northd: bypass connection tracking for stateless flows when there are…

… LB flows present

Currently, even stateless flows are subject to connection tracking when there are
LB rules (for DNAT). However, if a flow needs to be subjected to LB, then it shouldn't
be configured as stateless.

Stateless flow means we should not track it, and this change exempts stateless
flows from being tracked regardless of whether LB rules are present or not.

Signed-off-by: venu iyer <venugopali@nvidia.com>
Signed-off-by: Han Zhou <hzhou@ovn.org>
Signed-off-by: Dumitru Ceara <dceara@redhat.com>
(cherry picked from commit a0f82ef)

northd/northd.c

@@ -128,8 +128,8 @@ enum ovn_stage {
     PIPELINE_STAGE(SWITCH, IN,  L2_UNKNOWN,    25, "ls_in_l2_unknown")    \
                                                                           \
     /* Logical switch egress stages. */                                   \
-    PIPELINE_STAGE(SWITCH, OUT, PRE_LB,       0, "ls_out_pre_lb")         \
-    PIPELINE_STAGE(SWITCH, OUT, PRE_ACL,      1, "ls_out_pre_acl")        \
+    PIPELINE_STAGE(SWITCH, OUT, PRE_ACL,      0, "ls_out_pre_acl")        \
+    PIPELINE_STAGE(SWITCH, OUT, PRE_LB,       1, "ls_out_pre_lb")         \
     PIPELINE_STAGE(SWITCH, OUT, PRE_STATEFUL, 2, "ls_out_pre_stateful")   \
     PIPELINE_STAGE(SWITCH, OUT, ACL_HINT,     3, "ls_out_acl_hint")       \
     PIPELINE_STAGE(SWITCH, OUT, ACL,          4, "ls_out_acl")            \
@@ -199,6 +199,7 @@ enum ovn_stage {
 #define REGBIT_LKUP_FDB           "reg0[11]"
 #define REGBIT_HAIRPIN_REPLY      "reg0[12]"
 #define REGBIT_ACL_LABEL          "reg0[13]"
+#define REGBIT_ACL_STATELESS      "reg0[16]"
 
 #define REG_ORIG_DIP_IPV4         "reg1"
 #define REG_ORIG_DIP_IPV6         "xxreg1"
@@ -259,7 +260,7 @@ enum ovn_stage {
  * | R0 |     REGBIT_{CONNTRACK/DHCP/DNS}              |   |                  |
  * |    |     REGBIT_{HAIRPIN/HAIRPIN_REPLY}           |   |                  |
  * |    | REGBIT_ACL_HINT_{ALLOW_NEW/ALLOW/DROP/BLOCK} |   |                  |
- * |    |     REGBIT_ACL_LABEL                         | X |                  |
+ * |    |     REGBIT_ACL_{LABEL/STATELESS}             | X |                  |
  * +----+----------------------------------------------+ X |                  |
  * | R1 |         ORIG_DIP_IPV4 (>= IN_PRE_STATEFUL)   | R |                  |
  * +----+----------------------------------------------+ E |                  |
@@ -5809,17 +5810,18 @@ build_stateless_filter(struct ovn_datapath *od,
                        const struct nbrec_acl *acl,
                        struct hmap *lflows)
 {
+    const char *action = REGBIT_ACL_STATELESS" = 1; next;";
     if (!strcmp(acl->direction, "from-lport")) {
         ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL,
                                 acl->priority + OVN_ACL_PRI_OFFSET,
                                 acl->match,
-                                "next;",
+                                action,
                                 &acl->header_);
     } else {
         ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL,
                                 acl->priority + OVN_ACL_PRI_OFFSET,
                                 acl->match,
-                                "next;",
+                                action,
                                 &acl->header_);
     }
 }
@@ -5912,6 +5914,10 @@ build_pre_acls(struct ovn_datapath *od, const struct hmap *port_groups,
                       REGBIT_CONNTRACK_DEFRAG" = 1; next;");
         ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 100, "ip",
                       REGBIT_CONNTRACK_DEFRAG" = 1; next;");
+    } else if (od->has_lb_vip) {
+        /* We'll build stateless filters if there are LB rules so that
+         * the stateless flows are not tracked in pre-lb. */
+         build_stateless_filters(od, port_groups, lflows);
     }
 }
 
@@ -6016,6 +6022,12 @@ build_pre_lb(struct ovn_datapath *od, struct hmap *lflows)
         }
     }
 
+    /* Do not sent statless flows via conntrack */
+    ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_LB, 110,
+                  REGBIT_ACL_STATELESS" == 1", "next;");
+    ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_LB, 110,
+                  REGBIT_ACL_STATELESS" == 1", "next;");
+
     /* 'REGBIT_CONNTRACK_NAT' is set to let the pre-stateful table send
      * packet to conntrack for defragmentation and possibly for unNATting.
      *
@@ -7012,7 +7024,8 @@ build_lb_rules_pre_stateful(struct hmap *lflows, struct ovn_northd_lb *lb,
         }
         ds_put_format(action, "%s;", ct_lb_mark ? "ct_lb_mark" : "ct_lb");
 
-        ds_put_format(match, "%s.dst == %s", ip_match, lb_vip->vip_str);
+        ds_put_format(match, REGBIT_CONNTRACK_NAT" == 1 && %s.dst == %s",
+                      ip_match, lb_vip->vip_str);
         if (lb_vip->vip_port) {
             ds_put_format(match, " && %s.dst == %d", proto, lb_vip->vip_port);
         }

northd/ovn-northd.8.xml

@@ -508,7 +508,9 @@
       priority-110 flow is added to skip over stateful ACLs. Multicast, IPv6
       Neighbor Discovery and MLD traffic also skips stateful ACLs. For
       "allow-stateless" ACLs, a flow is added to bypass setting the hint for
-      connection tracker processing.
+      connection tracker processing when there are stateful ACLs or LB rules;
+      <code>REGBIT_ACL_STATELESS</code> is set for traffic matching stateless
+      ACL flows.
     </p>
 
     <p>
@@ -528,8 +530,10 @@
       in ingress table <code>LB</code> and <code>Stateful</code>.  It contains
       a priority-0 flow that simply moves traffic to the next table. Moreover
       it contains two priority-110 flows to move multicast, IPv6 Neighbor
-      Discovery and MLD traffic to the next table. If load balancing rules with
-      virtual IP addresses (and ports) are configured in
+      Discovery and MLD traffic to the next table. It also contains two
+      priority-110 flows to move stateless traffic, i.e traffic for which
+      <code>REGBIT_ACL_STATELESS</code> is set, to the next table. If load
+      balancing rules with virtual IP addresses (and ports) are configured in
       <code>OVN_Northbound</code> database for a logical switch datapath, a
       priority-100 flow is added with the match <code>ip</code> to match on IP
       packets and sets the action <code>reg0[2] = 1; next;</code> to act as a
@@ -1866,19 +1870,11 @@ output;
       </li>
     </ul>
 
-    <h3>Egress Table 0: Pre-LB</h3>
+    <h3>Egress Table 0: <code>to-lport</code> Pre-ACLs</h3>
 
     <p>
-      This table is similar to ingress table <code>Pre-LB</code>.  It
-      contains a priority-0 flow that simply moves traffic to the next table.
-      Moreover it contains two priority-110 flows to move multicast, IPv6
-      Neighbor Discovery and MLD traffic to the next table. If any load
-      balancing rules exist for the datapath, a priority-100 flow is added with
-      a match of <code>ip</code> and action of <code>reg0[2] = 1; next;</code>
-      to act as a hint for table <code>Pre-stateful</code> to send IP packets
-      to the connection tracker for packet de-fragmentation and possibly DNAT
-      the destination VIP to one of the selected backend for already commited
-      load balanced traffic.
+      This is similar to ingress table <code>Pre-ACLs</code> except for
+     <code>to-lport</code> traffic.
     </p>
 
     <p>
@@ -1891,11 +1887,29 @@ output;
       db="OVN_Northbound"/> table.
     </p>
 
-    <h3>Egress Table 1: <code>to-lport</code> Pre-ACLs</h3>
+    <p>
+      This table also has a priority-110 flow with the match
+      <code>outport == <var>I</var></code> for all logical switch
+      datapaths to move traffic to the next table. Where <var>I</var>
+      is the peer of a logical router port. This flow is added to
+      skip the connection tracking of packets which will be entering
+      logical router datapath from logical switch datapath for routing.
+    </p>
+
+
+    <h3>Egress Table 1: Pre-LB</h3>
 
     <p>
-      This is similar to ingress table <code>Pre-ACLs</code> except for
-     <code>to-lport</code> traffic.
+      This table is similar to ingress table <code>Pre-LB</code>.  It
+      contains a priority-0 flow that simply moves traffic to the next table.
+      Moreover it contains two priority-110 flows to move multicast, IPv6
+      Neighbor Discovery and MLD traffic to the next table. If any load
+      balancing rules exist for the datapath, a priority-100 flow is added with
+      a match of <code>ip</code> and action of <code>reg0[2] = 1; next;</code>
+      to act as a hint for table <code>Pre-stateful</code> to send IP packets
+      to the connection tracker for packet de-fragmentation and possibly DNAT
+      the destination VIP to one of the selected backend for already committed
+      load balanced traffic.
     </p>
 
     <p>
@@ -1908,15 +1922,6 @@ output;
       db="OVN_Northbound"/> table.
     </p>
 
-    <p>
-      This table also has a priority-110 flow with the match
-      <code>outport == <var>I</var></code> for all logical switch
-      datapaths to move traffic to the next table. Where <var>I</var>
-      is the peer of a logical router port. This flow is added to
-      skip the connection tracking of packets which will be entering
-      logical router datapath from logical switch datapath for routing.
-    </p>
-
     <h3>Egress Table 2: Pre-stateful</h3>
 
     <p>

ovn-nb.xml

@@ -2010,6 +2010,9 @@
           outgoing TCP traffic directed to an IP address, then you probably
           also want to define another rule to allow incoming TCP traffic coming
           from this same IP address.
+          In addition, traffic that matches stateless ACLs will bypass
+          load-balancer DNAT/un-DNAT processing. Stateful ACLs should be
+          used instead if the traffic is supposed to be load-balanced.
         </li>
 
         <li>