Re: [ovs-dev] [External] : Re: [PATCH ovn] northd: Skip arp-proxy flows if the lsp is a router port.
On 07/06/2024 14:20, Dumitru Ceara wrote: On 6/7/24 12:24, brendan.do...@oracle.com wrote: On 06/06/2024 17:34, Dumitru Ceara wrote: On 6/5/24 16:52, Brendan Doyle via dev wrote: So I'm wondering will this break the LSP option: *o**p**t**i**o**n**s* *:* *a**r**p**_**p**r**o**x**y*: optional string Optional. A list of MAC and addresses/cidrs or just ad‐ dresses/cidrs that this logical switch*r**o**u**t**e**r* port will reply to ARP/NDP requests. Examples:*1**6**9**.**2**5**4**.**2**3**9**.**2**5**4* *1**6**9**.**2**5**4**.**2**3**9**.**2*, *0**a**:**5**8**:**a**9**:**f**e**:**0**1**:**0**1* *1**6**9**.**2**5**4**.**2**3**9**.**2**5**4* *1**6**9**.**2**5**4**.**2**3**9**.**2* *1**6**9**.**2**5**4**.**2**3**8**.**0**/**2**4*,*f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**1* *f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**2*, *0**a**:**5**8**:**a**9**:**f**e**:**0**1**:**0**1* *f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**0**/**6**4*. The*o**p**t**i**o**n**s**:**r**o**u**t**e**r**-* *p**o**r**t*’s logical router should have a route to forward packets sent to configured proxy ARP MAC/IPs to an appropriate destina‐ tion. Hi Brendan, I'm not sure I understand what breaks. Do you have a specific scenario in mind? The patch is for the arp-proxy feature. I doubt that people rely on ARP requests originated by logical routers being handled by the arp proxy on the connected logical switch port. But I might be wrong. Thanks, Dumitru The arp_proxy option allows an lsp prot connected to an LR to respond to ARP requests sent from say a VM connected to the same LS. Right, we have a test for that: https://urldefense.com/v3/__https://github.com/ovn-org/ovn/blob/main/tests/system-ovn.at*L10721-L10869__;Iw!!ACWV5N9M2RV99hQ!K8qbDDzmm6Fz7yPm3lubG0kMbM_MmKQPqAW5ewepc1iqUAdif248P613_b0CNhmCXnEozbrwpIVCStm3Jg$ And the patch doesn't change it, it just expands it. Or am I missing something? No, I think we are good then just checking. Regards, Dumitru On 05/06/2024 13:03, Enrique Llorente Pastora wrote: On Wed, Jun 5, 2024 at 12:12 PM Lorenzo Bianconi < lorenzo.bianc...@redhat.com> wrote: On 5/14/24 18:44, Lorenzo Bianconi wrote: Skip proxy-arp logical flows for traffic that is entering the logical switch pipeline from a lsp of type router. This patch will avoid recirculating back the traffic entering by the logical router pipeline if proxy-arp hasn been configured by the CMS. Reported-at:https://urldefense.com/v3/__https://issues.redhat.com/browse/FDP-96__;!!ACWV5N9M2RV99hQ!LZCOnrD03VQXa0QBfUgAD0IntqpkCU4P2Mz0jhlfAcJ0Joe1ehsAIloa28JszFGBjchui8U4OL2MfnKJQEhn$ Signed-off-by: Lorenzo Bianconi --- Hi Lorenzo, This change looks OK but I'd like to double check that it doesn't break CNV/ovn-kubernetes use cases. Hi Enrique, Would you mind double checking that on one of your setups? If I'm not wrong our upstream ovn-kubernetes (in ovn-org/ovn) tests don't enable anything CNV specific: https://urldefense.com/v3/__https://github.com/ovsrobot/ovn/actions/runs/9083258143__;!!ACWV5N9M2RV99hQ!LZCOnrD03VQXa0QBfUgAD0IntqpkCU4P2Mz0jhlfAcJ0Joe1ehsAIloa28JszFGBjchui8U4OL2MflAqga4Q$ Thanks, Dumitru Hi Dumitru, Thx, for the review. That's a good idea :) Live migration tests look fine with this change, both IC and non IC, let's also activate the kubevirt lanes so we gate with them too. Tested-by: Regards, Lorenzo northd/northd.c | 15 +-- tests/ovn.at | 8 tests/system-ovn.at | 22 +- 3 files changed, 38 insertions(+), 7 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 0cabda7ea..29dc58ef4 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -118,6 +118,7 @@ static bool default_acl_drop; #define REGBIT_PORT_SEC_DROP "reg0[15]" #define REGBIT_ACL_STATELESS "reg0[16]" #define REGBIT_ACL_HINT_ALLOW_REL "reg0[17]" +#define REGBIT_FROM_ROUTER_PORT "reg0[18]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -5785,6 +5786,13 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct lflow_table *lflows, &op->od->localnet_ports[0]->nbsp->header_, op->lflow_ref); } + } else if (lsp_is_router(op->nbsp)) { + ds_put_format(actions, REGBIT_FROM_ROUTER_PORT" = 1; next;"); + ovn_lflow_add_with_lport_and_hint(lflows, op->od, + S_SWITCH_IN_CHECK_PORT_SEC, 70, + ds_cstr(match), ds_cstr(actions), + op->key, &op->nbsp->header_,
Re: [ovs-dev] [External] : Re: [PATCH ovn] northd: Skip arp-proxy flows if the lsp is a router port.
On 06/06/2024 17:34, Dumitru Ceara wrote: On 6/5/24 16:52, Brendan Doyle via dev wrote: So I'm wondering will this break the LSP option: *o**p**t**i**o**n**s* *:* *a**r**p**_**p**r**o**x**y*: optional string Optional. A list of MAC and addresses/cidrs or just ad‐ dresses/cidrs that this logical switch*r**o**u**t**e**r* port will reply to ARP/NDP requests. Examples:*1**6**9**.**2**5**4**.**2**3**9**.**2**5**4* *1**6**9**.**2**5**4**.**2**3**9**.**2*, *0**a**:**5**8**:**a**9**:**f**e**:**0**1**:**0**1* *1**6**9**.**2**5**4**.**2**3**9**.**2**5**4* *1**6**9**.**2**5**4**.**2**3**9**.**2* *1**6**9**.**2**5**4**.**2**3**8**.**0**/**2**4*,*f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**1* *f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**2*, *0**a**:**5**8**:**a**9**:**f**e**:**0**1**:**0**1* *f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**0**/**6**4*. The*o**p**t**i**o**n**s**:**r**o**u**t**e**r**-* *p**o**r**t*’s logical router should have a route to forward packets sent to configured proxy ARP MAC/IPs to an appropriate destina‐ tion. Hi Brendan, I'm not sure I understand what breaks. Do you have a specific scenario in mind? The patch is for the arp-proxy feature. I doubt that people rely on ARP requests originated by logical routers being handled by the arp proxy on the connected logical switch port. But I might be wrong. Thanks, Dumitru The arp_proxy option allows an lsp prot connected to an LR to respond to ARP requests sent from say a VM connected to the same LS. On 05/06/2024 13:03, Enrique Llorente Pastora wrote: On Wed, Jun 5, 2024 at 12:12 PM Lorenzo Bianconi < lorenzo.bianc...@redhat.com> wrote: On 5/14/24 18:44, Lorenzo Bianconi wrote: Skip proxy-arp logical flows for traffic that is entering the logical switch pipeline from a lsp of type router. This patch will avoid recirculating back the traffic entering by the logical router pipeline if proxy-arp hasn been configured by the CMS. Reported-at:https://urldefense.com/v3/__https://issues.redhat.com/browse/FDP-96__;!!ACWV5N9M2RV99hQ!LZCOnrD03VQXa0QBfUgAD0IntqpkCU4P2Mz0jhlfAcJ0Joe1ehsAIloa28JszFGBjchui8U4OL2MfnKJQEhn$ Signed-off-by: Lorenzo Bianconi --- Hi Lorenzo, This change looks OK but I'd like to double check that it doesn't break CNV/ovn-kubernetes use cases. Hi Enrique, Would you mind double checking that on one of your setups? If I'm not wrong our upstream ovn-kubernetes (in ovn-org/ovn) tests don't enable anything CNV specific: https://urldefense.com/v3/__https://github.com/ovsrobot/ovn/actions/runs/9083258143__;!!ACWV5N9M2RV99hQ!LZCOnrD03VQXa0QBfUgAD0IntqpkCU4P2Mz0jhlfAcJ0Joe1ehsAIloa28JszFGBjchui8U4OL2MflAqga4Q$ Thanks, Dumitru Hi Dumitru, Thx, for the review. That's a good idea :) Live migration tests look fine with this change, both IC and non IC, let's also activate the kubevirt lanes so we gate with them too. Tested-by: Regards, Lorenzo northd/northd.c | 15 +-- tests/ovn.at | 8 tests/system-ovn.at | 22 +- 3 files changed, 38 insertions(+), 7 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 0cabda7ea..29dc58ef4 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -118,6 +118,7 @@ static bool default_acl_drop; #define REGBIT_PORT_SEC_DROP "reg0[15]" #define REGBIT_ACL_STATELESS "reg0[16]" #define REGBIT_ACL_HINT_ALLOW_REL "reg0[17]" +#define REGBIT_FROM_ROUTER_PORT "reg0[18]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -5785,6 +5786,13 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct lflow_table *lflows, &op->od->localnet_ports[0]->nbsp->header_, op->lflow_ref); } + } else if (lsp_is_router(op->nbsp)) { + ds_put_format(actions, REGBIT_FROM_ROUTER_PORT" = 1; next;"); + ovn_lflow_add_with_lport_and_hint(lflows, op->od, + S_SWITCH_IN_CHECK_PORT_SEC, 70, + ds_cstr(match), ds_cstr(actions), + op->key, &op->nbsp->header_, + op->lflow_ref); } } @@ -9051,7 +9059,9 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, if (op->proxy_arp_addrs.n_ipv4_addrs) { /* Match rule on all proxy ARP IPs. */ ds_clear(match); - ds_put_cstr(match, "arp.op == 1 && arp.tpa == {"); + ds_put_cstr(match, + REGBIT_FROM_ROUTER_
Re: [ovs-dev] [External] : Re: [PATCH ovn] northd: Skip arp-proxy flows if the lsp is a router port.
