2022403 – [OVN] Do not install ARP responder flows for VIPs that are not part of directly connected networks.

The FDP team is no longer accepting new bugs in Bugzilla. Please report your issues under FDP project in Jira. Thanks.

Bug 2022403 - [OVN] Do not install ARP responder flows for VIPs that are not part of directly connected networks.

Summary: [OVN] Do not install ARP responder flows for VIPs that are not part of direct...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux Fast Datapath
Classification:	Red Hat
Component:	OVN
Sub Component:
Version:	FDP 21.I
Hardware:	Unspecified
OS:	Unspecified
Priority:	high
Severity:	high
Target Milestone:	---
Target Release:	FDP 22.C
Assignee:	Dumitru Ceara
QA Contact:	ying xu
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2021-11-11 15:04 UTC by Dumitru Ceara
Modified:	2022-04-25 14:27 UTC (History)
CC List:	3 users (show)
Fixed In Version:	ovn21.12-21.12.0-23.el8fdp ovn-2021-21.12.0-4.el8fdp
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2022-04-25 14:26:54 UTC
Target Upstream Version:
Embargoed:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Issue Tracker	FD-1648	0	None	None	None	2021-11-11 15:04:48 UTC
Red Hat Product Errata	RHBA-2022:1523	0	None	None	None	2022-04-25 14:27:10 UTC

Description Dumitru Ceara 2021-11-11 15:04:08 UTC

Description of problem:

When a load balancer is applied on a logical router OVN should only reply to ARP requests (and neighbor solicitation packets) for load balancer VIPs that are actually part of subnets configured on the logical router ports.

In ovn-k8s deployments, cluster-wide service VIPs are not part of any gateway router subnet.  Installing ARP responder flows for them is a waste of resources and significantly increases the SB size (due to the per-logical router LB IPs address_set).

Comment 1 Dumitru Ceara 2021-11-16 11:00:07 UTC

Patch posted for review: http://patchwork.ozlabs.org/project/ovn/list/?series=272253&state=*

Comment 6 ying xu 2022-04-19 12:20:08 UTC

reproduced on version:
# rpm -qa|grep ovn
ovn-2021-21.09.1-24.el8fdp.x86_64
ovn-2021-host-21.09.1-24.el8fdp.x86_64
ovn-2021-central-21.09.1-24.el8fdp.x86_64



# ovn-nbctl lr-add lr -- lrp-add lr lrp 00:00:00:00:00:01 172.16.1.1/24 -- lb-add lb1 192.168.100.1 42.42.42.1 -- lr-lb-add lr lb1 
[root@dell-per730-19 load_balance]# ovn-sbctl list address_set
_uuid               : 440b112c-54ea-4eb8-85c7-8bf9645a16de
addresses           : ["192.168.1.100", "192.168.1.110"]
name                : _rtr_lb_1_ip4

_uuid               : 5f665ac9-cc76-41d8-9272-45eeb8b3dd71
addresses           : ["a6:cf:33:ad:44:fd"]
name                : svc_monitor_mac

_uuid               : 1a2a5dd6-50d3-447d-bb5b-14d91096250a
addresses           : ["192.168.100.1"]       ---------------------this should not be here
name                : _rtr_lb_5_ip4
[root@dell-per730-19 load_balance]# ovn-sbctl dump-flows|grep lb_5  ---------this flow should not installed.
  table=3 (lr_in_ip_input     ), priority=90   , match=(inport == "lrp" && arp.op == 1 && arp.tpa == $_rtr_lb_5_ip4), action=(eth.dst = eth.src; eth.src = xreg0[0..47]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[0..47]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;)


verified on version:
# rpm -qa|grep ovn
ovn-2021-21.12.0-42.el8fdp.x86_64
ovn-2021-central-21.12.0-42.el8fdp.x86_64
ovn-2021-host-21.12.0-42.el8fdp.x86_64

# ovn-nbctl lb-add lb1 192.168.200.1 192.168.0.1
[root@dell-per730-19 load_balance]# ovn-nbctl --wait=hv lr-lb-add R1 lb1
[root@dell-per730-19 load_balance]# ovn-sbctl list address_set
_uuid               : 2c31b359-86d7-456b-8780-3e978b305a60
addresses           : ["0a:ba:7a:08:56:47"]
name                : svc_monitor_mac

_uuid               : c3357576-456d-497b-9177-753f394fecf6
addresses           : ["192.168.1.100", "192.168.1.110"]            ---------------here is no 192.168.200.1
name                : _rtr_lb_1_ip4

Comment 8 errata-xmlrpc 2022-04-25 14:26:54 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn-2021 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1523

Note You need to log in before you can comment on or make changes to this bug.