Bug 2022403

Summary: [OVN] Do not install ARP responder flows for VIPs that are not part of directly connected networks.
Product: Red Hat Enterprise Linux Fast Datapath
Reporter: Dumitru Ceara <dceara>
Component: OVN
Assignee: Dumitru Ceara <dceara>
Status: CLOSED ERRATA
QA Contact: ying xu <yinxu>
Severity: high
Docs Contact:
Priority: high
Version: FDP 21.I
CC: ctrautma, jiji, mmichels
Target Milestone: ---   
Target Release: FDP 22.C   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: ovn21.12-21.12.0-23.el8fdp ovn-2021-21.12.0-4.el8fdp
Doc Type: If docs needed, set a value
Last Closed: 2022-04-25 14:26:54 UTC
Type: Bug

Description Dumitru Ceara 2021-11-11 15:04:08 UTC
Description of problem:

When a load balancer is applied on a logical router, OVN should only reply to ARP requests (and neighbor solicitation packets) for load balancer VIPs that are actually part of subnets configured on the logical router ports.

In ovn-k8s deployments, cluster-wide service VIPs are not part of any gateway router subnet.  Installing ARP responder flows for them is a waste of resources and significantly increases the SB size (due to the per-logical router LB IPs address_set).

Comment 1 Dumitru Ceara 2021-11-16 11:00:07 UTC
Patch posted for review: http://patchwork.ozlabs.org/project/ovn/list/?series=272253&state=*

Comment 6 ying xu 2022-04-19 12:20:08 UTC
reproduced on version:
# rpm -qa|grep ovn
ovn-2021-21.09.1-24.el8fdp.x86_64
ovn-2021-host-21.09.1-24.el8fdp.x86_64
ovn-2021-central-21.09.1-24.el8fdp.x86_64



# ovn-nbctl lr-add lr -- lrp-add lr lrp 00:00:00:00:00:01 172.16.1.1/24 -- lb-add lb1 192.168.100.1 42.42.42.1 -- lr-lb-add lr lb1 
[root@dell-per730-19 load_balance]# ovn-sbctl list address_set
_uuid               : 440b112c-54ea-4eb8-85c7-8bf9645a16de
addresses           : ["192.168.1.100", "192.168.1.110"]
name                : _rtr_lb_1_ip4

_uuid               : 5f665ac9-cc76-41d8-9272-45eeb8b3dd71
addresses           : ["a6:cf:33:ad:44:fd"]
name                : svc_monitor_mac

_uuid               : 1a2a5dd6-50d3-447d-bb5b-14d91096250a
addresses           : ["192.168.100.1"]       ---------------------this should not be here
name                : _rtr_lb_5_ip4
[root@dell-per730-19 load_balance]# ovn-sbctl dump-flows|grep lb_5  ---------this flow should not be installed.
  table=3 (lr_in_ip_input     ), priority=90   , match=(inport == "lrp" && arp.op == 1 && arp.tpa == $_rtr_lb_5_ip4), action=(eth.dst = eth.src; eth.src = xreg0[0..47]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[0..47]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;)


verified on version:
# rpm -qa|grep ovn
ovn-2021-21.12.0-42.el8fdp.x86_64
ovn-2021-central-21.12.0-42.el8fdp.x86_64
ovn-2021-host-21.12.0-42.el8fdp.x86_64

# ovn-nbctl lb-add lb1 192.168.200.1 192.168.0.1
[root@dell-per730-19 load_balance]# ovn-nbctl --wait=hv lr-lb-add R1 lb1
[root@dell-per730-19 load_balance]# ovn-sbctl list address_set
_uuid               : 2c31b359-86d7-456b-8780-3e978b305a60
addresses           : ["0a:ba:7a:08:56:47"]
name                : svc_monitor_mac

_uuid               : c3357576-456d-497b-9177-753f394fecf6
addresses           : ["192.168.1.100", "192.168.1.110"]            ---------------there is no 192.168.200.1 here
name                : _rtr_lb_1_ip4
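
The check performed in Comment 6, as an added example that is not part of the original bug report or of OVN's code: it parses `ovn-sbctl list address_set` output and reports VIPs in the per-router `_rtr_lb_*` sets that fall outside that router's port subnets. The sample text is constructed from the output shown above; the `PORT_NETWORKS` mapping (including the 192.168.1.1/24 network) and the function names are assumptions.

```python
import re
from ipaddress import ip_address, ip_interface

# Constructed sample in the shape of the `ovn-sbctl list address_set` output above.
SAMPLE = """\
_uuid               : 440b112c-54ea-4eb8-85c7-8bf9645a16de
addresses           : ["192.168.1.100", "192.168.1.110"]
name                : _rtr_lb_1_ip4

_uuid               : 5f665ac9-cc76-41d8-9272-45eeb8b3dd71
addresses           : ["a6:cf:33:ad:44:fd"]
name                : svc_monitor_mac

_uuid               : 1a2a5dd6-50d3-447d-bb5b-14d91096250a
addresses           : ["192.168.100.1"]
name                : _rtr_lb_5_ip4
"""

# Assumption: the caller supplies the router port networks behind each set.
# 172.16.1.1/24 is the lrp from the reproducer; 192.168.1.1/24 is constructed.
PORT_NETWORKS = {"_rtr_lb_1_ip4": ["192.168.1.1/24"],
                 "_rtr_lb_5_ip4": ["172.16.1.1/24"]}
RTR_LB_SET = re.compile(r"_rtr_lb_\d+_ip[46]")


def parse_address_sets(text):
    """Return {set name: [addresses]} from `ovn-sbctl list address_set` text."""
    sets = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = dict(re.findall(r"^(\w+)[ \t]*:[ \t]*(.*)$", record, re.M))
        if "name" in fields:
            name = fields["name"].strip().strip('"')
            sets[name] = re.findall(r'"([^"]+)"', fields.get("addresses", ""))
    return sets


def unconnected_vips(sets, port_networks):
    """Map each per-router LB set to the VIPs outside every router port subnet."""
    findings = {}
    for name, addrs in sets.items():
        if not RTR_LB_SET.fullmatch(name):
            continue  # e.g. svc_monitor_mac holds MACs, not VIPs
        nets = [ip_interface(n).network for n in port_networks.get(name, [])]
        stray = [a for a in addrs if not any(ip_address(a) in n for n in nets)]
        if stray:
            findings[name] = stray
    return findings

if __name__ == "__main__":
    print(unconnected_vips(parse_address_sets(SAMPLE), PORT_NETWORKS))
```

An empty result corresponds to the verified state in Comment 6, where no VIP outside a connected subnet appears in a `_rtr_lb_*` set.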

Comment 8 errata-xmlrpc 2022-04-25 14:26:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn-2021 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1523