Hi, Han, Numan:
While testing a use case in our ovn-k8s cluster we ran into an issue where
we couldn't effectively use stateless ACLs on the OVN interface. Turns out we
will track all the packets here, since there will be some VIPs configured on
the logical switch and...
if (od->has_lb_vip) {
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB,
100, "ip", REGBIT_CONNTRACK_NAT" = 1; next;");...
even though pre_acl skips stateless flows. One option is to just try and
exclude the flows in pre_lb with hints from pre_acl, but that alone won't work
since pre_lb precedes pre_acl in egress.
So, wanted to check if the following will work:
- Use info from pre_acl to exclude stateless flows when we track for VIPs
- Switch pre_lb and pre_acl in egress
I tested this with our ovn-k8s CI/CD, manual stateless rules and using a
specific use case (RoCE with stateless rules) and it worked, but not sure if I
am missing anything by switching pre_acl and pre_lb in egress.
I can send the official patch, but just as an FYI, following is the change I
am looking at as a proof of concept:
diff --git a/northd/northd.c b/northd/northd.c
index 98ef97f90..022b20660 100644
--- a/northd/northd.c
+++ b/northd/northd.c
@@ -128,8 +128,8 @@ enum ovn_stage {
PIPELINE_STAGE(SWITCH, IN, L2_UNKNOWN, 25, "ls_in_l2_unknown") \
\
/* Logical switch egress stages. */ \
- PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 0, "ls_out_pre_lb") \
- PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 1, "ls_out_pre_acl") \
+ PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \
+ PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 1, "ls_out_pre_lb") \
PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \
PIPELINE_STAGE(SWITCH, OUT, ACL_HINT, 3, "ls_out_acl_hint") \
PIPELINE_STAGE(SWITCH, OUT, ACL, 4, "ls_out_acl") \
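Review bot: swapping the stage numbers of PRE_ACL and PRE_LB in the egress pipeline (the two `-`/`+` pairs above) changes the egress table order that ovn-northd.8.xml documents and that the test suite's expected lflow dumps list by stage, so those need a matching update in the same patch. A one-line comment above the egress stage list stating why PRE_ACL must now run before PRE_LB (PRE_LB consumes the REGBIT_CONNTRACK_DEFRAG hint that pre_acl sets) would also stop the order from being "restored" later by someone aligning it with the old layout.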
@@ -5839,6 +5839,54 @@ build_empty_lb_event_flow(struct ovn_lb_vip *lb_vip,
return true;
}
static void
build_pre_lb(struct ovn_datapath *od, struct hmap *lflows)
{
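Review bot: the header `@@ -5839,6 +5839,54 @@` announces 48 added lines, but the quoted hunk shows only the unchanged context (`return true; }` and the opening of `build_pre_lb`), so the new code this hunk introduces is missing from the post and cannot be reviewed here; please resend the complete patch with git format-patch / git send-email so the added body between `build_empty_lb_event_flow` and `build_pre_lb` is visible.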
@@ -5904,12 +5952,17 @@ build_pre_lb(struct ovn_datapath *od, struct hmap
*lflows)
* To fix this issue, we send all the packets to the conntrack in the
* ingress pipeline if a load balancer is configured. We can now
* add a lflow to drop ct.inv packets.
+ *
+ * Skip stateless rules from being tracked.
+ * stateless flows should not have REGBIT_CONNTRACK_DEFRAG+ * set in
build pre_acls, so we can use that as an hint here.
*/
if (od->has_lb_vip) {
ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB,
- 100, "ip", REGBIT_CONNTRACK_NAT" = 1; next;");
+ 100, REGBIT_CONNTRACK_DEFRAG" == 1",
REGBIT_CONNTRACK_NAT" = 1; next;");
ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB,
- 100, "ip", REGBIT_CONNTRACK_NAT" = 1; next;");
+ 100, REGBIT_CONNTRACK_DEFRAG" == 1",
REGBIT_CONNTRACK_NAT" = 1; next;");
}
}
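Review bot: changing both the S_SWITCH_IN_PRE_LB and S_SWITCH_OUT_PRE_LB matches from `ip` to `REGBIT_CONNTRACK_DEFRAG == 1` makes load-balancer conntrack tracking depend on pre_acl having set that bit, and the new comment says it is set in build_pre_acls; please confirm what sets REGBIT_CONNTRACK_DEFRAG on a logical switch that has LB VIPs but no stateful ACLs at all, because if nothing does, REGBIT_CONNTRACK_NAT is never set there and VIP traffic would stop being sent to conntrack. If that case is real, a dedicated "stateless" hint bit that pre_acl sets for allow-stateless traffic, with pre_lb matching on it being clear, would be safer than overloading the defrag bit. Also, the comment should read "a hint", not "an hint".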
thanks,
-venu
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev