On Mon, Nov 22, 2021 at 11:03 AM Mark Michelson <[email protected]> wrote:
>
> Acked-by: Mark Michelson <[email protected]>
Thanks Dumitru and Mark.
I applied this patch to the main branch with the below changes as the
patch needed some
updates in the ovn-northd.8.xml documentation.
Numan
------------------
diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
index 9b1774005..0adeaa59d 100644
--- a/northd/ovn-northd.8.xml
+++ b/northd/ovn-northd.8.xml
@@ -2545,7 +2545,9 @@ output;
<p>
IPv4: For a configured load balancer IPv4 VIP, a similar flow is
- added with the additional match <code>inport == <var>P</var></code>.
+ added with the additional match <code>inport == <var>P</var></code>
+ if the VIP is reachable from any logical router port of the logical
+ router.
</p>
<p>
@@ -2557,7 +2559,8 @@ output;
<p>
IPv6: For a configured NAT (both DNAT and SNAT) IP address or a
- load balancer IPv6 VIP <var>A</var>, solicited node address
+ load balancer IPv6 VIP <var>A</var> (if the VIP is reachable from any
+ logical router port of the logical router), solicited node address
<var>S</var>, for each router port <var>P</var> with
Ethernet address <var>E</var>, a priority-90 flow matches
<code>inport == <var>P</var> && nd_ns &&
-------------------------
>
> On 11/19/21 06:51, Dumitru Ceara wrote:
> > It's not useful to generate ARP responder flows for VIPs that are not
> > reachable on any port of a logical router port. On scaled
> > ovn-kubernetes deployments the VIP ARP responder Southbound address
> > sets become quite large, wasting resources because they are never
> > used.
> >
> > Stop generating ARP responder flows in these cases and update the tests
> > to reflect this change.
> >
> > Reported-at: https://bugzilla.redhat.com/show_bug.cgi?id=2022403
> > Signed-off-by: Dumitru Ceara <[email protected]>
> > ---
> > V2: Rebase after initial northd I-P.
> > ---
> > northd/northd.c | 87 ++++++++++++++++++++++++++++++++++++++++-----
> > tests/ovn-northd.at | 18 +++++++---
> > 2 files changed, 93 insertions(+), 12 deletions(-)
> >
> > diff --git a/northd/northd.c b/northd/northd.c
> > index 0ff61deec..da5025fd0 100644
> > --- a/northd/northd.c
> > +++ b/northd/northd.c
> > @@ -622,8 +622,10 @@ struct ovn_datapath {
> > */
> > struct sset lb_ips_v4;
> > struct sset lb_ips_v4_routable;
> > + struct sset lb_ips_v4_reachable;
> > struct sset lb_ips_v6;
> > struct sset lb_ips_v6_routable;
> > + struct sset lb_ips_v6_reachable;
> >
> > struct ovn_port **localnet_ports;
> > size_t n_localnet_ports;
> > @@ -918,8 +920,10 @@ init_lb_for_datapath(struct ovn_datapath *od)
> > {
> > sset_init(&od->lb_ips_v4);
> > sset_init(&od->lb_ips_v4_routable);
> > + sset_init(&od->lb_ips_v4_reachable);
> > sset_init(&od->lb_ips_v6);
> > sset_init(&od->lb_ips_v6_routable);
> > + sset_init(&od->lb_ips_v6_reachable);
> >
> > if (od->nbs) {
> > od->has_lb_vip = ls_has_lb_vip(od);
> > @@ -937,8 +941,10 @@ destroy_lb_for_datapath(struct ovn_datapath *od)
> >
> > sset_destroy(&od->lb_ips_v4);
> > sset_destroy(&od->lb_ips_v4_routable);
> > + sset_destroy(&od->lb_ips_v4_reachable);