So I'm wondering will this break the LSP option: *o**p**t**i**o**n**s* *:* *a**r**p**_**p**r**o**x**y*: optional string Optional. A list of MAC and addresses/cidrs or just ad‐ dresses/cidrs that this logical switch*r**o**u**t**e**r* port will reply to ARP/NDP requests. Examples:*1**6**9**.**2**5**4**.**2**3**9**.**2**5**4* *1**6**9**.**2**5**4**.**2**3**9**.**2*, *0**a**:**5**8**:**a**9**:**f**e**:**0**1**:**0**1* *1**6**9**.**2**5**4**.**2**3**9**.**2**5**4* *1**6**9**.**2**5**4**.**2**3**9**.**2* *1**6**9**.**2**5**4**.**2**3**8**.**0**/**2**4*,*f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**1* *f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**2*, *0**a**:**5**8**:**a**9**:**f**e**:**0**1**:**0**1* *f**d**7**b**:**6**b**4**d**:**7**b**2**5**:**d**2**2**f**:**:**0**/**6**4*. The*o**p**t**i**o**n**s**:**r**o**u**t**e**r**-* *p**o**r**t*’s logical router should have a route to forward packets sent to configured proxy ARP MAC/IPs to an appropriate destina‐ tion. On 05/06/2024 13:03, Enrique Llorente Pastora wrote: On Wed, Jun 5, 2024 at 12:12 PM Lorenzo Bianconi < lorenzo.bianc...@redhat.com> wrote: On 5/14/24 18:44, Lorenzo Bianconi wrote: Skip proxy-arp logical flows for traffic that is entering the logical switch pipeline from a lsp of type router. This patch will avoid recirculating back the traffic entering by the logical router pipeline if proxy-arp hasn been configured by the CMS. Reported-at:https://urldefense.com/v3/__https://issues.redhat.com/browse/FDP-96__;!!ACWV5N9M2RV99hQ!LZCOnrD03VQXa0QBfUgAD0IntqpkCU4P2Mz0jhlfAcJ0Joe1ehsAIloa28JszFGBjchui8U4OL2MfnKJQEhn$ Signed-off-by: Lorenzo Bianconi --- Hi Lorenzo, This change looks OK but I'd like to double check that it doesn't break CNV/ovn-kubernetes use cases. Hi Enrique, Would you mind double checking that on one of your setups? If I'm not wrong our upstream ovn-kubernetes (in ovn-org/ovn) tests don't enable anything CNV specific: https://urldefense.com/v3/__https://github.com/ovsrobot/ovn/actions/runs/9083258143__;!!ACWV5N9M2RV99hQ!LZCOnrD03VQXa0QBfUgAD0IntqpkCU4P2Mz0jhlfAcJ0Joe1ehsAIloa28JszFGBjchui8U4OL2MflAqga4Q$ Thanks, Dumitru Hi Dumitru, Thx, for the review. That's a good idea :) Live migration tests look fine with this change, both IC and non IC, let's also activate the kubevirt lanes so we gate with them too. Tested-by: Regards, Lorenzo northd/northd.c | 15 +-- tests/ovn.at| 8 tests/system-ovn.at | 22 +- 3 files changed, 38 insertions(+), 7 deletions(-) diff --git a/northd/northd.c b/northd/northd.c index 0cabda7ea..29dc58ef4 100644 --- a/northd/northd.c +++ b/northd/northd.c @@ -118,6 +118,7 @@ static bool default_acl_drop; #define REGBIT_PORT_SEC_DROP "reg0[15]" #define REGBIT_ACL_STATELESS "reg0[16]" #define REGBIT_ACL_HINT_ALLOW_REL "reg0[17]" +#define REGBIT_FROM_ROUTER_PORT "reg0[18]" #define REG_ORIG_DIP_IPV4 "reg1" #define REG_ORIG_DIP_IPV6 "xxreg1" @@ -5785,6 +5786,13 @@ build_lswitch_port_sec_op(struct ovn_port *op, struct lflow_table *lflows, &op->od->localnet_ports[0]->nbsp->header_, op->lflow_ref); } +} else if (lsp_is_router(op->nbsp)) { +ds_put_format(actions, REGBIT_FROM_ROUTER_PORT" = 1; next;"); +ovn_lflow_add_with_lport_and_hint(lflows, op->od, + S_SWITCH_IN_CHECK_PORT_SEC, 70, + ds_cstr(match), ds_cstr(actions), + op->key, &op->nbsp->header_, + op->lflow_ref); } } @@ -9051,7 +9059,9 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, if (op->proxy_arp_addrs.n_ipv4_addrs) { /* Match rule on all proxy ARP IPs. */ ds_clear(match); -ds_put_cstr(match, "arp.op == 1 && arp.tpa == {"); +ds_put_cstr(match, +REGBIT_FROM_ROUTER_PORT" == 0 " +"&& arp.op == 1 && arp.tpa == {"); for (i = 0; i < op->proxy_arp_addrs.n_ipv4_addrs; i++) { ds_put_format(match, "%s/%u,", @@ -9105,7 +9115,8 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, ds_truncate(&nd_target_match, nd_target_match.length - 2); ds_clear(match); ds_put_format(match, - "nd_ns " + REGBIT_FROM_ROUTER_PORT" == 0 " + "&& nd_ns " "&& ip6.dst == { %s } " "&& nd.target == { %s }", ds_cstr(&ip6_dst_match), d
Re: [ovs-dev] [External] : OVS+OVN Fall Conference 2023 - Day 2 information
Hi, I missed this, where can I access the recordings? On 06/12/2023 17:36, Aaron Conole wrote: Greetings, We had an open bridge today during the call that got flooded with spam bots for a few minutes, and we had to lock the meeting down. As such, we won't broadly publish the meeting link. If you have already filled in the google form for registration, you will have already been sent the meeting link. If you'd like to join, please fill out the form that you can access from https://urldefense.com/v3/__http://ovscon.site__;!!ACWV5N9M2RV99hQ!I6A93V0MUG7nbSaKwHW6DLY2Uqn6A0kQCfn71b7f11yhpnCA6E-_rUFXw5jouqeIrF4wckaOc8bzc62dAdM$ to get "registered." As a reminder, the conference is free this year. Thanks, -Aaron ___ dev mailing list d...@openvswitch.org https://urldefense.com/v3/__https://mail.openvswitch.org/mailman/listinfo/ovs-dev__;!!ACWV5N9M2RV99hQ!I6A93V0MUG7nbSaKwHW6DLY2Uqn6A0kQCfn71b7f11yhpnCA6E-_rUFXw5jouqeIrF4wckaOc8bzAk2d45c$ ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [External] : Re: " Add support for DHCP Option 12 (Hostname)"
OK thanks, It was going to be a relatively easy backport if we need to do it. But great that it is already done. On 25/10/2021 15:04, Numan Siddique wrote: On Fri, Oct 22, 2021 at 9:23 AM Brendan Doyle wrote: Just wondering was this patch backported, if so could someone provide a pointer I see the commit [1] in the main branch and branch-21.09. https://urldefense.com/v3/__https://github.com/ovn-org/ovn/commit/0e4d0f1fbf70ddfc347781129451fb61097d559e__;!!ACWV5N9M2RV99hQ!amElLcjYZZwvrE3Arm25gxq2Fqhed7WSKhfXoSinx8dyZlQLuBjBT9G1mR7HHfDVqzk$ Thanks Numan Thanks ___ dev mailing list d...@openvswitch.org https://urldefense.com/v3/__https://mail.openvswitch.org/mailman/listinfo/ovs-dev__;!!ACWV5N9M2RV99hQ!amElLcjYZZwvrE3Arm25gxq2Fqhed7WSKhfXoSinx8dyZlQLuBjBT9G1mR7He6P7wbM$ ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] " Add support for DHCP Option 12 (Hostname)"
Just wondering was this patch backported, if so could someone provide a pointer Thanks ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
Re: [ovs-dev] [External] : [PATCH ovn] northd-ddlog: Add proxy arp flows for configured addresses in lsp router port.
