On Wed, Sep 15, 2021 at 8:07 PM Vladislav Odintsov <[email protected]> wrote:
>
> A packet going from HW VTEP device to VIF port when arrives to
> hypervisor chassis should go through LS ingress pipeline to l2_lkp
> stage without any match. In l2_lkp stage an output port is
> determined and then the packet is passed to the LS egress pipeline
> for further processing and delivery to the VIF port.
>
> Prior to this commit a packet, which was received from HW VTEP
> device was dropped in an LS ingress datapath, where stateful services
> were defined (ACLs, LBs).
>
> To fix this issue we add a special flag-bit which can be used in LS
> pipelines, to check whether the packet came from HW VTEP devices.
> In ls_in_pre_acl and ls_in_pre_lb we add new flow with priority 110
> to skip such packets.
>
> Signed-off-by: Vladislav Odintsov <[email protected]>
This needs a rebase.
Thanks
Numan
> ---
> Please note: I've got no experience in DDLog and have no ability to
> extensively
> test these changes.
> Just local ./configure --with-ddlog=...; make; make check was run
> It seems that only tests irrelevant to these changes
> failed.
> ---
> northd/ovn-northd.c | 14 ++++++++++++++
> northd/ovn_northd.dl | 33 +++++++++++++++++++++++++++++++--
> tests/ovn-northd.at | 2 ++
> 3 files changed, 47 insertions(+), 2 deletions(-)
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
> index 0ee2ba221..2a795d9e1 100644
> --- a/northd/ovn-northd.c
> +++ b/northd/ovn-northd.c
> @@ -236,6 +236,7 @@ enum ovn_stage {
> #define REGBIT_LKUP_FDB "reg0[11]"
> #define REGBIT_HAIRPIN_REPLY "reg0[12]"
> #define REGBIT_ACL_LABEL "reg0[13]"
> +#define REGBIT_FROM_RAMP "reg0[14]"
>
> #define REG_ORIG_DIP_IPV4 "reg1"
> #define REG_ORIG_DIP_IPV6 "xxreg1"
> @@ -5175,6 +5176,11 @@ build_lswitch_input_port_sec_op(
> if (queue_id) {
> ds_put_format(actions, "set_queue(%s); ", queue_id);
> }
> +
> + if (!strcmp(op->nbsp->type, "vtep")) {
> + ds_put_format(actions, REGBIT_FROM_RAMP" = 1; ");
> + }
> +
> ds_put_cstr(actions, "next;");
> ovn_lflow_add_with_lport_and_hint(lflows, op->od,
> S_SWITCH_IN_PORT_SEC_L2,
> 50, ds_cstr(match), ds_cstr(actions),
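Review bot: `ds_put_format(actions, REGBIT_FROM_RAMP" = 1; ")` passes a constant string through a format call with no arguments; it should be `ds_put_cstr(actions, REGBIT_FROM_RAMP" = 1; ");`, matching the `ds_put_cstr(actions, "next;")` that follows. Setting the bit from the port's configured type inside the per-inport port-security flow is the right place for a flag that later bypasses stages, since only traffic actually entering through the vtep port can carry it. build_lswitch_input_port_sec_op begins and ends outside the hunk.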
> @@ -5422,6 +5428,10 @@ build_pre_acls(struct ovn_datapath *od, struct hmap
> *port_groups,
> "nd || nd_rs || nd_ra || mldv1 || mldv2 || "
> "(udp && udp.src == 546 && udp.dst == 547)", "next;");
>
> + /* Do not send coming from RAMP switch packets to conntrack. */
> + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
> + REGBIT_FROM_RAMP" == 1", "next;");
> +
> /* Ingress and Egress Pre-ACL Table (Priority 100).
> *
> * Regardless of whether the ACL is "from-lport" or "to-lport",
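Review bot: The new priority-110 flow skips conntrack for every packet that entered through a vtep port, but neither the comment nor the commit message says what the later ls_in_acl stage is expected to do with such a packet when stateful ACLs are configured; presumably ACLs that rely on ct.new/ct.est cannot match a packet that never went through conntrack, so the intended policy for RAMP traffic should be stated and pinned by a test. The comment wording is also awkward; suggest `/* Packets coming from a RAMP (HW VTEP) switch port bypass conntrack. */`. The same applies to the ls_in_pre_lb hunk at @@ -5526 and to the two Flow additions in ovn_northd.dl. build_pre_acls begins and ends outside the hunk.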
> @@ -5526,6 +5536,10 @@ build_pre_lb(struct ovn_datapath *od, struct hmap
> *lflows,
> ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
> "eth.src == $svc_monitor_mac", "next;");
>
> + /* Do not send coming from RAMP switch packets to conntrack. */
> + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
> + REGBIT_FROM_RAMP" == 1", "next;");
> +
> /* Allow all packets to go to next tables by default. */
> ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;");
> ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;");
> diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl
> index d91f8111f..5b4ae980a 100644
> --- a/northd/ovn_northd.dl
> +++ b/northd/ovn_northd.dl
> @@ -1622,6 +1622,7 @@ function rEGBIT_ACL_HINT_BLOCK() : string = "reg0[10]"
> function rEGBIT_LKUP_FDB() : string = "reg0[11]"
> function rEGBIT_HAIRPIN_REPLY() : string = "reg0[12]"
> function rEGBIT_ACL_LABEL() : string = "reg0[13]"
> +function rEGBIT_FROM_RAMP() : string = "reg0[14]"
>
> function rEG_ORIG_DIP_IPV4() : string = "reg1"
> function rEG_ORIG_DIP_IPV6() : string = "xxreg1"
> @@ -2058,6 +2059,16 @@ for (&Switch(._uuid = ls_uuid, .has_stateful_acl =
> true)) {
> .io_port = None,
> .controller_meter = None);
>
> + /* Do not send coming from RAMP switch packets to conntrack. */
> + Flow(.logical_datapath = ls_uuid,
> + .stage = s_SWITCH_IN_PRE_ACL(),
> + .priority = 110,
> + .__match = i"${rEGBIT_FROM_RAMP()} == 1",
> + .actions = i"next;",
> + .stage_hint = 0,
> + .io_port = None,
> + .controller_meter = None);
> +
> /* Ingress and Egress Pre-ACL Table (Priority 100).
> *
> * Regardless of whether the ACL is "from-lport" or "to-lport",
> @@ -2124,6 +2135,16 @@ for (&Switch(._uuid = ls_uuid)) {
> .io_port = None,
> .controller_meter = None);
>
> + /* Do not send coming from RAMP switch packets to conntrack. */
> + Flow(.logical_datapath = ls_uuid,
> + .stage = s_SWITCH_IN_PRE_LB(),
> + .priority = 110,
> + .__match = i"${rEGBIT_FROM_RAMP()} == 1",
> + .actions = i"next;",
> + .stage_hint = 0,
> + .io_port = None,
> + .controller_meter = None);
> +
> /* Allow all packets to go to next tables by default. */
> Flow(.logical_datapath = ls_uuid,
> .stage = s_SWITCH_IN_PRE_LB(),
> @@ -3370,10 +3391,18 @@ for (&SwitchPort(.lsp = lsp, .sw = sw, .json_name =
> json_name, .ps_eth_addresses
> } else {
> i"inport == ${json_name} && eth.src ==
> {${ps_eth_addresses.join(\" \")}}"
> } in
> - var actions = match (pbinding.options.get("qdisc_queue_id")) {
> + var actions = {
> + var ramp = if (lsp.__type == "vtep") {
> + i"${rEGBIT_FROM_RAMP()} = 1; "
> + } else {
> + i""
> + };
> + var queue = match (pbinding.options.get("qdisc_queue_id")) {
> None -> i"next;",
> Some{id} -> i"set_queue(${id}); next;"
> - } in
> + };
> + i"${ramp}${queue}"
> + } in
> Flow(.logical_datapath = sw._uuid,
> .stage = s_SWITCH_IN_PORT_SEC_L2(),
> .priority = 50,
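Review bot: The action string is assembled in a different order from the C implementation: here `${rEGBIT_FROM_RAMP()} = 1; ` is prepended before `set_queue(${id}); next;`, whereas ovn-northd.c emits `set_queue(...); ` first and only then `REGBIT_FROM_RAMP" = 1; "`. Both orders are functionally equivalent, but the two northd implementations are expected to produce identical logical flows, so one side should be changed to match — for example by having the match yield only the `set_queue(${id}); ` part and appending `next;` after `${ramp}`, or by swapping the two appends on the C side. The enclosing SwitchPort rule begins outside the hunk.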
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index 26bb940aa..655e29b61 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -3589,6 +3589,7 @@ check_stateful_flows() {
> table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
> table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport ==
> "sw0-lr0"), action=(next;)
> table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
> || mldv1 || mldv2), action=(next;)
> + table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1),
> action=(next;)
> ])
>
> AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
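Review bot: Both test hunks (here and at @@ -3652) only add the expected ls_in_pre_lb line for `reg0[[14]] == 1`; the new ls_in_pre_acl priority-110 flow from build_pre_acls has no expectation, and nothing exercises a vtep-typed port to confirm that the port-security flow emits `reg0[14] = 1` or that such a packet reaches ls_in_l2_lkup. Adding the corresponding ls_in_pre_acl line to check_stateful_flows and a small test with a port of type "vtep" would cover the behaviour the commit message describes. check_stateful_flows begins outside the hunk.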
> @@ -3652,6 +3653,7 @@ AT_CHECK([grep "ls_in_pre_lb" sw0flows | sort], [0],
> [dnl
> table=6 (ls_in_pre_lb ), priority=110 , match=(eth.dst ==
> $svc_monitor_mac), action=(next;)
> table=6 (ls_in_pre_lb ), priority=110 , match=(ip && inport ==
> "sw0-lr0"), action=(next;)
> table=6 (ls_in_pre_lb ), priority=110 , match=(nd || nd_rs || nd_ra
> || mldv1 || mldv2), action=(next;)
> + table=6 (ls_in_pre_lb ), priority=110 , match=(reg0[[14]] == 1),
> action=(next;)
> ])
>
> AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort], [0], [dnl
> --
> 2.30.0
>
>