> > sset_destroy(&od->lb_ips_v6);
> > sset_destroy(&od->lb_ips_v6_routable);
> > + sset_destroy(&od->lb_ips_v6_reachable);
> > }
> >
> > /* A group of logical router datapaths which are connected - either
> > @@ -3909,6 +3915,38 @@ build_lrouter_lb_ips(struct ovn_datapath *od, const
> > struct ovn_northd_lb *lb)
> > }
> > }
> >
> > +static bool lrouter_port_ipv4_reachable(const struct ovn_port *op,
> > + ovs_be32 addr);
> > +static bool lrouter_port_ipv6_reachable(const struct ovn_port *op,
> > + const struct in6_addr *addr);
> > +static void
> > +build_lrouter_lb_reachable_ips(struct ovn_datapath *od,
> > + const struct ovn_northd_lb *lb)
> > +{
> > + for (size_t i = 0; i < lb->n_vips; i++) {
> > + if (IN6_IS_ADDR_V4MAPPED(&lb->vips[i].vip)) {
> > + ovs_be32 vip_ip4 = in6_addr_get_mapped_ipv4(&lb->vips[i].vip);
> > + struct ovn_port *op;
> > +
> > + LIST_FOR_EACH (op, dp_node, &od->port_list) {
> > + if (lrouter_port_ipv4_reachable(op, vip_ip4)) {
> > + sset_add(&od->lb_ips_v4_reachable,
> > lb->vips[i].vip_str);
> > + break;
> > + }
> > + }
> > + } else {
> > + struct ovn_port *op;
> > +
> > + LIST_FOR_EACH (op, dp_node, &od->port_list) {
> > + if (lrouter_port_ipv6_reachable(op, &lb->vips[i].vip)) {
> > + sset_add(&od->lb_ips_v6_reachable,
> > lb->vips[i].vip_str);
> > + break;
> > + }
> > + }
> > + }
> > + }
> > +}
> > +
> > static void
> > build_lrouter_lbs(struct hmap *datapaths, struct hmap *lbs)
> > {
> > @@ -3939,6 +3977,36 @@ build_lrouter_lbs(struct hmap *datapaths, struct
> > hmap *lbs)
> > }
> > }
> >
> > +static void
> > +build_lrouter_lbs_reachable_ips(struct hmap *datapaths, struct hmap *lbs)
> > +{
> > + struct ovn_datapath *od;
> > +
> > + HMAP_FOR_EACH (od, key_node, datapaths) {
> > + if (!od->nbr) {
> > + continue;
> > + }
> > +
> > + for (size_t i = 0; i < od->nbr->n_load_balancer; i++) {
> > + struct ovn_northd_lb *lb =
> > + ovn_northd_lb_find(lbs,
> > +
> > &od->nbr->load_balancer[i]->header_.uuid);
> > + build_lrouter_lb_reachable_ips(od, lb);
> > + }
> > +
> > + for (size_t i = 0; i < od->nbr->n_load_balancer_group; i++) {
> > + const struct nbrec_load_balancer_group *lbg =
> > + od->nbr->load_balancer_group[i];
> > + for (size_t j = 0; j < lbg->n_load_balancer; j++) {
> > + struct ovn_northd_lb *lb =
> > + ovn_northd_lb_find(lbs,
> > +
> > &lbg->load_balancer[j]->header_.uuid);
> > + build_lrouter_lb_reachable_ips(od, lb);
> > + }
> > + }
> > + }
> > +}
> > +
> > static bool
> > ovn_port_add_tnlid(struct ovn_port *op, uint32_t tunnel_key)
> > {
> > @@ -12060,7 +12128,7 @@ build_lrouter_ipv4_ip_input(struct ovn_port *op,
> > &op->nbrp->header_, lflows);
> > }
> >
> > - if (sset_count(&op->od->lb_ips_v4)) {
> > + if (sset_count(&op->od->lb_ips_v4_reachable)) {
> > ds_clear(match);
> > if (is_l3dgw_port(op)) {
> > ds_put_format(match, "is_chassis_resident(%s)",
> > @@ -12075,7 +12143,7 @@ build_lrouter_ipv4_ip_input(struct ovn_port *op,
> > free(lb_ips_v4_as);
> > }
> >
> > - if (sset_count(&op->od->lb_ips_v6)) {
> > + if (sset_count(&op->od->lb_ips_v6_reachable)) {
> > ds_clear(match);
