On 4/14/25 4:34 PM, Rukomoinikova Aleksandra wrote:
> Hi, Dumitru
>
> gentle ping for this patch =)
>

Hi Alexandra,

Sorry for the delay. It's on my list of things to review this week.

Regards,
Dumitru

> On 08.04.2025 23:46, Alexandra Rukomoinikova wrote:
>> [0] Removed support for using load balancers in conjunction with stateless
>> ACL.
>> This commit removes the ability to use load balancers alongside stateless
>> ACL.
>> If a load balancer is created, the datapath is no longer fully stateless.
>> Therefore, to avoid traffic being directed to the conntrack, it is recommended
>> to refrain from creating a load balancer entirely.
>>
>> Commit [0] ensures the separation of stateful and stateless scenarios
>> in the absence of load balancers, without altering the functionality
>> of load balancers themselves.
>>
>> When a logical switch is configured with stateless ACL and a load balancer,
>> the check for the `REGBIT_CONNTRACK_NAT` flag in the `pre_lb` stage of
>> the ingress pipeline becomes redundant. Traffic directed to the load balancer
>> must be processed through the conntrack.
>>
>> To ensure proper load balancer operation, a rule must be added to match
>> the load balancer's VIP address and its protocol (if applicable). This rule
>> is added to the datapath group and does not negatively impact performance.
>> Packets matching this rule would still be directed to the conntrack via
>> lower-priority rules in the absence of stateless ACL. However, with
>> stateless ACL, this rule enables load balancing when the client balances
>> traffic to itself.
>>
>> In the egress pipeline, the stateless register should only be set if no
>> load balancers are present on the datapath. This maintains a clear separation
>> between Stateful and Stateless modes when using ACL.
>> If a user creates a load balancer on a logical switch, they should be aware
>> that the traffic will no longer be fully stateless.
>>
>> Also in case of lb configured with stateless ACLs we no longer take into
>> account ct.inv packets in egress. They will be dropped further, at the
>> hypervisor level.
>>
>> [0] - ovn-org@a0f82ef.
>>
>> Signed-off-by: Alexandra Rukomoinikova <arukomoinikova@k2.cloud>
>> ---
>> v2 --> v3:
>> fixed Dumitru comments in v2.
>> corrected hairpin case
>> fixed failed tests