The patch being submitted here was originally submitted as part of a
series intending to fix connectivity issues with OpenStack floating IPs.
You can find that original patch here:

https://mail.openvswitch.org/pipermail/ovs-dev/2021-March/381318.html

Following that discussion, there were concerns about:

1) The validity of the use case being fixed. Specifically, it was asked
if it was valid to configure an unreachable address on a logical router
as either a DNAT external IP or a load balancer VIP.

2) Whether this change was reverting to a premise that caused a flow
explosion in ovn-kubernetes.

In the end, the suggestion was made to flood ARPs destined for
unreachable IPs instead of unicasting them. However, Dumitru did note
that:

"The downside is that we *might* hit the OVS resubmit limit for ARPs
targeting such FIPs on scaled setups but, I guess, that's a different
story."

Unfortunately, that is now happening in OpenStack instances that have
lots of gateway router ports connected to a single "public" logical
switch that receives ARPs via its localnet port. Traffic destined for
unreachable floating IPs never arrives because ARP requests
hit the resubmit limit in OVN. Since the ARP requests never receive
a response, the traffic can never reach the intended target.

Going back to the original concerns about this patch:

Regarding (1), yes, it's valid. OpenStack has relied on being able to
place IPs not in a router port's subnet on that router port for a long
time. It's actually the basis behind why they refer to them as
"floating" IPs. Though I think at this point this is well-understood,
based on our having special cases in ovn-northd to handle unreachable
addresses.

Regarding (2), I'm still not 100% sure about the details behind why this
might cause a flow explosion. If you compare this patch with the one
where we flood ARPs to all switch ports, this has no more logical flows.
We are essentially editing the actions of our existing flows to unicast
the ARPs instead of flooding them.

I'm re-proposing this patch because I think it makes the most sense to
unicast the ARP if we know which logical router port the IP address is
configured on, even if we think it is "unreachable". In addition,
ovn-kubernetes has gone through some massive changes since the original
patch was proposed, and so I don't even know if the concerns originally
raised are still valid.

Mark Michelson (1):
  ovn-northd: Treat reachable and unreachable addresses identically.

 northd/northd.c     | 185 ++++----------------------------------------
 tests/ovn-northd.at |  99 ------------------------
 tests/ovn.at        |  10 +++
 3 files changed, 23 insertions(+), 271 deletions(-)

-- 
2.31.1

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev