The ls_in_pre_stateful priority 120 flow that saves dst IP and Port to
registers is causing a critical dataplane performance impact to
short-lived connections, because it unwildcards megaflows with exact
match on dst IP and L4 ports. Any new connections with a different
client side L4 port will encounter datapath flow miss and upcall to
ovs-vswitchd, which makes typical use cases such as HTTP1.0 based
RESTful API calls suffer big performance degredations.
These fields (dst IP and port) were saved to registers to solve a
problem of LB hairpin use case when different VIPs are sharing
overlapping backend+port [0]. The change [0] might not have as wide
performance impact as it is now because at that time one of the match
condition "REGBIT_CONNTRACK_NAT == 1" was set only for established and
natted traffic, while now the impact is more obvious because
REGBIT_CONNTRACK_NAT is now set for all IP traffic (if any VIP
configured on the LS) since commit [1], after several other indirectly
related optimizations and refactors.
This patch fixes the problem by modifying the priority-120 flows in
ls_in_pre_stateful. Instead of blindly saving dst IP and L4 port for any
traffic with the REGBIT_CONNTRACK_NAT == 1, we now save dst IP and L4
port only for traffic matching the LB VIPs, because these are the ones
that need to be saved for the hairpin purpose. The existed priority-110
flows will match the rest of the traffic just like before but wouldn't
not save dst IP and L4 port, so any server->client traffic would not
unwildcard megaflows with client side L4 ports.
[0] ce0ef8d59850 ("Properly handle hairpin traffic for VIPs with shared
backends.")
[1] 0038579d1928 ("northd: Optimize ct nat for load balancer traffic.")
Signed-off-by: Han Zhou <[email protected]>
---
northd/northd.c | 125 +++++++++++++++++++++++++++-----------------
tests/ovn-northd.at | 87 +++++++++++-------------------
tests/ovn.at | 14 ++---
3 files changed, 113 insertions(+), 113 deletions(-)
diff --git a/northd/northd.c b/northd/northd.c
index 7e2681865..860641936 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -273,15 +273,15 @@ enum ovn_stage {
* | | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} | | |
* | | REGBIT_ACL_LABEL | X | |
* +----+----------------------------------------------+ X | |
- * | R1 | ORIG_DIP_IPV4 (>= IN_STATEFUL) | R | |
+ * | R1 | ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL) | R | |
* +----+----------------------------------------------+ E | |
- * | R2 | ORIG_TP_DPORT (>= IN_STATEFUL) | G | |
+ * | R2 | ORIG_TP_DPORT (>= IN_PRE_STATEFUL) | G | |
* +----+----------------------------------------------+ 0 | |
* | R3 | ACL LABEL | | |
* +----+----------------------------------------------+---+------------------+
* | R4 | UNUSED | | |
- * +----+----------------------------------------------+ X | ORIG_DIP_IPV6 |
- * | R5 | UNUSED | X | (>= IN_STATEFUL) |
+ * +----+----------------------------------------------+ X | ORIG_DIP_IPV6(>= |
+ * | R5 | UNUSED | X | IN_PRE_STATEFUL) |
* +----+----------------------------------------------+ R | |
* | R6 | UNUSED | E | |
* +----+----------------------------------------------+ G | |
@@ -5899,43 +5899,17 @@ build_pre_stateful(struct ovn_datapath *od,
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 0, "1", "next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 0, "1", "next;");
- const char *ct_lb_action = features->ct_no_masked_label
- ? "ct_lb_mark"
- : "ct_lb";
- const char *lb_protocols[] = {"tcp", "udp", "sctp"};
- struct ds actions = DS_EMPTY_INITIALIZER;
- struct ds match = DS_EMPTY_INITIALIZER;
-
