| Commit message (Collapse) | Author | Age | Files | Lines |
Until now, the default_port parameters to these functions have had
different types and different behavior. There is a reason for this, since
it makes sense to listen on a kernel-selected port but it does not make
sense to connect to a kernel-selected port, but this overlooks the
possibility that a caller might want to parse a string in the format
understood by inet_parse_active() without actually using it to connect to
a remote host. This commit makes the behavior consistent and updates all
the callers to work with the new semantics.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
This better reuses existing code. It does require adding a slight variant
on ss_format_address(), but it still seems like a net win.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Address sets are automatically generated from corresponding port
groups, and can be used directly in ACL match conditions.
There are two address sets generated for each port group:
<port group name>_ip4
<port group name>_ip6
For example, if port_group1 is created, we can directly use the match
condition below in an ACL:
"outport == @port_group1 && ip4.src == $port_group1_ip4"
This will simplify OVN client implementation, and avoid some tricky
problems such as race conditions when maintaining address set
memberships as discussed in the link below.
Reported-by: Lucas Alvares Gomes <lucasagomes@gmail.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046174.html
Reviewed-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
commit f6fabcc6245 (ofproto-dpif: Mark packets as "untracked"
after call to ct().) changed the behavior after a call to ct().
The +trk bit would automatically be unset if a packet is sent to
ct() and not forked. This caused a bug in the OVN gateway
pipeline when there is an SNAT rule as well as a load-balancing rule.
In the OVN gateway pipeline for the gateway router, we had an
optimization where the packets sent to unSNAT need not go through
a recirculation. But since doing this now means that the +trk bit
gets unset, the DNAT rules for load-balancing a new packet in the next
table won't get hit.
This commit removes the optimization for unSNAT packets so that
there is always a recirculation.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
This patch enables using port group names in ACL match conditions.
Users can create a port group in northbound DB Port_Group table,
and then use the name of the port group in ACL match conditions
for "inport" or "outport". It can help reduce the number of ACLs
for CMS clients such as OpenStack Neutron, for the use cases
where a group of logical ports share the same ACL rules except the
"inport"/"outport" part. Without this patch, the clients have to
create N (N = number of lports) ACLs, and this patch helps achieve
the same goal with only one ACL. E.g.:
to-lport 1000 "outport == @port_group1 && ip4.src == {IP1, IP2, ...}" allow-related
There was a similar attempt by Zong Kai Li in 2016 [1]. This patch
takes a slightly different approach by using weak refs instead of
strings, which requires a new table instead of reusing the address
set table. This way it will also benefit a follow-up patch that
enables generating address sets automatically from port groups to
avoid a lot of trouble from the client's perspective [2].
An extra benefit of this patch is that it could enable conjunctive
match effectively. As reported at [3], this patch was tested together
with the conjunctive match enhancement patch [4], and a huge performance
improvement (more than 10x faster) was seen because of this.
[1] https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/077118.html
[2] https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046260.html
[3] https://mail.openvswitch.org/pipermail/ovs-dev/2018-March/344873.html
[4] https://patchwork.ozlabs.org/patch/874433/
Reported-by: Daniel Alvarez Sanchez <dalvarez@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2018-February/046166.html
Tested-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Mark Michelson <mmichels@redhat.com>
Reviewed-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Han Zhou <hzhou8@ebay.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
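As an added example covering both this port-group commit and the address-set commit above (it is not ovn-northd's own code), the Python below derives the <port group>_ip4 and <port group>_ip6 address sets from the member ports' "addresses" entries and expands an ACL match's @group and $set references into the sets the logical flow expression language works on. The sample ports, the group name and the identifier regex are constructed for the example; the real expression parser and the OVSDB schema are not reproduced here.

```python
"""Port groups and the address sets derived from them, modelled in Python.

Added example, not ovn-northd code.  Input is the content of
Logical_Switch_Port "addresses" entries, which hold a MAC (or a keyword
such as "unknown") followed by zero or more IP addresses.  The example
derives <pg>_ip4 / <pg>_ip6 and expands an ACL match the way the logical
flow expression language does: @pg becomes a set of port names and $set
becomes a set of addresses.  The identifier regex is an assumption."""
import ipaddress
import re

# Constructed sample: port name -> its "addresses" entries.
SAMPLE_PORTS = {
    "p1": ["00:00:00:00:00:01 10.0.0.1 fd00::1"],
    "p2": ["00:00:00:00:00:02 10.0.0.2"],
    "p3": ["unknown"],                       # contributes no addresses
}
SAMPLE_GROUPS = {"port_group1": ["p1", "p2", "p3"]}


def parse_addresses(entry: str) -> list:
    """Return the IP addresses in one 'addresses' entry, skipping the
    leading MAC/keyword and any token that is not an address."""
    ips = []
    for tok in entry.split()[1:]:
        try:
            ips.append(ipaddress.ip_interface(tok).ip)   # accepts a/32 too
        except ValueError:
            pass   # e.g. "dynamic"
    return ips


def address_sets(group: str, members: list, ports: dict) -> dict:
    """Build <group>_ip4 and <group>_ip6 from the member ports' addresses.
    Sets are deduplicated, so two ports sharing an IP yield one entry."""
    v4, v6 = set(), set()
    for port in members:
        for entry in ports.get(port, []):
            for ip in parse_addresses(entry):
                (v4 if ip.version == 4 else v6).add(ip)
    return {
        f"{group}_ip4": [str(ip) for ip in sorted(v4)],
        f"{group}_ip6": [str(ip) for ip in sorted(v6)],
    }


_NAME = r"([A-Za-z_][A-Za-z0-9_.]*)"   # assumed identifier syntax


def expand_match(match: str, groups: dict, sets: dict) -> str:
    """Substitute @group with its port names and $set with its addresses.
    Unknown names raise KeyError rather than silently matching nothing."""
    def group_set(m):
        return "{" + ", ".join(f'"{p}"' for p in sorted(groups[m.group(1)])) + "}"

    def addr_set(m):
        return "{" + ", ".join(sets[m.group(1)]) + "}"

    match = re.sub("@" + _NAME, group_set, match)
    return re.sub(r"\$" + _NAME, addr_set, match)


def acl_for_group(group: str, ports: dict, groups: dict) -> str:
    """One to-lport ACL covering every member, as the commit describes,
    with its @/$ references expanded for inspection."""
    sets = address_sets(group, groups[group], ports)
    match = f"outport == @{group} && ip4.src == ${group}_ip4"
    return expand_match(match, groups, sets)


if __name__ == "__main__":
    print(address_sets("port_group1", SAMPLE_GROUPS["port_group1"], SAMPLE_PORTS))
    print(acl_for_group("port_group1", SAMPLE_PORTS, SAMPLE_GROUPS))
```

Because the address sets are computed from the group's membership rather than maintained by the CMS as a separate list, adding or removing a port changes both the @group set and the $group_ip4 set in one place, which is the race the address-set commit above sets out to remove.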
Whenever the acl reject rule is hit by an IPv6 packet, send back
an ICMPv6 destination unreachable packet using the icmp6 action.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Reported-by: Wei Li <liwei@anbutu.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Whenever the acl reject rule is hit by a TCP segment, send back
a TCP RST packet to close the connection using the tcp_reset action.
Moreover, add a tcp_reset test case to 'ACL reject rule test'.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
The priority 34000 DHCP and DNS flows are added to the
S_SWITCH_OUT_ACL table and not S_SWITCH_OUT_STATEFUL table.
Signed-off-by: Gurucharan Shetty <guru@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Whenever the acl reject rule is hit, send back an ICMPv4 destination
unreachable packet and do not handle the reject rule as a drop one.
Treat TCP connections as DROP for the moment since tcp_reset{} action
has not been implemented yet.
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
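What a reject ACL sends back at the packet level, as an added example that is not OVN's code (the icmp4, icmp6 and tcp_reset actions themselves are implemented in ovn-controller and OVS, outside this page), serving this commit and the two reject commits above it: for an IPv4 packet, a TCP RST built with RFC 793's sequence/ACK rules when the offending packet is TCP, otherwise an ICMPv4 destination unreachable quoting the offending header. The sample packets are constructed, ICMP code 3 is this example's choice, and IPv6/ICMPv6 is not modelled.

```python
"""Reply built for an ACL "reject" hit, modelled in Python.

Added example, not OVN code.  For an IPv4 packet matched by a reject
ACL: TCP gets a RST (the tcp_reset action), anything else gets an ICMPv4
destination unreachable.  Packets are constructed inline; the ICMP code
(3, port unreachable) and the RFC 793 RST sequence rules are this
example's choices, not something stated on this page.  IPv6/ICMPv6 is
not modelled."""
import struct

ICMP, TCP, UDP = 1, 6, 17
FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10


def checksum(data: bytes) -> int:
    """RFC 1071 ones-complement sum; 0 when run over a correct datagram."""
    if len(data) % 2:
        data += b"\0"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, 64, proto, 0, src, dst)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the TCP segment."""
    pseudo = src + dst + struct.pack("!BBH", 0, TCP, len(segment))
    return checksum(pseudo + segment)


def tcp_segment(src, dst, sport, dport, seq, ack, flags) -> bytes:
    seg = struct.pack("!HHIIHHHH", sport, dport, seq, ack, (5 << 12) | flags, 65535, 0, 0)
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def tcp_rst(src: bytes, dst: bytes, tcp: bytes) -> bytes:
    """RST answering segment `tcp` sent from src to dst (RFC 793, 3.4)."""
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    flags = off_flags & 0x3F
    seg_len = len(tcp) - (off_flags >> 12) * 4 + bool(flags & SYN) + bool(flags & FIN)
    if flags & ACK:               # peer had a sequence number: RST at its ACK
        rseq, rack, rflags = ack, 0, RST
    else:                         # no ACK (e.g. SYN): RST+ACK covering the segment
        rseq, rack, rflags = 0, (seq + seg_len) & 0xFFFFFFFF, RST | ACK
    seg = tcp_segment(dst, src, dport, sport, rseq, rack, rflags)
    return ipv4_header(dst, src, TCP, len(seg)) + seg


def icmp_unreachable(src: bytes, dst: bytes, pkt: bytes, ihl: int) -> bytes:
    """ICMP type 3 quoting the offending IP header plus 8 bytes (RFC 792)."""
    icmp = struct.pack("!BBHI", 3, 3, 0, 0) + pkt[: ihl + 8]
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header(dst, src, ICMP, len(icmp)) + icmp


def reject(pkt: bytes) -> bytes:
    """The reply an ACL reject sends for IPv4 packet `pkt`."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst = pkt[12:16], pkt[16:20]
    if pkt[9] == TCP:
        return tcp_rst(src, dst, pkt[ihl:])
    return icmp_unreachable(src, dst, pkt, ihl)


def describe(pkt: bytes) -> dict:
    """Decode enough of an IPv4 reply to check it."""
    ihl = (pkt[0] & 0x0F) * 4
    src, dst, body = pkt[12:16], pkt[16:20], pkt[ihl:]
    d = {"proto": pkt[9], "src": ".".join(map(str, src)), "dst": ".".join(map(str, dst)),
         "ip_csum_ok": checksum(pkt[:ihl]) == 0}
    if pkt[9] == TCP:
        sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", body[:14])
        d.update(sport=sport, dport=dport, seq=seq, ack=ack, flags=off_flags & 0x3F,
                 csum_ok=tcp_checksum(src, dst, body) == 0)
    elif pkt[9] == ICMP:
        d.update(type=body[0], code=body[1], quoted=body[8:], csum_ok=checksum(body) == 0)
    return d


# Constructed offending packets: a SYN to port 80 and a UDP datagram to port 53.
A, B = bytes([10, 0, 0, 5]), bytes([10, 0, 0, 9])
SAMPLE_SYN = ipv4_header(A, B, TCP, 20) + tcp_segment(A, B, 40000, 80, 1000, 0, SYN)
SAMPLE_UDP = ipv4_header(A, B, UDP, 8) + struct.pack("!HHHH", 5000, 53, 8, 0)

if __name__ == "__main__":
    print(describe(reject(SAMPLE_SYN)))
    print(describe(reject(SAMPLE_UDP)))
```

The RST's sequence numbers are what make the reject observable to the sender: a RST outside the peer's window is ignored by a conforming TCP stack, so a reject that does not take the offending segment's ACK/SEQ into account behaves like a drop from the client's point of view.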
Rename the remaining variables that were shadowing another definition.
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
In one place, ovn-northd was hashing Logical_Switch or Logical_Router UUIDs
for ovn_lflow, and in another place it was hashing Datapath_Binding UUIDs.
This caused problems. This commit changes ovn-northd to always hash the
Datapath_Binding UUID.
Jakub Sitnicki reported the following performance improvement for a similar
fix:
    Children      Self  Command     Shared Object  Symbol
  before:
      76.19%     0.01%  ovn-northd  ovn-northd     [.] ovnnb_db_run
      11.04%     0.43%  ovn-northd  ovn-northd     [.] ovn_lflow_find
  after:
      75.16%     0.05%  ovn-northd  ovn-northd     [.] ovnnb_db_run
       2.49%     0.17%  ovn-northd  ovn-northd     [.] ovn_lflow_find
Fixes: 8bf332225d4a ("ovn-northd: Reduce amount of flow hashing.")
Reported-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Jakub Sitnicki demonstrated that repeatedly calculating row hashes is
expensive, so this should improve ovn-northd performance.
Reported-by: Jakub Sitnicki <jkbs@redhat.com>
Reported-at: https://mail.openvswitch.org/pipermail/ovs-dev/2018-February/344404.html
Signed-off-by: Ben Pfaff <blp@ovn.org>
Tested-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Venkata Anil <vkommadi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This feature is used to limit the bandwidth of flows, such as floating IP.
ovn-northd changes:
1. add bandwidth column in NB's QOS table.
2. add QOS_METER stages in Logical switch ingress/egress.
3. add set_meter() action in SB's LFlow table.
ovn-controller changes:
add meter_table for the meter action to process the OpenFlow meter table.
Now, this feature is only supported in DPDK.
Signed-off-by: Guoshuai Li <ligs@dtdream.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This leak was reported by valgrind (testing ovn -- IPv6 Neighbor
Solicitation for unknown MAC):
3,027 bytes in 49 blocks are definitely lost in loss record 210 of 218
by 0x484C84: xrealloc (util.c:131)
by 0x43CE41: ds_reserve (dynamic-string.c:63)
by 0x43D29D: ds_put_format_valist (dynamic-string.c:161)
by 0x43D3A3: ds_put_format (dynamic-string.c:142)
by 0x412EEF: ovn_port_update_sbrec (ovn-northd.c:1948)
by 0x4148B4: build_ports (ovn-northd.c:2109)
by 0x4148B4: ovnnb_db_run.isra.37 (ovn-northd.c:6202)
by 0x406FE0: main (ovn-northd.c:6854)
Signed-off-by: Yifeng Sun <pkusunyifeng@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Remove ds_clear() on actions dynamic string in build_acls()
since they have just been initialized to DS_EMPTY_INITIALIZER
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This change adds three new options to the Northbound
Logical_Router_Port's ipv6_ra_configs option:
* send_periodic: If set to "true", then OVN will send periodic router
advertisements out of this router port.
* max_interval: The maximum amount of time to wait between sending
periodic router advertisements.
* min_interval: The minimum amount of time to wait between sending
periodic router advertisements.
When send_periodic is true, then IPv6 RA configs, as well as some layer
2 and layer 3 information about the router port, are copied to the
southbound database. From there, ovn-controller can use this information
to know when to send periodic RAs and what to send in them.
Because periodic RAs originate from each ovn-controller, the new
keep-local flag is set on the packet so that ports don't receive an
overabundance of RAs.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Justin Pettit <jpettit@ovn.org>
Employ the simplest possible approach to determine the state of logical
ports that connect to logical routers by hardcoding it to always up.
This is intended to be less surprising than the current approach where
router ports appear as being down (with the exception of ones linking to
gateway routers, which are bound).
Reported-at: https://mail.openvswitch.org/pipermail/ovs-discuss/2017-August/045202.html
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Acked-by: Miguel Angel Ajo <majopela@redhat.com>
No functional change. Make it obvious that we determine the logical
port 'up' state by checking for bound chassis, and update the NB DB only
when state has not been set yet or current state is different.
Signed-off-by: Jakub Sitnicki <jkbs@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Mark Michelson <mmichels@redhat.com>
Acked-by: Miguel Angel Ajo <majopela@redhat.com>
Poll-loop is the core used to implement the main loop. It should be
available in libopenvswitch.
Signed-off-by: Xiao Liang <shaw.leon@gmail.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Signed-off-by: wei <liw@dtdream.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
In the router ingress pipeline, if the destination mac is unresolved
by the time the packet reaches the ARP_REQUEST stage, OVN should generate an
IPv6 Neighbor Solicitation packet to learn the MAC address. This feature is
presently missing. This patch adds this feature. A new action "nd_ns" is
added which replaces an IPv6 packet being processed with an IPv6 Neighbor
Solicitation packet. ovn-northd adds a flow in the ARP_REQUEST router ingress
pipeline stage if the eth.dst is zero which applies this action. This action is
similar to the IPv4 counterpart "arp" action.
OVN already has support for learning the MAC from IPv6 Neighbor Advertisement
packets and storing it in the southbound MAC_Binding table.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch adds logical flows which send an IPv6 Router Advertisement
packet in response to an IPv6 Router Solicitation request. It uses
the action "put_nd_ra_opts" to transform the RS packet to an RA packet
in the newly added ingress stage "lr_in_nd_ra_options" in the router
pipeline. If the action "put_nd_ra_opts" is successful, it sends the
RA packet back to the originating port in the next ingress stage
"lr_in_nd_ra_response".
A new column "ipv6_ra_configs" is added in the Logical_Router_Port
table, in which the CMS is expected to configure the IPv6 RA
configurations - "address_mode" and "mtu" - for adding these flows.
Co-authored-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Zongkai LI <zealokii@gmail.com>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Miguel Angel Ajo <majopela@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Renamed 'struct dhcp_opts_map' to 'struct gen_opts_map' and
renamed ovn-dhcp.h to ovn-l7.h. An upcoming commit to support IPv6
Router Advertisement will make use of the refactored code to store
the IPv6 ND RA options in 'struct gen_opts_map'.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Miguel Angel Ajo <majopela@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
For this commit, ovn-northd will now accept both IPv4 and IPv6 addresses
in the northbound database for a load balancer VIP or destination
addresses. For IPv4, the behavior remains the same. For IPv6, the
following logical flows will be added to the southbound database:
* An ND_NA response for incoming ND_NS requests for the load balancer
VIP.
* A ct_lb flow with the configured IPv6 addresses.
The ovn-northd manpage has been updated to indicate what flows are
added for load balancers with IPv6 VIPs.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
There are a couple of places in ovn-northd that set the "peer" option on
certain ports to "<error>" in certain cases. In every case where a peer is
looked up on a port binding, the code performs a NULL check in order to
ensure a peer exists. None check for the "<error>" string. They assume that the
presence of a peer string means a peer is defined and all is well.
In the past (OVS 2.6 series), this sometimes led to patch ports being created
in ovs that had names like "patch-ro-to-<error>". This particular problem
resolved itself in OVS 2.7 since such patch ports were no longer automatically
created. However, by naming the peer "<error>" the seeds are still sown for
similar issues to occur.
The solution this patch suggests is to no longer set the "peer" option
on a port binding to "<error>". Instead, if no peer can be set, then we
set no peer. Since other code is already equipped to deal with this,
this poses no problem.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
OVN is lenient with the types of logical switch ports. Maybe too
lenient. This patch attempts to solve this problem on two fronts:
1) In ovn-nbctl, if you attempt to set the port type to an unknown
type, the command will not end up setting the type.
2) In northd, when copying the port type from the northbound database to
the corresponding port-binding in the southbound database, a warning
will be issued if the port is of an unknown type.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Lance Richardson <lrichard@redhat.com>
This patch adds support for associating a load balancer to a
logical router with gateway router port which was missing earlier.
Acked-by: Mark Michelson <mmichels@redhat.com>
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
logical ports
ovn-northd is adding the below logical flow for a disabled logical port (with mac M
and IP 'A')
table=6 (lr_in_arp_resolve ), match=(outport == "lrp-port" && reg0 == 'A'),
action=(eth.dst = 'M'; next;)
In the case of openstack load balancer 'octavia' service, it creates logical
ports 'P1' (M1 IP1) and 'P2' (M2 IP2). It then disables logical port P2 and
adds IP2 to P1 - (M1 IP1 IP2).
When another port tries to reach IP2, it doesn't get delivered to port P1 because
of the above flow.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
op->sb->gateway_chassis[0]->chassis may be NULL in some special cases, so a
check is needed to avoid a segmentation fault.
Signed-off-by: wang qianyu <wang.qianyu@zte.com.cn>
Signed-off-by: Russell Bryant <russell@ovn.org>
Signed-off-by: Joe Stringer <joe@ovn.org>
Acked-by: Ben Pfaff <blp@ovn.org>
Shadowing is when a variable with a given name in an inner scope hides a
different variable with the same name in a surrounding scope. This is
generally undesirable because it can confuse programmers. This commit
eliminates most of it.
Found with -Wshadow=local in GCC 7. The repo is not really ready to enable
this option by default because of a few cases that are harder to fix, and
harmless, such as nested use of CMAP_FOR_EACH.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>
Add native support for active-standby HA in ovn-northd by having each
instance attempt to acquire an OVSDB lock. Only the instance of
ovn-northd that currently holds the lock will make active changes to
the OVN databases.
Signed-off-by: Russell Bryant <russell@ovn.org>
Acked-by: Han Zhou <zhouhan@gmail.com>
Tested-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Numan Siddique <nusiddiq@redhat.com>
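An added example, not ovn-northd's code, of the client side of the OVSDB lock election this commit describes: the JSON-RPC lock, unlock, steal, locked and stolen messages of RFC 7047 section 4.1.8 drive a has_lock flag, and a main-loop stub writes only while that flag is set. The lock name "ovn_northd", the instance names and the server replies are constructed for the walk-through; nothing here connects to a real ovsdb-server, and whether ovn-northd ever steals the lock is not stated on this page (the steal step only exercises the "stolen" notification).

```python
"""Active-standby election over the OVSDB lock, modelled in Python.

Added example, not ovn-northd code.  It implements the client side of
the JSON-RPC "lock"/"unlock"/"steal"/"locked"/"stolen" messages defined
in RFC 7047 section 4.1.8 and shows the rule that matters for HA: write
only while holding the lock.  The lock name and all server messages
are assumptions constructed for the walk-through."""
import json

LOCK_ID = "ovn_northd"   # assumed lock name


class NorthdInstance:
    """One ovn-northd process's view of the lock.  Feed every message from
    the server to receive(); has_lock alone decides whether to write."""

    def __init__(self, name: str):
        self.name = name
        self.has_lock = False
        self._next_id = 1
        self._pending = {}        # request id -> method awaiting a reply

    def request(self, method: str) -> str:
        """Build a lock/unlock/steal request (method names per RFC 7047)."""
        msg = {"method": method, "params": [LOCK_ID], "id": self._next_id}
        self._pending[self._next_id] = method
        self._next_id += 1
        return json.dumps(msg)

    def receive(self, raw: str) -> None:
        msg = json.loads(raw)
        method = msg.get("method")
        if method in ("locked", "stolen"):            # notifications, id null
            if msg["params"] == [LOCK_ID]:
                self.has_lock = method == "locked"
        elif msg.get("id") in self._pending:           # reply to our request
            req = self._pending.pop(msg["id"])
            if req in ("lock", "steal"):
                self.has_lock = bool(msg["result"]["locked"])
            elif req == "unlock":
                self.has_lock = False

    def disconnected(self) -> None:
        """Locks are per session: losing the connection loses the lock."""
        self.has_lock = False
        self._pending.clear()

    def iterate(self, nb_changed: bool) -> str:
        """One main-loop pass: a standby instance never touches the SB DB."""
        if not self.has_lock:
            return f"{self.name}: standby"
        return f"{self.name}: active, {'writing SB' if nb_changed else 'idle'}"


def failover_walkthrough() -> list:
    """Two instances contend; the holder drops and the other takes over."""
    a, b = NorthdInstance("northd-A"), NorthdInstance("northd-B")
    trace = []
    a.request("lock")   # id 1
    b.request("lock")   # id 1 (ids are per session)
    # Constructed server replies: A got the lock, B is queued behind it.
    a.receive(json.dumps({"id": 1, "result": {"locked": True}, "error": None}))
    b.receive(json.dumps({"id": 1, "result": {"locked": False}, "error": None}))
    trace += [a.iterate(True), b.iterate(True)]
    # A's session drops; the server hands the lock to B with a notification.
    a.disconnected()
    b.receive(json.dumps({"method": "locked", "params": [LOCK_ID], "id": None}))
    trace += [a.iterate(True), b.iterate(True)]
    # A reconnects and steals; B is told "stolen" and must stop writing.
    a.request("steal")  # id 2
    a.receive(json.dumps({"id": 2, "result": {"locked": True}, "error": None}))
    b.receive(json.dumps({"method": "stolen", "params": [LOCK_ID], "id": None}))
    trace += [a.iterate(False), b.iterate(True)]
    return trace


if __name__ == "__main__":
    print("\n".join(failover_walkthrough()))
```

The check in iterate() is evaluated on every pass rather than once at startup: a "stolen" notification or a dropped session can arrive between two passes, and an instance that keeps writing after that point would race the new active instance for the same southbound rows.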
This patch extends RBAC restrictiveness of the encap table in
the ovn southbound database by only allowing modification by the
chassis that created the encap.
Signed-off-by: Mark Michelson <mmichels@redhat.com>
Reported-by: Lance Richardson <lrichard@redhat.com>
Acked-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
Signed-off-by: Justin Pettit <jpettit@ovn.org>
Acked-by: Han Zhou <zhouhan@gmail.com>
Acked-by: Ben Pfaff <blp@ovn.org>
A localnet port is not an endpoint, and there are no security requirements
for using ct on localnet ports at present. So, for performance reasons, we
can avoid using ct for localnet ports.
The more specific discussion can be found from
https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html
Signed-off-by: wangqianyu <wang.qianyu@zte.com.cn>
Acked-by: Han Zhou <zhouhan@gmail.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
When ovn-controller is restarted, ovn-controller removes the old
Chassis entry from the SBDB and a new one is inserted.
This cleared the Gateway_Chassis chassis column in the SBDB and then
ovn-northd removed the empty-column Gateway_Chassis entry.
Such an event made the other (non-restarted, master) gateway chassis
believe that it was a single (non-HA) gateway, turning off BFD and
releasing the port for a tiny time frame, causing unnecessary downtime.
Signed-off-by: Miguel Angel Ajo <majopela@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
This patch handles multiple gateway_chassis within chassisredirect
ports. All the gateway_chassis within a chassisredirect port
will implement the rules to de-encapsulate incoming packets
for such port (please note that later patches in the series
will make the is_chassis_redirect conditionals aware of the
MASTER/BACKUP status of the chassis).
Hosts targeting a remote chassisredirect port will set up a
bundle(active_backup, ..) action to each tunnel port, in the given
priority order. Following patches will enable BFD to detect
when a remote gateway chassis is no longer reachable.
Co-authored-by: Venkata Anil Kommaddi <vkommadi@redhat.com>
Signed-off-by: Miguel Angel Ajo <majopela@redhat.com>
Signed-off-by: Venkata Anil Kommaddi <vkommadi@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
The redirect-chassis option of logical router ports is now
translated to Gateway_Chassis entries for backwards compatibility.
Gateway_Chassis entries in nbdb are copied over to sbdb and
linked to the Chassis entry.
Co-authored-by: Anil Venkata <vkommadi@redhat.com>
Signed-off-by: Miguel Angel Ajo <majopela@redhat.com>
Signed-off-by: Anil Venkata <vkommadi@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
Add rbac "roles" and "permissions" tables to ovn southbound
database schema, add support to ovn-northd for managing these
tables.
Signed-off-by: Lance Richardson <lrichard@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
This patch makes ovn-northd copy all string-string pairs in
external_ids column of the Logical_Switch_Port table in Northbound
database to the equivalent column of the Port_Binding table in
Southbound database.
OpenStack Neutron will add some useful data to the NB database that can be
later read by networking-ovn-metadata-agent without the need of
maintaining a connection to the NB database. This data would include
the CIDRs of a port or the project and device IDs which are needed
when talking to Nova to request metadata.
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Russell Bryant <russell@ovn.org>
This patch introduces a new type of OVN ports called "localport".
These ports will be present in every hypervisor and may have the
same IP/MAC addresses. They are not bound to any chassis and traffic
to these ports will never go through a tunnel.
Its main use case is the OpenStack metadata API support which relies
on a local agent running on every hypervisor and serving metadata to
VM's locally. This service is described in detail at [0].
An example to illustrate the purpose of this patch:
- One logical switch sw0 with 2 ports (p1, p2) and 1 localport (lp)
- Two hypervisors: HV1 and HV2
- p1 in HV1 (OVS port with external-id:iface-id="p1")
- p2 in HV2 (OVS port with external-id:iface-id="p2")
- lp in both hypervisors (OVS port with external-id:iface-id="lp")
- p1 should be able to reach p2 and vice versa
- lp on HV1 should be able to reach p1 but not p2
- lp on HV2 should be able to reach p2 but not p1
Explicit drop rules are inserted in table 32 with priority 150
in order to prevent traffic originating at a localport from going over
a tunnel.
[0]
https://docs.openstack.org/developer/networking-ovn/design/metadata_api.html
Signed-off-by: Daniel Alvarez <dalvarez@redhat.com>
Signed-off-by: Ben Pfaff <blp@ovn.org>
Found by Coverity.
Reported-at: https://scan3.coverity.com/reports.htm#v16889/p10449/fileInstanceId=14763080&defectInstanceId=4305186&mergedDefectId=179788
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Miguel Angel Ajo <majopela@redhat.com>
It was apparently possible for lrp_addr_s to be uninitialized in a logical
router with no ports.
Found by Coverity.
Reported-at: https://scan3.coverity.com/reports.htm#v16889/p10449/fileInstanceId=14763080&defectInstanceId=4304818&mergedDefectId=180426
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Miguel Angel Ajo <majopela@redhat.com>
Without this, ovn-northd sets external-ids properly when it creates a
Datapath_Binding record, but fails to update the external-ids if they
should have changed.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>
It's much easier to see what's going on in the southbound database if
human-friendly names are available.
Really it's too bad that we didn't put the human-friendly name in "name"
and the UUID in something like "external_ids:neutron-uuid", but it'll take
more coordination to change that at this point and it may not be worth it.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>
This makes it possible for southbound utilities to use friendlier names,
which will happen in upcoming commits.
Signed-off-by: Ben Pfaff <blp@ovn.org>
Acked-by: Andy Zhou <azhou@ovn.org>
OVN implements native DNS resolution which can be used to resolve the
internal DNS names belonging to a logical datapath.
To support this, a new table 'DNS' is added in the NB DB. A new column
'dns_records' is added in the 'Logical_Switch' table which references the
'DNS' table.
The following flows are added for each logical switch if it is configured
with DNS records in the 'dns_records' column:
- A logical flow in the DNS_LOOKUP stage which uses the action 'dns_lookup'
to transform the DNS query into a DNS reply packet and advances
to the next stage - DNS_RESPONSE.
- A logical flow in the DNS_RESPONSE stage which implements the DNS responder
by sending the DNS reply from the previous stage back to the inport.
Signed-off-by: Numan Siddique <nusiddiq@redhat.com>
Acked-by: Gurucharan Shetty <guru@ovn.org>
Signed-off-by: Ben Pfaff <blp@ovn.org>