trozet

EVPN Support in OVN — Design & Architecture

Table of Contents

1. Executive Summary
2. High‑Level Architecture & Design
3. EVPN Implementation Components
   • Data Model / Schema Options
   • Northd / Logical Flow Changes

• ovn‑controller EVPN Modules

trozet

trozet@fedora:~/go/src/github.com/ovn-org/ovn-kubernetes/go-controller$ git diff
diff --git a/go-controller/pkg/clustermanager/pod/allocator.go b/go-controller/pkg/clustermanager/pod/allocator.go
index b1919afd1c..1832ebf0d7 100644
--- a/go-controller/pkg/clustermanager/pod/allocator.go
+++ b/go-controller/pkg/clustermanager/pod/allocator.go
@@ -217,7 +217,12 @@ func (a *PodAllocator) reconcile(old, new *corev1.Pod, releaseFromAllocator bool
                }
        }
 
-       onNetwork, networkMap, err := util.GetPodNADToNetworkMappingWithActiveNetwork(pod, a.netInfo, activeNetwork)

trozet

[root@ovn-worker2 ~]# ovs-appctl dpctl/dump-flows 
recirc_id(0x95),dp_hash(0x4/0xf),in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:5714, bytes:422836, used:0.044s, flags:S, actions:ct(commit,zone=34,mark=0xa/0xa,nat(dst=10.20.2.4:80)),recirc(0x96)
recirc_id(0x9f),in_port(8),skb_mark(0),ct_state(-new+est-rel+rpl-inv+trk),ct_mark(0/0x4f),eth(src=0a:58:64:41:00:01,dst=0a:58:64:41:00:04),eth_type(0x0800),ipv4(dst=172.18.0.3,proto=6,ttl=63,frag=no), packets:556858, bytes:144608298, used:0.004s, flags:SFP., actions:set(eth(src=76:74:a3:6e:b2:6a,dst=be:81:2b:de:de:37)),set(ipv4(ttl=62)),ct(zone=34,nat),recirc(0xa4)
recirc_id(0x95),dp_hash(0x9/0xf),in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:5799, bytes:429126, used:0.024s, flags:S, actions:ct(commit,zone=34,mark=0xa/0xa,nat(dst=10.20.2.4:80)),recirc(0x96)
recirc_id(0),in_port(2),skb_mark(0),eth(dst=76:74:a3:6e:b2:6a),eth_type(0x0800),ipv4(dst=172.18.0.2,proto=6,frag=no),tcp(dst=32768/0x8000), packets:280, bytes:263034, used:4.598s, flags:P., a

trozet

use std::collections::HashSet;
use std::net::IpAddr;

use once_cell::sync::Lazy;
use proxy_wasm::traits::*;
use proxy_wasm::types::*;
use serde::Deserialize;
use serde_json::Value;

static DEFAULT_ALLOWED_IPS: Lazy<HashSet<IpAddr>> = Lazy::new(HashSet::new);

trozet

Features Interaction with adding extra Subnets to a UDN

Egress Firewall

Whenever an IP block is provided as match criteria for Egress Firewall, we calculate if it overlaps with the current pod subnet. If so, then we add an exclusion match criteria to the ACL to ensure east/west traffic is not affected by the firewall. Today when a NAD changes, a handleNetworkEvent callback is made from the NAD Controller to the Egress Firewall controller. This callback causes any Egress Firewall in the NAD namespace to be reconciled. This should force the ACLs to be regenerated if the new subnet overlaps with the IP Block in the Egress Firewall.

trozet

[root@ovn-worker2 ~]# ovs-appctl ofproto/trace breth0 in_port=LOCAL,dl_src=66:a6:bc:8d:62:3f,dl_dst=0a:58:a9:fe:00:04,tcp,tp_dst=80,nw_dst=10.96.134.186,nw_src=172.18.0.2,nw_ttl=25
Flow: tcp,in_port=LOCAL,vlan_tci=0x0000,dl_src=66:a6:bc:8d:62:3f,dl_dst=0a:58:a9:fe:00:04,nw_src=172.18.0.2,nw_dst=10.96.134.186,nw_tos=0,nw_ecn=0,nw_ttl=25,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0

bridge("breth0")
----------------
 0. ip,in_port=LOCAL,nw_dst=10.96.0.0/16, priority 500, cookie 0xdeff105
    ct(commit,table=2,zone=64001,nat(src=169.254.0.2))
    nat(src=169.254.0.2)
     -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 2.
     -> Sets the packet to an untracked state, and clears all the conntrack fields.

trozet

package trustzone

import (
	"encoding/json"
	"testing"

	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
	"k8s.io/apimachinery/pkg/labels"
)

trozet

<?xml version="1.0" encoding="utf-8"?>
<ItemFilter xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
  <name>Combined Warlock and Warpath Filter</name>
  <filterIcon>0</filterIcon>
  <filterIconColor>0</filterIconColor>
  <description>Combined filter for Chthonic Fissure Warlock and Warpath Void Knight</description>
  <lastModifiedInVersion>1.0.0.4</lastModifiedInVersion>
  <lootFilterVersion>0</lootFilterVersion>
  <rules>
    <!-- Base rule to hide all items -->

trozet

root@ovn-worker2 ~]# tcpdump -i any 'port 80 or port 30973' -nneev
tcpdump: WARNING: any: That device doesn't support promiscuous mode
(Promiscuous mode not supported on the "any" device)
dropped privs to tcpdump
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
18:51:34.072883 genev_sys_6081 P   ifindex 8 0a:58:64:58:00:03 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 63, id 17095, offset 0, flags [DF], proto TCP (6), length 60)
    10.244.0.3.45952 > 172.18.0.2.30973: Flags [S], cksum 0x3355 (correct), seq 800905722, win 65280, options [mss 1360,sackOK,TS val 1346754696 ecr 0,nop,wscale 7], length 0
18:51:34.073256 ovn-k8s-mp0 In  ifindex 6 0a:58:0a:f4:01:01 ethertype IPv4 (0x0800), length 80: (tos 0x0, ttl 62, id 17095, offset 0, flags [DF], proto TCP (6), length 60)
    10.244.0.3.45952 > 172.18.0.2.30973: Flags [S], cksum 0x3355 (correct), seq 800905722, win 65280, options [mss 1360,sackOK,TS val 1346754696 ecr 0,nop,wscale 7], length 0
18:51:34.073271 ov

trozet

[root@ovn-worker ~]# ovn-trace --ct new ovn-worker 'inport == "k8s-ovn-worker" && eth.src == 0a:58:0a:f4:02:02 && eth.dst == 0a:58:0a:f4:02:01 && tcp && ip4.src==172.18.0.2 && ip4.dst==172.18.0.4 && ip.ttl==64 && tcp.dst==31470'
# tcp,reg14=0x2,vlan_tci=0x0000,dl_src=0a:58:0a:f4:02:02,dl_dst=0a:58:0a:f4:02:01,nw_src=172.18.0.2,nw_dst=172.18.0.4,nw_tos=0,nw_ecn=0,nw_ttl=64,nw_frag=no,tp_src=0,tp_dst=31470,tcp_flags=0

ingress(dp="ovn-worker", inport="k8s-ovn-worker")
-------------------------------------------------
 0. ls_in_check_port_sec (northd.c:9433): 1, priority 50, uuid 9c2358e2
    reg0[15] = check_in_port_sec();
    next;
 4. ls_in_pre_acl (northd.c:6168): ip, priority 100, uuid 5c6ff985
    reg0[0] = 1;