- for (size_t i = 0; i < ARRAY_SIZE(lb_protocols); i++) {
- ds_clear(&match);
- ds_clear(&actions);
- ds_put_format(&match, REGBIT_CONNTRACK_NAT" == 1 && ip4 && %s",
- lb_protocols[i]);
- ds_put_format(&actions, REG_ORIG_DIP_IPV4 " = ip4.dst; "
- REG_ORIG_TP_DPORT " = %s.dst; %s;",
- lb_protocols[i], ct_lb_action);
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 120,
- ds_cstr(&match), ds_cstr(&actions));
-
- ds_clear(&match);
- ds_clear(&actions);
- ds_put_format(&match, REGBIT_CONNTRACK_NAT" == 1 && ip6 && %s",
- lb_protocols[i]);
- ds_put_format(&actions, REG_ORIG_DIP_IPV6 " = ip6.dst; "
- REG_ORIG_TP_DPORT " = %s.dst; %s;",
- lb_protocols[i], ct_lb_action);
- ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 120,
- ds_cstr(&match), ds_cstr(&actions));
- }
+ /* Note: priority-120 flows are added in build_lb_rules_pre_stateful(). */
- ds_clear(&actions);
- ds_put_format(&actions, "%s;", ct_lb_action);
+ const char *ct_lb_action = features->ct_no_masked_label
+ ? "ct_lb_mark;"
+ : "ct_lb;";
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_STATEFUL, 110,
- REGBIT_CONNTRACK_NAT" == 1", ds_cstr(&actions));
+ REGBIT_CONNTRACK_NAT" == 1", ct_lb_action);
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 110,
- REGBIT_CONNTRACK_NAT" == 1", ds_cstr(&actions));
+ REGBIT_CONNTRACK_NAT" == 1", ct_lb_action);
/* If REGBIT_CONNTRACK_DEFRAG is set as 1, then the packets should be
* sent to conntrack for tracking and defragmentation. */
@@ -5945,8 +5919,6 @@ build_pre_stateful(struct ovn_datapath *od,
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_STATEFUL, 100,
REGBIT_CONNTRACK_DEFRAG" == 1", "ct_next;");
- ds_destroy(&actions);
- ds_destroy(&match);
}
static void
@@ -6841,22 +6813,16 @@ build_qos(struct ovn_datapath *od, struct hmap *lflows)
{
}
static void
-build_lb_rules(struct hmap *lflows, struct ovn_northd_lb *lb, bool ct_lb_mark,
- struct ds *match, struct ds *action,
- const struct shash *meter_groups)
+build_lb_rules_pre_stateful(struct hmap *lflows, struct ovn_northd_lb *lb,
+ bool ct_lb_mark, struct ds *match,
+ struct ds *action)
{
for (size_t i = 0; i < lb->n_vips; i++) {
struct ovn_lb_vip *lb_vip = &lb->vips[i];
- struct ovn_northd_lb_vip *lb_vip_nb = &lb->vips_nb[i];
- const char *ip_match = NULL;
-
ds_clear(action);
ds_clear(match);
+ const char *ip_match = NULL;
- /* Make sure that we clear the REGBIT_CONNTRACK_COMMIT flag. Otherwise
- * the load balanced packet will be committed again in
- * S_SWITCH_IN_STATEFUL. */
- ds_put_format(action, REGBIT_CONNTRACK_COMMIT" = 0; ");
/* Store the original destination IP to be used when generating
* hairpin flows.
*/
@@ -6887,6 +6853,67 @@ build_lb_rules(struct hmap *lflows, struct ovn_northd_lb
*lb, bool ct_lb_mark,
ds_put_format(action, REG_ORIG_TP_DPORT " = %"PRIu16"; ",
lb_vip->vip_port);
}
+ ds_put_format(action, "%s;", ct_lb_mark ? "ct_lb_mark" : "ct_lb");
+
+ ds_put_format(match, "%s.dst == %s", ip_match, lb_vip->vip_str);
+ if (lb_vip->vip_port) {
+ ds_put_format(match, " && %s.dst == %d", proto, lb_vip->vip_port);
+ }
+
+ struct ovn_lflow *lflow_ref = NULL;
+ uint32_t hash = ovn_logical_flow_hash(
+ ovn_stage_get_table(S_SWITCH_IN_PRE_STATEFUL),
+ ovn_stage_get_pipeline(S_SWITCH_IN_PRE_STATEFUL), 120,
+ ds_cstr(match), ds_cstr(action));
+
+ for (size_t j = 0; j < lb->n_nb_ls; j++) {
+ struct ovn_datapath *od = lb->nb_ls[j];
+
+ if (!ovn_dp_group_add_with_reference(lflow_ref, od)) {
+ lflow_ref = ovn_lflow_add_at_with_hash(
+ lflows, od, S_SWITCH_IN_PRE_STATEFUL, 120,
+ ds_cstr(match), ds_cstr(action),
+ NULL, NULL, &lb->nlb->header_,
+ OVS_SOURCE_LOCATOR, hash);
+ }
+ }
+ }
+}
+
+static void
+build_lb_rules(struct hmap *lflows, struct ovn_northd_lb *lb, bool ct_lb_mark,
+ struct ds *match, struct ds *action,
+ const struct shash *meter_groups)
+{
+ for (size_t i = 0; i < lb->n_vips; i++) {
+ struct ovn_lb_vip *lb_vip = &lb->vips[i];
+ struct ovn_northd_lb_vip *lb_vip_nb = &lb->vips_nb[i];
+ const char *ip_match = NULL;
+ if (IN6_IS_ADDR_V4MAPPED(&lb_vip->vip)) {
+ ip_match = "ip4";
+ } else {
+ ip_match = "ip6";
+ }
+
+ const char *proto = NULL;
+ if (lb_vip->vip_port) {
+ proto = "tcp";
+ if (lb->nlb->protocol) {
+ if (!strcmp(lb->nlb->protocol, "udp")) {
+ proto = "udp";
+ } else if (!strcmp(lb->nlb->protocol, "sctp")) {
+ proto = "sctp";
+ }
+ }
+ }
+
+ ds_clear(action);
+ ds_clear(match);
+
+ /* Make sure that we clear the REGBIT_CONNTRACK_COMMIT flag. Otherwise
+ * the load balanced packet will be committed again in
+ * S_SWITCH_IN_STATEFUL. */
+ ds_put_format(action, REGBIT_CONNTRACK_COMMIT" = 0; ");
/* New connections in Ingress table. */
const char *meter = NULL;
@@ -10170,6 +10197,8 @@ build_lswitch_flows_for_lb(struct ovn_northd_lb *lb,
struct hmap *lflows,
* a higher priority rule for load balancing below also commits the
* connection, so it is okay if we do not hit the above match on
* REGBIT_CONNTRACK_COMMIT. */
+ build_lb_rules_pre_stateful(lflows, lb, features->ct_no_masked_label,
+ match, action);
build_lb_rules(lflows, lb, features->ct_no_masked_label,
match, action, meter_groups);
}
diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
index 157f9f60c..19ae0a362 100644
--- a/tests/ovn-northd.at
+++ b/tests/ovn-northd.at
@@ -1227,7 +1227,7 @@ check ovn-nbctl --wait=sb ls-lb-add sw0 lb1
AT_CAPTURE_FILE([sbflows])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows sw0 | tee sbflows | grep 'priority=120.*backends' |
sed 's/table=..//'], 0, [dnl
- (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10; reg2[[0..15]] = 80;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
AS_BOX([Delete the Load_Balancer_Health_Check])
@@ -1237,7 +1237,7 @@ wait_row_count Service_Monitor 0
AT_CAPTURE_FILE([sbflows2])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows sw0 | tee sbflows2 | grep 'priority=120.*backends' |
sed 's/table=..//'], [0],
-[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10;
reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
AS_BOX([Create the Load_Balancer_Health_Check again.])
@@ -1249,7 +1249,7 @@ check ovn-nbctl --wait=sb sync
ovn-sbctl dump-flows sw0 | grep backends | grep priority=120 > lflows.txt
AT_CHECK([cat lflows.txt | sed 's/table=..//'], [0], [dnl
- (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10; reg2[[0..15]] = 80;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
AS_BOX([Get the uuid of both the service_monitor])
@@ -1259,7 +1259,7 @@ sm_sw1_p1=$(fetch_column Service_Monitor _uuid
logical_port=sw1-p1)
AT_CAPTURE_FILE([sbflows3])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows sw0 | tee sbflows 3 | grep 'priority=120.*backends' |
sed 's/table=..//'], [0],
-[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10;
reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
AS_BOX([Set the service monitor for sw1-p1 to offline])
@@ -1270,7 +1270,7 @@ check ovn-nbctl --wait=sb sync
AT_CAPTURE_FILE([sbflows4])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows sw0 | tee sbflows4 | grep 'priority=120.*backends' |
sed 's/table=..//'], [0],
-[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10;
reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80);)
+[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80);)
])
AS_BOX([Set the service monitor for sw0-p1 to offline])
@@ -1285,7 +1285,7 @@ OVS_WAIT_FOR_OUTPUT(
AT_CAPTURE_FILE([sbflows6])
OVS_WAIT_FOR_OUTPUT(
- [ovn-sbctl dump-flows sw0 | tee sbflows6 | grep "ip4.dst == 10.0.0.10 &&
tcp.dst == 80" | grep priority=120 | sed 's/table=..//'], [0], [dnl
+ [ovn-sbctl dump-flows sw0 | tee sbflows6 | grep "ip4.dst == 10.0.0.10 &&
tcp.dst == 80" | grep priority=120 | grep ls_in_lb | sed 's/table=..//'], [0],
[dnl
(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(drop;)
])
@@ -1299,7 +1299,7 @@ check ovn-nbctl --wait=sb sync
AT_CAPTURE_FILE([sbflows7])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows sw0 | tee sbflows7 | grep backends | grep priority=120
| sed 's/table=..//'], 0,
-[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10;
reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
])
AS_BOX([Set the service monitor for sw1-p1 to error])
@@ -1309,8 +1309,8 @@ check ovn-nbctl --wait=sb sync
ovn-sbctl dump-flows sw0 | grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" \
| grep priority=120 > lflows.txt
-AT_CHECK([cat lflows.txt | sed 's/table=..//'], [0], [dnl
- (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10; reg2[[0..15]] = 80;
ct_lb(backends=10.0.0.3:80);)
+AT_CHECK([cat lflows.txt | grep ls_in_lb | sed 's/table=..//'], [0], [dnl
+ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0; ct_lb(backends=10.0.0.3:80);)
])
AS_BOX([Add one more vip to lb1])
@@ -1336,8 +1336,8 @@ AT_CAPTURE_FILE([sbflows9])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows sw0 | tee sbflows9 | grep backends | grep priority=120
| sed 's/table=..//' | sort],
0,
-[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10;
reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80);)
- (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40
&& tcp.dst == 1000), action=(reg0[[1]] = 0; reg1 = 10.0.0.40; reg2[[0..15]] =
1000; ct_lb(backends=10.0.0.3:1000);)
+[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80);)
+ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40
&& tcp.dst == 1000), action=(reg0[[1]] = 0; ct_lb(backends=10.0.0.3:1000);)
])
AS_BOX([Set the service monitor for sw1-p1 to online])
@@ -1350,8 +1350,8 @@ AT_CAPTURE_FILE([sbflows10])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows sw0 | tee sbflows10 | grep backends | grep
priority=120 | sed 's/table=..//' | sort],
0,
-[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10;
reg2[[0..15]] = 80; ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40
&& tcp.dst == 1000), action=(reg0[[1]] = 0; reg1 = 10.0.0.40; reg2[[0..15]] =
1000; ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
+[ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40
&& tcp.dst == 1000), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
])
AS_BOX([Associate lb1 to sw1])
@@ -1360,8 +1360,8 @@ AT_CAPTURE_FILE([sbflows11])
OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows sw1 | tee sbflows11 | grep backends | grep
priority=120 | sed 's/table=..//' | sort],
0, [dnl
- (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10; reg2[[0..15]] = 80;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
- (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40
&& tcp.dst == 1000), action=(reg0[[1]] = 0; reg1 = 10.0.0.40; reg2[[0..15]] =
1000; ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
+ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:80,20.0.0.3:80);)
+ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.40
&& tcp.dst == 1000), action=(reg0[[1]] = 0;
ct_lb(backends=10.0.0.3:1000,20.0.0.3:80);)
])
AS_BOX([Now create lb2 same as lb1 but udp protocol.])
