_ORIG_IP6_DST_LOAD], [82]) -m4_define([OFTABLE_CT_ORIG_TP_DST_LOAD], [83]) -m4_define([OFTABLE_FLOOD_REMOTE_CHASSIS], [84]) -m4_define([OFTABLE_CT_STATE_SAVE], [85]) -m4_define([OFTABLE_CT_ORIG_PROTO_LOAD], [86]) -m4_define([OFTABLE_GET_REMOTE_FDB], [87]) -m4_define([OFTABLE_LEARN_REMOTE_FDB], [88]) +m4_define([OFTABLE_OUTPUT_LARGE_PKT_DETECT], [52]) +m4_define([OFTABLE_OUTPUT_LARGE_PKT_PROCESS], [53]) +m4_define([OFTABLE_REMOTE_OUTPUT], [54]) +m4_define([OFTABLE_REMOTE_VTEP_OUTPUT], [55]) +m4_define([OFTABLE_LOCAL_OUTPUT], [56]) +m4_define([OFTABLE_CHECK_LOOPBACK], [57]) +m4_define([OFTABLE_LOG_EGRESS_PIPELINE], [62]) +m4_define([OFTABLE_SAVE_INPORT], [88]) +m4_define([OFTABLE_LOG_TO_PHY], [89]) +m4_define([OFTABLE_MAC_BINDING], [90]) +m4_define([OFTABLE_MAC_LOOKUP], [91]) +m4_define([OFTABLE_CHK_LB_HAIRPIN], [92]) +m4_define([OFTABLE_CHK_LB_HAIRPIN_REPLY], [93]) +m4_define([OFTABLE_CT_SNAT_HAIRPIN], [94]) +m4_define([OFTABLE_GET_FDB], [95]) +m4_define([OFTABLE_LOOKUP_FDB], [96]) +m4_define([OFTABLE_CHK_IN_PORT_SEC], [97]) +m4_define([OFTABLE_CHK_IN_PORT_SEC_ND], [98]) +m4_define([OFTABLE_CHK_OUT_PORT_SEC], [99]) +m4_define([OFTABLE_ECMP_NH_MAC], [100]) +m4_define([OFTABLE_ECMP_NH], [101]) +m4_define([OFTABLE_CHK_LB_AFFINITY], [102]) +m4_define([OFTABLE_MAC_CACHE_USE], [103]) +m4_define([OFTABLE_CT_ZONE_LOOKUP], [104]) +m4_define([OFTABLE_CT_ORIG_NW_DST_LOAD], [105]) +m4_define([OFTABLE_CT_ORIG_IP6_DST_LOAD], [106]) +m4_define([OFTABLE_CT_ORIG_TP_DST_LOAD], [107]) +m4_define([OFTABLE_FLOOD_REMOTE_CHASSIS], [108]) +m4_define([OFTABLE_CT_STATE_SAVE], [109]) +m4_define([OFTABLE_CT_ORIG_PROTO_LOAD], [110]) +m4_define([OFTABLE_GET_REMOTE_FDB], [111]) +m4_define([OFTABLE_LEARN_REMOTE_FDB], [112]) m4_define([OFTABLE_SAVE_INPORT_HEX], [m4_eval(OFTABLE_SAVE_INPORT, 16)]) diff --git a/tests/ovn.at b/tests/ovn.at index 1009dd55c..272346dd7 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -43702,8 +43702,6 @@ OVN_FOR_EACH_NORTHD([ AT_SETUP([requested-tnl-key-recompute]) AT_KEYWORDS([requested-tnl-key-recompute]) -m4_define([OFTABLE_LOG_TO_PHY], [65]) - ovn_start net_add n1 -- 2.54.0 _______________________________________________ dev mailing list [email protected] https://mail.openvswitch.org/mailman/listinfo/ovs-dev
