Bug 2022403 - [OVN] Do not install ARP responder flows for VIPs that are not part of directly connected networks.
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux Fast Datapath
Classification: Red Hat
Component: OVN
Version: FDP 21.I
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: high
Target Milestone: ---
Target Release: FDP 22.C
Assignee: Dumitru Ceara
QA Contact: ying xu
Reported: 2021-11-11 15:04 UTC by Dumitru Ceara
Modified: 2022-04-25 14:27 UTC (History)

Fixed In Version: ovn21.12-21.12.0-23.el8fdp ovn-2021-21.12.0-4.el8fdp
Last Closed: 2022-04-25 14:26:54 UTC

Links
System ID Private Priority Status Summary Last Updated
Red Hat Issue Tracker FD-1648 0 None None None 2021-11-11 15:04:48 UTC
Red Hat Product Errata RHBA-2022:1523 0 None None None 2022-04-25 14:27:10 UTC

Description Dumitru Ceara 2021-11-11 15:04:08 UTC
Description of problem:

When a load balancer is applied on a logical router, OVN should only reply to ARP requests (and neighbor solicitation packets) for load balancer VIPs that are actually part of subnets configured on the logical router ports.

In ovn-k8s deployments, cluster-wide service VIPs are not part of any gateway router subnet.  Installing ARP responder flows for them is a waste of resources and significantly increases the SB size (due to the per-logical router LB IPs address_set).

Comment 1 Dumitru Ceara 2021-11-16 11:00:07 UTC
Patch posted for review: http://patchwork.ozlabs.org/project/ovn/list/?series=272253&state=*

Comment 6 ying xu 2022-04-19 12:20:08 UTC
reproduced on version:
# rpm -qa|grep ovn
ovn-2021-21.09.1-24.el8fdp.x86_64
ovn-2021-host-21.09.1-24.el8fdp.x86_64
ovn-2021-central-21.09.1-24.el8fdp.x86_64



# ovn-nbctl lr-add lr -- lrp-add lr lrp 00:00:00:00:00:01 172.16.1.1/24 -- lb-add lb1 192.168.100.1 42.42.42.1 -- lr-lb-add lr lb1 
[root@dell-per730-19 load_balance]# ovn-sbctl list address_set
_uuid               : 440b112c-54ea-4eb8-85c7-8bf9645a16de
addresses           : ["192.168.1.100", "192.168.1.110"]
name                : _rtr_lb_1_ip4

_uuid               : 5f665ac9-cc76-41d8-9272-45eeb8b3dd71
addresses           : ["a6:cf:33:ad:44:fd"]
name                : svc_monitor_mac

_uuid               : 1a2a5dd6-50d3-447d-bb5b-14d91096250a
addresses           : ["192.168.100.1"]       ---------------------this should not be here
name                : _rtr_lb_5_ip4
[root@dell-per730-19 load_balance]# ovn-sbctl dump-flows|grep lb_5  ---------this flow should not be installed.
  table=3 (lr_in_ip_input     ), priority=90   , match=(inport == "lrp" && arp.op == 1 && arp.tpa == $_rtr_lb_5_ip4), action=(eth.dst = eth.src; eth.src = xreg0[0..47]; arp.op = 2; /* ARP reply */ arp.tha = arp.sha; arp.sha = xreg0[0..47]; arp.tpa <-> arp.spa; outport = inport; flags.loopback = 1; output;)


verified on version:
# rpm -qa|grep ovn
ovn-2021-21.12.0-42.el8fdp.x86_64
ovn-2021-central-21.12.0-42.el8fdp.x86_64
ovn-2021-host-21.12.0-42.el8fdp.x86_64

# ovn-nbctl lb-add lb1 192.168.200.1 192.168.0.1
[root@dell-per730-19 load_balance]# ovn-nbctl --wait=hv lr-lb-add R1 lb1
[root@dell-per730-19 load_balance]# ovn-sbctl list address_set
_uuid               : 2c31b359-86d7-456b-8780-3e978b305a60
addresses           : ["0a:ba:7a:08:56:47"]
name                : svc_monitor_mac

_uuid               : c3357576-456d-497b-9177-753f394fecf6
addresses           : ["192.168.1.100", "192.168.1.110"]            ---------------there is no 192.168.200.1 here
name                : _rtr_lb_1_ip4
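
Added example, not part of the bug report or the OVN code base: a Python check in the spirit of the verification in comment 6, which parses `ovn-sbctl list address_set` output and reports load balancer VIPs that lie outside the router's connected subnets. The mapping from address set name to router port networks is supplied by hand; the `_rtr_lb_1_ip4` network is an assumed value, and the sample is constructed from the listing above with UUIDs omitted.

```python
import ipaddress
import re

# Constructed sample in the `ovn-sbctl list address_set` format (UUIDs omitted).
SAMPLE = '''\
addresses           : ["192.168.1.100", "192.168.1.110"]
name                : _rtr_lb_1_ip4

addresses           : ["a6:cf:33:ad:44:fd"]
name                : svc_monitor_mac

addresses           : ["192.168.100.1"]
name                : _rtr_lb_5_ip4
'''

# Router port networks per address set. The lb_5 entry is the lrp-add network
# from comment 6; the lb_1 entry is an assumed value for illustration.
ROUTER_NETWORKS = {
    "_rtr_lb_5_ip4": ["172.16.1.1/24"],
    "_rtr_lb_1_ip4": ["192.168.1.1/24"],
}

def parse_address_sets(text):
    """Return {name: [addresses]} from `ovn-sbctl list address_set` output."""
    sets = {}
    for record in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in record.splitlines():
            key, sep, value = line.partition(":")  # split at the first colon only
            if sep:
                fields[key.strip()] = value.strip()
        if "name" in fields:
            name = fields["name"].strip('"')
            sets[name] = re.findall(r'"([^"]+)"', fields.get("addresses", ""))
    return sets

def unreachable_vips(address_sets, router_networks):
    """Return {set name: [VIPs outside every connected subnet of that router]}."""
    findings = {}
    for name, cidrs in router_networks.items():
        nets = [ipaddress.ip_interface(c).network for c in cidrs]
        stale = [a for a in address_sets.get(name, [])
                 if not any(ipaddress.ip_address(a) in n for n in nets)]
        if stale:
            findings[name] = stale
    return findings

if __name__ == "__main__":
    print(unreachable_vips(parse_address_sets(SAMPLE), ROUTER_NETWORKS))
```

Only sets named in the mapping are checked, so the MAC-valued `svc_monitor_mac` set is parsed but never interpreted as an IP address.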

Comment 8 errata-xmlrpc 2022-04-25 14:26:54 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (ovn-2021 bug fix and enhancement update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2022:1523