@@ -1417,7 +1417,7 @@ ovn-sbctl set service_monitor $sm_sw1_p1 status=offline
AT_CAPTURE_FILE([sbflows12])
OVS_WAIT_FOR_OUTPUT(
- [ovn-sbctl dump-flows sw0 | tee sbflows12 | grep "ip4.dst == 10.0.0.10 &&
tcp.dst == 80" | grep priority=120 | sed 's/table=..//'], [0], [dnl
+ [ovn-sbctl dump-flows sw0 | tee sbflows12 | grep "ip4.dst == 10.0.0.10 &&
tcp.dst == 80" | grep priority=120 | grep ls_in_lb | sed 's/table=..//'], [0],
[dnl
(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0 = 0; reject { outport <-> inport;
next(pipeline=egress,table=5);};)
])
@@ -3889,18 +3889,14 @@ check_stateful_flows() {
table=? (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
table=? (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
table=? (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
+ table=? (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
+ table=? (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 10.0.0.20
&& tcp.dst == 80), action=(reg1 = 10.0.0.20; reg2[[0..15]] = 80; ct_lb_mark;)
])
AT_CHECK([grep "ls_in_lb" sw0flows | sort | sed 's/table=../table=??/'],
[0], [dnl
table=??(ls_in_lb ), priority=0 , match=(1), action=(next;)
- table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10;
reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.4:8080);)
- table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.20 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.20;
reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.40:8080);)
+ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb_mark(backends=10.0.0.4:8080);)
+ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.20 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb_mark(backends=10.0.0.40:8080);)
])
AT_CHECK([grep "ls_in_stateful" sw0flows | sort | sed
's/table=../table=??/'], [0], [dnl
@@ -3961,12 +3957,6 @@ AT_CHECK([grep "ls_in_pre_stateful" sw0flows | sort |
sed 's/table=./table=?/'],
table=? (ls_in_pre_stateful ), priority=0 , match=(1), action=(next;)
table=? (ls_in_pre_stateful ), priority=100 , match=(reg0[[0]] == 1),
action=(ct_next;)
table=? (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- table=? (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
])
AT_CHECK([grep "ls_in_lb" sw0flows | sort | sed 's/table=../table=??/'], [0],
[dnl
@@ -6415,7 +6405,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed
's/table=../table=??/' | sort], [0],
AT_CHECK([grep -e "ls_in_lb" lsflows | sed 's/table=../table=??/' | sort],
[0], [dnl
table=??(ls_in_lb ), priority=0 , match=(1), action=(next;)
- table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
10.0.0.2), action=(reg0[[1]] = 0; reg1 = 10.0.0.2;
ct_lb_mark(backends=10.0.0.10);)
+ table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);)
])
AT_CHECK([grep -e "ls_in_stateful" lsflows | sed 's/table=../table=??/' |
sort], [0], [dnl
@@ -6468,7 +6458,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed
's/table=../table=??/' | sort], [0],
AT_CHECK([grep -e "ls_in_lb" lsflows | sed 's/table=../table=??/' | sort],
[0], [dnl
table=??(ls_in_lb ), priority=0 , match=(1), action=(next;)
- table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
10.0.0.2), action=(reg0[[1]] = 0; reg1 = 10.0.0.2;
ct_lb_mark(backends=10.0.0.10);)
+ table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);)
])
AT_CHECK([grep -e "ls_in_stateful" lsflows | sed 's/table=../table=??/' |
sort], [0], [dnl
@@ -6521,7 +6511,7 @@ AT_CHECK([grep -e "ls_in_acl" lsflows | sed
's/table=../table=??/' | sort], [0],
AT_CHECK([grep -e "ls_in_lb" lsflows | sed 's/table=../table=??/' | sort],
[0], [dnl
table=??(ls_in_lb ), priority=0 , match=(1), action=(next;)
- table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
10.0.0.2), action=(reg0[[1]] = 0; reg1 = 10.0.0.2;
ct_lb_mark(backends=10.0.0.10);)
+ table=??(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
10.0.0.2), action=(reg0[[1]] = 0; ct_lb_mark(backends=10.0.0.10);)
])
AT_CHECK([grep -e "ls_in_stateful" lsflows | sed 's/table=../table=??/' |
sort], [0], [dnl
@@ -7480,14 +7470,9 @@ check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0
== 66.66.66.66 && ct_mark.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
+ table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst ==
66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
- table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; reg1 = 66.66.66.66;
ct_lb_mark(backends=42.42.42.2);)
+ table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);)
table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
])
@@ -7497,14 +7482,9 @@ check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0
== 66.66.66.66 && ct_label.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 66.66.66.66), action=(ct_lb(backends=42.42.42.2);)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb;)
+ table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst ==
66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb;)
- table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; reg1 = 66.66.66.66;
ct_lb(backends=42.42.42.2);)
+ table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; ct_lb(backends=42.42.42.2);)
table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb;)
])
@@ -7514,14 +7494,9 @@ check ovn-nbctl --wait=sb sync
AT_CHECK([ovn-sbctl lflow-list | grep -e natted -e ct_lb], [0], [dnl
table=6 (lr_in_dnat ), priority=110 , match=(ct.est && ip4 && reg0
== 66.66.66.66 && ct_mark.natted == 1), action=(next;)
table=6 (lr_in_dnat ), priority=110 , match=(ct.new && ip4 && reg0
== 66.66.66.66), action=(ct_lb_mark(backends=42.42.42.2);)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& tcp), action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4
&& udp), action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& tcp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- table=6 (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6
&& udp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
+ table=6 (ls_in_pre_stateful ), priority=120 , match=(ip4.dst ==
66.66.66.66), action=(reg1 = 66.66.66.66; ct_lb_mark;)
table=6 (ls_in_pre_stateful ), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
- table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; reg1 = 66.66.66.66;
ct_lb_mark(backends=42.42.42.2);)
+ table=11(ls_in_lb ), priority=110 , match=(ct.new && ip4.dst ==
66.66.66.66), action=(reg0[[1]] = 0; ct_lb_mark(backends=42.42.42.2);)
table=2 (ls_out_pre_stateful), priority=110 , match=(reg0[[2]] == 1),
action=(ct_lb_mark;)
])
@@ -7692,11 +7667,11 @@ AT_CAPTURE_FILE([S1flows])
AT_CHECK([grep "ls_in_lb" S0flows | sort], [0], [dnl
table=11(ls_in_lb ), priority=0 , match=(1), action=(next;)
- table=11(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10;
reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);)
+ table=11(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb_mark(backends=10.0.0.2:80);)
])
AT_CHECK([grep "ls_in_lb" S1flows | sort], [0], [dnl
table=11(ls_in_lb ), priority=0 , match=(1), action=(next;)
- table=11(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 172.16.0.10;
reg2[[0..15]] = 80; ct_lb_mark(backends=10.0.0.2:80);)
+ table=11(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
172.16.0.10 && tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb_mark(backends=10.0.0.2:80);)
])
ovn-sbctl get datapath S0 _uuid > dp_uuids
diff --git a/tests/ovn.at b/tests/ovn.at
index bba2c9c1d..0875fecc2 100644
--- a/tests/ovn.at
+++ b/tests/ovn.at
@@ -23586,13 +23586,8 @@ OVS_WAIT_FOR_OUTPUT(
[ovn-sbctl dump-flows > sbflows
ovn-sbctl dump-flows sw0 | grep ct_lb_mark | grep priority=120 | sed
's/table=..//'], 0,
[dnl
- (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 &&
sctp), action=(reg1 = ip4.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && tcp),
action=(reg1 = ip4.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip4 && udp),
action=(reg1 = ip4.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
- (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 &&
sctp), action=(xxreg1 = ip6.dst; reg2[[0..15]] = sctp.dst; ct_lb_mark;)
- (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && tcp),
action=(xxreg1 = ip6.dst; reg2[[0..15]] = tcp.dst; ct_lb_mark;)
- (ls_in_pre_stateful ), priority=120 , match=(reg0[[2]] == 1 && ip6 && udp),
action=(xxreg1 = ip6.dst; reg2[[0..15]] = udp.dst; ct_lb_mark;)
- (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0; reg1 = 10.0.0.10; reg2[[0..15]] = 80;
ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80;
hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");)
+ (ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 10.0.0.10 &&
tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
+ (ls_in_lb ), priority=120 , match=(ct.new && ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg0[[1]] = 0;
ct_lb_mark(backends=10.0.0.3:80,20.0.0.3:80;
hash_fields="ip_dst,ip_src,tcp_dst,tcp_src");)
])
AT_CAPTURE_FILE([sbflows2])
@@ -23633,8 +23628,9 @@ AT_CAPTURE_FILE([sbflows3])
ovn-sbctl dump-flows sw0 > sbflows3
AT_CHECK(
[grep "ip4.dst == 10.0.0.10 && tcp.dst == 80" sbflows3 | grep priority=120 |\
- sed 's/table=../table=??/'], [0],
- [ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst
== 10.0.0.10 && tcp.dst == 80), action=(drop;)
+ sed 's/table=../table=??/'], [0], [dnl
+ table=??(ls_in_pre_stateful ), priority=120 , match=(ip4.dst == 10.0.0.10
&& tcp.dst == 80), action=(reg1 = 10.0.0.10; reg2[[0..15]] = 80; ct_lb_mark;)
+ table=??(ls_in_lb ), priority=120 , match=(ct.new && ip4.dst ==
10.0.0.10 && tcp.dst == 80), action=(drop;)
])
AT_CAPTURE_FILE([sbflows4])
--
2.30.2
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
