Currently OVN supports NAT functionality by connecting each distributed logical router to a centralized "l3gateway" router that resides on a single chassis. NAT is only carried out in the "l3gateway" router.
This patch set introduces NAT capability in the distributed logical router itself, avoiding the need to pass through a transit logical switch and a second logical router, and in many cases avoiding the need to pass through a centralized chassis. NAT functionality is associated with the logical router gateway port. In order to support one-to-many SNAT (aka IP masquerading), where multiple private IP addresses spread across multiple chassis are mapped to a single public IP address, it will be necessary to handle some of the logical router processing on a specific chassis in a centralized manner. Some NAT flows are handled in a distributed manner on all chassis (following the local "patch" port as is normally done for distributed logical routers), while other NAT flows are handled on a centralized "redirect-chassis". Possible future work items (hopefully not required for this patch set to be accepted) include: 1. The NAT flows patch lifts the restriction that conntrack zones are only assigned to datapaths for gateway routers. Given recent changes to ovn-controller, a hypervisor only sees the datapaths for which there is a port resident on this chassis, or datapaths reachable from ports resident on this chassis. Is that good enough? Or should conntrack zone assignment for datapaths be restricted further, perhaps only to logical router datapaths? 2. The current automated test for NAT flows is single node, so it does not cover the distributed functionality. Full coverage requires a multi-node test with conntrack NAT capability, either in the kernel or userspace. Is this possible? Multi-node tests have been added for the chassisdirect patch, testing non-NAT aspects of the distributed router gateway port. 3. Consider how to generalize distributed versus centralized handling of non-NAT traffic being output on the distributed gateway port. If MAC learning is used in the upstream network, then the distributed gateway port’s MAC address must be restricted to the redirect-chassis by using the chassisredirect port. In the presence of dynamic protocols such as BGP EVPN, non-NAT traffic could be handled in a distributed manner. 4. Gratuitous ARP for NAT addresses needs to be updated for distributed NAT. 5. Add load balancing on the redirect chassis of an otherwise distributed logical router. PATCH v3 -> PATCH v4 Rebase PATCH v2 -> PATCH v3 Added table to set egress loopback flag in the egress pipeline stage, fixing east-west NAT across multiple chassis. PATCH v1 -> PATCH v2 Added ovn-trace logic for chassisredirect ports, including automated test. Added ovn-trace logic for egress loopback. Fixed some bugs in ovn-trace register handling from ingress to egress, and across patch ports (should these be filed separately as well?). RFC v4 -> PATCH v1 Added egress loopback capability Added east/west NAT tests to system-ovn.at (make check-kernel) Added REGBIT_NAT_REDIRECT flows to IN_IP_ROUTING and IN_ARP_RESOLVE, resolving remaining issues with east/west NAT RFC v3 -> RFC v4 Rebased to pick up recent changes to ovn-controller, including a fix to the localnet issue where VIFs had to be added on a chassis in order to cause the localnet port to be instantiated. The chassisredirect port logic was rewritten to avoid creating an ofport. Besides streamlining the code significantly, this fixed the problem when the distributed port name was longer than 12 characters. Restricted IPv6 ND replies for the router IP address to the redirect chassis, similar to IPv4 ARP restrictions. Added specific gateway redirect flows for unresolved ethernet destination, so that ARP requests generated by the router are sent through the redirect chassis regardless of NAT rules. Relaxed checks in chassisredirect tests so that they are independent of register assignments. Renamed ovn-northd.c "l3gateway_port" to "l3dgw_port" in order to avoid overlaps with gateway router terminology. RFC v2 -> RFC v3 Reordered the first two patches. Moved non-NAT specific flows from patch 5 to patch 2. Added automated tests for is_chassis_resident (which is ready for review) and chassisredirect patches. Added flows to limit ICMP echo replies for router IPs on the gateway interface, so that they are only generated on the redirect-chassis. Mickey Spiegel (6): ovn: add is_chassis_resident match expression component ovn: Introduce "chassisredirect" port binding ovn: add egress loopback capability ovn: move load balancing flows after NAT flows ovn: avoid snat recirc only on gateway routers ovn: distributed NAT flows include/ovn/actions.h | 3 + include/ovn/expr.h | 22 +- ovn/controller/binding.c | 8 + ovn/controller/lflow.c | 49 ++- ovn/controller/lflow.h | 5 +- ovn/controller/ovn-controller.c | 15 +- ovn/controller/physical.c | 101 +++++- ovn/lib/actions.c | 15 +- ovn/lib/expr.c | 155 ++++++++- ovn/lib/logical-fields.c | 8 + ovn/lib/logical-fields.h | 14 + ovn/northd/ovn-northd.8.xml | 421 ++++++++++++++++++++++- ovn/northd/ovn-northd.c | 717 ++++++++++++++++++++++++++++++++-------- ovn/ovn-nb.ovsschema | 13 +- ovn/ovn-nb.xml | 70 +++- ovn/ovn-sb.xml | 37 ++- ovn/utilities/ovn-trace.c | 105 +++++- tests/ovn.at | 303 ++++++++++++++++- tests/system-ovn.at | 338 +++++++++++++++++++ tests/test-ovn.c | 15 +- 20 files changed, 2218 insertions(+), 196 deletions(-) -- 1.9.1 _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev