On 30 August 2016 at 13:03, Ben Pfaff <b...@ovn.org> wrote:

> On Tue, Aug 23, 2016 at 02:46:17AM -0700, Gurucharan Shetty wrote:
> > Currently ct_lb() logical action is only added for a logical switch and
> > we use the conntrack zone allocated for the logical port. A future commit
> > will use ct_lb() for a logical router too. In that case, use the allocated
> > DNAT zone.
> >
> > Signed-off-by: Gurucharan Shetty <g...@ovn.org>
>
> Can you help me to understand why the desired behavior is different in
> each of these cases?
>
Currently we do the following conntrack zone allocations.

1. A conntrack zone for each logical port. This has to be unique only per
   hypervisor. We use this zone to do both firewall and east-west
   load-balancing. For firewall, we send the packet to conntrack to
   defragment it and track it and figure out whether it is invalid, new,
   established, etc. Invalid packets are dropped. New connections are
   committed. For load-balancing, defragmented packets are DNATed into one
   of the possible endpoints. We do the load-balancing at the endpoint
   (instead of, say, in a router) because of the asymmetric nature of OVN
   router pipeline handling for east-west. So when we see the ct_lb() action
   on a switch, we can just use the conntrack zone allocated for that
   logical port.

2. Two conntrack zones per gateway router. A gateway router only resides in
   a particular chassis. We have one conntrack zone for DNAT and another
   for SNAT.

Now when I want to add the ct_lb() action for the gateway router, I want to
use it as part of the gateway router pipeline. Since load-balancing is
nothing but a DNAT using one of the chosen endpoints, the conntrack zone has
to be a DNAT zone allocated to that gateway router.

Did I give the answer to your question? Or was it something else that you
were looking for an explanation for?

PS: The second patch of the series did not make it to patchwork. It is here:
http://openvswitch.org/pipermail/dev/2016-August/078478.html