On Mon, Mar 20, 2023 at 9:04 AM Felix Hüttner via dev <
ovs-dev@openvswitch.org> wrote:
> Assume the following setup:
>
> +----------------+
> | Logical Router |
> | lr001 +-+
> +----------------+ |
> |
> +----------------+ |
> | Logical Router | | +----------------+ +------------------+
> | lr002 +-+-+ Logical Switch +-+ Phyiscal Network |
> +----------------+ | | ls-ext | | |
> | +----------------+ +------------------+
> ... |
> |
> +----------------+ |
> | Logical Router | |
> | lr300 +-+
> +----------------+
>
> If a arp request for the ip of lr001 on ls-ext is now received it is
> only forwarded to that individual logical router.
>
> If we however now receive a arp request for an ip not used by any of
> lr001-lr300 we try to flood the arp request to all logical ports on ls-ext.
> With around 300 routers this causes the arp request to be dropped after
> some routers as we hit the 4096 resubmit limit.
>
> In the most cases forwarding the arp requests to the logical routers is
> pointless as we already know all of their ip addresses and they will
> therefor not be able to answer the arp requests anyway.
> Only if someone sends garps this is not the case. Then the request would
> need to be flooded to all logical routers.
>
> We can therefor not generally send these arp requests to MC_FLOOD_L2 as
> this would break garps. As we can also not detect garps we need to leave
> the solution to our users.
>
> To do this we introduce the other_config `broadcast-arps-to-all-routers`
> on logical switches (which is per default true). If set to false we add
> a logical flow that forwards arp requests where we do not know a
> specific target logical switch port to MC_FLOOD_L2, thereby bypassing
> all logical routers.
>
> Signed-off-by: Felix Huettner <felix.huettner@mail.schwarz>
> ---
> NEWS | 5 +++++
> northd/northd.c | 8 ++++++++
> northd/ovn-northd.8.xml | 7 +++++++
> ovn-nb.xml | 12 ++++++++++++
> tests/ovn-northd.at | 31 +++++++++++++++++++++++++++++++
> 5 files changed, 63 insertions(+)
>
> diff --git a/NEWS b/NEWS
> index 637adcff3..2379f5089 100644
> --- a/NEWS
> +++ b/NEWS
> @@ -2,6 +2,11 @@ Post v23.03.0
> -------------
> - Enhance LSP.options:arp_proxy to support IPv6, configurable MAC
> addresses and CIDRs.
> + - Add LS.other_config:broadcast-arps-to-all-routers. If false then arp
> + requests are only send to Logical Routers on that Logical Switch if
> the
> + target mac address matches. Arp requests matching no Logical Router
> will
> + only be forwarded to non-router ports. Default is true which keeps the
> + existing behaviour of flooding these arp requests to all attached
> Ports.
>
> OVN v23.03.0 - 03 Mar 2023
> --------------------------
> diff --git a/northd/northd.c b/northd/northd.c
> index 5f0b436c2..be6d70d94 100644
> --- a/northd/northd.c
> +++ b/northd/northd.c
> @@ -9030,6 +9030,14 @@ build_lswitch_destination_lookup_bmcast(struct
> ovn_datapath *od,
> }
> }
>
> +
> + if (!smap_get_bool(&od->nbs->other_config,
> + "broadcast-arps-to-all-routers", true)) {
> + ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 72,
> + "eth.mcast && (arp.op == 1 || nd_ns)",
> + "outport = \""MC_FLOOD_L2"\"; output;");
> + }
> +
> ovn_lflow_add(lflows, od, S_SWITCH_IN_L2_LKUP, 70, "eth.mcast",
> "outport = \""MC_FLOOD"\"; output;");
> }
> diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml
> index 5d513e65a..3d5f579fe 100644
> --- a/northd/ovn-northd.8.xml
> +++ b/northd/ovn-northd.8.xml
> @@ -1880,6 +1880,13 @@ output;
> non-router logical ports.
> </li>
>
> + <li>
> + A priority-72 flow that outputs all ARP requests and ND packets
> with
> + an Ethernet broadcast or multicast <code>eth.dst</code> to the
> + <code>MC_FLOOD_L2</code> multicast group if
> + <code>other_config:broadcast-arps-to-all-routers=true</code>.