Thanks for doing the ddlog for this, comment below On 29/06/2021 17:08, num...@ovn.org wrote: From: Numan Siddique The commit [1] didn't add the ddlog part. [1] - 8087cbc7462("ovn-northd.c: Add proxy ARP support to OVN") Signed-off-by: Numan Siddique --- northd/ovn.dl| 1 + northd/ovn.rs| 13 + northd/ovn_northd.dl | 38 ++ tests/ovn.at | 4 ++-- 4 files changed, 54 insertions(+), 2 deletions(-) diff --git a/northd/ovn.dl b/northd/ovn.dl index f23ea3b9e1..3c7a734ddb 100644 --- a/northd/ovn.dl +++ b/northd/ovn.dl @@ -364,6 +364,7 @@ extern function is_dynamic_lsp_address(addr: string): bool extern function extract_lsp_addresses(address: string): Option extern function extract_addresses(address: string): Option extern function extract_lrp_networks(mac: string, networks: Set): Option +extern function extract_ip_addresses(address: string): Option extern function split_addresses(addr: string): (Set, Set) diff --git a/northd/ovn.rs b/northd/ovn.rs index d44f83bc75..5f0939409c 100644 --- a/northd/ovn.rs +++ b/northd/ovn.rs @@ -184,6 +184,18 @@ pub fn extract_lrp_networks(mac: &String, networks: &ddlog_std::Set) -> } } +pub fn extract_ip_addresses(address: &String) -> ddlog_std::Option { +unsafe { +let mut laddrs: lport_addresses_c = Default::default(); +if ovn_c::extract_ip_addresses(string2cstr(address).as_ptr(), + &mut laddrs as *mut lport_addresses_c) { +ddlog_std::Option::Some{x: laddrs.into_ddlog()} +} else { +ddlog_std::Option::None +} +} +} + pub fn ovn_internal_version() -> String { unsafe { let s = ovn_c::ovn_get_internal_version(); @@ -623,6 +635,7 @@ mod ovn_c { pub fn extract_addresses(address: *const raw::c_char, laddrs: *mut lport_addresses_c, ofs: *mut raw::c_int) -> bool; pub fn extract_lrp_networks__(mac: *const raw::c_char, networks: *const *const raw::c_char, n_networks: libc::size_t, laddrs: *mut lport_addresses_c) -> bool; +pub fn extract_ip_addresses(address: *const raw::c_char, laddrs: *mut lport_addresses_c) -> bool; pub fn destroy_lport_addresses(addrs: *mut lport_addresses_c); pub fn is_dynamic_lsp_address(address: *const raw::c_char) -> bool; pub fn split_addresses(addresses: *const raw::c_char, ip4_addrs: *mut ovs_svec, ipv6_addrs: *mut ovs_svec); diff --git a/northd/ovn_northd.dl b/northd/ovn_northd.dl index 52a6206a18..a7a327c7f0 100644 --- a/northd/ovn_northd.dl +++ b/northd/ovn_northd.dl @@ -3360,6 +3360,44 @@ for (CheckLspIsUp[check_lsp_is_up]) { } } +Flow(.logical_datapath = sw._uuid, + .stage= s_SWITCH_IN_ARP_ND_RSP(), + .priority = 50, + .__match = __match, + .actions = __actions, + .external_ids = stage_hint(sp.lsp._uuid)) :- + +sp in &SwitchPort(.sw = sw, .peer = Some{rp}), +rp.is_enabled(), +var proxy_ips = { +match (sp.lsp.options.get("arp_proxy")) { +None -> "", +Some {addresses} -> { +match (extract_ip_addresses(addresses)) { +None -> "", +Some{addr} -> { +var ip4_addrs = vec_empty(); +for (ip4 in addr.ipv4_addrs) { +ip4_addrs.push("${ip4.addr}") +}; +string_join(ip4_addrs, ",") +} +} +} +} +}, +proxy_ips != "", +var __match = "arp.op == 1 && arp.tpa == {" ++ proxy_ips ++ "}", +var __actions = "eth.dst = eth.src; " +"eth.src = ${rp.networks.ea}; " +"arp.op = 2; /* ARP reply */ " +"arp.tha = arp.sha; " +"arp.sha = %s; " +"arp.tpa <-> arp.spa; " +"outport = inport; " +"flags.loopback = 1; " +"output;". + /* For ND solicitations, we need to listen for both the * unicast IPv6 address and its all-nodes multicast address, * but always respond with the unicast IPv6 address. */ diff --git a/tests/ovn.at b/tests/ovn.at index db1a0a35c2..31f0b90996 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26940,7 +26940,7 @@ ovs-vsctl -- add-port br-int vif1 -- \ # And proxy ARP flows for 69.254.239.254 and 169.254.239.2 # and check that SB flows have been added. ovn-nbctl --wait=hv add Logical_Switch_Port rp-ls1 \ -options arp_proxy='"169.254.239.254 169.254.239.2"' +options arp_proxy='"169.254.239.254,169.254.239.2"' ovn-sbctl dump-flows > sbflows AT_CAPTURE_FILE([sbflows]) @@ -26957,7 +26957,7 @@ AT_CHECK([ovn-sbctl dump-flows | grep ls_in_arp_rsp | grep "169.254.239.2"], [1] # Add the
Re: [ovs-dev] [External] : Re: [PATCH ovn v5] ovn-northd.c: Add proxy ARP support to OVN
On 29/06/2021 13:24, Numan Siddique wrote: On Tue, Jun 29, 2021 at 7:48 AM Brendan Doyle wrote: Numan, Did this version apply ? I'm guessing not. This was generated with git mail. But I don't see an entry in https://urldefense.com/v3/__https://patchwork.ozlabs.org/project/ovn/list/__;!!ACWV5N9M2RV99hQ!crHDbcylO2xdE8lL5OBvisqTciHbBxY2Viml-p_H_HuEtd6-KXvvdib_NWgdqCHWi3M$ for it. Please let me know if this has issue, if so I'll try generate a PR. No. This didn't apply either. Since the patch was straightforward, I just applied the diff manually and applied the patch to the main branch. Great thanks. I'm not sure how you generated the patch. I presume using git-format-patch. Yes. You can refer this if you haven't already - https://urldefense.com/v3/__https://github.com/ovn-org/ovn/blob/master/Documentation/internals/contributing/submitting-patches.rst__;!!ACWV5N9M2RV99hQ!crHDbcylO2xdE8lL5OBvisqTciHbBxY2Viml-p_H_HuEtd6-KXvvdib_NWgdUiKKgR0$ Yes, I have, and as far as I know I followed all the instructions. Even sent the patch via git mail to a colleague who was able to apply the patch to his fresh clone of master. I did a few changes in the code and in the test before applying. Ok, I'll have a look - thanks The commit is missing the ddlog part unfortunately. I tried to add it, but I probably need some help from Ben. Sorry, just don't know anything about dlog The added test case fails for ddlog now. Thanks Numan Thanks Brendan On 28/06/2021 12:16, Brendan Doyle wrote: This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 48 ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 160 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index fcd6167..258b5db 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6969,6 +6969,8 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; + if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7126,6 +7128,52 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + +if (arp_proxy && op->peer) { +struct lport_addresses proxy_arp_addrs; +int i = 0; + +if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match); +ds_put_cstr(match, "arp.op == 1 && ("); + +for (i = 0; i < proxy_arp_addrs.n_ipv4_addrs; i++) { +if (i > 0) { +ds_put_cstr(match, " || "); +} +ds_put_format(match, "arp.tpa == %s", +proxy_arp_addrs.ipv4_addrs[i].addr_s); +} + +ds_put_cstr(match, ")"); +destroy_lport_addresses(&proxy_arp_addrs); + +ds_clear(actions); +ds_put_format(actions, +"eth.dst = eth.src; " +"eth.src = %s; " +"arp.op = 2; /* ARP reply */ " +"arp.tha = arp.sha; " +"arp.sha = %s; " +"arp.tpa <-> arp.spa; " +"outport = inport; " +"flags.loopback = 1; " +"output;", +op->peer->lrp_networks.ea_s, +op->peer->lrp_networks.ea_s); + +ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, +50, ds_cstr(match), ds_cstr(actions
Re: [ovs-dev] [PATCH ovn v5] ovn-northd.c: Add proxy ARP support to OVN
Numan, Did this version apply ? I'm guessing not. This was generated with git mail. But I don't see an entry in https://patchwork.ozlabs.org/project/ovn/list/ for it. Please let me know if this has issue, if so I'll try generate a PR. Thanks Brendan On 28/06/2021 12:16, Brendan Doyle wrote: This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 48 ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 160 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index fcd6167..258b5db 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6969,6 +6969,8 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; + if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7126,6 +7128,52 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + +if (arp_proxy && op->peer) { +struct lport_addresses proxy_arp_addrs; +int i = 0; + +if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match); +ds_put_cstr(match, "arp.op == 1 && ("); + +for (i = 0; i < proxy_arp_addrs.n_ipv4_addrs; i++) { +if (i > 0) { +ds_put_cstr(match, " || "); +} +ds_put_format(match, "arp.tpa == %s", +proxy_arp_addrs.ipv4_addrs[i].addr_s); +} + +ds_put_cstr(match, ")"); +destroy_lport_addresses(&proxy_arp_addrs); + +ds_clear(actions); +ds_put_format(actions, +"eth.dst = eth.src; " +"eth.src = %s; " +"arp.op = 2; /* ARP reply */ " +"arp.tha = arp.sha; " +"arp.sha = %s; " +"arp.tpa <-> arp.spa; " +"outport = inport; " +"flags.loopback = 1; " +"output;", +op->peer->lrp_networks.ea_s, +op->peer->lrp_networks.ea_s); + +ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, +50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); +} +} } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 406bc85..077a2d8 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254 169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 5926350..1e0065d 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26899,3 +26899,106 @@ AT_CHECK([ovs-ofctl dump-flows br-int "nw_src=10.0.0.0/24" | \ OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add lr1 ls1 00:00:00:01:02:f1 192.16.1.1/24 +ovn-nbctl lsp-ad
Re: [ovs-dev] [External] : [PATCH ovn v3] ovn-northd.c: Add proxy ARP support to OVN
Hi Numan, So just did a v5 this time using git mail, please see if you can apply that one. Thanks On 27/06/2021 18:19, Numan Siddique wrote: On Sun, Jun 27, 2021 at 8:46 AM Brendan Doyle wrote: Hi Numan, I did a fresh clone and recreated/resubmitted the patch [PATCH ovn v4] ovn-northd.c: Add proxy ARP support to OVN. v4 still doesn't apply. Maybe you can share your github private branch with the patch ? Thanks Numan I tried to create a PR, but I got an error when trying to create a remote branch from which to generate the PR: git push --set-upstream origin proxy_arp:proxy_arp Username for 'https://urldefense.com/v3/__https://github.com__;!!ACWV5N9M2RV99hQ!fE13KKbvJnF64MDyfTHbnvYXjqu8wuAVInShZvJAwXy6NPM6rcdjMhesoD8-oZGth6Y$ ': BrendanDoyle1 Password for 'https://urldefense.com/v3/__https://BrendanDoyle1@github.com__;!!ACWV5N9M2RV99hQ!fE13KKbvJnF64MDyfTHbnvYXjqu8wuAVInShZvJAwXy6NPM6rcdjMhesoD8-qzJHZ_8$ ': remote: Permission to ovn-org/ovn.git denied to BrendanDoyle1. fatal: unable to access 'https://urldefense.com/v3/__https://github.com/ovn-org/ovn/__;!!ACWV5N9M2RV99hQ!fE13KKbvJnF64MDyfTHbnvYXjqu8wuAVInShZvJAwXy6NPM6rcdjMhesoD8-k2ML9jk$ ': The requested URL returned error: 403 If the v4 does not work I'll have to wait for my goit/GitHub experts to come in on Monday. Brendan. On 25/06/2021 22:22, Numan Siddique wrote: On Thu, Jun 24, 2021 at 5:14 AM Brendan Doyle wrote: Hi, Just wondering how to move this along. It's been in the queue a while now. I've made the requested changes, this is v3 of the patch. The product I'm working on requires this feature and If I can't get it upstream I'll need to look at other options. Hi Brendan, I just can't apply your patch cleanly. The same issue I faced with your previous version. Normally when patch is submitted, the ovsrobot applies the patch on top of the master and runs the tests. It generally creates a branch with the patch series number. In your case, the series number is 249668 (https://urldefense.com/v3/__https://patchwork.ozlabs.org/project/ovn/list/?series=249668__;!!ACWV5N9M2RV99hQ!fmNb3A9Qn2_9U4wjyZ1fVFxqrPOwLDHJ8uBbL-0zKNDDHDNqE-xORpdhqZdjs1rnJo4$ ) and the branch is here - https://urldefense.com/v3/__https://github.com/ovsrobot/ovn/commits/series_249668__;!!ACWV5N9M2RV99hQ!fmNb3A9Qn2_9U4wjyZ1fVFxqrPOwLDHJ8uBbL-0zKNDDHDNqE-xORpdhqZdjS24tNa4$ and I don't see your patch applied cleanly. So I'm pretty sure something is wrong with your patch format. Either you can resend the patch or send a github PR. Thanks Numan Thanks Brendan On 18/06/2021 14:53, Brendan Doyle wrote: From 634fd88b726700b30cb76203ca45f1e9c041368a Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 46 +++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 158 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..2bc6f28 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,51 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); +if (arp_proxy && op->peer) { +struct lport_addresses proxy_arp_addrs; +int i = 0; + +if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match); +
Re: [ovs-dev] [External] : [PATCH ovn v3] ovn-northd.c: Add proxy ARP support to OVN
On 27/06/2021 18:19, Numan Siddique wrote: On Sun, Jun 27, 2021 at 8:46 AM Brendan Doyle wrote: Hi Numan, I did a fresh clone and recreated/resubmitted the patch [PATCH ovn v4] ovn-northd.c: Add proxy ARP support to OVN. v4 still doesn't apply. Maybe you can share your github private branch with the patch ? I can't push to origin to create a branch. I'll have to wait for some help from my colleagues who are more familiar with GitLab Thanks Numan I tried to create a PR, but I got an error when trying to create a remote branch from which to generate the PR: git push --set-upstream origin proxy_arp:proxy_arp Username for 'https://urldefense.com/v3/__https://github.com__;!!ACWV5N9M2RV99hQ!fE13KKbvJnF64MDyfTHbnvYXjqu8wuAVInShZvJAwXy6NPM6rcdjMhesoD8-oZGth6Y$ ': BrendanDoyle1 Password for 'https://urldefense.com/v3/__https://BrendanDoyle1@github.com__;!!ACWV5N9M2RV99hQ!fE13KKbvJnF64MDyfTHbnvYXjqu8wuAVInShZvJAwXy6NPM6rcdjMhesoD8-qzJHZ_8$ ': remote: Permission to ovn-org/ovn.git denied to BrendanDoyle1. fatal: unable to access 'https://urldefense.com/v3/__https://github.com/ovn-org/ovn/__;!!ACWV5N9M2RV99hQ!fE13KKbvJnF64MDyfTHbnvYXjqu8wuAVInShZvJAwXy6NPM6rcdjMhesoD8-k2ML9jk$ ': The requested URL returned error: 403 If the v4 does not work I'll have to wait for my goit/GitHub experts to come in on Monday. Brendan. On 25/06/2021 22:22, Numan Siddique wrote: On Thu, Jun 24, 2021 at 5:14 AM Brendan Doyle wrote: Hi, Just wondering how to move this along. It's been in the queue a while now. I've made the requested changes, this is v3 of the patch. The product I'm working on requires this feature and If I can't get it upstream I'll need to look at other options. Hi Brendan, I just can't apply your patch cleanly. The same issue I faced with your previous version. Normally when patch is submitted, the ovsrobot applies the patch on top of the master and runs the tests. It generally creates a branch with the patch series number. In your case, the series number is 249668 (https://urldefense.com/v3/__https://patchwork.ozlabs.org/project/ovn/list/?series=249668__;!!ACWV5N9M2RV99hQ!fmNb3A9Qn2_9U4wjyZ1fVFxqrPOwLDHJ8uBbL-0zKNDDHDNqE-xORpdhqZdjs1rnJo4$ ) and the branch is here - https://urldefense.com/v3/__https://github.com/ovsrobot/ovn/commits/series_249668__;!!ACWV5N9M2RV99hQ!fmNb3A9Qn2_9U4wjyZ1fVFxqrPOwLDHJ8uBbL-0zKNDDHDNqE-xORpdhqZdjS24tNa4$ and I don't see your patch applied cleanly. So I'm pretty sure something is wrong with your patch format. Either you can resend the patch or send a github PR. Thanks Numan Thanks Brendan On 18/06/2021 14:53, Brendan Doyle wrote: From 634fd88b726700b30cb76203ca45f1e9c041368a Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 46 +++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 158 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..2bc6f28 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,51 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); +if (arp_proxy && op->peer) { +struct lport_addresses proxy_arp_addrs; +int i = 0; + +if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match)
Re: [ovs-dev] [External] : [PATCH ovn v3] ovn-northd.c: Add proxy ARP support to OVN
Hi Numan, I did a fresh clone and recreated/resubmitted the patch [PATCH ovn v4] ovn-northd.c: Add proxy ARP support to OVN. I tried to create a PR, but I got an error when trying to create a remote branch from which to generate the PR: git push --set-upstream origin proxy_arp:proxy_arp Username for 'https://github.com': BrendanDoyle1 Password for 'https://brendandoy...@github.com': remote: Permission to ovn-org/ovn.git denied to BrendanDoyle1. fatal: unable to access 'https://github.com/ovn-org/ovn/': The requested URL returned error: 403 If the v4 does not work I'll have to wait for my goit/GitHub experts to come in on Monday. Brendan. On 25/06/2021 22:22, Numan Siddique wrote: On Thu, Jun 24, 2021 at 5:14 AM Brendan Doyle wrote: Hi, Just wondering how to move this along. It's been in the queue a while now. I've made the requested changes, this is v3 of the patch. The product I'm working on requires this feature and If I can't get it upstream I'll need to look at other options. Hi Brendan, I just can't apply your patch cleanly. The same issue I faced with your previous version. Normally when patch is submitted, the ovsrobot applies the patch on top of the master and runs the tests. It generally creates a branch with the patch series number. In your case, the series number is 249668 (https://urldefense.com/v3/__https://patchwork.ozlabs.org/project/ovn/list/?series=249668__;!!ACWV5N9M2RV99hQ!fmNb3A9Qn2_9U4wjyZ1fVFxqrPOwLDHJ8uBbL-0zKNDDHDNqE-xORpdhqZdjs1rnJo4$ ) and the branch is here - https://urldefense.com/v3/__https://github.com/ovsrobot/ovn/commits/series_249668__;!!ACWV5N9M2RV99hQ!fmNb3A9Qn2_9U4wjyZ1fVFxqrPOwLDHJ8uBbL-0zKNDDHDNqE-xORpdhqZdjS24tNa4$ and I don't see your patch applied cleanly. So I'm pretty sure something is wrong with your patch format. Either you can resend the patch or send a github PR. Thanks Numan Thanks Brendan On 18/06/2021 14:53, Brendan Doyle wrote: From 634fd88b726700b30cb76203ca45f1e9c041368a Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 46 +++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 158 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..2bc6f28 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,51 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); +if (arp_proxy && op->peer) { +struct lport_addresses proxy_arp_addrs; +int i = 0; + +if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match); +ds_put_cstr(match, "arp.op == 1 && ("); + +for (i = 0; i < proxy_arp_addrs.n_ipv4_addrs; i++) { +if (i > 0) { +ds_put_cstr(match, " || "); +} +ds_put_format(match, "arp.tpa == %s", +proxy_arp_addrs.ipv4_addrs[i].addr_s); +} + +ds_put_cstr(match, ")"); +destroy_lport_addresses(&proxy_arp_addrs); + +ds_clear(actions); +ds_put_format(actions, +"eth.dst = eth.src; " +"eth.src = %
[ovs-dev] [PATCH ovn v4] ovn-northd.c: Add proxy ARP support to OVN
From 7a38fff6ce6ee17767b426c7cf84e1b07eda5552 Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Sun, 27 Jun 2021 05:36:40 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 48 ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 160 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index fcd6167..258b5db 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6969,6 +6969,8 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; + if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7126,6 +7128,52 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + +if (arp_proxy && op->peer) { +struct lport_addresses proxy_arp_addrs; +int i = 0; + +if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match); +ds_put_cstr(match, "arp.op == 1 && ("); + +for (i = 0; i < proxy_arp_addrs.n_ipv4_addrs; i++) { +if (i > 0) { +ds_put_cstr(match, " || "); +} +ds_put_format(match, "arp.tpa == %s", +proxy_arp_addrs.ipv4_addrs[i].addr_s); +} + +ds_put_cstr(match, ")"); +destroy_lport_addresses(&proxy_arp_addrs); + +ds_clear(actions); +ds_put_format(actions, +"eth.dst = eth.src; " +"eth.src = %s; " +"arp.op = 2; /* ARP reply */ " +"arp.tha = arp.sha; " +"arp.sha = %s; " +"arp.tpa <-> arp.spa; " +"outport = inport; " +"flags.loopback = 1; " +"output;", +op->peer->lrp_networks.ea_s, +op->peer->lrp_networks.ea_s); + +ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, +50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); +} +} } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 406bc85..077a2d8 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254 169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 5926350..1e0065d 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26899,3 +26899,106 @@ AT_CHECK([ovs-ofctl dump-flows br-int "nw_src=10.0.0.0/24" | \ OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add lr1 ls1 00:00:00:01:02:f1 192.16.1.1/24 +ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 \ +type=router options:router-port=ls1 addresses=\"00:00:00:01:02:f1\" + +# Create
Re: [ovs-dev] [External] : [PATCH ovn v3] ovn-northd.c: Add proxy ARP support to OVN
Hi, Just wondering how to move this along. It's been in the queue a while now. I've made the requested changes, this is v3 of the patch. The product I'm working on requires this feature and If I can't get it upstream I'll need to look at other options. Thanks Brendan On 18/06/2021 14:53, Brendan Doyle wrote: From 634fd88b726700b30cb76203ca45f1e9c041368a Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 46 +++ ovn-nb.xml | 9 + tests/ovn.at | 103 3 files changed, 158 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..2bc6f28 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { + const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,51 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + + /* + * Add responses for ARP proxies. + */ + arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + if (arp_proxy && op->peer) { + struct lport_addresses proxy_arp_addrs; + int i = 0; + + if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { + /* + * Match rule on all proxy ARP IPs. + */ + ds_clear(match); + ds_put_cstr(match, "arp.op == 1 && ("); + + for (i = 0; i < proxy_arp_addrs.n_ipv4_addrs; i++) { + if (i > 0) { + ds_put_cstr(match, " || "); + } + ds_put_format(match, "arp.tpa == %s", + proxy_arp_addrs.ipv4_addrs[i].addr_s); + } + + ds_put_cstr(match, ")"); + destroy_lport_addresses(&proxy_arp_addrs); + + ds_clear(actions); + ds_put_format(actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa <-> arp.spa; " + "outport = inport; " + "flags.loopback = 1; " + "output;", + op->peer->lrp_networks.ea_s, + op->peer->lrp_networks.ea_s); + + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, + 50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); + } + } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 02fd216..e4a8114 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254 169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 2c3c36d..ffbb594 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26527,3 +26527,106 @@ AT_CHECK([test $(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) = OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1
Re: [ovs-dev] [External] : [PATCH ovn v3] ovn-northd.c: Add proxy ARP support to OVN
Hi Numan, I know things are busy but did you get a chance to look at this. I made the change to use extract_ip_addresses() as requested. Brendan On 18/06/2021 14:53, Brendan Doyle wrote: From 634fd88b726700b30cb76203ca45f1e9c041368a Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 46 +++ ovn-nb.xml | 9 + tests/ovn.at | 103 3 files changed, 158 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..2bc6f28 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { + const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,51 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + + /* + * Add responses for ARP proxies. + */ + arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + if (arp_proxy && op->peer) { + struct lport_addresses proxy_arp_addrs; + int i = 0; + + if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { + /* + * Match rule on all proxy ARP IPs. + */ + ds_clear(match); + ds_put_cstr(match, "arp.op == 1 && ("); + + for (i = 0; i < proxy_arp_addrs.n_ipv4_addrs; i++) { + if (i > 0) { + ds_put_cstr(match, " || "); + } + ds_put_format(match, "arp.tpa == %s", + proxy_arp_addrs.ipv4_addrs[i].addr_s); + } + + ds_put_cstr(match, ")"); + destroy_lport_addresses(&proxy_arp_addrs); + + ds_clear(actions); + ds_put_format(actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa <-> arp.spa; " + "outport = inport; " + "flags.loopback = 1; " + "output;", + op->peer->lrp_networks.ea_s, + op->peer->lrp_networks.ea_s); + + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, + 50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); + } + } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 02fd216..e4a8114 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254 169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 2c3c36d..ffbb594 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26527,3 +26527,106 @@ AT_CHECK([test $(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) = OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add l
[ovs-dev] [PATCH ovn v3] ovn-northd.c: Add proxy ARP support to OVN
From 634fd88b726700b30cb76203ca45f1e9c041368a Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 46 +++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 158 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..2bc6f28 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,51 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); +if (arp_proxy && op->peer) { +struct lport_addresses proxy_arp_addrs; +int i = 0; + +if (extract_ip_addresses(arp_proxy, &proxy_arp_addrs)) { +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match); +ds_put_cstr(match, "arp.op == 1 && ("); + +for (i = 0; i < proxy_arp_addrs.n_ipv4_addrs; i++) { +if (i > 0) { +ds_put_cstr(match, " || "); +} +ds_put_format(match, "arp.tpa == %s", +proxy_arp_addrs.ipv4_addrs[i].addr_s); +} + +ds_put_cstr(match, ")"); +destroy_lport_addresses(&proxy_arp_addrs); + +ds_clear(actions); +ds_put_format(actions, +"eth.dst = eth.src; " +"eth.src = %s; " +"arp.op = 2; /* ARP reply */ " +"arp.tha = arp.sha; " +"arp.sha = %s; " +"arp.tpa <-> arp.spa; " +"outport = inport; " +"flags.loopback = 1; " +"output;", +op->peer->lrp_networks.ea_s, +op->peer->lrp_networks.ea_s); + +ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, +50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); +} +} } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 02fd216..e4a8114 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254 169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 2c3c36d..ffbb594 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26527,3 +26527,106 @@ AT_CHECK([test $(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) = OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add lr1 ls1 00:00:00:01:02:f1 192.16.1.1/24 +ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 \ +type=router options:router-port=ls1 addresses=\"00:00:00:01:02:f1\" + +# Create logic
Re: [ovs-dev] [External] : [PATCH ovn v2] ovn-northd.c: Add proxy ARP support to OVN
On 15/06/2021 14:33, Numan Siddique wrote: On Tue, Jun 15, 2021 at 8:34 AM Brendan Doyle wrote: On 15/06/2021 13:26, Numan Siddique wrote: On Tue, Jun 15, 2021 at 7:50 AM Brendan Doyle wrote: On 14/06/2021 21:17, Numan Siddique wrote: On Mon, Jun 14, 2021 at 5:19 AM Brendan Doyle wrote: Hi, Just wondering how to move this along. It's been in the queue a while now. The product I'm working on requires this feature and If I can't get it upstream I'll need to look at other options. Hi Brendan, Sorry for the late reply. For some reason the patch doesn't apply to me. Sorry I'm not sure what you mean, the patch did not apply, it works when I apply to my repo? Please see below for a few comments. Thanks Brendan On 04/06/2021 15:51, Brendan Doyle wrote: From 07ecd5d00f82658e094132102575d8d576161a6b Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 44 ++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 156 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..9b686d9 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,49 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); In my opinion instead of defining these proxy IPs in the logical switch port options, it is better to define them in the router port as generally a router would handle proxy arps (correct me if I'm wrong here). I'd suggest to add a new column "proxy_ips" (or something more appropriate) in the Logical_Router_Port and this column would point to an address set. CMS can define the list of IPs in the address set. ovn-northd can add a logical flow like match = "inport == && arp.tpa == $proxy_ip, action = {} This would result in just one logical flow. CMS would do something like addr_set_uuid=$(ovn-nbctl create address_set name=proxy_arps addresses="10.0.0.4, 10.0.0.5") ovn-nbctl set logical_router_port proxy_ip=$addr_set_uuid What do you think ? In both cases only one OVS flows is created (after I made the changes) suggested by Dan. I can see the point with respect to proxy ARP and routers, in physical equipment proxy ARP is done by routers. But I think doing the proxy ARP on the LRP of the LS is consistent with the use of the "options : nat-addresses" entry in the Logical_Switch_Port TABLE . The patch makes it clear that this feature is associated with a router, It is after all in the "Options for router ports". I think it is also more efficient in that we'd respond to the ARP request earlier in the datapath flows. Even if the proxy arps are associated with a router port, the flows can still be added in the logical switch pipeline of the peer to avoid the extra hop from logical switch pipeline to router pipeline. In my opinion, it is better that the proxy arps are associated with a router port rather than a logical switch peer port. Also having a separate column makes more sense to me than defining a string of IP addresses in the options smap. I see your point, but "options : nat-addresses" is a list of IPs on a router peer port so it is at least consistent with that. Like "options : nat-addresses" I don't expect it to be a large list. Ok. I'd have no objections if other reviewers are fine. Please see below for one comment. Thanks Numan I defer to other reviewers if th
Re: [ovs-dev] [External] : [PATCH ovn v2] ovn-northd.c: Add proxy ARP support to OVN
On 15/06/2021 13:26, Numan Siddique wrote: On Tue, Jun 15, 2021 at 7:50 AM Brendan Doyle wrote: On 14/06/2021 21:17, Numan Siddique wrote: On Mon, Jun 14, 2021 at 5:19 AM Brendan Doyle wrote: Hi, Just wondering how to move this along. It's been in the queue a while now. The product I'm working on requires this feature and If I can't get it upstream I'll need to look at other options. Hi Brendan, Sorry for the late reply. For some reason the patch doesn't apply to me. Sorry I'm not sure what you mean, the patch did not apply, it works when I apply to my repo? Please see below for a few comments. Thanks Brendan On 04/06/2021 15:51, Brendan Doyle wrote: From 07ecd5d00f82658e094132102575d8d576161a6b Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 44 ++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 156 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..9b686d9 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,49 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); In my opinion instead of defining these proxy IPs in the logical switch port options, it is better to define them in the router port as generally a router would handle proxy arps (correct me if I'm wrong here). I'd suggest to add a new column "proxy_ips" (or something more appropriate) in the Logical_Router_Port and this column would point to an address set. CMS can define the list of IPs in the address set. ovn-northd can add a logical flow like match = "inport == && arp.tpa == $proxy_ip, action = {} This would result in just one logical flow. CMS would do something like addr_set_uuid=$(ovn-nbctl create address_set name=proxy_arps addresses="10.0.0.4, 10.0.0.5") ovn-nbctl set logical_router_port proxy_ip=$addr_set_uuid What do you think ? In both cases only one OVS flows is created (after I made the changes) suggested by Dan. I can see the point with respect to proxy ARP and routers, in physical equipment proxy ARP is done by routers. But I think doing the proxy ARP on the LRP of the LS is consistent with the use of the "options : nat-addresses" entry in the Logical_Switch_Port TABLE . The patch makes it clear that this feature is associated with a router, It is after all in the "Options for router ports". I think it is also more efficient in that we'd respond to the ARP request earlier in the datapath flows. Even if the proxy arps are associated with a router port, the flows can still be added in the logical switch pipeline of the peer to avoid the extra hop from logical switch pipeline to router pipeline. In my opinion, it is better that the proxy arps are associated with a router port rather than a logical switch peer port. Also having a separate column makes more sense to me than defining a string of IP addresses in the options smap. I see your point, but "options : nat-addresses" is a list of IPs on a router peer port so it is at least consistent with that. Like "options : nat-addresses" I don't expect it to be a large list. I defer to other reviewers if they are fine with your patch. Ok thanks. Thanks Numan The suggestion you make is a lot more involved, touching much more code and changes the DB schema, so I'm hesitant to go down that path. Brendan.
