On 5/29/26 4:51 PM, Naveen Yerramneni wrote:
> Add vtap mode to the Network_Function_Group mode enum. In vtap mode,
> traffic is mirrored to the network function while continuing to flow
> to the original destination, enabling passive monitoring.
> 
> - Add 'vtap' to mode enum in Network_Function_Group table
> - Make outport optional in Network_Function table (vtap only uses inport)
> 
> Signed-off-by: Naveen Yerramneni <[email protected]>
> Acked-by: Sragdhara Datta Chaudhuri <[email protected]>
> Acked-by: Aditya Mehakare <[email protected]>
> ---

Hi Naveen, Sragdhara,

Thanks for the new revision!

>  ovn-nb.ovsschema |  7 +++--
>  ovn-nb.xml       | 75 ++++++++++++++++++++++++++++++++++++------------
>  2 files changed, 60 insertions(+), 22 deletions(-)
> 
> diff --git a/ovn-nb.ovsschema b/ovn-nb.ovsschema
> index e5945b831..ac01ba986 100644
> --- a/ovn-nb.ovsschema
> +++ b/ovn-nb.ovsschema
> @@ -1,7 +1,7 @@
>  {
>      "name": "OVN_Northbound",
>      "version": "7.18.0",

We need to bump the version to 7.19.0 because the changes are not only
cosmetic.

> -    "cksum": "1537030958 45190",
> +    "cksum": "369914400 45257",
>      "tables": {
>          "NB_Global": {
>              "columns": {
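Review bot: the new "cksum" value in this hunk was computed against version 7.18.0, so once the version string is bumped to 7.19.0 (as requested above) the checksum line has to be regenerated as well, since cksum covers the whole file's contents and length; otherwise the schema will fail its checksum check.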
> @@ -208,7 +208,7 @@
>                  "outport": {"type": {"key": {"type": "uuid",
>                                               "refTable": 
> "Logical_Switch_Port",
>                                               "refType": "strong"},
> -                                     "min": 1, "max": 1}},
> +                                     "min": 0, "max": 1}},
>                  "inport": {"type": {"key": {"type": "uuid",
>                                              "refTable": 
> "Logical_Switch_Port",
>                                              "refType": "strong"},
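Review bot: lowering "min" on "outport" to 0 makes the column optional for every row, not only for vtap ones, so the schema can no longer guarantee that an inline Network_Function has both ports. Since an inline function with no outport has no return path, northd should reject (or at least log a warning for) an inline row whose "outport" is unset, and the ovn-nb.xml text for "outport" should state that it is required in inline mode.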
> @@ -245,7 +245,8 @@
>                                             "refType": "strong"},
>                                             "min": 0, "max": 1}},
>                  "mode": {"type": {"key": {"type": "string",
> -                                          "enum": ["set", ["inline"]]}}},
> +                                          "enum": ["set", ["inline",
> +                                                           "vtap"]]}}},
>                  "id": {
>                       "type": {"key": {"type": "integer",
>                                        "minInteger": 1,
> diff --git a/ovn-nb.xml b/ovn-nb.xml
> index 442657018..41b2917a9 100644
> --- a/ovn-nb.xml
> +++ b/ovn-nb.xml
> @@ -6528,14 +6528,16 @@ or
>     title="network function group">
>      <p>
>        Each row contains a list of <ref table="Network_Function"/>. Traffic
> -      redirection is achieved by referencing a
> -      <code>Network_Function_Group</code> from an <ref table="ACL"/>. Health
> -      monitoring of each <code>Network_Function</code> is performed based on
> -      parameters defined in <ref table="Network_Function_Health_Check"/>.
> -      Traffic matching the ACL is redirected to one of the active
> -      <code>Network_Functions</code>. If all are detected as down, traffic is
> -      redirected to one of the <code>Network_Functions</code> regardless of
> -      status.
> +      redirection/mirroring is achieved by referencing a
> +      <code>Network_Function_Group</code> from an <ref table="ACL"/>. For
> +      <code>inline</code> mode, health monitoring of each
> +      <code>Network_Function</code> is performed based on parameters defined
> +      in <ref table="Network_Function_Health_Check"/>. Health monitoring is
> +      not applicable for <code>vtap</code> mode; a vtap network function is
> +      always considered active as long as its port is bound.
> +      Traffic matching the ACL is redirected (inline) or mirrored (vtap) to
> +      one of the active <code>Network_Functions</code>. If all are detected
> +      as down, the fallback method is applied.
>      </p>
>  
>      <column name="name">
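Review bot: the new text says a vtap network function "is always considered active as long as its port is bound", but the closing sentence still says "If all are detected as down, the fallback method is applied", which reads as if health detection also applies to vtap. Suggest making the vtap case explicit, e.g. "In vtap mode a network function is down only when its port is not bound", so the reader knows what "down" means for a passive tap.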
> @@ -6551,8 +6553,9 @@ or
>        Fallback setting when no active network functions are available.
>        <p>
>          Supports following fallback mechanisms.
> -        If not specified, fail-close will be applied when no active Network
> -        Functions are available.
> +        If not specified: for <code>inline</code> mode, fail-close is applied
> +        when no active Network Functions are available; for <code>vtap</code>
> +        mode, fallback is always fail-open.
>        </p>
>  
>        <dl>
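Review bot: "for vtap mode, fallback is always fail-open" does not say what happens when an operator explicitly sets fail-close on a vtap group. Either state that the value is ignored (and that northd warns about it) or that such a configuration is rejected; without that, someone could assume a fail-close vtap group blocks traffic when the tap port is unbound, when in fact the traffic keeps flowing. Also "Supports following fallback mechanisms" should read "Supports the following fallback mechanisms".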
> @@ -6580,13 +6583,34 @@ or
>  
>      <column name="network_function_active">
>        Current active Network_Function. This column is populated by northd
> -      based on health monitoring status.
> +      based on health monitoring status for <code>inline</code> mode. For
> +      <code>vtap</code> mode, health monitoring is not applicable; northd
> +      sets the active network function based on port binding status.
>      </column>
>  
>      <column name="mode">
> -      Traffic forwarding mode, with default and only value as "inline". The
> -      "inline" mode means that the network function is directly in the path
> -      of traffic, with traffic being redirected through it.
> +      Network Function insertion mode.
> +      <p>
> +        Supports following modes.
> +      </p>
> +
> +      <dl>
> +        <dt><code>inline</code></dt>
> +        <dd>
> +          <p>
> +            In this mode, traffic redirection happens inline through active
> +            Network Function ports.
> +          </p>
> +        </dd>
> +
> +        <dt><code>vtap</code></dt>
> +        <dd>
> +          <p>
> +            In this mode, traffic is mirrored to active Network Function
> +            port.
> +          </p>
> +        </dd>
> +      </dl>
>      </column>
>  
>      <group title="Common Columns">
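Review bot: the removed text stated that "inline" is the default; the new <dl> never says which mode applies when "mode" is unset. Please add a sentence such as "If not specified, inline is assumed." Minor wording in the same hunk: "Supports following modes." should be "Supports the following modes.", and "mirrored to active Network Function port" should be "mirrored to the active Network Function port".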
> @@ -6598,8 +6622,11 @@ or
>  
>    <table name="Network_Function" title="network function">
>      <p>
> -      Each row represents one network function entity. This contains a pair
> -      of logical_switch_ports. Traffic that matches the ACL is redirected to
> +      Each row represents one network function entity. This contains a single
> +      logical switch port when deployed in vtap mode and pair of logical 
> switch
> +      ports when deployed in inline mode.
> +
> +      In inline mode, traffic that matches the ACL is redirected to
>        <code>inport</code> for from-lport ACLs and to <code>outport</code>
>        for to-lport ACLs. Once the traffic is received on the other port, it
>        continues through the standard OVN pipeline.
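Review bot: "a single logical switch port when deployed in vtap mode and pair of logical switch ports" is missing an article ("and a pair of"), and it would help to name the single port, e.g. "a single logical switch port (inport) when deployed in vtap mode", since "outport" is documented as not applicable there.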
> @@ -6612,6 +6639,9 @@ or
>          1. The Network Function MUST NOT modify the packet headers.
>          2. The Network Function is not supported when used in conjunction 
> with
>             Load Balancer.
> +
> +      In vtap mode, traffic that matches the ACL is mirrored to
> +      <code>inport</code> in all cases.
>      </p>
>  
>      <column name="name">
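Review bot: "mirrored to inport in all cases" should say what the cases are, i.e. "for both from-lport and to-lport ACLs", to match the "inport" column text. It is also unclear whether the two numbered restrictions just above (no packet header modification, no use together with a Load Balancer) apply to vtap; the first is moot for a mirrored copy that terminates at the network function, so please state for each whether it holds in vtap mode.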
> @@ -6625,17 +6655,24 @@ or
>  
>      <column name="inport">
>        <ref table="Logical_Switch_Port"/>  where request traffic for 
> from-lport
> -      ACL and response traffic for to-lport ACL is redirected.
> +      ACL and response traffic for to-lport ACL is redirected when
> +      network function is deployed in inline mode. In vtap mode, traffic
> +      matching both to-lport and from-lport ACLs is mirrored to the inport.
>      </column>
>  
>      <column name="outport">
>        <ref table="Logical_Switch_Port"/> where request traffic for to-lport 
> ACL
> -      and response traffic for from-lport ACL is redirected.
> +      and response traffic for from-lport ACL is redirected when
> +      network function is deployed in inline mode.
> +      This is not applicable when network function is deployed in vtap mode.
>      </column>
>  
>      <column name="health_check">
>        <ref table="Network_Function_Health_Check"/> associated with this 
> network
> -      function.
> +      function. Health check is applicable only for <code>inline</code> mode.
> +      It is not applicable when the network function is deployed in
> +      <code>vtap</code> mode; this column should be left unset for vtap
> +      network functions.
>      </column>
>  
>      <group title="Common Columns">
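Review bot: given the schema now allows "outport" to be empty, the "outport" paragraph should say it is required in inline mode and must be left unset in vtap mode, rather than only "not applicable". Likewise "health_check ... should be left unset for vtap network functions" leaves open what northd does when it is set; please say whether it is ignored or flagged. Grammar in the same hunk: "when network function is deployed" should be "when the network function is deployed" in both the "inport" and "outport" paragraphs.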

It's a bit weird that we're documenting stuff that will be added later
in the series but I guess it's how we did it in the past too. So, let's
leave it as is.

Regards,
Dumitru

_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev