On Wed, Feb 17, 2021 at 2:36 PM Tim Rozet <tro...@redhat.com> wrote: > > > > > On Tue, Feb 16, 2021 at 4:21 AM Han Zhou <hz...@ovn.org> wrote: >> >> >> >> On Wed, Feb 10, 2021 at 2:17 PM Lorenzo Bianconi < lorenzo.bianc...@redhat.com> wrote: >> > >> > Increase priority for automatic routes (routes created assigning IP >> > addresses to OVN logical router interfaces) in order to always prefer them >> > over static routes since the router has a direct link to the destination >> > address (possible use-case can be found here [0]). >> > >> > [0] https://bugzilla.redhat.com/show_bug.cgi?id=1891516 >> > >> >> Hi Lorenzo, Tim, >> >> While the patch may solve the problem in the bug report, I think there is something more fundamental to be discussed. The problem is caused by ovn-k8s's use of "src-ip" in static routes which overrides the direct-connected route. I think the implementation of "src-ip" support in the static route is somehow flawed. The priorities of the flows generated by static routes are calculated according to the prefix length, so that longest prefix routes are prioritised when there are multiple route matches, which is correct when comparing matches among "dst-ip" routes or among "src-ip" routes, but is not correct between "dst-ip" and "src-ip" routes. Comparison of prefix length between these two types of static routes doesn't make sense, because they match by different fields (src-ip v.s. dst-ip). For example, when there are static routes: >> 1. 192.168.0.0/24 via 100.64.0.1 src-ip >> 2. 10.0.0.0/20 via 100.64.0.2 dst-ip >> >> In this example, a packet from 192.168.0.1 to 10.0.0.1 matches both routes, but it is unreasonable to say it should follow the 1st route just because it has longer prefix length. Instead, we should prioritize one type over the other. It seems in physical router implementation policy based routing always has higher priority than destination routing, so we should probably enforce it in a similar way in OVN, i.e. set "src-ip" flows with higher priority than all the "dst-ip" flows. In fact, the policy routing table already supported this behavior because it is examined before the static route table. >> >> Since the "src-ip" feature in the static route table is flawed, and can be replaced by the policy routing table, I'd suggest to deprecate it. For correctness, users (like ovn-k8s) should use the policy routing table instead for the src-ip based routing rules. Users have full control of how they want the packets to be routed. For the use case mentioned in the bug report, it should have two rules in the policy routing table: >> >> >> 100 ip.dst == 100.64.0.0/16 accept # for directly connected destination, skip the src-ip rules >> 90 ip.src == 10.244.0.0/24 nexthop 100.64.0.1 # src-ip rules >> >> Would this better satisfy the need of ovn-k8s? > > > I believe this is correct. src-ip matching should be done in the policy table so traditional dest based routing is handled in default routing table. Need to go double check though. > >> >> If the above is agreed, the priority change of directly connected routes from this patch is irrelevant to the problem reported in the bug, because policy routing rules are examined before the static routing table anyway, so no matter how high the route priority is, it wouldn't matter. In addition, it seems to me no real use cases would benefit from this change, but I could be wrong and please correct me if so. >> > I disagree with this. Trying to override a directly connected route is fundamentally wrong, which is why real routers specifically stop a user from being able to do this. What if a user who had a router attached to 100.64.0.0/16, adds a /32 route for 100.64.0.1 via another interface/subnet? That would take precedence over the directly attached route in OVN iiuc and pretty much guarantee improper networking. Directly connected routes should always take precedence, and therefore the default route lflows that get installed should always have the highest possible priority. >
Hi Tim, Thanks for your inputs. Here are my thoughts: In the scenario we discussed, it is in fact the same output interfaces but just different nexthops in the 10.64.0.0/16 subnet. In this case, adding a more specific route with a specific nexthop on the directly connected subnet doesn't seem to be violating any routing principle, right? Use the topology in the bug report as an example ((In the diagram of the bug report I think there is a typo: 100.64.0.1 should be the DR's output port IP, and 100.64.0.2 & 100.64.0.3 belong to GR1 and GR2). 10.64.0.0/16 is directly connected, but the adjacent L2 network doesn't have to have all the /16 IPs directly connected. Some of the nodes can reside behind a L3 hop. For example, if we know that 10.64.1.0/24 is behind a router with IP 10.64.255.1, we can still add a route: 10.64.1.0/24 via 10.64.255.1, which should work with the current OVN implementation, while this patch would in fact break it. On the other hand, what I wanted to emphasize is not that we want to support the above use case I mentioned - it doesn't look like a good design for me either although it seems valid. My point is that maybe we shouldn't have the special adjustment for the priority just to restrict such use cases, which doesn't bring us any extra benefit, while making the code less generic. OVN providing the possibility of overriding the routes with longer prefix length doesn't mean the user has to use it, and if someone relies on this capability for their special needs then I assume they should have a clear understanding of what they are doing - it is totally up to the user. If we do believe that any configuration that tries to add more specific routes than the directly connected routes is invalid and want to protect against them (I am not convinced yet), then probably we should consider even more scenarios, e.g. what if there are two interfaces configured with overlapping directly connected subnets, e.g. 100.64.0.0/16 on LRP1 and 100.64.123.0/24 on LRP2 (both LRP1 and LRP2 are on the same LR)? Currently if a packet with dest IP 100.64.123.* arrives we would expect it to be routed to LRP2, but with this patch they will have the same priority and the behavior will become unpredictable. So for the above reasons I'm a little concerned about making the specific change for the priorities of directly connected routes because it seems would make things more complex without obvious benefits. Thanks, Han _______________________________________________ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