Re: [ovs-dev] [External] : [PATCH ovn v2] ovn-northd.c: Add proxy ARP support to OVN
On 14/06/2021 21:17, Numan Siddique wrote: On Mon, Jun 14, 2021 at 5:19 AM Brendan Doyle wrote: Hi, Just wondering how to move this along. It's been in the queue a while now. The product I'm working on requires this feature and If I can't get it upstream I'll need to look at other options. Hi Brendan, Sorry for the late reply. For some reason the patch doesn't apply to me. Sorry I'm not sure what you mean, the patch did not apply, it works when I apply to my repo? Please see below for a few comments. Thanks Brendan On 04/06/2021 15:51, Brendan Doyle wrote: From 07ecd5d00f82658e094132102575d8d576161a6b Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 44 ++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 156 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..9b686d9 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,49 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); In my opinion instead of defining these proxy IPs in the logical switch port options, it is better to define them in the router port as generally a router would handle proxy arps (correct me if I'm wrong here). I'd suggest to add a new column "proxy_ips" (or something more appropriate) in the Logical_Router_Port and this column would point to an address set. CMS can define the list of IPs in the address set. ovn-northd can add a logical flow like match = "inport == && arp.tpa == $proxy_ip, action = {} This would result in just one logical flow. CMS would do something like addr_set_uuid=$(ovn-nbctl create address_set name=proxy_arps addresses="10.0.0.4, 10.0.0.5") ovn-nbctl set logical_router_port proxy_ip=$addr_set_uuid What do you think ? In both cases only one OVS flows is created (after I made the changes) suggested by Dan. I can see the point with respect to proxy ARP and routers, in physical equipment proxy ARP is done by routers. But I think doing the proxy ARP on the LRP of the LS is consistent with the use of the "options : nat-addresses" entry in the Logical_Switch_Port TABLE . The patch makes it clear that this feature is associated with a router, It is after all in the "Options for router ports". I think it is also more efficient in that we'd respond to the ARP request earlier in the datapath flows. The suggestion you make is a lot more involved, touching much more code and changes the DB schema, so I'm hesitant to go down that path. Brendan. Thanks Numan +if (arp_proxy && op->peer) { +char *ips, *ip, *rest; +int i = 0; + +ips = xstrdup(arp_proxy); +rest = ips; + +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match); +ds_put_cstr(match, "arp.op == 1 && ("); +while ((ip = strtok_r(rest,",", &rest))) { +if (i++ > 0) { +ds_put_cstr(match, " || "); +}; +ds_put_format(match, "arp.tpa == %s", ip); +} +ds_put_cstr(match, ")"); + +ds_clear(actions); +ds_put_format(actions, +"eth.dst = eth.src; " +"eth.src = %s; " +
Re: [ovs-dev] [External] : [PATCH ovn v2] ovn-northd.c: Add proxy ARP support to OVN
Hi, Just wondering how to move this along. It's been in the queue a while now. The product I'm working on requires this feature and If I can't get it upstream I'll need to look at other options. Thanks Brendan On 04/06/2021 15:51, Brendan Doyle wrote: From 07ecd5d00f82658e094132102575d8d576161a6b Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 44 ++ ovn-nb.xml | 9 + tests/ovn.at | 103 3 files changed, 156 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..9b686d9 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { + const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,49 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + + /* + * Add responses for ARP proxies. + */ + arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + if (arp_proxy && op->peer) { + char *ips, *ip, *rest; + int i = 0; + + ips = xstrdup(arp_proxy); + rest = ips; + + /* + * Match rule on all proxy ARP IPs. + */ + ds_clear(match); + ds_put_cstr(match, "arp.op == 1 && ("); + while ((ip = strtok_r(rest,",", &rest))) { + if (i++ > 0) { + ds_put_cstr(match, " || "); + }; + ds_put_format(match, "arp.tpa == %s", ip); + } + ds_put_cstr(match, ")"); + + ds_clear(actions); + ds_put_format(actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa <-> arp.spa; " + "outport = inport; " + "flags.loopback = 1; " + "output;", + op->peer->lrp_networks.ea_s, + op->peer->lrp_networks.ea_s); + + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, + 50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); + free(ips); + } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 02fd216..4b6c183 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A comma separated list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254,169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 2c3c36d..4befe4a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26527,3 +26527,106 @@ AT_CHECK([test $(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) = OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add lr1 ls1 00:00:00:01:02:f1 192.16.1.1/24 +ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 \ + type=router options:router
[ovs-dev] [PATCH ovn v2] ovn-northd.c: Add proxy ARP support to OVN
From 07ecd5d00f82658e094132102575d8d576161a6b Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 44 ++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 156 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..9b686d9 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,49 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); +if (arp_proxy && op->peer) { +char *ips, *ip, *rest; +int i = 0; + +ips = xstrdup(arp_proxy); +rest = ips; + +/* + * Match rule on all proxy ARP IPs. + */ +ds_clear(match); +ds_put_cstr(match, "arp.op == 1 && ("); +while ((ip = strtok_r(rest,",", &rest))) { +if (i++ > 0) { +ds_put_cstr(match, " || "); +}; +ds_put_format(match, "arp.tpa == %s", ip); +} +ds_put_cstr(match, ")"); + +ds_clear(actions); +ds_put_format(actions, +"eth.dst = eth.src; " +"eth.src = %s; " +"arp.op = 2; /* ARP reply */ " +"arp.tha = arp.sha; " +"arp.sha = %s; " +"arp.tpa <-> arp.spa; " +"outport = inport; " +"flags.loopback = 1; " +"output;", +op->peer->lrp_networks.ea_s, +op->peer->lrp_networks.ea_s); + +ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, +50, ds_cstr(match), ds_cstr(actions), &op->nbsp->header_); +free(ips); +} } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 02fd216..4b6c183 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A comma separated list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254,169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 2c3c36d..4befe4a 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26527,3 +26527,106 @@ AT_CHECK([test $(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) = OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add lr1 ls1 00:00:00:01:02:f1 192.16.1.1/24 +ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 \ +type=router options:router-port=ls1 addresses=\"00:00:00:01:02:f1\" + +# Create logical port ls1-lp1 in ls1 +ovn-nbctl lsp-add ls1 ls1-lp1 \ +-- lsp-set-addresses ls1-lp1 "00:00:00:01:02:03 192.16.1.6" + + +# Create one hypervisor and create OVS ports corresponding to logical ports. +net_add n
Re: [ovs-dev] [External] : Re: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN
On 03/06/2021 16:59, Dan Williams wrote: On Wed, 2021-06-02 at 17:02 +0100, Brendan Doyle wrote: From a9d3140845175edb7644b2d0d82a95bd6cf94662 Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 38 +++ ovn-nb.xml | 9 + tests/ovn.at | 103 3 files changed, 150 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..a377e83 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { + const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,43 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + + /* + * Add responses for ARP proxies. + */ + arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + if (arp_proxy && op->peer) { + char *ips, *ip, *rest; + + ips = xstrdup(arp_proxy); + rest = ips; + + while ((ip = strtok_r(rest,",", &rest))) { + ds_clear(match); + ds_put_format(match, "arp.tpa == %s && arp.op == 1", ip); + + ds_clear(actions); + ds_put_format(actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa = arp.spa; " + "arp.spa = %s; " I think you can collapse the two lines above into: "arp.tpa <-> arp.spa;" and get rid of one %s. For an example, see build_lrouter_arp_flow(). In fact, you might be able to reduce the number of lflows down to one by doing something like the following, since now your action is constant due to the <->. int i = 0; ds_clear(&match); ds_put_cstr(match, "arp.op == 1 && ("); while ((ip = strtok_r(rest,",", &rest))) { if (i++ > 0) { ds_put_cstr(match, " || "); }; ds_put_format(match, "arp.tpa == %s", ip); } ds_put_cstr(match, ")"); An example of that is in build_port_security_ipv6_nd_flow(). Yes, I can modify as above much more elegant. On a process point It seems the convention for updated patches is to resubmit with a v2, v3 etc make changes and resubmit as: [PATCH ovn v2] ovn-northd.c: Add proxy ARP support to OVN ? --- General comment, this will need a ddlog counterpart too. I'm not an ddlog?? Not something I know about, I have seen other ovn-northd.c patches that do not have a reference to ddlog?? expert there, so I'll leave it to the OVN team to help. But you could use Ilya's lrouter arp flow patch as a reference: https://urldefense.com/v3/__http://patchwork.ozlabs.org/project/ovn/patch/20210507162256.3661118-1-i.maxim...@ovn.org/__;!!GqivPVa7Brio!Nj575dWsjTnglWHVCkWMecpF2LWvS8PaWIQQvYmZbvYYgt1yjxGBBOoivhRao3nCZd0$ Looking at that patch, you might need to update the ovn-northd.8 manpage as well? Not sure I'm not adding a new table, just an ability to add flows to an existing table. Not sure what I would add to that man page, I have made updates to ovn-nb.xml. I used: [ovs-dev,v4] Policy-based routing (PBR) in OVN. - Patchwork <https://patchwork.ozlabs.org/project/openvswitch/patch/1554334195-126528-2-git-send-email-mary.mano...@nutanix.com/> as a guide on what I should update. Thanks! Dan + "outport = inport; " + "flags.loopback = 1; " + "output;"
