This new table sits before the pre-Stateful table and sets 'reg0' as 1 if the destination IP address of a packet is a VIP in a loadbalancer object. Setting 'reg0' as 1 will send the packet through conntrack to get its status (or to track it).
Signed-off-by: Gurucharan Shetty <g...@ovn.org> --- ovn/northd/ovn-northd.8.xml | 47 ++++++++++++++++++++++++++++++--------------- ovn/northd/ovn-northd.c | 46 +++++++++++++++++++++++++++++++++++--------- 2 files changed, 69 insertions(+), 24 deletions(-) diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index b764848..3117b9a 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -150,17 +150,28 @@ advancing to table 3. </p> - <h3>Ingress Table 2: Pre-STATEFUL</h3> + <h3>Ingress Table 2: Pre-loadbalancer</h3> <p> - Ingress table 2 prepares flows for all possible stateful processing + Ingress table 2 prepares flows for possible loadbalancing + in table 4. It contains a priority-0 flow that simply moves + traffic to next table. If the destination IP of the packet is a + VIP configured in the loadbalancer table, a priority-100 flow + is added that sets a hint (with reg0 = 1) for table 3 to send + IP packets to the connection tracker before advancing to table 4. + </p> + + <h3>Ingress Table 3: Pre-STATEFUL</h3> + + <p> + Ingress table 3 prepares flows for all possible stateful processing in next tables. It contains a priority-0 flow that simply moves - traffic to table 3. A priority-100 flow sends the packets to connection + traffic to table 4. A priority-100 flow sends the packets to connection tracker based on a hint provided by the previous tables (with a match for reg0 == 1). </p> - <h3>Ingress table 3: <code>from-lport</code> ACLs</h3> + <h3>Ingress table 4: <code>from-lport</code> ACLs</h3> <p> Logical flows in this table closely reproduce those in the @@ -175,7 +186,7 @@ </p> <p> - Ingress table 3 also contains a priority 0 flow with action + Ingress table 4 also contains a priority 0 flow with action <code>next;</code>, so that ACLs allow packets by default. If the logical datapath has a stateful ACL, the following flows will also be added: 
@@ -207,7 +218,7 @@ </li> </ul> - <h3>Ingress Table 4: STATEFUL</h3> + <h3>Ingress Table 5: STATEFUL</h3> <p> It contains a priority-0 flow that simply moves traffic to table 5. @@ -215,7 +226,7 @@ provided by the previous tables (with a match for reg1 == 1). </p> - <h3>Ingress Table 5: Destination Lookup</h3> + <h3>Ingress Table 6: Destination Lookup</h3> <p> This table implements switching behavior. It contains these logical @@ -264,32 +275,38 @@ output; </li> </ul> - <h3>Egress Table 0: <code>to-lport</code> Pre-ACLs</h3> + <h3>Egress Table 0: Pre-loadbalancer</h3> + + <p> + This is similar to ingress table 2. + </p> + + <h3>Egress Table 1: <code>to-lport</code> Pre-ACLs</h3> <p> This is similar to ingress table 1 except for <code>to-lport</code> traffic. </p> - <h3>Egress Table 1: Pre-STATEFUL</h3> + <h3>Egress Table 2: Pre-STATEFUL</h3> <p> - This is similar to ingress table 2. + This is similar to ingress table 3. </p> - <h3>Egress Table 2: <code>to-lport</code> ACLs</h3> + <h3>Egress Table 3: <code>to-lport</code> ACLs</h3> <p> - This is similar to ingress table 3 except for <code>to-lport</code> ACLs. + This is similar to ingress table 4 except for <code>to-lport</code> ACLs. </p> - <h3>Egress Table 3: STATEFUL</h3> + <h3>Egress Table 4: STATEFUL</h3> <p> - This is similar to ingress table 4. + This is similar to ingress table 5. </p> - <h3>Egress Table 4: Egress Port Security</h3> + <h3>Egress Table 5: Egress Port Security</h3> <p> This is similar to the ingress port security logic in ingress table 0, diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 9e30bc0..28f5b45 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c 
@@ -87,17 +87,19 @@ enum ovn_stage { /* Logical switch ingress stages. */ \ PIPELINE_STAGE(SWITCH, IN, PORT_SEC, 0, "ls_in_port_sec") \ PIPELINE_STAGE(SWITCH, IN, PRE_ACL, 1, "ls_in_pre_acl") \ - PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 2, "ls_in_pre_stateful") \ - PIPELINE_STAGE(SWITCH, IN, ACL, 3, "ls_in_acl") \ - PIPELINE_STAGE(SWITCH, IN, STATEFUL, 4, "ls_in_stateful") \ - PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 5, "ls_in_l2_lkup") \ + PIPELINE_STAGE(SWITCH, IN, PRE_LB, 2, "ls_in_pre_lb") \ + PIPELINE_STAGE(SWITCH, IN, PRE_STATEFUL, 3, "ls_in_pre_stateful") \ + PIPELINE_STAGE(SWITCH, IN, ACL, 4, "ls_in_acl") \ + PIPELINE_STAGE(SWITCH, IN, STATEFUL, 5, "ls_in_stateful") \ + PIPELINE_STAGE(SWITCH, IN, L2_LKUP, 6, "ls_in_l2_lkup") \ \ /* Logical switch egress stages. */ \ - PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 0, "ls_out_pre_acl") \ - PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 1, "ls_out_pre_stateful") \ - PIPELINE_STAGE(SWITCH, OUT, ACL, 2, "ls_out_acl") \ - PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 3, "ls_out_stateful") \ - PIPELINE_STAGE(SWITCH, OUT, PORT_SEC, 4, "ls_out_port_sec") \ + PIPELINE_STAGE(SWITCH, OUT, PRE_LB, 0, "ls_out_pre_lb") \ + PIPELINE_STAGE(SWITCH, OUT, PRE_ACL, 1, "ls_out_pre_acl") \ + PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful") \ + PIPELINE_STAGE(SWITCH, OUT, ACL, 3, "ls_out_acl") \ + PIPELINE_STAGE(SWITCH, OUT, STATEFUL, 4, "ls_out_stateful") \ + PIPELINE_STAGE(SWITCH, OUT, PORT_SEC, 5, "ls_out_port_sec") \ \ /* Logical router ingress stages. */ \ PIPELINE_STAGE(ROUTER, IN, ADMISSION, 0, "lr_in_admission") \ 
@@ -1024,6 +1026,31 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows, } static void +build_pre_lb(struct ovn_datapath *od, struct hmap *lflows) +{ + /* Allow all packets to go to next tables by default. */ + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 0, "1", "next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 0, "1", "next;"); + + if (od->nbs->loadbalancer) { + struct nbrec_load_balancer *lb = od->nbs->loadbalancer; + struct smap *vips = &lb->vips; + struct smap_node *node; + + SMAP_FOR_EACH (node, vips) { + struct ds match = DS_EMPTY_INITIALIZER; + + ds_put_format(&match, "ip && ip4.dst == %s", node->key); + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, + 100, ds_cstr(&match), "reg0 = 1; next;"); + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, + 100, "ip", "reg0 = 1; next;"); + ds_destroy(&match); + } + } +} + +static void build_pre_stateful(struct ovn_datapath *od, struct hmap *lflows) { /* Ingress and Egress Pre-STATEFUL Table (Priority 0): Packets are @@ -1177,6 +1204,7 @@ build_lswitch_flows(struct hmap *datapaths, struct hmap *ports, } build_pre_acls(od, lflows, ports); + build_pre_lb(od, lflows); build_pre_stateful(od, lflows); build_acls(od, lflows); build_stateful(od, lflows); -- 1.9.1 _______________________________________________ dev mailing list dev@openvswitch.org http://openvswitch.org/mailman/listinfo/dev
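Review bot: In the ovn-northd.8.xml hunk at @@ -150, the unchanged context line that opens the hunk still reads "advancing to table 3." in the Pre-ACLs description, but with the new Pre-loadbalancer table inserted at 2 the ACL table is now 4, as the new Pre-loadbalancer paragraph itself says ("before advancing to table 4"). Please bump that reference too so the two paragraphs agree.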
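Review bot: The STATEFUL description in the hunk at @@ -207 is renumbered to "Ingress Table 5: STATEFUL", but the context line right below it still says "It contains a priority-0 flow that simply moves traffic to table 5." Since Destination Lookup is now table 6, this should read "moves traffic to table 6."; otherwise the text claims the table forwards to itself.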
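Review bot: In build_pre_lb (hunk at @@ -1024), the egress flow `ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 100, "ip", "reg0 = 1; next;");` sits inside `SMAP_FOR_EACH (node, vips)`, so it is added once per VIP with an identical match and action; hoist it out of the loop and add it once under `if (od->nbs->loadbalancer)`. Two further points on the same function: `node->key` is interpolated unvalidated into `"ip && ip4.dst == %s"`, so a key that is not a bare IPv4 address (for example one that carries a port) produces a flow with an unparseable match that is still added to lflows, and it deserves a check or a parse step; and the egress side matches all `ip` rather than a VIP, which is a deliberate design choice that the reader cannot infer from the "Allow all packets to go to next tables by default." comment, so a function header comment in the style of build_pre_stateful explaining why egress traffic must be conntracked wholesale would help.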