On Sat, May 9, 2020 at 4:53 PM Girish Moodalbail <gmoodalb...@gmail.com> wrote:
>
> (edited the subject line.. sorry about not adding the necessary tags initially)
>
> On Fri, May 8, 2020 at 12:50 AM Girish Moodalbail <gmoodalb...@gmail.com> wrote:
>>
>> Hello all,
>>
>> In certain cases, the logical_flow priorities in lr_in_ip_routing will be such that one cannot forward the packets to the directly connected logical switch. Let me explain using the logical topology below:
>>
>> +-----------+                    +-----------+
>> | l3gateway |                    | l3gateway |
>> |   node1   |                    |   node2   |
>> +----^------+                    +------^----+
>> 100.64.0.2                         100.64.0.3
>>      |                                  |
>> +----+----------------------------------+-----+
>> |                 join switch                 |
>> +----------------------^----------------------+
>>                        |
>> +----------------------+----------------------+      +----------------+
>> |             logical_router(lr1)             |      |      ls3       |
>> | src-ip=192.168.1.0/24    nexthop=100.64.0.2 +------+ 172.16.0.0/23  |
>> | src-ip=192.168.2.0/24    nexthop=100.64.0.3 |      |                |
>> +---------^-------------------------^---------+      +----------------+
>>           |                         |
>>           |                         |
>>  +--------+-------+           +-----+----------+
>>  |      ls1       |           |      ls2       |
>>  | 192.168.1.0/24 |           | 192.168.2.0/24 |
>>  +----------------+           +----------------+
>>
>>
>> We have 3 logical switches -- ls1, ls2, and ls3 directly connected to the distributed router. On this router, we have added policy-based routing based on the source IP. We steer all the packets from ls1 towards l3gateway on node1 and all the packets from ls2 towards l3gateway on node2.
>>
>> Note that the prefix-length of the `ls3` router is a little larger than that for ls1 and ls2.
>>
>> If you look at the logical flows that represent the static routes in the `lr_in_ip_routing` table for the distributed router, you will see that the packets destined to ls3 will be matched last, that is, after the source-ip based routing. As a result, packets from LS1 and LS2 destined to LS3 will never get forwarded to LS3 because they will hit the source-ip based routes first due to longest-prefix match. The order of routes will be
>>
>> 1. ip4.dst == 192.168.1.0/24
>> 2. ip4.dst == 192.168.2.0/24
>> 3. ip4.dst == 100.64.0.0/24
>> 4. src-ip == 192.168.1.0/24
>> 5. src-ip == 192.168.2.0/24
>> 6. ip4.dst == 172.16.0.0/23
>>
>> Is this by design? One would think that the directly connected routes should get higher priority before we start checking the source-ip based routes.
>>
>> To work around the problem, I am thinking of putting another logical router between the lr1 and ls3, like this:
>>
>>    lr1 <---- peer -----> lr2 <----> ls3
>>         (some /30 CIDR)       (172.16.0.0/23)
>>
>> Regards
>> ~Girish
>>
>>
> _______________________________________________
> discuss mailing list
> disc...@openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-discuss

I agree with you. I think that even dst routes should take priority over src routes (or the other way around). It seems not quite meaningful to compare prefix length between src routes and dst routes. Not sure if someone has a different opinion with certain use cases.

Thanks,
Han
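
The route ordering discussed in this thread can be reproduced with a small model. This is an added example, not code from the thread or from OVN: the `interleaved` priority formula is an assumption chosen because it yields exactly the six-route order listed in the quoted message, and `dst_first` is one hypothetical reading of the suggestion that dst routes always outrank src routes.

```python
import ipaddress

# Routes on lr1 as listed in the thread: (match direction, prefix, action).
ROUTES = [
    ("dst", "192.168.1.0/24", "ls1"),
    ("dst", "192.168.2.0/24", "ls2"),
    ("dst", "100.64.0.0/24", "join"),
    ("src", "192.168.1.0/24", "nexthop 100.64.0.2"),
    ("src", "192.168.2.0/24", "nexthop 100.64.0.3"),
    ("dst", "172.16.0.0/23", "ls3"),
]

def interleaved(direction, plen):
    # Assumed scheme: prefix length dominates, direction only breaks ties,
    # so a /24 src route outranks a /23 dst route.
    return 2 * plen + (1 if direction == "dst" else 0)

def dst_first(direction, plen):
    # Hypothetical alternative: every dst route outranks every src route;
    # prefix length is compared only within the same direction.
    return plen + (1000 if direction == "dst" else 0)

def ordered(priority):
    """Routes in evaluation order (highest priority first, stable on ties)."""
    def key(r):
        return priority(r[0], ipaddress.ip_network(r[1]).prefixlen)
    return sorted(ROUTES, key=key, reverse=True)

def route(src, dst, priority):
    """Return the action of the first route that matches the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for direction, prefix, action in ordered(priority):
        addr = src if direction == "src" else dst
        if addr in ipaddress.ip_network(prefix):
            return action
    return "drop"

if __name__ == "__main__":
    # Constructed sample packet: a host on ls1 talking to a host on ls3.
    for scheme in (interleaved, dst_first):
        print(scheme.__name__, "->", route("192.168.1.10", "172.16.0.5", scheme))
```

Under the interleaved scheme the ls1-to-ls3 packet is steered to the gateway at 100.64.0.2 instead of ls3; under the dst-first scheme it reaches ls3 while traffic to external destinations still follows the source-based routes.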