Re: [ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
On Wed, Nov 13, 2019 at 8:52 PM Han Zhou wrote: > > > > On Wed, Nov 13, 2019 at 8:14 AM Dumitru Ceara wrote: > > > > On Wed, Nov 13, 2019 at 4:30 PM Han Zhou wrote: > > > > > > > > > > > > On Wed, Nov 13, 2019 at 2:42 AM Dumitru Ceara wrote: > > >> > > >> On Tue, Nov 12, 2019 at 8:50 PM Han Zhou wrote: > > >> > > > >> > > > >> > > > >> > > > >> > On Tue, Nov 12, 2019 at 10:10 AM Dumitru Ceara > > >> > wrote: > > >> > > > > >> > > On Tue, Nov 12, 2019 at 6:17 PM Han Zhou wrote: > > >> > > > > > >> > > > > > >> > > > > > >> > > > On Tue, Nov 12, 2019 at 2:29 AM Dumitru Ceara > > >> > > > wrote: > > >> > > > > > > >> > > > > ARP request and ND NS packets for router owned IPs were being > > >> > > > > flooded in the complete L2 domain (using the MC_FLOOD multicast > > >> > > > > group). > > >> > > > > However this creates a scaling issue in scenarios where > > >> > > > > aggregation > > >> > > > > logical switches are connected to more logical routers (~350). > > >> > > > > The > > >> > > > > logical pipelines of all routers would have to be executed > > >> > > > > before the > > >> > > > > packet is finally replied to by a single router, the owner of > > >> > > > > the IP > > >> > > > > address. > > >> > > > > > > >> > > > > This commit limits the broadcast domain by bypassing the L2 > > >> > > > > Lookup stage > > >> > > > > for ARP requests that will be replied by a single router. The > > >> > > > > packets > > >> > > > > are forwarded only to the router port that owns the target IP > > >> > > > > address. > > >> > > > > > > >> > > > > IPs that are owned by the routers and for which this fix applies > > >> > > > > are: > > >> > > > > - IP addresses configured on the router ports. > > >> > > > > - VIPs. > > >> > > > > - NAT IPs. > > >> > > > > > > >> > > > > Reported-at: https://bugzilla.redhat.com/1756945 > > >> > > > > Reported-by: Anil Venkata 
> > >> > > > > Signed-off-by: Dumitru Ceara > > >> > > > > > > >> > > > > --- > > >> > > > > v7: > > >> > > > > - Address Han's comments: > > >> > > > > - Remove flooding for all ARPs received on VLAN networks. To > > >> > > > > avoid > > >> > > > > that we now identify self originated (G)ARPs by matching > > >> > > > > on source > > >> > > > > MAC address too. > > >> > > > > - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. > > >> > > > > - Fix ovn-sb manpage. > > >> > > > > - Split patch in a series of 2: > > >> > > > > - patch1: fixes the get_router_load_balancer_ips() function. > > >> > > > > - patch2: limits the ARP/ND broadcast domain. > > >> > > > > v6: > > >> > > > > - Address Han's comments: > > >> > > > > - remove flooding of ARPs targeting OVN owned IP addresses. > > >> > > > > - update ovn-architecture documentation. > > >> > > > > - rename ARP handling functions. > > >> > > > > - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to > > >> > > > > take into > > >> > > > > account the new way of forwarding ARPs. > > >> > > > > - Also, properly deal with ARP packets on VLAN-backed networks. > > >> > > > > v5: Address Numan's comments: update comments & make autotest > > >> > > > > more > > >> > > > > robust. > > >> > > > > v4: Rebase. > > >> > > > > v3: Properly deal with VXLAN traffic. Address review comments > > >> > > > > from > > >> > > > > Numan (add autotests). Fix function > > >> > > > > get_router_load_balancer_ips. > > >> > > > > Rebase -> deal with IPv6 NAT too. > > >> > > > > v2: Move ARP broadcast domain limiting to table > > >> > > > > S_SWITCH_IN_L2_LKUP to > > >> > > > > address localnet ports too. > > >> > > > > --- > > >> > > > > northd/ovn-northd.8.xml | 14 ++ > > >> > > > > northd/ovn-northd.c | 230 > > >> > > > > +++ > > >> > > > > ovn-architecture.7.xml | 19 +++ > > >> > > > > tests/ovn.at| 307 > > >> > > > > +-- > > >> > > > > 4 files changed, 530 insertions(+), 40 deletions(-) > > >> > > 
> > > > >> > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > >> > > > > index 0a33dcd..344cc0d 100644 > > >> > > > > --- a/northd/ovn-northd.8.xml > > >> > > > > +++ b/northd/ovn-northd.8.xml > > >> > > > > @@ -1005,6 +1005,20 @@ output; > > >> > > > > > > >> > > > > > > >> > > > > > > >> > > > > +Priority-80 flows for each port connected to a logical > > >> > > > > router > > >> > > > > +matching self originated GARP/ARP request/ND packets. > > >> > > > > These packets > > >> > > > > +are flooded to the MC_FLOOD which contains > > >> > > > > all logical > > >> > > > > +ports. > > >> > > > > + > > >> > > > > + > > >> > > > > + > > >> > > > > +Priority-75 flows for each IP address/VIP/NAT address > > >> > > > > owned by a > > >> > > > > +router port connected to the switch. These flows match > > >> > > > > ARP requests > > >> > > > > +and ND
Re: [ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
On Wed, Nov 13, 2019 at 8:14 AM Dumitru Ceara wrote: > > On Wed, Nov 13, 2019 at 4:30 PM Han Zhou wrote: > > > > > > > > On Wed, Nov 13, 2019 at 2:42 AM Dumitru Ceara wrote: > >> > >> On Tue, Nov 12, 2019 at 8:50 PM Han Zhou wrote: > >> > > >> > > >> > > >> > > >> > On Tue, Nov 12, 2019 at 10:10 AM Dumitru Ceara wrote: > >> > > > >> > > On Tue, Nov 12, 2019 at 6:17 PM Han Zhou wrote: > >> > > > > >> > > > > >> > > > > >> > > > On Tue, Nov 12, 2019 at 2:29 AM Dumitru Ceara wrote: > >> > > > > > >> > > > > ARP request and ND NS packets for router owned IPs were being > >> > > > > flooded in the complete L2 domain (using the MC_FLOOD multicast group). > >> > > > > However this creates a scaling issue in scenarios where aggregation > >> > > > > logical switches are connected to more logical routers (~350). The > >> > > > > logical pipelines of all routers would have to be executed before the > >> > > > > packet is finally replied to by a single router, the owner of the IP > >> > > > > address. > >> > > > > > >> > > > > This commit limits the broadcast domain by bypassing the L2 Lookup stage > >> > > > > for ARP requests that will be replied by a single router. The packets > >> > > > > are forwarded only to the router port that owns the target IP address. > >> > > > > > >> > > > > IPs that are owned by the routers and for which this fix applies are: > >> > > > > - IP addresses configured on the router ports. > >> > > > > - VIPs. > >> > > > > - NAT IPs. > >> > > > > > >> > > > > Reported-at: https://bugzilla.redhat.com/1756945 > >> > > > > Reported-by: Anil Venkata 
> >> > > > > Signed-off-by: Dumitru Ceara > >> > > > > > >> > > > > --- > >> > > > > v7: > >> > > > > - Address Han's comments: > >> > > > > - Remove flooding for all ARPs received on VLAN networks. To avoid > >> > > > > that we now identify self originated (G)ARPs by matching on source > >> > > > > MAC address too. > >> > > > > - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. > >> > > > > - Fix ovn-sb manpage. > >> > > > > - Split patch in a series of 2: > >> > > > > - patch1: fixes the get_router_load_balancer_ips() function. > >> > > > > - patch2: limits the ARP/ND broadcast domain. > >> > > > > v6: > >> > > > > - Address Han's comments: > >> > > > > - remove flooding of ARPs targeting OVN owned IP addresses. > >> > > > > - update ovn-architecture documentation. > >> > > > > - rename ARP handling functions. > >> > > > > - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to take into > >> > > > > account the new way of forwarding ARPs. > >> > > > > - Also, properly deal with ARP packets on VLAN-backed networks. > >> > > > > v5: Address Numan's comments: update comments & make autotest more > >> > > > > robust. > >> > > > > v4: Rebase. > >> > > > > v3: Properly deal with VXLAN traffic. Address review comments from > >> > > > > Numan (add autotests). Fix function get_router_load_balancer_ips. > >> > > > > Rebase -> deal with IPv6 NAT too. > >> > > > > v2: Move ARP broadcast domain limiting to table S_SWITCH_IN_L2_LKUP to > >> > > > > address localnet ports too. > >> > > > > --- > >> > > > > northd/ovn-northd.8.xml | 14 ++ > >> > > > > northd/ovn-northd.c | 230 +++ > >> > > > > ovn-architecture.7.xml | 19 +++ > >> > > > > tests/ovn.at| 307 +-- > >> > > > > 4 files changed, 530 insertions(+), 40 deletions(-) > >> > > > > > >> > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > >> > > > > index 0a33dcd..344cc0d 100644 > >> > > > > --- a/northd/ovn-northd.8.xml > >> > > > > +++ b/northd/ovn-northd.8.xml 
> >> > > > > @@ -1005,6 +1005,20 @@ output; > >> > > > > > >> > > > > > >> > > > > > >> > > > > +Priority-80 flows for each port connected to a logical router > >> > > > > +matching self originated GARP/ARP request/ND packets. These packets > >> > > > > +are flooded to the MC_FLOOD which contains all logical > >> > > > > +ports. > >> > > > > + > >> > > > > + > >> > > > > + > >> > > > > +Priority-75 flows for each IP address/VIP/NAT address owned by a > >> > > > > +router port connected to the switch. These flows match ARP requests > >> > > > > +and ND packets for the specific IP addresses. Matched packets are > >> > > > > +forwarded only to the router that owns the IP address. > >> > > > > + > >> > > > > + > >> > > > > + > >> > > > > A priority-70 flow that outputs all packets with an Ethernet broadcast > >> > > > > or multicast eth.dst to the MC_FLOOD > >> > > > > multicast group. > >> > > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > >> > > > > index 32f3200..d6beb97 100644 > >> > > > > --- a/northd/ovn-northd.c > >> > > > > +++ b/northd/ovn-northd.c > >> > > > > @@ -210,6 +210,8 @@ enum ovn_stage { > >> > > > >
Re: [ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
On Wed, Nov 13, 2019 at 4:30 PM Han Zhou wrote: > > > > On Wed, Nov 13, 2019 at 2:42 AM Dumitru Ceara wrote: >> >> On Tue, Nov 12, 2019 at 8:50 PM Han Zhou wrote: >> > >> > >> > >> > >> > On Tue, Nov 12, 2019 at 10:10 AM Dumitru Ceara wrote: >> > > >> > > On Tue, Nov 12, 2019 at 6:17 PM Han Zhou wrote: >> > > > >> > > > >> > > > >> > > > On Tue, Nov 12, 2019 at 2:29 AM Dumitru Ceara >> > > > wrote: >> > > > > >> > > > > ARP request and ND NS packets for router owned IPs were being >> > > > > flooded in the complete L2 domain (using the MC_FLOOD multicast >> > > > > group). >> > > > > However this creates a scaling issue in scenarios where aggregation >> > > > > logical switches are connected to more logical routers (~350). The >> > > > > logical pipelines of all routers would have to be executed before the >> > > > > packet is finally replied to by a single router, the owner of the IP >> > > > > address. >> > > > > >> > > > > This commit limits the broadcast domain by bypassing the L2 Lookup >> > > > > stage >> > > > > for ARP requests that will be replied by a single router. The packets >> > > > > are forwarded only to the router port that owns the target IP >> > > > > address. >> > > > > >> > > > > IPs that are owned by the routers and for which this fix applies are: >> > > > > - IP addresses configured on the router ports. >> > > > > - VIPs. >> > > > > - NAT IPs. >> > > > > >> > > > > Reported-at: https://bugzilla.redhat.com/1756945 >> > > > > Reported-by: Anil Venkata 
>> > > > > Signed-off-by: Dumitru Ceara >> > > > > >> > > > > --- >> > > > > v7: >> > > > > - Address Han's comments: >> > > > > - Remove flooding for all ARPs received on VLAN networks. To >> > > > > avoid >> > > > > that we now identify self originated (G)ARPs by matching on >> > > > > source >> > > > > MAC address too. >> > > > > - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. >> > > > > - Fix ovn-sb manpage. >> > > > > - Split patch in a series of 2: >> > > > > - patch1: fixes the get_router_load_balancer_ips() function. >> > > > > - patch2: limits the ARP/ND broadcast domain. >> > > > > v6: >> > > > > - Address Han's comments: >> > > > > - remove flooding of ARPs targeting OVN owned IP addresses. >> > > > > - update ovn-architecture documentation. >> > > > > - rename ARP handling functions. >> > > > > - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to take >> > > > > into >> > > > > account the new way of forwarding ARPs. >> > > > > - Also, properly deal with ARP packets on VLAN-backed networks. >> > > > > v5: Address Numan's comments: update comments & make autotest more >> > > > > robust. >> > > > > v4: Rebase. >> > > > > v3: Properly deal with VXLAN traffic. Address review comments from >> > > > > Numan (add autotests). Fix function get_router_load_balancer_ips. >> > > > > Rebase -> deal with IPv6 NAT too. >> > > > > v2: Move ARP broadcast domain limiting to table S_SWITCH_IN_L2_LKUP >> > > > > to >> > > > > address localnet ports too. >> > > > > --- >> > > > > northd/ovn-northd.8.xml | 14 ++ >> > > > > northd/ovn-northd.c | 230 +++ >> > > > > ovn-architecture.7.xml | 19 +++ >> > > > > tests/ovn.at| 307 >> > > > > +-- >> > > > > 4 files changed, 530 insertions(+), 40 deletions(-) >> > > > > >> > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml >> > > > > index 0a33dcd..344cc0d 100644 >> > > > > --- a/northd/ovn-northd.8.xml >> > > > > +++ b/northd/ovn-northd.8.xml 
>> > > > > @@ -1005,6 +1005,20 @@ output; >> > > > > >> > > > > >> > > > > >> > > > > +Priority-80 flows for each port connected to a logical >> > > > > router >> > > > > +matching self originated GARP/ARP request/ND packets. These >> > > > > packets >> > > > > +are flooded to the MC_FLOOD which contains all >> > > > > logical >> > > > > +ports. >> > > > > + >> > > > > + >> > > > > + >> > > > > +Priority-75 flows for each IP address/VIP/NAT address owned >> > > > > by a >> > > > > +router port connected to the switch. These flows match ARP >> > > > > requests >> > > > > +and ND packets for the specific IP addresses. Matched >> > > > > packets are >> > > > > +forwarded only to the router that owns the IP address. >> > > > > + >> > > > > + >> > > > > + >> > > > > A priority-70 flow that outputs all packets with an >> > > > > Ethernet broadcast >> > > > > or multicast eth.dst to the >> > > > > MC_FLOOD >> > > > > multicast group. >> > > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c >> > > > > index 32f3200..d6beb97 100644 >> > > > > --- a/northd/ovn-northd.c >> > > > > +++ b/northd/ovn-northd.c >> > > > > @@ -210,6 +210,8 @@ enum ovn_stage { >> > > > > #define REGBIT_LOOKUP_NEIGHBOR_RESULT "reg9[4]" >> > > > >
Re: [ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
On Wed, Nov 13, 2019 at 2:42 AM Dumitru Ceara wrote: > On Tue, Nov 12, 2019 at 8:50 PM Han Zhou wrote: > > > > > > > > > > On Tue, Nov 12, 2019 at 10:10 AM Dumitru Ceara > wrote: > > > > > > On Tue, Nov 12, 2019 at 6:17 PM Han Zhou wrote: > > > > > > > > > > > > > > > > On Tue, Nov 12, 2019 at 2:29 AM Dumitru Ceara > wrote: > > > > > > > > > > ARP request and ND NS packets for router owned IPs were being > > > > > flooded in the complete L2 domain (using the MC_FLOOD multicast > group). > > > > > However this creates a scaling issue in scenarios where aggregation > > > > > logical switches are connected to more logical routers (~350). The > > > > > logical pipelines of all routers would have to be executed before > the > > > > > packet is finally replied to by a single router, the owner of the > IP > > > > > address. > > > > > > > > > > This commit limits the broadcast domain by bypassing the L2 Lookup > stage > > > > > for ARP requests that will be replied by a single router. The > packets > > > > > are forwarded only to the router port that owns the target IP > address. > > > > > > > > > > IPs that are owned by the routers and for which this fix applies > are: > > > > > - IP addresses configured on the router ports. > > > > > - VIPs. > > > > > - NAT IPs. > > > > > > > > > > Reported-at: https://bugzilla.redhat.com/1756945 > > > > > Reported-by: Anil Venkata 
> > > > > Signed-off-by: Dumitru Ceara > > > > > > > > > > --- > > > > > v7: > > > > > - Address Han's comments: > > > > > - Remove flooding for all ARPs received on VLAN networks. To > avoid > > > > > that we now identify self originated (G)ARPs by matching on > source > > > > > MAC address too. > > > > > - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. > > > > > - Fix ovn-sb manpage. > > > > > - Split patch in a series of 2: > > > > > - patch1: fixes the get_router_load_balancer_ips() function. > > > > > - patch2: limits the ARP/ND broadcast domain. > > > > > v6: > > > > > - Address Han's comments: > > > > > - remove flooding of ARPs targeting OVN owned IP addresses. > > > > > - update ovn-architecture documentation. > > > > > - rename ARP handling functions. > > > > > - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to > take into > > > > > account the new way of forwarding ARPs. > > > > > - Also, properly deal with ARP packets on VLAN-backed networks. > > > > > v5: Address Numan's comments: update comments & make autotest more > > > > > robust. > > > > > v4: Rebase. > > > > > v3: Properly deal with VXLAN traffic. Address review comments from > > > > > Numan (add autotests). Fix function > get_router_load_balancer_ips. > > > > > Rebase -> deal with IPv6 NAT too. > > > > > v2: Move ARP broadcast domain limiting to table > S_SWITCH_IN_L2_LKUP to > > > > > address localnet ports too. > > > > > --- > > > > > northd/ovn-northd.8.xml | 14 ++ > > > > > northd/ovn-northd.c | 230 +++ > > > > > ovn-architecture.7.xml | 19 +++ > > > > > tests/ovn.at| 307 > +-- > > > > > 4 files changed, 530 insertions(+), 40 deletions(-) > > > > > > > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > > > > index 0a33dcd..344cc0d 100644 > > > > > --- a/northd/ovn-northd.8.xml > > > > > +++ b/northd/ovn-northd.8.xml 
> > > > > @@ -1005,6 +1005,20 @@ output; > > > > > > > > > > > > > > > > > > > > +Priority-80 flows for each port connected to a logical > router > > > > > +matching self originated GARP/ARP request/ND packets. > These packets > > > > > +are flooded to the MC_FLOOD which contains > all logical > > > > > +ports. > > > > > + > > > > > + > > > > > + > > > > > +Priority-75 flows for each IP address/VIP/NAT address > owned by a > > > > > +router port connected to the switch. These flows match > ARP requests > > > > > +and ND packets for the specific IP addresses. Matched > packets are > > > > > +forwarded only to the router that owns the IP address. > > > > > + > > > > > + > > > > > + > > > > > A priority-70 flow that outputs all packets with an > Ethernet broadcast > > > > > or multicast eth.dst to the > MC_FLOOD > > > > > multicast group. > > > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > > > > index 32f3200..d6beb97 100644 > > > > > --- a/northd/ovn-northd.c > > > > > +++ b/northd/ovn-northd.c > > > > > @@ -210,6 +210,8 @@ enum ovn_stage { > > > > > #define REGBIT_LOOKUP_NEIGHBOR_RESULT "reg9[4]" > > > > > #define REGBIT_SKIP_LOOKUP_NEIGHBOR "reg9[5]" > > > > > > > > > > +#define FLAGBIT_NOT_VXLAN "flags[1] == 0" > > > > > + > > > > > /* Returns an "enum ovn_stage" built from the arguments. */ > > > > > static enum ovn_stage > > > > > ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline > pipeline, > > >
Re: [ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
On Tue, Nov 12, 2019 at 8:50 PM Han Zhou wrote: > > > > > On Tue, Nov 12, 2019 at 10:10 AM Dumitru Ceara wrote: > > > > On Tue, Nov 12, 2019 at 6:17 PM Han Zhou wrote: > > > > > > > > > > > > On Tue, Nov 12, 2019 at 2:29 AM Dumitru Ceara wrote: > > > > > > > > ARP request and ND NS packets for router owned IPs were being > > > > flooded in the complete L2 domain (using the MC_FLOOD multicast group). > > > > However this creates a scaling issue in scenarios where aggregation > > > > logical switches are connected to more logical routers (~350). The > > > > logical pipelines of all routers would have to be executed before the > > > > packet is finally replied to by a single router, the owner of the IP > > > > address. > > > > > > > > This commit limits the broadcast domain by bypassing the L2 Lookup stage > > > > for ARP requests that will be replied by a single router. The packets > > > > are forwarded only to the router port that owns the target IP address. > > > > > > > > IPs that are owned by the routers and for which this fix applies are: > > > > - IP addresses configured on the router ports. > > > > - VIPs. > > > > - NAT IPs. > > > > > > > > Reported-at: https://bugzilla.redhat.com/1756945 > > > > Reported-by: Anil Venkata 
> > > > Signed-off-by: Dumitru Ceara > > > > > > > > --- > > > > v7: > > > > - Address Han's comments: > > > > - Remove flooding for all ARPs received on VLAN networks. To avoid > > > > that we now identify self originated (G)ARPs by matching on source > > > > MAC address too. > > > > - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. > > > > - Fix ovn-sb manpage. > > > > - Split patch in a series of 2: > > > > - patch1: fixes the get_router_load_balancer_ips() function. > > > > - patch2: limits the ARP/ND broadcast domain. > > > > v6: > > > > - Address Han's comments: > > > > - remove flooding of ARPs targeting OVN owned IP addresses. > > > > - update ovn-architecture documentation. > > > > - rename ARP handling functions. > > > > - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to take > > > > into > > > > account the new way of forwarding ARPs. > > > > - Also, properly deal with ARP packets on VLAN-backed networks. > > > > v5: Address Numan's comments: update comments & make autotest more > > > > robust. > > > > v4: Rebase. > > > > v3: Properly deal with VXLAN traffic. Address review comments from > > > > Numan (add autotests). Fix function get_router_load_balancer_ips. > > > > Rebase -> deal with IPv6 NAT too. > > > > v2: Move ARP broadcast domain limiting to table S_SWITCH_IN_L2_LKUP to > > > > address localnet ports too. > > > > --- > > > > northd/ovn-northd.8.xml | 14 ++ > > > > northd/ovn-northd.c | 230 +++ > > > > ovn-architecture.7.xml | 19 +++ > > > > tests/ovn.at| 307 > > > > +-- > > > > 4 files changed, 530 insertions(+), 40 deletions(-) > > > > > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > > > index 0a33dcd..344cc0d 100644 > > > > --- a/northd/ovn-northd.8.xml > > > > +++ b/northd/ovn-northd.8.xml 
> > > > @@ -1005,6 +1005,20 @@ output; > > > > > > > > > > > > > > > > +Priority-80 flows for each port connected to a logical router > > > > +matching self originated GARP/ARP request/ND packets. These > > > > packets > > > > +are flooded to the MC_FLOOD which contains all > > > > logical > > > > +ports. > > > > + > > > > + > > > > + > > > > +Priority-75 flows for each IP address/VIP/NAT address owned by > > > > a > > > > +router port connected to the switch. These flows match ARP > > > > requests > > > > +and ND packets for the specific IP addresses. Matched packets > > > > are > > > > +forwarded only to the router that owns the IP address. > > > > + > > > > + > > > > + > > > > A priority-70 flow that outputs all packets with an Ethernet > > > > broadcast > > > > or multicast eth.dst to the MC_FLOOD > > > > multicast group. > > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > > > index 32f3200..d6beb97 100644 > > > > --- a/northd/ovn-northd.c > > > > +++ b/northd/ovn-northd.c > > > > @@ -210,6 +210,8 @@ enum ovn_stage { > > > > #define REGBIT_LOOKUP_NEIGHBOR_RESULT "reg9[4]" > > > > #define REGBIT_SKIP_LOOKUP_NEIGHBOR "reg9[5]" > > > > > > > > +#define FLAGBIT_NOT_VXLAN "flags[1] == 0" > > > > + > > > > /* Returns an "enum ovn_stage" built from the arguments. */ > > > > static enum ovn_stage > > > > ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline > > > > pipeline, > > > > @@ -1202,6 +1204,34 @@ ovn_port_allocate_key(struct ovn_datapath *od) > > > >1, (1u << 15) - 1, >port_key_hint); > > > > } > > > > > > > > +/* Returns true if the logical switch port 'enabled' column is
Re: [ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
On Tue, Nov 12, 2019 at 10:10 AM Dumitru Ceara wrote: > > On Tue, Nov 12, 2019 at 6:17 PM Han Zhou wrote: > > > > > > > > On Tue, Nov 12, 2019 at 2:29 AM Dumitru Ceara wrote: > > > > > > ARP request and ND NS packets for router owned IPs were being > > > flooded in the complete L2 domain (using the MC_FLOOD multicast group). > > > However this creates a scaling issue in scenarios where aggregation > > > logical switches are connected to more logical routers (~350). The > > > logical pipelines of all routers would have to be executed before the > > > packet is finally replied to by a single router, the owner of the IP > > > address. > > > > > > This commit limits the broadcast domain by bypassing the L2 Lookup stage > > > for ARP requests that will be replied by a single router. The packets > > > are forwarded only to the router port that owns the target IP address. > > > > > > IPs that are owned by the routers and for which this fix applies are: > > > - IP addresses configured on the router ports. > > > - VIPs. > > > - NAT IPs. > > > > > > Reported-at: https://bugzilla.redhat.com/1756945 > > > Reported-by: Anil Venkata 
> > > Signed-off-by: Dumitru Ceara > > > > > > --- > > > v7: > > > - Address Han's comments: > > > - Remove flooding for all ARPs received on VLAN networks. To avoid > > > that we now identify self originated (G)ARPs by matching on source > > > MAC address too. > > > - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. > > > - Fix ovn-sb manpage. > > > - Split patch in a series of 2: > > > - patch1: fixes the get_router_load_balancer_ips() function. > > > - patch2: limits the ARP/ND broadcast domain. > > > v6: > > > - Address Han's comments: > > > - remove flooding of ARPs targeting OVN owned IP addresses. > > > - update ovn-architecture documentation. > > > - rename ARP handling functions. > > > - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to take into > > > account the new way of forwarding ARPs. > > > - Also, properly deal with ARP packets on VLAN-backed networks. > > > v5: Address Numan's comments: update comments & make autotest more > > > robust. > > > v4: Rebase. > > > v3: Properly deal with VXLAN traffic. Address review comments from > > > Numan (add autotests). Fix function get_router_load_balancer_ips. > > > Rebase -> deal with IPv6 NAT too. > > > v2: Move ARP broadcast domain limiting to table S_SWITCH_IN_L2_LKUP to > > > address localnet ports too. > > > --- > > > northd/ovn-northd.8.xml | 14 ++ > > > northd/ovn-northd.c | 230 +++ > > > ovn-architecture.7.xml | 19 +++ > > > tests/ovn.at| 307 +-- > > > 4 files changed, 530 insertions(+), 40 deletions(-) > > > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > > index 0a33dcd..344cc0d 100644 > > > --- a/northd/ovn-northd.8.xml > > > +++ b/northd/ovn-northd.8.xml 
> > > @@ -1005,6 +1005,20 @@ output; > > > > > > > > > > > > +Priority-80 flows for each port connected to a logical router > > > +matching self originated GARP/ARP request/ND packets. These packets > > > +are flooded to the MC_FLOOD which contains all logical > > > +ports. > > > + > > > + > > > + > > > +Priority-75 flows for each IP address/VIP/NAT address owned by a > > > +router port connected to the switch. These flows match ARP requests > > > +and ND packets for the specific IP addresses. Matched packets are > > > +forwarded only to the router that owns the IP address. > > > + > > > + > > > + > > > A priority-70 flow that outputs all packets with an Ethernet broadcast > > > or multicast eth.dst to the MC_FLOOD > > > multicast group. > > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > > index 32f3200..d6beb97 100644 > > > --- a/northd/ovn-northd.c > > > +++ b/northd/ovn-northd.c > > > @@ -210,6 +210,8 @@ enum ovn_stage { > > > #define REGBIT_LOOKUP_NEIGHBOR_RESULT "reg9[4]" > > > #define REGBIT_SKIP_LOOKUP_NEIGHBOR "reg9[5]" > > > > > > +#define FLAGBIT_NOT_VXLAN "flags[1] == 0" > > > + > > > /* Returns an "enum ovn_stage" built from the arguments. */ > > > static enum ovn_stage > > > ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline pipeline, > > > @@ -1202,6 +1204,34 @@ ovn_port_allocate_key(struct ovn_datapath *od) > > >1, (1u << 15) - 1, >port_key_hint); > > > } > > > > > > +/* Returns true if the logical switch port 'enabled' column is empty or > > > + * set to true. Otherwise, returns false. */ > > > +static bool > > > +lsp_is_enabled(const struct nbrec_logical_switch_port *lsp) > > > +{ > > > +return !lsp->n_enabled || *lsp->enabled; > > > +} > > > + > > > +/* Returns true only if the logical switch port 'up' column is set to true. > > > + * Otherwise, if the column is
Re: [ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
On Tue, Nov 12, 2019 at 6:17 PM Han Zhou wrote: > > > > On Tue, Nov 12, 2019 at 2:29 AM Dumitru Ceara wrote: > > > > ARP request and ND NS packets for router owned IPs were being > > flooded in the complete L2 domain (using the MC_FLOOD multicast group). > > However this creates a scaling issue in scenarios where aggregation > > logical switches are connected to more logical routers (~350). The > > logical pipelines of all routers would have to be executed before the > > packet is finally replied to by a single router, the owner of the IP > > address. > > > > This commit limits the broadcast domain by bypassing the L2 Lookup stage > > for ARP requests that will be replied by a single router. The packets > > are forwarded only to the router port that owns the target IP address. > > > > IPs that are owned by the routers and for which this fix applies are: > > - IP addresses configured on the router ports. > > - VIPs. > > - NAT IPs. > > > > Reported-at: https://bugzilla.redhat.com/1756945 > > Reported-by: Anil Venkata 
> > Signed-off-by: Dumitru Ceara > > > > --- > > v7: > > - Address Han's comments: > > - Remove flooding for all ARPs received on VLAN networks. To avoid > > that we now identify self originated (G)ARPs by matching on source > > MAC address too. > > - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. > > - Fix ovn-sb manpage. > > - Split patch in a series of 2: > > - patch1: fixes the get_router_load_balancer_ips() function. > > - patch2: limits the ARP/ND broadcast domain. > > v6: > > - Address Han's comments: > > - remove flooding of ARPs targeting OVN owned IP addresses. > > - update ovn-architecture documentation. > > - rename ARP handling functions. > > - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to take into > > account the new way of forwarding ARPs. > > - Also, properly deal with ARP packets on VLAN-backed networks. > > v5: Address Numan's comments: update comments & make autotest more > > robust. > > v4: Rebase. > > v3: Properly deal with VXLAN traffic. Address review comments from > > Numan (add autotests). Fix function get_router_load_balancer_ips. > > Rebase -> deal with IPv6 NAT too. > > v2: Move ARP broadcast domain limiting to table S_SWITCH_IN_L2_LKUP to > > address localnet ports too. > > --- > > northd/ovn-northd.8.xml | 14 ++ > > northd/ovn-northd.c | 230 +++ > > ovn-architecture.7.xml | 19 +++ > > tests/ovn.at| 307 > > +-- > > 4 files changed, 530 insertions(+), 40 deletions(-) > > > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > > index 0a33dcd..344cc0d 100644 > > --- a/northd/ovn-northd.8.xml > > +++ b/northd/ovn-northd.8.xml 
> > @@ -1005,6 +1005,20 @@ output; > > > > > > > > +Priority-80 flows for each port connected to a logical router > > +matching self originated GARP/ARP request/ND packets. These packets > > +are flooded to the MC_FLOOD which contains all logical > > +ports. > > + > > + > > + > > +Priority-75 flows for each IP address/VIP/NAT address owned by a > > +router port connected to the switch. These flows match ARP requests > > +and ND packets for the specific IP addresses. Matched packets are > > +forwarded only to the router that owns the IP address. > > + > > + > > + > > A priority-70 flow that outputs all packets with an Ethernet > > broadcast > > or multicast eth.dst to the MC_FLOOD > > multicast group. > > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > > index 32f3200..d6beb97 100644 > > --- a/northd/ovn-northd.c > > +++ b/northd/ovn-northd.c > > @@ -210,6 +210,8 @@ enum ovn_stage { > > #define REGBIT_LOOKUP_NEIGHBOR_RESULT "reg9[4]" > > #define REGBIT_SKIP_LOOKUP_NEIGHBOR "reg9[5]" > > > > +#define FLAGBIT_NOT_VXLAN "flags[1] == 0" > > + > > /* Returns an "enum ovn_stage" built from the arguments. */ > > static enum ovn_stage > > ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline pipeline, 
> > @@ -1202,6 +1204,34 @@ ovn_port_allocate_key(struct ovn_datapath *od) > >1, (1u << 15) - 1, >port_key_hint); > > } > > > > +/* Returns true if the logical switch port 'enabled' column is empty or > > + * set to true. Otherwise, returns false. */ > > +static bool > > +lsp_is_enabled(const struct nbrec_logical_switch_port *lsp) > > +{ > > +return !lsp->n_enabled || *lsp->enabled; > > +} > > + > > +/* Returns true only if the logical switch port 'up' column is set to true. > > + * Otherwise, if the column is not set or set to false, returns false. */ > > +static bool > > +lsp_is_up(const struct nbrec_logical_switch_port *lsp) > > +{ > > +return lsp->n_up && *lsp->up; > > +} > > + > > +static bool > > +lsp_is_external(const struct nbrec_logical_switch_port *nbsp) > > +{ > > +
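Review bot: in the northd/ovn-northd.8.xml hunk, the new Priority-75 paragraph describes the flows as matching "ARP requests and ND packets for the specific IP addresses" with no further condition, yet the same patch adds FLAGBIT_NOT_VXLAN ("flags[1] == 0") to ovn-northd.c and the v3 changelog entry says VXLAN traffic needed special handling. If the priority-75 flows only apply when that flag bit is clear, the man page should state the condition and say which flow such packets hit instead. Two smaller wording points in the same hunk: "ND packets" is broader than the "ND NS" named in the commit message, and "flooded to the MC_FLOOD which contains all logical ports" is missing the noun "multicast group" that the existing priority-70 paragraph uses.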
Re: [ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
On Tue, Nov 12, 2019 at 2:29 AM Dumitru Ceara wrote:
>
> ARP request and ND NS packets for router owned IPs were being
> flooded in the complete L2 domain (using the MC_FLOOD multicast group).
> However this creates a scaling issue in scenarios where aggregation
> logical switches are connected to more logical routers (~350). The
> logical pipelines of all routers would have to be executed before the
> packet is finally replied to by a single router, the owner of the IP
> address.
>
> This commit limits the broadcast domain by bypassing the L2 Lookup stage
> for ARP requests that will be replied by a single router. The packets
> are forwarded only to the router port that owns the target IP address.
>
> IPs that are owned by the routers and for which this fix applies are:
> - IP addresses configured on the router ports.
> - VIPs.
> - NAT IPs.
>
> Reported-at: https://bugzilla.redhat.com/1756945
> Reported-by: Anil Venkata
> Signed-off-by: Dumitru Ceara > > --- > v7: > - Address Han's comments: > - Remove flooding for all ARPs received on VLAN networks. To avoid > that we now identify self originated (G)ARPs by matching on source > MAC address too. > - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. > - Fix ovn-sb manpage. > - Split patch in a series of 2: > - patch1: fixes the get_router_load_balancer_ips() function. > - patch2: limits the ARP/ND broadcast domain. > v6: > - Address Han's comments: > - remove flooding of ARPs targeting OVN owned IP addresses. > - update ovn-architecture documentation. > - rename ARP handling functions. > - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to take into > account the new way of forwarding ARPs. > - Also, properly deal with ARP packets on VLAN-backed networks. > v5: Address Numan's comments: update comments & make autotest more > robust. > v4: Rebase. > v3: Properly deal with VXLAN traffic. Address review comments from > Numan (add autotests). Fix function get_router_load_balancer_ips. > Rebase -> deal with IPv6 NAT too. > v2: Move ARP broadcast domain limiting to table S_SWITCH_IN_L2_LKUP to > address localnet ports too. > --- > northd/ovn-northd.8.xml | 14 ++ > northd/ovn-northd.c | 230 +++ > ovn-architecture.7.xml | 19 +++ > tests/ovn.at| 307 +-- > 4 files changed, 530 insertions(+), 40 deletions(-) > > diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml > index 0a33dcd..344cc0d 100644 > --- a/northd/ovn-northd.8.xml > +++ b/northd/ovn-northd.8.xml 
> @@ -1005,6 +1005,20 @@ output; > > > > +Priority-80 flows for each port connected to a logical router > +matching self originated GARP/ARP request/ND packets. These packets > +are flooded to the MC_FLOOD which contains all logical > +ports. > + > + > + > +Priority-75 flows for each IP address/VIP/NAT address owned by a > +router port connected to the switch. These flows match ARP requests > +and ND packets for the specific IP addresses. Matched packets are > +forwarded only to the router that owns the IP address. > + > + > + > A priority-70 flow that outputs all packets with an Ethernet broadcast > or multicast eth.dst to the MC_FLOOD > multicast group. > diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c > index 32f3200..d6beb97 100644 > --- a/northd/ovn-northd.c > +++ b/northd/ovn-northd.c > @@ -210,6 +210,8 @@ enum ovn_stage { > #define REGBIT_LOOKUP_NEIGHBOR_RESULT "reg9[4]" > #define REGBIT_SKIP_LOOKUP_NEIGHBOR "reg9[5]" > > +#define FLAGBIT_NOT_VXLAN "flags[1] == 0" > + > /* Returns an "enum ovn_stage" built from the arguments. */ > static enum ovn_stage > ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline pipeline, 
> @@ -1202,6 +1204,34 @@ ovn_port_allocate_key(struct ovn_datapath *od) >1, (1u << 15) - 1, >port_key_hint); > } > > +/* Returns true if the logical switch port 'enabled' column is empty or > + * set to true. Otherwise, returns false. */ > +static bool > +lsp_is_enabled(const struct nbrec_logical_switch_port *lsp) > +{ > +return !lsp->n_enabled || *lsp->enabled; > +} > + > +/* Returns true only if the logical switch port 'up' column is set to true. > + * Otherwise, if the column is not set or set to false, returns false. */ > +static bool > +lsp_is_up(const struct nbrec_logical_switch_port *lsp) > +{ > +return lsp->n_up && *lsp->up; > +} > + > +static bool > +lsp_is_external(const struct nbrec_logical_switch_port *nbsp) > +{ > +return !strcmp(nbsp->type, "external"); > +} > + > +static bool > +lrport_is_enabled(const struct nbrec_logical_router_port *lrport) > +{ > +return !lrport->enabled || *lrport->enabled; > +} > + > static char * > chassis_redirect_name(const char *port_name) > { > @@ -3750,28 +3780,6 @@
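Review bot: in the northd/ovn-northd.c hunk at "@@ -210,6 +210,8 @@", FLAGBIT_NOT_VXLAN expands to a complete match expression ("flags[1] == 0"), while the REGBIT_* macros directly above it expand to a bare field ("reg9[4]", "reg9[5]"). The new macro therefore cannot be combined the way its neighbours can (for example negated, or placed on the left of an assignment in an action string), and nothing in the name or the hunk says so. A one-line comment above the define stating what logical flag bit 1 represents and that the macro is a match fragment would make this clear, and would make the hard-coded bit index easier to keep in sync with wherever that flag is set.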
[ovs-dev] [PATCH v7 ovn 2/2] ovn-northd: Limit ARP/ND broadcast domain whenever possible.
ARP request and ND NS packets for router owned IPs were being
flooded in the complete L2 domain (using the MC_FLOOD multicast group).
However this creates a scaling issue in scenarios where aggregation
logical switches are connected to more logical routers (~350). The
logical pipelines of all routers would have to be executed before the
packet is finally replied to by a single router, the owner of the IP
address.

This commit limits the broadcast domain by bypassing the L2 Lookup stage
for ARP requests that will be replied by a single router. The packets
are forwarded only to the router port that owns the target IP address.

IPs that are owned by the routers and for which this fix applies are:
- IP addresses configured on the router ports.
- VIPs.
- NAT IPs.

Reported-at: https://bugzilla.redhat.com/1756945
Reported-by: Anil Venkata
Signed-off-by: Dumitru Ceara --- v7: - Address Han's comments: - Remove flooding for all ARPs received on VLAN networks. To avoid that we now identify self originated (G)ARPs by matching on source MAC address too. - Rename REGBIT_NOT_VXLAN to FLAGBIT_NOT_VXLAN. - Fix ovn-sb manpage. - Split patch in a series of 2: - patch1: fixes the get_router_load_balancer_ips() function. - patch2: limits the ARP/ND broadcast domain. v6: - Address Han's comments: - remove flooding of ARPs targeting OVN owned IP addresses. - update ovn-architecture documentation. - rename ARP handling functions. - Adapt "ovn -- 3 HVs, 3 LS, 3 lports/LS, 1 LR" autotest to take into account the new way of forwarding ARPs. - Also, properly deal with ARP packets on VLAN-backed networks. v5: Address Numan's comments: update comments & make autotest more robust. v4: Rebase. v3: Properly deal with VXLAN traffic. Address review comments from Numan (add autotests). Fix function get_router_load_balancer_ips. Rebase -> deal with IPv6 NAT too. v2: Move ARP broadcast domain limiting to table S_SWITCH_IN_L2_LKUP to address localnet ports too. --- northd/ovn-northd.8.xml | 14 ++ northd/ovn-northd.c | 230 +++ ovn-architecture.7.xml | 19 +++ tests/ovn.at| 307 +-- 4 files changed, 530 insertions(+), 40 deletions(-) diff --git a/northd/ovn-northd.8.xml b/northd/ovn-northd.8.xml index 0a33dcd..344cc0d 100644 --- a/northd/ovn-northd.8.xml +++ b/northd/ovn-northd.8.xml 
@@ -1005,6 +1005,20 @@ output; +Priority-80 flows for each port connected to a logical router +matching self originated GARP/ARP request/ND packets. These packets +are flooded to the MC_FLOOD which contains all logical +ports. + + + +Priority-75 flows for each IP address/VIP/NAT address owned by a +router port connected to the switch. These flows match ARP requests +and ND packets for the specific IP addresses. Matched packets are +forwarded only to the router that owns the IP address. + + + A priority-70 flow that outputs all packets with an Ethernet broadcast or multicast eth.dst to the MC_FLOOD multicast group. diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c index 32f3200..d6beb97 100644 --- a/northd/ovn-northd.c +++ b/northd/ovn-northd.c @@ -210,6 +210,8 @@ enum ovn_stage { #define REGBIT_LOOKUP_NEIGHBOR_RESULT "reg9[4]" #define REGBIT_SKIP_LOOKUP_NEIGHBOR "reg9[5]" +#define FLAGBIT_NOT_VXLAN "flags[1] == 0" + /* Returns an "enum ovn_stage" built from the arguments. */ static enum ovn_stage ovn_stage_build(enum ovn_datapath_type dp_type, enum ovn_pipeline pipeline, 
@@ -1202,6 +1204,34 @@ ovn_port_allocate_key(struct ovn_datapath *od) 1, (1u << 15) - 1, >port_key_hint); } +/* Returns true if the logical switch port 'enabled' column is empty or + * set to true. Otherwise, returns false. */ +static bool +lsp_is_enabled(const struct nbrec_logical_switch_port *lsp) +{ +return !lsp->n_enabled || *lsp->enabled; +} + +/* Returns true only if the logical switch port 'up' column is set to true. + * Otherwise, if the column is not set or set to false, returns false. */ +static bool +lsp_is_up(const struct nbrec_logical_switch_port *lsp) +{ +return lsp->n_up && *lsp->up; +} + +static bool +lsp_is_external(const struct nbrec_logical_switch_port *nbsp) +{ +return !strcmp(nbsp->type, "external"); +} + +static bool +lrport_is_enabled(const struct nbrec_logical_router_port *lrport) +{ +return !lrport->enabled || *lrport->enabled; +} + static char * chassis_redirect_name(const char *port_name) { @@ -3750,28 +3780,6 @@ build_port_security_ip(enum ovn_pipeline pipeline, struct ovn_port *op, } -/* Returns true if the logical switch port 'enabled' column is empty or - * set to true. Otherwise, returns false. */ -static bool -lsp_is_enabled(const struct nbrec_logical_switch_port *lsp) -{ -return !lsp->n_enabled ||
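Review bot: in the "@@ -1202,6 +1204,34 @@" hunk, lrport_is_enabled() tests the pointer ("!lrport->enabled") while lsp_is_enabled() a few lines above tests the element count ("!lsp->n_enabled") for the same "optional boolean column is unset" case. Since the helpers are being relocated anyway (the "@@ -3750,28 +3780,6 @@" hunk removes lsp_is_enabled() from its old position), this is a good point to make the two checks consistent and to give lsp_is_external() and lrport_is_enabled() the same kind of one-line comment that lsp_is_enabled() and lsp_is_up() already carry. The relocation would also be easier to review as a separate preparatory patch with no functional change, so that the behavioural part of this patch stands out.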