> > > > Completely agree that you need to go through a common point in both
> > > > directions in the same chassis.
>
> Why does this require a separate gateway router?

The primary reason to choose a separate gateway router was to support multiple physical gateways for k8s to which you can load balance your traffic from the external world, i.e. you will have a router in each physical gateway with its own floating IP per service. From the external world, you can load balance traffic to your gateways. The floating IP is further load balanced to an internal workload.

> Why can't it just be a centralized gateway router port on an otherwise
> distributed router?

It is indeed one of the solutions for my problem statement (provided you can support multiple physical gateway chassis). I haven't spent too much time thinking on how to do this for multiple physical gateways.

> Looking at the logic for ports on remote chassis in physical.c, I see no
> reason why that logic cannot work for logical router datapaths just like it
> works for logical switch datapaths. On logical switches, some ports are
> distributed and run everywhere, e.g. localnet, and other ports run on a
> specific chassis, e.g. vif and your proposed "gateway" port.
>
> Am I missing something that prevents a mix of centralized and distributed
> ports on a logical router datapath?

You will have to give me some more details (I am currently unable to visualize your solution). Maybe start with a simple topology of one DR connected to two LS. Simple packet walkthrough (in English) for north-south (external to internal via floating IPs) and its return traffic (going through conntrack), south-north traffic (and its return traffic) and east-west (via central gateway).

My thinking is this: if we want to do NAT in a router, then we need to have an ingress pipeline as well as an egress pipeline. A router has multiple ports. When a packet comes in any router port, I want to be able to do DNAT (and reverse its effect), and when a packet exits any port, I want to be able to do SNAT. I also should be able to do both DNAT and SNAT on a single packet (to handle north-south load balancing). So the entire router should be there at a single location.

> We have not tried it yet, but it seems like this would simplify things a lot:
>
> 1. Only one router needs to be provisioned rather than a distributed router
>    and a centralized gateway router
> 2. No need for static routes between the distributed and centralized gateway
>    routers
> 3. No need for transit logical switches, transit subnets, or transit flows
> 4. Fewer passes through datapaths, improving performance

The above is ideal.

> You can then pin DNAT and SNAT logic to the centralized gateway port, for
> traffic to physical networks. East/west traffic to floating IPs still
> requires additional logic on other ports, as proposed in Chandra's floating
> IP patch.
>
> We want to get to a point where SNAT traffic goes through a centralized
> gateway port, but DNAT traffic goes through a distributed patch port.

Please tell me what DNAT means and what SNAT means for you. I may be talking about the opposite thing from you.

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
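Added example, not part of this thread and not OVN's own documentation: the two-router layout the reply argues for (a distributed router DR fronting two logical switches, a centralized gateway router GW pinned to one physical gateway chassis, joined to DR by a transit switch plus static routes, with all NAT kept on GW) written as an ovn-nbctl provisioning script in the gateway-router model OVN later shipped (`options:chassis` on the logical router). Router, switch and chassis names, MACs and addresses are invented; it assumes a current ovn-nbctl that supports `lr-nat-add`, `lb-add`, `lr-lb-add` and the `router` keyword for `lsp-set-addresses`, and a bridge mapped as `physnet` on the gateway chassis.

```shell
#!/bin/sh
# Added example: provision the DR + GW topology from the thread with ovn-nbctl.
# All names, MACs, chassis ids and addresses below are made up.
#
#   physnet -- [ext] -- GW (chassis gw1: NAT, LB) -- [join] -- DR -- [ls1], [ls2]
#
# Set NBCTL (e.g. NBCTL=echo) to dry-run the commands instead of applying them.
set -eu

NBCTL="${NBCTL:-ovn-nbctl}"

nb() { $NBCTL "$@"; }

# Attach logical switch $1 to logical router $2 through router port $3
# (MAC $4, address $5) and a matching router-type switch port.
attach_switch() {
    sw=$1 lr=$2 lrp=$3 mac=$4 cidr=$5
    nb lrp-add "$lr" "$lrp" "$mac" "$cidr"
    nb lsp-add "$sw" "${sw}-${lrp}"
    nb lsp-set-type "${sw}-${lrp}" router
    nb lsp-set-addresses "${sw}-${lrp}" router
    nb lsp-set-options "${sw}-${lrp}" "router-port=${lrp}"
}

provision_topology() {
    # Distributed router DR with two tenant switches; this part runs everywhere.
    nb lr-add DR
    nb ls-add ls1
    nb ls-add ls2
    attach_switch ls1 DR dr-ls1 00:00:00:00:01:01 10.0.1.1/24
    attach_switch ls2 DR dr-ls2 00:00:00:00:02:01 10.0.2.1/24

    # Centralized gateway router GW: both its ingress and egress pipelines
    # run on the physical gateway chassis gw1, so conntrack sees both
    # directions of every flow in one place.
    nb lr-add GW
    nb set logical_router GW options:chassis=gw1

    # Transit ("join") switch and /30 between DR and GW.
    nb ls-add join
    attach_switch join DR dr-join 00:00:00:00:fe:01 169.254.0.1/30
    attach_switch join GW gw-join 00:00:00:00:fe:02 169.254.0.2/30

    # Static routes across the transit switch in both directions.
    nb lr-route-add DR 0.0.0.0/0 169.254.0.2
    nb lr-route-add GW 10.0.0.0/16 169.254.0.1

    # External switch with a localnet port onto the physical network.
    nb ls-add ext
    nb lsp-add ext ext-physnet
    nb lsp-set-type ext-physnet localnet
    nb lsp-set-addresses ext-physnet unknown
    nb lsp-set-options ext-physnet network_name=physnet
    attach_switch ext GW gw-ext 00:00:00:00:ee:01 203.0.113.1/24

    # All NAT is pinned to GW:
    #  - south-north: tenant range SNATed behind the gateway address
    nb lr-nat-add GW snat 203.0.113.2 10.0.0.0/16
    #  - north-south to one workload: floating IP (DNAT inbound, SNAT outbound)
    nb lr-nat-add GW dnat_and_snat 203.0.113.10 10.0.1.10
    #  - north-south load balancing: VIP DNATed to a backend on GW; the reply
    #    follows DR's default route back through GW, where conntrack reverses it.
    nb lb-add svc-web 203.0.113.20:80 10.0.1.11:80,10.0.2.11:80
    nb lr-lb-add GW svc-web
}

if [ "${1:-}" = apply ]; then
    provision_topology
fi
```

Run it as `sh provision.sh apply` against a reachable northbound DB, or with `NBCTL=echo` to print the commands. A second physical gateway is the same GW block repeated with its own chassis name, join port and floating IPs, which is the multiple-gateway case the reply describes; the static routes and transit subnet are the cost the quoted list items 2 and 3 want to remove.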