On 1/31/20 10:26 AM, Numan Siddique wrote:
> On Thu, Jan 30, 2020 at 8:08 PM Dumitru Ceara <dce...@redhat.com> wrote:
>>
>> In case a VIF is trying to connect to a load balancer VIP that includes in
>> its backends the VIF itself, traffic would get DNAT-ed, ct_lb(VIP), but
>> when it reaches the VIF, the VIF will try to reply locally as the source IP
>> is known to be local. For this kind of hairpinning to work properly, reply
>> traffic must be sent back through OVN and the way to enforce that is to
>> perform SNAT (VIF source IP -> VIP) on hairpinned packets.
>>
>> For load balancers configured on gateway logical routers we already have the
>> possibility of using 'lb_force_snat_ip' but for load balancers configured
>> on logical switches there's no such configuration.
>>
>> For this second case we take an automatic approach which determines if
>> load balanced traffic needs to be hairpinned and execute the SNAT. To achieve
>> this, two new stages are added to the logical switch ingress pipeline:
>> - Ingress Table 11: Pre-Hairpin: which matches on load balanced traffic
>>   coming from VIFs that needs to be hairpinned and sets REGBIT_HAIRPIN
>>   (reg0[6]) to 1. If the traffic is in the direction that initiated the
>>   connection then 'ct_snat(VIP)' is performed, otherwise 'ct_snat' is
>>   used to unSNAT replies.
>> - Ingress Table 12: Hairpin: which hairpins packets at L2 (swaps Ethernet
>>   addresses and loops traffic back on the ingress port) if REGBIT_HAIRPIN
>>   is 1.
>>
>> Also, update all references to logical switch ingress pipeline tables to use
>> the correct indices.
>>
>> NOTE: The newly added "Load Balancer LS hairpin IPv4/IPv6" system tests
>> fail when running with the userspace datapath because of a userspace
>> conntrack issue. A fix for the conntrack issue was proposed here:
>> https://patchwork.ozlabs.org/patch/1231433/
>>
>> Reported-at: https://github.com/ovn-org/ovn-kubernetes/issues/817
>> Signed-off-by: Dumitru Ceara <dce...@redhat.com>
>>
>> ---
>> v3:
>> - rebase.
>> - update comment to indicate that hairpinning doesn't work with the
>>   OVS userspace datapath due to a conntrack bug.
>> v2:
>> - add system-ovn.at tests for LB hairpinning.
>> - address Numan's comments.
>
> Thanks for v3.
>
> I applied this patch to master with below minor changes
>
> diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index 4ad03e7b9..2ce4f5ddb 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c > @@ -5418,8 +5418,8 @@ build_lb_hairpin_rules(struct ovn_datapath *od, > struct hmap *lflows, > const char *proto) > { > /* Ingress Pre-Hairpin table. > - * - Priority 200: SNAT load balanced traffic that needs to be > hairpinned. > - * - Priority 100: unSNAT replies to hairpinned load balanced traffic. > + * - Priority 2: SNAT load balanced traffic that needs to be hairpinned. > + * - Priority 1: unSNAT replies to hairpinned load balanced traffic. > */ > for (size_t i = 0; i < lb_vip->n_backends; i++) { > struct lb_vip_backend *backend = &lb_vip->backends[i];
>
> Thanks
> Numan
>
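Review bot: the priorities in the "Ingress Pre-Hairpin table" comment at the top of build_lb_hairpin_rules() are still bare literals (now 2 and 1), which is how the comment went stale at 200/100 in the first place, and the hunk's context stops at the start of the backend loop, so the new numbers cannot be checked against the flow-adding calls from what is shown here. Consider defining the two priorities once as named constants and using those names both in the comment and where the flows are added, or dropping the numbers from the comment and stating only that the SNAT flow has the higher priority of the two.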
Thanks Numan! LGTM, I guess I forgot to change the comment between patch
iterations.

Regards,
Dumitru
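Added example (not part of the thread and not OVN code): a simplified Python model of the hairpin case described in the commit message, showing which source address the client sees on the reply with and without the SNAT to the VIP. The addresses, the function names and the `src == dst` hairpin test are assumptions of this model, and the L2 loopback done by the Hairpin stage is not modelled.

```python
from dataclasses import dataclass, replace

# Constructed sample addresses, not taken from the thread.
VIP = "10.0.0.100"
BACKENDS = ("10.0.0.2", "10.0.0.3")


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    hairpin: bool = False  # stands in for REGBIT_HAIRPIN (reg0[6])


def ct_lb(pkt, backend):
    """DNAT: a packet addressed to the VIP is rewritten to the chosen backend."""
    return replace(pkt, dst=backend) if pkt.dst == VIP else pkt


def pre_hairpin(pkt, snat_enabled=True):
    """Model of the Pre-Hairpin stage for the connection-initiating direction.
    Assumption: hairpin is needed when, after DNAT, the sender is the backend."""
    if snat_enabled and pkt.src == pkt.dst and pkt.dst in BACKENDS:
        return replace(pkt, src=VIP, hairpin=True)  # ct_snat(VIP)
    return pkt


def backend_reply(pkt):
    """The backend answers the source it saw. A reply addressed to its own
    IP is handled locally and never goes back through OVN."""
    reply = Pkt(src=pkt.dst, dst=pkt.src)
    return reply, reply.dst != reply.src


def undo_nat(reply, orig_src):
    """Reply direction inside OVN: unSNAT (VIP -> original client), then
    unDNAT (backend source -> VIP), as conntrack would do."""
    dst = orig_src if reply.dst == VIP else reply.dst
    return Pkt(src=VIP, dst=dst)


def connect(client, backend, snat_enabled=True):
    """Return the source address the client sees on the reply packet."""
    pkt = pre_hairpin(ct_lb(Pkt(client, VIP), backend), snat_enabled)
    reply, via_ovn = backend_reply(pkt)
    if via_ovn:
        reply = undo_nat(reply, client)
    return reply.src
```

In the model, a client that connected to the VIP only accepts a reply whose source is the VIP; without the SNAT the self-selected backend answers from its own address, which is the failure the commit message describes.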