> >
> > if (is_l3dgw_port(op)) {
> > @@ -13859,22 +13927,24 @@ sync_address_sets(struct northd_input *input_data,
> > continue;
> > }
> >
> > - if (sset_count(&od->lb_ips_v4)) {
> > + if (sset_count(&od->lb_ips_v4_reachable)) {
> > char *ipv4_addrs_name = lr_lb_address_set_name(od, AF_INET);
> > - const char **ipv4_addrs = sset_array(&od->lb_ips_v4);
> > + const char **ipv4_addrs = sset_array(&od->lb_ips_v4_reachable);
> >
> > sync_address_set(ovnsb_txn, ipv4_addrs_name, ipv4_addrs,
> > - sset_count(&od->lb_ips_v4), &sb_address_sets);
> > + sset_count(&od->lb_ips_v4_reachable),
> > + &sb_address_sets);
> > free(ipv4_addrs_name);
> > free(ipv4_addrs);
> > }
> >
> > - if (sset_count(&od->lb_ips_v6)) {
> > + if (sset_count(&od->lb_ips_v6_reachable)) {
> > char *ipv6_addrs_name = lr_lb_address_set_name(od, AF_INET6);
> > - const char **ipv6_addrs = sset_array(&od->lb_ips_v6);
> > + const char **ipv6_addrs = sset_array(&od->lb_ips_v6_reachable);
> >
> > sync_address_set(ovnsb_txn, ipv6_addrs_name, ipv6_addrs,
> > - sset_count(&od->lb_ips_v6), &sb_address_sets);
> > + sset_count(&od->lb_ips_v6_reachable),
> > + &sb_address_sets);
> > free(ipv6_addrs_name);
> > free(ipv6_addrs);
> > }
> > @@ -14660,6 +14730,7 @@ ovnnb_db_run(struct northd_input *input_data,
> > build_ports(input_data, ovnsb_txn, sbrec_chassis_by_name,
> > sbrec_chassis_by_hostname,
> > &data->datapaths, &data->ports);
> > + build_lrouter_lbs_reachable_ips(&data->datapaths, &data->lbs);
> > build_ovn_lr_lbs(&data->datapaths, &data->lbs);
> > build_ovn_lb_svcs(input_data, ovnsb_txn, &data->ports, &data->lbs);
> > build_ipam(&data->datapaths, &data->ports);
> > diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> > index 85b47a18f..1e947a6c8 100644
> > --- a/tests/ovn-northd.at
> > +++ b/tests/ovn-northd.at
> > @@ -1670,7 +1670,7 @@ ovn_start
> > ovn-sbctl chassis-add ch geneve 127.0.0.1
> >
> > ovn-nbctl lr-add lr
> > -ovn-nbctl lrp-add lr lrp-public 00:00:00:00:01:00 43.43.43.1/24
> > +ovn-nbctl lrp-add lr lrp-public 00:00:00:00:01:00 43.43.43.1/24 4343::1/64
> > ovn-nbctl lrp-add lr lrp 00:00:00:00:00:01 42.42.42.1/24
> >
> > ovn-nbctl ls-add ls
> > @@ -1693,21 +1693,25 @@ ovn-nbctl lb-add lb3 "192.168.2.5:8080"
> > "10.0.0.6:8080"
> > ovn-nbctl lb-add lb4 "192.168.2.6:8080" "10.0.0.7:8080"
> > ovn-nbctl lb-add lb5 "[[fe80::200:ff:fe00:101]]:8080"
> > "[[fe02::200:ff:fe00:101]]:8080"
> > ovn-nbctl lb-add lb5 "[[fe80::200:ff:fe00:102]]:8080"
> > "[[fe02::200:ff:fe00:102]]:8080"
> > +ovn-nbctl lb-add lb6 "43.43.43.43:8080" "10.0.0.8:8080" udp
> > +ovn-nbctl lb-add lb7 "[[4343::4343]]:8080" "[[10::10]]:8080" udp
> >
> > ovn-nbctl lr-lb-add lr lb1
> > ovn-nbctl lr-lb-add lr lb2
> > ovn-nbctl lr-lb-add lr lb3
> > ovn-nbctl lr-lb-add lr lb4
> > ovn-nbctl lr-lb-add lr lb5
> > +ovn-nbctl lr-lb-add lr lb6
> > +ovn-nbctl lr-lb-add lr lb7
> >
> > ovn-nbctl --wait=sb sync
> > lr_key=$(fetch_column sb:datapath_binding tunnel_key external_ids:name=lr)
> > lb_as_v4="_rtr_lb_${lr_key}_ip4"
> > lb_as_v6="_rtr_lb_${lr_key}_ip6"
> >
> > -# Check generated VIP address sets.