> + </li>
> +
> <li>
> A priority-70 flow that outputs all packets with an Ethernet
> broadcast
> or multicast <code>eth.dst</code> to the <code>MC_FLOOD</code>
> diff --git a/ovn-nb.xml b/ovn-nb.xml
> index 73f707aa0..d106af8be 100644
> --- a/ovn-nb.xml
> +++ b/ovn-nb.xml
> @@ -729,6 +729,18 @@
> localnet ports, fabric traffic that belongs to other tagged
> networks may
> be passed through such a port.
> </column>
> +
> + <column name="other_config" key="broadcast-arps-to-all-routers"
> + type='{"type": "boolean"}'>
> + Determines whether arp requests and ipv6 neighbor solicitations
> should
> + be send to all routers and other switchports (default) or if it
> should
> + only be send to switchports where the ip/mac address is unknown.
> + Setting this to false can significantly reduce the load if the
> logical
> + switch can receive arp requests for ips it does not know about.
> + However setting this to false also means that garps are no longer
> + forwarded to all routers and therefor the mac bindings of the
> routers
> + are no longer updated.
> + </column>
> </group>
>
> <group title="Common Columns">
> diff --git a/tests/ovn-northd.at b/tests/ovn-northd.at
> index ef29233db..4bf59f4af 100644
> --- a/tests/ovn-northd.at
> +++ b/tests/ovn-northd.at
> @@ -6421,6 +6421,37 @@ AT_CHECK([ovn-sbctl get Port_Binding S1-R1
> nat_addresses |grep -q 172.16.1.10],
> AT_CLEANUP
> ])
>
> +OVN_FOR_EACH_NORTHD_NO_HV([
> +AT_SETUP([check broadcast-arps-to-all-routers option])
> +ovn_start
> +
> +ovn-nbctl lr-add R1
> +ovn-nbctl set logical_router R1 options:chassis=hv1
> +ovn-nbctl lrp-add R1 R1-S1 02:ac:10:01:00:01 172.16.1.1/24
> +
> +ovn-nbctl ls-add S1
> +ovn-nbctl lsp-add S1 S1-R1
> +ovn-nbctl lsp-set-type S1-R1 router
> +ovn-nbctl lsp-set-addresses S1-R1 "02:ac:10:01:00:01 172.16.1.1"
> +ovn-nbctl --wait=sb lsp-set-options S1-R1 router-port=R1-S1
> nat-addresses="router"
> +ovn-nbctl lsp-add S1 S1-VIF
> +ovn-nbctl lsp-set-addresses S1-VIF "02:ac:10:01:00:02 unkown"
> +
> +AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q
> 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport =
> "_MC_flood_l2"; output;)'], [1])
> +
> +ovn-nbctl --wait=sb set Logical_Switch S1 \
> + other_config:broadcast-arps-to-all-routers=false
> +
> +AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q
> 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport =
> "_MC_flood_l2"; output;)'], [0])
> +
> +ovn-nbctl --wait=sb set Logical_Switch S1 \
> + other_config:broadcast-arps-to-all-routers=true
> +
> +AT_CHECK([ovn-sbctl lflow-list S1 | grep ls_in_l2_lkup | grep -q
> 'match=(eth.mcast && (arp.op == 1 || nd_ns)), action=(outport =
> "_MC_flood_l2"; output;)'], [1])
> +
> +AT_CLEANUP
> +])
> +
> OVN_FOR_EACH_NORTHD_NO_HV([
> AT_SETUP([ACL log replies -- flows])
>
> --
> 2.39.2
> Diese E Mail enthält möglicherweise vertrauliche Inhalte und ist nur für
> die Verwertung durch den vorgesehenen Empfänger bestimmt. Sollten Sie nicht
> der vorgesehene Empfänger sein, setzen Sie den Absender bitte unverzüglich
> in Kenntnis und löschen diese E Mail. Hinweise zum Datenschutz finden Sie
> hier<https://www.datenschutz.schwarz>.
> _______________________________________________
> dev mailing list
> d...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>
>
Looks good to me, thanks.
Acked-by: Ales Musil <amu...@redhat.com>
--
Ales Musil
Senior Software Engineer - OVN Core
Red Hat EMEA <https://www.redhat.com>
amu...@redhat.com IM: amusil
<https://red.ht/sig>
_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
