northd: Add flag for CT related
To remain backward compatible, add a feature flag
that ensures the CT related flows are skipped
if needed.

Reported-at: https://bugzilla.redhat.com/2126083
Acked-by: Numan Siddique <numans@ovn.org>
Signed-off-by: Ales Musil <amusil@redhat.com>
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
(cherry picked from commit cd600de)
almusil authored and dceara committed Jan 23, 2023
1 parent ad11ebf commit 172156b
Showing 5 changed files with 157 additions and 26 deletions.
7 changes: 7 additions & 0 deletions controller/chassis.c
Expand Up @@ -351,6 +351,7 @@ chassis_build_other_config(const struct ovs_chassis_cfg *ovs_cfg,
ovs_cfg->is_interconn ? "true" : "false");
smap_replace(config, OVN_FEATURE_PORT_UP_NOTIF, "true");
smap_replace(config, OVN_FEATURE_CT_NO_MASKED_LABEL, "true");
smap_replace(config, OVN_FEATURE_CT_LB_RELATED, "true");
}

/*
Expand Down Expand Up @@ -462,6 +463,12 @@ chassis_other_config_changed(const struct ovs_chassis_cfg *ovs_cfg,
return true;
}

if (!smap_get_bool(&chassis_rec->other_config,
OVN_FEATURE_CT_LB_RELATED,
false)) {
return true;
}

return false;
}

1 change: 1 addition & 0 deletions include/ovn/features.h
Expand Up @@ -23,6 +23,7 @@
/* ovn-controller supported feature names. */
#define OVN_FEATURE_PORT_UP_NOTIF "port-up-notif"
#define OVN_FEATURE_CT_NO_MASKED_LABEL "ct-no-masked-label"
#define OVN_FEATURE_CT_LB_RELATED "ovn-ct-lb-related"

/* OVS datapath supported features. Based on availability OVN might generate
* different types of openflows.
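Review bot: The new key `"ovn-ct-lb-related"` carries an `ovn-` prefix that its siblings `"port-up-notif"` and `"ct-no-masked-label"` do not, so the three feature names written into the chassis other_config no longer follow one convention. Because the string is persisted in the Southbound DB and compared by both ovn-controller and northd, it cannot be renamed after release without an upgrade path; if a rename is wanted it has to be done now and in the upstream commit this is cherry-picked from, e.g. `#define OVN_FEATURE_CT_LB_RELATED "ct-lb-related"`. If the name is intentional, a short comment next to the define noting the exception would stop later "fix" attempts.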
65 changes: 44 additions & 21 deletions northd/northd.c
Expand Up @@ -396,14 +396,23 @@ build_chassis_features(const struct northd_input *input_data,
const struct sbrec_chassis *chassis;

SBREC_CHASSIS_TABLE_FOR_EACH (chassis, input_data->sbrec_chassis) {
if (!smap_get_bool(&chassis->other_config,
OVN_FEATURE_CT_NO_MASKED_LABEL,
false)) {
bool ct_no_masked_label =
smap_get_bool(&chassis->other_config,
OVN_FEATURE_CT_NO_MASKED_LABEL,
false);
if (!ct_no_masked_label && chassis_features->ct_no_masked_label) {
chassis_features->ct_no_masked_label = false;
return;
}

bool ct_lb_related =
smap_get_bool(&chassis->other_config,
OVN_FEATURE_CT_LB_RELATED,
false);
if (!ct_lb_related &&
chassis_features->ct_lb_related) {
chassis_features->ct_lb_related = false;
}
}
chassis_features->ct_no_masked_label = true;
}

struct ovn_chassis_qdisc_queues {
Expand Down Expand Up @@ -6743,14 +6752,17 @@ build_acls(struct ovn_datapath *od, const struct chassis_features *features,
* a dynamically negotiated FTP data channel), but will allow
* related traffic such as an ICMP Port Unreachable through
* that's generated from a non-listening UDP port. */
const char *ct_acl_action = features->ct_lb_related
? "ct_commit_nat;"
: "next;";
ds_clear(&match);
ds_put_format(&match, "!ct.est && ct.rel && !ct.new%s && %s == 0",
use_ct_inv_match ? " && !ct.inv" : "",
ct_blocked_match);
ovn_lflow_add(lflows, od, S_SWITCH_IN_ACL, UINT16_MAX - 3,
ds_cstr(&match), "ct_commit_nat;");
ds_cstr(&match), ct_acl_action);
ovn_lflow_add(lflows, od, S_SWITCH_OUT_ACL, UINT16_MAX - 3,
ds_cstr(&match), "ct_commit_nat;");
ds_cstr(&match), ct_acl_action);

/* Ingress and Egress ACL Table (Priority 65532).
*
Expand Down Expand Up @@ -9910,9 +9922,11 @@ build_lrouter_nat_flows_for_lb(struct ovn_lb_vip *lb_vip,
struct hmap *lflows,
struct ds *match, struct ds *action,
const struct shash *meter_groups,
bool ct_lb_mark)
const struct chassis_features *features)
{
const char *ct_natted = ct_lb_mark ? "ct_mark.natted" : "ct_label.natted";
const char *ct_natted = features->ct_no_masked_label
? "ct_mark.natted"
: "ct_label.natted";
char *skip_snat_new_action = NULL;
char *force_snat_new_action = NULL;
char *skip_snat_est_action = NULL;
Expand All @@ -9924,7 +9938,7 @@ build_lrouter_nat_flows_for_lb(struct ovn_lb_vip *lb_vip,

bool reject = build_lb_vip_actions(lb_vip, vips_nb, action,
lb->selection_fields, false,
ct_lb_mark);
features->ct_no_masked_label);
bool drop = !!strncmp(ds_cstr(action), "ct_lb", strlen("ct_lb"));
if (!drop) {
/* Remove the trailing ");". */
Expand All @@ -9948,9 +9962,11 @@ build_lrouter_nat_flows_for_lb(struct ovn_lb_vip *lb_vip,
enum lb_snat_type snat_type = NO_FORCE_SNAT;
if (smap_get_bool(&lb->nlb->options, "skip_snat", false)) {
snat_type = SKIP_SNAT;
const char *skip_snat = features->ct_lb_related && !drop
? "; skip_snat);"
: "";
skip_snat_new_action = xasprintf("flags.skip_snat_for_lb = 1; %s%s",
ds_cstr(action),
drop ? "" : "; skip_snat);");
ds_cstr(action), skip_snat);
skip_snat_est_action = xasprintf("flags.skip_snat_for_lb = 1; "
"next;");
}
Expand Down Expand Up @@ -10010,9 +10026,11 @@ build_lrouter_nat_flows_for_lb(struct ovn_lb_vip *lb_vip,
lb_vip->vip_port);
}

const char *force_snat = features->ct_lb_related && !drop
? "; force_snat);"
: "";
force_snat_new_action = xasprintf("flags.force_snat_for_lb = 1; %s%s",
ds_cstr(action),
drop ? "" : "; force_snat);");
ds_cstr(action), force_snat);
if (!drop) {
ds_put_cstr(action, ");");
}
Expand Down Expand Up @@ -10254,7 +10272,7 @@ build_lrouter_flows_for_lb(struct ovn_northd_lb *lb, struct hmap *lflows,

build_lrouter_nat_flows_for_lb(lb_vip, lb, &lb->vips_nb[i],
lflows, match, action, meter_groups,
features->ct_no_masked_label);
features);

if (!build_empty_lb_event_flow(lb_vip, lb->nlb, match, action)) {
continue;
Expand Down Expand Up @@ -13439,7 +13457,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
const struct hmap *ports, struct ds *match,
struct ds *actions,
const struct shash *meter_groups,
bool ct_lb_mark)
const struct chassis_features *features)
{
if (!od->nbr) {
return;
Expand Down Expand Up @@ -13470,9 +13488,11 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,
* a dynamically negotiated FTP data channel), but will allow
* related traffic such as an ICMP Port Unreachable through
* that's generated from a non-listening UDP port. */
if (od->has_lb_vip) {
if (od->has_lb_vip && features->ct_lb_related) {
ds_clear(match);
const char *ct_flag_reg = ct_lb_mark ? "ct_mark" : "ct_label";
const char *ct_flag_reg = features->ct_no_masked_label
? "ct_mark"
: "ct_label";

ds_put_cstr(match, "ct.rel && !ct.est && !ct.new");
size_t match_len = match->length;
Expand Down Expand Up @@ -13683,7 +13703,7 @@ build_lrouter_nat_defrag_and_lb(struct ovn_datapath *od, struct hmap *lflows,

if (od->nbr->n_nat) {
ds_clear(match);
const char *ct_natted = ct_lb_mark ?
const char *ct_natted = features->ct_no_masked_label ?
"ct_mark.natted" :
"ct_label.natted";
ds_put_format(match, "ip && %s == 1", ct_natted);
Expand Down Expand Up @@ -13801,7 +13821,7 @@ build_lswitch_and_lrouter_iterate_by_od(struct ovn_datapath *od,
build_lrouter_arp_nd_for_datapath(od, lsi->lflows, lsi->meter_groups);
build_lrouter_nat_defrag_and_lb(od, lsi->lflows, lsi->ports, &lsi->match,
&lsi->actions, lsi->meter_groups,
lsi->features->ct_no_masked_label);
lsi->features);
}

/* Helper function to combine all lflow generation which is iterated by port.
Expand Down Expand Up @@ -15316,7 +15336,10 @@ northd_init(struct northd_data *data)
hmap_init(&data->lbs);
hmap_init(&data->bfd_connections);
ovs_list_init(&data->lr_list);
memset(&data->features, 0, sizeof data->features);
data->features = (struct chassis_features) {
.ct_no_masked_label = true,
.ct_lb_related = true,
};
data->ovn_internal_version_changed = false;
}

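Review bot: In the build_chassis_features hunk both flags are now only ever cleared inside the loop — the early `return;` and the trailing `chassis_features->ct_no_masked_label = true;` of the old code are gone — so a feature disabled by one old chassis does not come back once that chassis is upgraded or removed, unless northd_init (which now initialises both to true) runs before every recompute. If the caller does not guarantee that reset, add `chassis_features->ct_no_masked_label = true;` and `chassis_features->ct_lb_related = true;` before the SBREC_CHASSIS_TABLE_FOR_EACH loop so the result reflects the current chassis set. The function's signature and the start of its body lie outside the hunk. In the build_acls hunk the fallback action `"next;"` chosen when ct_lb_related is false deserves a one-line comment such as `/* Pre-ct_lb_related fallback: let related traffic through without committing. */`, since the block comment above still describes only the ct_commit_nat behaviour.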
1 change: 1 addition & 0 deletions northd/northd.h
Expand Up @@ -55,6 +55,7 @@ struct northd_input {

struct chassis_features {
bool ct_no_masked_label;
bool ct_lb_related;
};

struct northd_data {
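Review bot: Neither member of struct chassis_features says what a false value means for the generated flows; a reader has to locate build_chassis_features and the call sites in northd.c to find out. A comment on the new member such as `/* True when every chassis advertises OVN_FEATURE_CT_LB_RELATED; when false the ct.rel LB flows in the router pipeline are skipped and the switch ACL uses "next;". */` would document the contract, and giving ct_no_masked_label the same treatment would keep the struct consistent. The struct definition is complete within the hunk.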

0 comments on commit 172156b

Please sign in to comment.