> > -check_column '192.168.2.1 192.168.2.4 192.168.2.5 192.168.2.6' Address_Set
> > addresses name=${lb_as_v4}
> > -check_column 'fe80::200:ff:fe00:101 fe80::200:ff:fe00:102' Address_Set
> > addresses name=${lb_as_v6}
> > +# Check generated VIP address sets (only reachable IPs).
> > +check_column '43.43.43.43' Address_Set addresses name=${lb_as_v4}
> > +check_column '4343::4343 fe80::200:ff:fe00:101 fe80::200:ff:fe00:102'
> > Address_Set addresses name=${lb_as_v6}
> >
> > # Ingress router port ETH address is stored in lr_in_admission.
> > AT_CHECK([ovn-sbctl lflow-list | grep -E
> > "lr_in_admission.*xreg0\[[0..47\]]" | sort], [0], [dnl
> > @@ -1758,6 +1762,9 @@ action=(eth.dst = eth.src; eth.src = xreg0[[0..47]];
> > arp.op = 2; /* ARP reply */
> > match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == 43.43.43.1 &&
> > arp.spa == 43.43.43.0/24), dnl
> > action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP
> > reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa;
> > outport = inport; flags.loopback = 1; output;)
> > table=3 (lr_in_ip_input ), priority=90 , dnl
> > +match=(inport == "lrp-public" && ip6.dst == {4343::1, ff02::1:ff00:1} &&
> > nd_ns && nd.target == 4343::1), dnl
> > +action=(nd_na_router { eth.src = xreg0[[0..47]]; ip6.src = nd.target;
> > nd.tll = xreg0[[0..47]]; outport = inport; flags.loopback = 1; output; };)
> > + table=3 (lr_in_ip_input ), priority=90 , dnl
> > match=(inport == "lrp-public" && ip6.dst == {fe80::200:ff:fe00:100,
> > ff02::1:ff00:100} && nd_ns && nd.target == fe80::200:ff:fe00:100), dnl
> > action=(nd_na_router { eth.src = xreg0[[0..47]]; ip6.src = nd.target;
> > nd.tll = xreg0[[0..47]]; outport = inport; flags.loopback = 1; output; };)
> > table=3 (lr_in_ip_input ), priority=90 , dnl
> > @@ -1827,6 +1834,9 @@ action=(eth.dst = eth.src; eth.src = xreg0[[0..47]];
> > arp.op = 2; /* ARP reply */
> > match=(inport == "lrp-public" && arp.op == 1 && arp.tpa == 43.43.43.1 &&
> > arp.spa == 43.43.43.0/24), dnl
> > action=(eth.dst = eth.src; eth.src = xreg0[[0..47]]; arp.op = 2; /* ARP
> > reply */ arp.tha = arp.sha; arp.sha = xreg0[[0..47]]; arp.tpa <-> arp.spa;
> > outport = inport; flags.loopback = 1; output;)
> > table=3 (lr_in_ip_input ), priority=90 , dnl
> > +match=(inport == "lrp-public" && ip6.dst == {4343::1, ff02::1:ff00:1} &&
> > nd_ns && nd.target == 4343::1 && is_chassis_resident("cr-lrp-public")), dnl
> > +action=(nd_na_router { eth.src = xreg0[[0..47]]; ip6.src = nd.target;
> > nd.tll = xreg0[[0..47]]; outport = inport; flags.loopback = 1; output; };)
> > + table=3 (lr_in_ip_input ), priority=90 , dnl
> > match=(inport == "lrp-public" && ip6.dst == {fe80::200:ff:fe00:100,
> > ff02::1:ff00:100} && nd_ns && nd.target == fe80::200:ff:fe00:100 &&
> > is_chassis_resident("cr-lrp-public")), dnl
> > action=(nd_na_router { eth.src = xreg0[[0..47]]; ip6.src = nd.target;
> > nd.tll = xreg0[[0..47]]; outport = inport; flags.loopback = 1; output; };)
> > table=3 (lr_in_ip_input ), priority=90 , dnl
> >
>
> _______________________________________________
> dev mailing list
> [email protected]
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