[ovs-dev] [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN
From a9d3140845175edb7644b2d0d82a95bd6cf94662 Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 38 +++ ovn-nb.xml | 9 + tests/ovn.at| 103 3 files changed, 150 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..a377e83 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { +const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,43 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + +/* + * Add responses for ARP proxies. + */ +arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); +if (arp_proxy && op->peer) { +char *ips, *ip, *rest; + +ips = xstrdup(arp_proxy); +rest = ips; + +while ((ip = strtok_r(rest,",", &rest))) { +ds_clear(match); +ds_put_format(match, "arp.tpa == %s && arp.op == 1", ip); + +ds_clear(actions); +ds_put_format(actions, +"eth.dst = eth.src; " +"eth.src = %s; " +"arp.op = 2; /* ARP reply */ " +"arp.tha = arp.sha; " +"arp.sha = %s; " +"arp.tpa = arp.spa; " +"arp.spa = %s; " +"outport = inport; " +"flags.loopback = 1; " +"output;", +op->peer->lrp_networks.ea_s, +op->peer->lrp_networks.ea_s, +ip); + +ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, +50, ds_cstr(match), ds_cstr(actions), +&op->nbsp->header_); +} +free(ips); +} } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 02fd216..4b6c183 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A comma separated list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254,169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 2c3c36d..c675cc9 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26527,3 +26527,106 @@ AT_CHECK([test $(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) = OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add lr1 ls1 00:00:00:01:02:f1 192.16.1.1/24 +ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 \ +type=router options:router-port=ls1 addresses=\"00:00:00:01:02:f1\" + +# Create logical port ls1-lp1 in ls1 +ovn-nbctl lsp-add ls1 ls1-lp1 \ +-- lsp-set-addresses ls1-lp1 "00:00:00:01:02:03 192.16.1.6" + + +# Create one hypervisor and create OVS ports corresponding to logical ports. +net_add n1 + +sim_add pa-hv +as pa-hv +ovs-vsctl add-br br-phys +ovn_attach n1 br-phys 192.16.0.1 + +# Note: tx/rx are with respect to the LS port, so +# tx on switch port is HV rx, etc. +ovs-vsc
Re: [ovs-dev] [External] : Re: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN
On 02/06/2021 15:42, Dan Williams wrote: On Wed, 2021-06-02 at 09:26 +0100, Brendan Doyle wrote: Hi, Just wondering what the process is here, I submitted this patch a while ago, and I see quite a few other patches have been submitted since. So wondering what happens after a patch is submitted, how do I know if it has been accepted/rejected/need more work, and how does it make it into the repo if accepted. This does not seem to be documented in: Thanks for the patch; now that it's posted the patch is waiting for review. You can track overall status here: https://urldefense.com/v3/__http://patchwork.ozlabs.org/project/ovn/list/?series=246447__;!!GqivPVa7Brio!NAT2CA0Mr3YQ0gASU9iSe8-ql0xQnnn3q7gvr8E25QYgrAvVWAE0QvPelMH9KXmj-pM$ Great, thanks but you'll also get replies to the patch with review comments. Reviews may take a bit of time as the patch volume is fairly large, and everyone is busy. But don't worry! It's on the list. NP - I know the feeling :) Submitting Patches — Open Virtual Network (OVN) 21.03.0 documentation < https://urldefense.com/v3/__https://docs.ovn.org/en/stable/internals/contributing/submitting-patches.html__;!!GqivPVa7Brio!NAT2CA0Mr3YQ0gASU9iSe8-ql0xQnnn3q7gvr8E25QYgrAvVWAE0QvPelMH9OLJt62c$ Good point, there should probably be a "What's next?" section. --- One thing though, the patch seems to be linewrapped and won't apply cleanly. Any chance you could fix that up by setting your email client to "preformatted" before pasting the patch into the mail, or using git- send-email? Oh, sorry I did run the patch checker before pasting into email, I'll see what I can do. Then just resubmit? Thanks, Dan Thanks Brendan On 31/05/2021 10:06, Brendan Doyle wrote: From a9d3140845175edb7644b2d0d82a95bd6cf94662 Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 38 +++ ovn-nb.xml | 9 + tests/ovn.at | 103 3 files changed, 150 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..a377e83 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { + const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,43 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + + /* + * Add responses for ARP proxies. + */ + arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + if (arp_proxy && op->peer) { + char *ips, *ip, *rest; + + ips = xstrdup(arp_proxy); + rest = ips; + + while ((ip = strtok_r(rest,",", &rest))) { + ds_clear(match); + ds_put_format(match, "arp.tpa == %s && arp.op == 1", ip); + + ds_clear(actions); + ds_put_format(actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa = arp.spa; " + "arp.spa = %s; " + "outport = inport; " + "flags.loopback = 1; " + "output;", + op->peer->lrp_networks.ea_s, + op->peer->lrp_networks.ea_s, + ip); + + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, + 50, ds_cstr(match), ds_cstr(actions), + &op->nbsp->header_); +
Re: [ovs-dev] [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN
Hi, Just wondering what the process is here, I submitted this patch a while ago, and I see quite a few other patches have been submitted since. So wondering what happens after a patch is submitted, how do I know if it has been accepted/rejected/need more work, and how does it make it into the repo if accepted. This does not seem to be documented in: Submitting Patches — Open Virtual Network (OVN) 21.03.0 documentation <https://docs.ovn.org/en/stable/internals/contributing/submitting-patches.html> Thanks Brendan On 31/05/2021 10:06, Brendan Doyle wrote: From a9d3140845175edb7644b2d0d82a95bd6cf94662 Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 38 +++ ovn-nb.xml | 9 + tests/ovn.at | 103 3 files changed, 150 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..a377e83 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { + const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,43 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + + /* + * Add responses for ARP proxies. + */ + arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + if (arp_proxy && op->peer) { + char *ips, *ip, *rest; + + ips = xstrdup(arp_proxy); + rest = ips; + + while ((ip = strtok_r(rest,",", &rest))) { + ds_clear(match); + ds_put_format(match, "arp.tpa == %s && arp.op == 1", ip); + + ds_clear(actions); + ds_put_format(actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa = arp.spa; " + "arp.spa = %s; " + "outport = inport; " + "flags.loopback = 1; " + "output;", + op->peer->lrp_networks.ea_s, + op->peer->lrp_networks.ea_s, + ip); + + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, + 50, ds_cstr(match), ds_cstr(actions), + &op->nbsp->header_); + } + free(ips); + } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 02fd216..4b6c183 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A comma separated list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254,169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 2c3c36d..c675cc9 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26527,3 +26527,106 @@ AT_CHECK([test $(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) = OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add lr1 ls1 00:00:00:01:0
[ovs-dev] [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN
From a9d3140845175edb7644b2d0d82a95bd6cf94662 Mon Sep 17 00:00:00 2001 From: Brendan Doyle Date: Fri, 28 May 2021 10:01:17 -0700 Subject: [PATCH ovn] ovn-northd.c: Add proxy ARP support to OVN This patch provides the ability to configure proxy ARP IPs on a Logical Switch Router port. The IPs are added as Options for router ports. This provides a useful feature where traffic for a service must be sent to an address in a logical network address space, but the service is provided in a different network. For example an NFS service is provide to Logical networks at an address in their Logical network space, but the NFS server resides in a physical network. A Logical switch Router port can be configured to respond to ARP requests sent to the service "Logical address", the Logical Router/Gateway can then be configured to forward the traffic to the underlay/physical network. Signed-off-by: Brendan Doyle --- northd/ovn-northd.c | 38 +++ ovn-nb.xml | 9 + tests/ovn.at | 103 3 files changed, 150 insertions(+) diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 0e5092a..a377e83 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -6943,6 +6943,7 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, struct ds *match) { if (op->nbsp) { + const char *arp_proxy; if (!strcmp(op->nbsp->type, "virtual")) { /* Handle * - GARPs for virtual ip which belongs to a logical port @@ -7096,6 +7097,43 @@ build_lswitch_arp_nd_responder_known_ips(struct ovn_port *op, } } } + + /* + * Add responses for ARP proxies. + */ + arp_proxy = smap_get(&op->nbsp->options,"arp_proxy"); + if (arp_proxy && op->peer) { + char *ips, *ip, *rest; + + ips = xstrdup(arp_proxy); + rest = ips; + + while ((ip = strtok_r(rest,",", &rest))) { + ds_clear(match); + ds_put_format(match, "arp.tpa == %s && arp.op == 1", ip); + + ds_clear(actions); + ds_put_format(actions, + "eth.dst = eth.src; " + "eth.src = %s; " + "arp.op = 2; /* ARP reply */ " + "arp.tha = arp.sha; " + "arp.sha = %s; " + "arp.tpa = arp.spa; " + "arp.spa = %s; " + "outport = inport; " + "flags.loopback = 1; " + "output;", + op->peer->lrp_networks.ea_s, + op->peer->lrp_networks.ea_s, + ip); + + ovn_lflow_add_with_hint(lflows, op->od, S_SWITCH_IN_ARP_ND_RSP, + 50, ds_cstr(match), ds_cstr(actions), + &op->nbsp->header_); + } + free(ips); + } } } diff --git a/ovn-nb.xml b/ovn-nb.xml index 02fd216..4b6c183 100644 --- a/ovn-nb.xml +++ b/ovn-nb.xml @@ -848,6 +848,15 @@ + + + Optional. A comma separated list IPv4 addresses that this + logical switch router port will reply to ARP requests. + Example: 169.254.239.254,169.254.239.2. The + 's logical router should + have a route to forward packets sent to configured proxy ARP IPs to + an appropriate destination. + diff --git a/tests/ovn.at b/tests/ovn.at index 2c3c36d..c675cc9 100644 --- a/tests/ovn.at +++ b/tests/ovn.at @@ -26527,3 +26527,106 @@ AT_CHECK([test $(ovn-appctl -t ovn-controller coverage/read-counter lflow_run) = OVN_CLEANUP([hv1]) AT_CLEANUP ]) + +OVN_FOR_EACH_NORTHD([ +AT_SETUP([ovn -- proxy-arp: 1 HVs, 1 LSs, 1 lport/LS, 1 LR]) +AT_KEYWORDS([proxy-arp]) +ovn_start + +# Logical network: +# One LR - lr1 has switch ls1 (192.16.1.0/24) connected to it, +# and and one HV with IP 192.16.1.6. + +ovn-nbctl lr-add lr1 +ovn-nbctl ls-add ls1 + +# Connect ls1 to lr1 +ovn-nbctl lrp-add lr1 ls1 00:00:00:01:02:f1 192.16.1.1/24 +ovn-nbctl lsp-add ls1 rp-ls1 -- set Logical_Switch_Port rp-ls1 \ + type=router options:router-port=ls1 addresses=\"00:00:00:01:02:f1\" + +# Create logical port ls1-lp1 in ls1 +ovn-nbctl lsp-add ls1 ls1-lp1 \ +-- lsp-set-addresses ls1-lp1 "00:00:00:01:02:03 192.16.1.6" + + +# Create one hypervisor and create OVS ports corresponding to logical ports. +net_add n1 + +sim_add pa-hv +as pa-hv +ovs-vsctl add-br br-phys +ovn_attach n1 br-phys 192.16.0.1 + +# Note: tx/rx are with respect to the LS port, so +# tx on switch port is H
Re: [ovs-dev] [External] : Re: Fwd: tracing ovs flows in br-int
Thanks On 19/01/2021 12:14, Ilya Maximets wrote: On 1/18/21 7:38 PM, Brendan Doyle wrote: Forwarded Message Subject: tracing ovs flows in br-int Date: Mon, 18 Jan 2021 18:31:53 + From: Brendan Doyle Organization: Oracle Corporation To: ovs-disc...@openvswitch.org Hi Folks, I'm trying to trace a flow through br-int but ovs-appctl ofproto/trace br-int is not giving me the output I expect to see. I'm trying to trace the pkt below through br-int on the remote chassis. The pkt does get tunnel and delivered to its destination, which replies, and the reply is successfully tunneled back to the initiating host, so the flows are working, but I just can't seem to trace them. pkt in question (extract from tcpdump): -- 00:00:00.00 98:03:9b:59:af:1c > 98:03:9b:3f:d9:1e, ethertype IPv4 (0x0800), length 156: (tos 0x0, ttl 64, id 9804, offset 0, flags [DF], proto UDP (17), length 142) 253.255.2.6.47096 > 253.255.0.35.6081: [udp sum ok] Geneve, Flags [C], vni 0x392, proto TEB (0x6558), options [class Open Virtual Networking (OVN) (0x102) type 0x80(C) len 8 data 00010007] 52:54:00:be:06:16 > 40:44:00:00:04:10, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 43284, offset 0, flags [DF], proto ICMP (1), length 84) 192.16.1.6 > 169.254.169.254: ICMP echo request, id 25237, seq 1, length 64 0x: 9803 9b3f d91e 9803 9b59 af1c 0800 4500 0x0010: 008e 264c 4000 4011 15eb fdff 0206 fdff 0x0020: 0023 b7f8 17c1 007a 10f4 0240 6558 0003 0x0030: 9200 0102 8001 0001 0007 4044 0410 0x0040: 5254 00be 0616 0800 4500 0054 a914 4000 0x0050: 4001 7c81 c010 0106 a9fe a9fe 0800 f629 0x0060: 6295 0001 f166 0560 e3a5 0600 0x0070: 1011 1213 1415 1617 1819 1a1b 0x0080: 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 0x0090: 2c2d 2e2f 3031 3233 3435 3637 --- The ovs br-int details on the target chassis: ovs-appctl dpif/show system@ovs-system: hit:6576964 missed:4469 br-int: br-int 65534/2: (internal) ovn-ca-rai-0 2/1: (geneve: csum=true, key=flow, remote_ip=253.255.2.17) ovn-ca-rai-1 11/1: (geneve: csum=true, key=flow, remote_ip=253.255.0.34) ovn-ca-rai-2 5/1: (geneve: csum=true, key=flow, remote_ip=253.255.0.33) ovn-ca-rai-3 3/1: (geneve: csum=true, key=flow, remote_ip=253.255.2.6) <-- tunnel port for VM host (3) ovn-ca-rai-4 4/1: (geneve: csum=true, key=flow, remote_ip=253.255.2.5) vethVn1M 84/3: (system) <-- Veth port (84) I thought this command would replicate the pkt that is deviled to the tunnel port on the target chassis: - ovs-appctl ofproto/trace br-int in_port=3 98039b3fd91e98039b59af1c0800458e264c4000401115ebfdff0206fdff0023b7f817c1007a10f40240655800039200010280010001000740440410525400be061608004554a914400040017c81c0100106a9fea9fe0800f62962950001f1660560e3a50600101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 Flow: udp,in_port=3,vlan_tci=0x,dl_src=98:03:9b:59:af:1c,dl_dst=98:03:9b:3f:d9:1e,nw_src=253.255.2.6,nw_dst=253.255.0.35,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=47096,tp_dst=6081 bridge("br-int") 0. in_port=3, priority 100 move:NXM_NX_TUN_ID[0..23]->OXM_OF_METADATA[0..23] -> OXM_OF_METADATA[0..23] is now 0 move:NXM_NX_TUN_METADATA0[16..30]->NXM_NX_REG14[0..14] -> NXM_NX_REG14[0..14] is now 0 move:NXM_NX_TUN_METADATA0[0..15]->NXM_NX_REG15[0..15] -> NXM_NX_REG15[0..15] is now 0 resubmit(,33) 33. No match. drop Final flow: unchanged Megaflow: recirc_id=0,eth,ip,tun_id=0/0xff,in_port=3,nw_frag=no Datapath actions: drop - But it says the packet is dropped, when in actual fact it is output on port 84 as expected. So I'm wondering am I inserting the pkt wrong? to the wrong port on the remote chassis? Hi. While receiving packets on tunnel ports, kernel fills up tunnel metadata. You can see that rules from table 0 are trying to extract TUN_ID and TUN_METADATA0 fields, but you're passing pure packet without this information, so flows in table 33 that are likely matches on extracted metadata doesn't fit. You need to pass the packet in a different format with tunnel metadata included in order to have behavior similar to what you have for a real packet, e.g. ovs-appctl ofproto/trace br-int in_port=3,tun_id= You may also need to specify other things like tun_src/dst, tun_metadata0, tun_tos or tun_flags. Since you have 'key=flow', you need to find out the correct tun_id for your tunnel in your OF rules. Best regards, Ilya Maximets. _
[ovs-dev] Fwd: tracing ovs flows in br-int
Forwarded Message Subject:tracing ovs flows in br-int Date: Mon, 18 Jan 2021 18:31:53 + From: Brendan Doyle Organization: Oracle Corporation To: ovs-disc...@openvswitch.org Hi Folks, I'm trying to trace a flow through br-int but ovs-appctl ofproto/trace br-int is not giving me the output I expect to see. I'm trying to trace the pkt below through br-int on the remote chassis. The pkt does get tunnel and delivered to its destination, which replies, and the reply is successfully tunneled back to the initiating host, so the flows are working, but I just can't seem to trace them. pkt in question (extract from tcpdump): -- 00:00:00.00 98:03:9b:59:af:1c > 98:03:9b:3f:d9:1e, ethertype IPv4 (0x0800), length 156: (tos 0x0, ttl 64, id 9804, offset 0, flags [DF], proto UDP (17), length 142) 253.255.2.6.47096 > 253.255.0.35.6081: [udp sum ok] Geneve, Flags [C], vni 0x392, proto TEB (0x6558), options [class Open Virtual Networking (OVN) (0x102) type 0x80(C) len 8 data 00010007] 52:54:00:be:06:16 > 40:44:00:00:04:10, ethertype IPv4 (0x0800), length 98: (tos 0x0, ttl 64, id 43284, offset 0, flags [DF], proto ICMP (1), length 84) 192.16.1.6 > 169.254.169.254: ICMP echo request, id 25237, seq 1, length 64 0x: 9803 9b3f d91e 9803 9b59 af1c 0800 4500 0x0010: 008e 264c 4000 4011 15eb fdff 0206 fdff 0x0020: 0023 b7f8 17c1 007a 10f4 0240 6558 0003 0x0030: 9200 0102 8001 0001 0007 4044 0410 0x0040: 5254 00be 0616 0800 4500 0054 a914 4000 0x0050: 4001 7c81 c010 0106 a9fe a9fe 0800 f629 0x0060: 6295 0001 f166 0560 e3a5 0600 0x0070: 1011 1213 1415 1617 1819 1a1b 0x0080: 1c1d 1e1f 2021 2223 2425 2627 2829 2a2b 0x0090: 2c2d 2e2f 3031 3233 3435 3637 --- The ovs br-int details on the target chassis: ovs-appctl dpif/show system@ovs-system: hit:6576964 missed:4469 br-int: br-int 65534/2: (internal) ovn-ca-rai-0 2/1: (geneve: csum=true, key=flow, remote_ip=253.255.2.17) ovn-ca-rai-1 11/1: (geneve: csum=true, key=flow, remote_ip=253.255.0.34) ovn-ca-rai-2 5/1: (geneve: csum=true, key=flow, remote_ip=253.255.0.33) ovn-ca-rai-3 3/1: (geneve: csum=true, key=flow, remote_ip=253.255.2.6) <-- tunnel port for VM host (3) ovn-ca-rai-4 4/1: (geneve: csum=true, key=flow, remote_ip=253.255.2.5) vethVn1M 84/3: (system) <-- Veth port (84) I thought this command would replicate the pkt that is deviled to the tunnel port on the target chassis: - ovs-appctl ofproto/trace br-int in_port=3 98039b3fd91e98039b59af1c0800458e264c4000401115ebfdff0206fdff0023b7f817c1007a10f40240655800039200010280010001000740440410525400be061608004554a914400040017c81c0100106a9fea9fe0800f62962950001f1660560e3a50600101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f3031323334353637 Flow: udp,in_port=3,vlan_tci=0x,dl_src=98:03:9b:59:af:1c,dl_dst=98:03:9b:3f:d9:1e,nw_src=253.255.2.6,nw_dst=253.255.0.35,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=47096,tp_dst=6081 bridge("br-int") 0. in_port=3, priority 100 move:NXM_NX_TUN_ID[0..23]->OXM_OF_METADATA[0..23] -> OXM_OF_METADATA[0..23] is now 0 move:NXM_NX_TUN_METADATA0[16..30]->NXM_NX_REG14[0..14] -> NXM_NX_REG14[0..14] is now 0 move:NXM_NX_TUN_METADATA0[0..15]->NXM_NX_REG15[0..15] -> NXM_NX_REG15[0..15] is now 0 resubmit(,33) 33. No match. drop Final flow: unchanged Megaflow: recirc_id=0,eth,ip,tun_id=0/0xff,in_port=3,nw_frag=no Datapath actions: drop - But it says the packet is dropped, when in actual fact it is output on port 84 as expected. So I'm wondering am I inserting the pkt wrong? to the wrong port on the remote chassis? Thanks Brendan. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev