Re: [ovs-dev] [PATCH ovn] nb: Add Load_Balancer.options:neighbor_responder knob.

Wed, 18 May 2022 10:53:55 -0700 

I applied this to main.

On 5/11/22 14:48, Mark Michelson wrote:

Thanks for this Dumitru.

Acked-by: Mark Michelson <[email protected]>

On 4/28/22 11:33, Dumitru Ceara wrote:

This allows CMS to tweak the way logical routers reply to ARP/ND packets
targeting load balancer VIPs.  By default a router only replies for VIPs
that are reachable locally (they're part of a subnet configured on the
router).  There are cases though when it's desirable for routers to
reply for all VIPs.

Reported-at: https://github.com/ovn-org/ovn/issues/124
Reported-by: Tom Parrott <[email protected]>
Signed-off-by: Dumitru Ceara <[email protected]>
---
  NEWS                |  4 ++++
  northd/northd.c     | 20 ++++++++++++++++++++
  ovn-nb.xml          |  9 +++++++++
  tests/ovn-northd.at | 10 ++++++++--
  4 files changed, 41 insertions(+), 2 deletions(-)

diff --git a/NEWS b/NEWS
index dbe89e9cf..ed735c32c 100644
--- a/NEWS
+++ b/NEWS
@@ -7,6 +7,10 @@ Post v22.03.0
    - Support NAT for logical routers with multiple distributed gateway ports. 
    - Add global option (NB_Global.options:default_acl_drop) to enable
      implicit drop behavior on logical switches with ACLs applied.
+  - Add NB.Load_Balancer.options:neighbor_responder to allow the CMS to
+    explicitly request routers to reply to any ARP/ND request for a VIP
+    (when set to "all") and only for reachable VIPs (when set to "reachable" 
+    or by default).
  OVN v22.03.0 - 11 Mar 2022
  --------------------------
diff --git a/northd/northd.c b/northd/northd.c
index a56666297..f01bd2cf7 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -3920,6 +3920,26 @@ static void
  build_lrouter_lb_reachable_ips(struct ovn_datapath *od,
                                 const struct ovn_northd_lb *lb)
  {
+    const char *neighbor_responder_mode =
+        smap_get_def(&lb->nlb->options, "neighbor_responder", "reachable"); 
+
+    /* If configured to reply to neighbor requests for all VIPs force them 
+     * all to be considered "reachable".
+     */
+    if (!strcmp(neighbor_responder_mode, "all")) {
+        for (size_t i = 0; i < lb->n_vips; i++) {
+            if (IN6_IS_ADDR_V4MAPPED(&lb->vips[i].vip)) {
+                sset_add(&od->lb_ips_v4_reachable, lb->vips[i].vip_str);
+            } else {
+                sset_add(&od->lb_ips_v6_reachable, lb->vips[i].vip_str);
+            }
+        }
+        return;
+    }
+
+    /* Otherwise, a VIP is reachable if there's at least one router
+     * subnet that includes it.
+     */
      for (size_t i = 0; i < lb->n_vips; i++) {
          if (IN6_IS_ADDR_V4MAPPED(&lb->vips[i].vip)) {
              ovs_be32 vip_ip4 = in6_addr_get_mapped_ipv4(&lb->vips[i].vip); 
diff --git a/ovn-nb.xml b/ovn-nb.xml
index 9010240a8..756c2a378 100644
--- a/ovn-nb.xml
+++ b/ovn-nb.xml
@@ -1856,6 +1856,15 @@
          more information about what flows are added for IP routes, please 
          see the <code>ovn-northd</code> manpage section on IP Routing.
        </column>
+
+      <column name="options" key="neighbor_responder">
+        If set to <code>all</code>, then routers on which the load balancer 
+        is applied reply to ARP/neighbor discovery requests for all VIPs
+        of the load balancer.  If set to <code>reachable</code>, then routers +        on which the load balancer is applied reply to ARP/neighbor discovery +        requests only for VIPs that are part of a router's subnet. The default +        value of this option, if not specified, is <code>reachable</code>. 
+      </column>
      </group>
    </table>
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 69ad85533..8e256de2e 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -1708,6 +1708,10 @@ ovn-nbctl lb-add lb5 "[[fe80::200:ff:fe00:101]]:8080" "[[fe02::200:ff:fe00:101]]   ovn-nbctl lb-add lb5 "[[fe80::200:ff:fe00:102]]:8080" "[[fe02::200:ff:fe00:102]]:8080" 
  ovn-nbctl lb-add lb6 "43.43.43.43:8080" "10.0.0.8:8080" udp
  ovn-nbctl lb-add lb7 "[[4343::4343]]:8080" "[[10::10]]:8080" udp
+ovn-nbctl lb-add lb8 "44.44.44.44:8080" "10.0.0.8:8080" udp
+ovn-nbctl set Load_Balancer lb8 options:neighbor_responder=all
+ovn-nbctl lb-add lb9 "[[4444::4444]]:8080" "[[10::10]]:8080" udp
+ovn-nbctl set Load_Balancer lb9 options:neighbor_responder=all
  ovn-nbctl lr-lb-add lr lb1
  ovn-nbctl lr-lb-add lr lb2
@@ -1716,6 +1720,8 @@ ovn-nbctl lr-lb-add lr lb4
  ovn-nbctl lr-lb-add lr lb5
  ovn-nbctl lr-lb-add lr lb6
  ovn-nbctl lr-lb-add lr lb7
+ovn-nbctl lr-lb-add lr lb8
+ovn-nbctl lr-lb-add lr lb9
  ovn-nbctl --wait=sb sync
  lr_key=$(fetch_column sb:datapath_binding tunnel_key external_ids:name=lr) 
@@ -1723,8 +1729,8 @@ lb_as_v4="_rtr_lb_${lr_key}_ip4"
  lb_as_v6="_rtr_lb_${lr_key}_ip6"
  # Check generated VIP address sets (only reachable IPs).
-check_column '43.43.43.43' Address_Set addresses name=${lb_as_v4}
-check_column '4343::4343 fe80::200:ff:fe00:101 fe80::200:ff:fe00:102' Address_Set addresses name=${lb_as_v6} +check_column '43.43.43.43 44.44.44.44' Address_Set addresses name=${lb_as_v4} +check_column '4343::4343 4444::4444 fe80::200:ff:fe00:101 fe80::200:ff:fe00:102' Address_Set addresses name=${lb_as_v6} 
  # Ingress router port ETH address is stored in lr_in_admission.
  AT_CHECK([ovn-sbctl lflow-list | grep -E "lr_in_admission.*xreg0\[[0..47\]]" | sort], [0], [dnl 





_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev

Reply via email to