On 11/7/22 12:31, Dumitru Ceara wrote:
> On 11/2/22 16:57, Lorenzo Bianconi wrote:
>> Rely on the following new actions in order to introduce affinity timeout
>> support to load-balancer sessions:
>> - commit_lb_aff
>> - chk_lb_aff
>>
>> Introduce the following tables in switch and router pipelines
>> respectively:
>> - S_SWITCH_IN_LB_AFF_CHECK
>> - S_SWITCH_IN_LB_AFF_LEARN
>> - S_ROUTER_IN_LB_AFF_CHECK
>> - S_ROUTER_IN_LB_AFF_LEARN
>>
>> In this way OVN is able to dnat connections received from the same client
>> to a given load-balancer to the same backend if received in the affinity
>> timeslot.
>> Please note load-balancer affinity support has scalability limitation
>> since we need to create a new logical flow per backend.
>>
>> Acked-by: Mark Michelson <[email protected]>
>> Signed-off-by: Lorenzo Bianconi <[email protected]>
>> ---
>
> Hi Lorenzo,
>
> Thanks for this new revision.
>
> I think there's still a problem when we use LB affinity in combination
> with the hairpin_snat_ip option.
>
> I set up a simple topology (VM1 <-> LS (LB) <-> LR).
>
> ovn-nbctl lr-add rtr
> ovn-nbctl lrp-add rtr rtr-ls 00:00:00:00:01:00 42.42.42.1/24 4242::1/64
> ovn-nbctl ls-add ls
>
> ovn-nbctl lsp-add ls ls-rtr
> ovn-nbctl lsp-set-addresses ls-rtr 00:00:00:00:01:00
> ovn-nbctl lsp-set-type ls-rtr router
> ovn-nbctl lsp-set-options ls-rtr router-port=rtr-ls
> ovn-nbctl lsp-add ls vm1
> ovn-nbctl lsp-set-addresses vm1 00:00:00:00:00:01
> ip netns add vm1
> ovs-vsctl add-port br-int vm1 -- set interface vm1 type=internal
> ip link set vm1 netns vm1
> ip netns exec vm1 ip link set vm1 address 00:00:00:00:00:01
> ip netns exec vm1 ip addr add 42.42.42.2/24 dev vm1
> ip netns exec vm1 ip link set vm1 up
> ip netns exec vm1 ip r a default via 42.42.42.1
> ovs-vsctl set Interface vm1 external_ids:iface-id=vm1
> ovn-nbctl lsp-add ls vm2
> ovn-nbctl lsp-set-addresses vm2 00:00:00:00:00:02
>
> ovn-nbctl lb-add lb-test 66.66.66.66:666 42.42.42.2:4242 tcp
> ovn-nbctl ls-lb-add ls lb-test
> ovn-nbctl set load_balancer lb-test options:affinity_timeout=60
> ovn-nbctl set load_balancer lb-test options:hairpin_snat_ip="66.66.66.100"
>
> I started a nc listener on vm1:
>
> ip netns exec vm1 nc -k -l -v 0.0.0.0 4242
>
> Then I try to access the LB service from the backend itself (VM1):
> while sleep 1; do ip netns exec vm1 nc -z -v 66.66.66.66 666; done
>
> The first connection succeeds, the affinity flow gets created in table
> 78, but subsequent connections fail.  That's because the hairpin TCP SYN
> packet is not SNAT-ed anymore:
>
> 12:29:58.578150 00:00:00:00:00:01 > 00:00:00:00:01:00, ethertype IPv4
> (0x0800), length 74: (tos 0x0, ttl 64, id 37159, offset 0, flags [DF],
> proto TCP (6), length 60)
>
>     42.42.42.2.43156 > 66.66.66.66.666: Flags [S], cksum 0xd8de
> (incorrect -> 0x23bd), seq 3216328469, win 29200, options [mss
> 1460,sackOK,TS val 1691730611 ecr 0,nop,wscale 7], length 0
>
> 12:29:58.578381 00:00:00:00:01:00 > 00:00:00:00:00:01, ethertype IPv4
> (0x0800), length 74: (tos 0x0, ttl 63, id 37159, offset 0, flags [DF],
> proto TCP (6), length 60)
>
>     42.42.42.2.43156 > 42.42.42.2.4242: Flags [S], cksum 0x461d
> (correct), seq 3216328469, win 29200, options [mss 1460,sackOK,TS val
> 1691730611 ecr 0,nop,wscale 7], length 0   <<< This should use
> hairpin_snat_ip as source IP.
>
> Could you please check why this is happening?
>
> If possible, it would be great if you could add a system test for this too.
>

Also, an ovn-northd.at test is failing, the grep matches more than
expected now.  It needs some minor adjustments:

1002: check install_ls_lb_from_router option -- ovn-northd --
parallelization=yes FAILED (ovn-northd.at:7802)
1003: check install_ls_lb_from_router option -- ovn-northd --
parallelization=no FAILED (ovn-northd.at:7802)

Thanks,
Dumitru
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
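
Added example, not part of the thread or of the OVN tree: a small check that can be run over `tcpdump -e -v` output to flag the failure described in the message above, i.e. a hairpinned SYN that reaches the backend still carrying the backend's own address instead of hairpin_snat_ip. The function name is hypothetical, the two captured packets are taken from the message with the TCP options trimmed, and the "expected" capture is constructed.

```python
import re

# tcpdump prints each TCP segment as "src.port > dst.port: Flags [...]".
SEGMENT = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
)

def unsnatted_hairpin_syns(capture, backend, hairpin_snat_ip):
    """Return (sport, seen_src, expected_src) for each hairpinned SYN that
    reaches backend=(ip, port) still carrying the backend's own address."""
    ip, port = backend
    text = " ".join(capture.split())   # undo tcpdump/e-mail line wrapping
    bad = []
    for m in SEGMENT.finditer(text):
        if m["flags"] != "S":          # only the initial SYN, not SYN-ACK "S."
            continue
        if (m["dst"], int(m["dport"])) != (ip, port):
            continue                   # still addressed to the VIP, not DNAT-ed yet
        if m["src"] == ip and m["src"] != hairpin_snat_ip:
            bad.append((int(m["sport"]), m["src"], hairpin_snat_ip))
    return bad

# The two SYNs from the capture in the message (TCP options trimmed).
CAPTURE = """
12:29:58.578150 00:00:00:00:00:01 > 00:00:00:00:01:00, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 64, id 37159, offset 0, flags [DF],
proto TCP (6), length 60)
    42.42.42.2.43156 > 66.66.66.66.666: Flags [S], cksum 0xd8de
(incorrect -> 0x23bd), seq 3216328469, win 29200, length 0
12:29:58.578381 00:00:00:00:01:00 > 00:00:00:00:00:01, ethertype IPv4
(0x0800), length 74: (tos 0x0, ttl 63, id 37159, offset 0, flags [DF],
proto TCP (6), length 60)
    42.42.42.2.43156 > 42.42.42.2.4242: Flags [S], cksum 0x461d
(correct), seq 3216328469, win 29200, length 0
"""

# Constructed: the second SYN as it would look with hairpin SNAT applied.
EXPECTED = CAPTURE.replace("42.42.42.2.43156 > 42.42.42.2.4242",
                           "66.66.66.100.43156 > 42.42.42.2.4242")

if __name__ == "__main__":
    for label, cap in (("capture", CAPTURE), ("constructed", EXPECTED)):
        print(label, unsnatted_hairpin_syns(cap, ("42.42.42.2", 4242), "66.66.66.100"))
```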
