Skip to content

Use underlay prefix and two harcoded bytes for traffic isolation #709

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
guvenc merged 8 commits into from
Aug 28, 2025
Merged

Use underlay prefix and two harcoded bytes for traffic isolation #709

guvenc merged 8 commits into from
Aug 28, 2025

Conversation

@guvenc
Copy link
Collaborator

@guvenc guvenc commented Aug 13, 2025

Do not isolate only the ip in ipv6 encapsulated packets but also the specific subnet used by dpservice on a given node.

@guvenc guvenc requested a review from a team as a code owner August 13, 2025 14:40
@github-actions github-actions bot added size/S bug Something isn't working enhancement New feature or request labels Aug 13, 2025
@guvenc guvenc marked this pull request as draft August 13, 2025 14:41
@guvenc guvenc force-pushed the feature/isolated_mode_change branch from a79536f to f482881 Compare August 13, 2025 14:42
@github-actions github-actions bot added size/M and removed size/S labels Aug 13, 2025
@guvenc guvenc force-pushed the feature/isolated_mode_change branch from 47267ce to 256c6b4 Compare August 13, 2025 17:51
@byteocean
Copy link
Contributor

byteocean commented Aug 14, 2025

The changes passed the benchmark tests on our lab machines, both the offloading and non-offloading mode.

@guvenc guvenc changed the title Use underlay prefix and two harcoded bytes for traffic isolation - WIP Use underlay prefix and two harcoded bytes for traffic isolation Aug 20, 2025
@guvenc guvenc marked this pull request as ready for review August 20, 2025 10:35
@guvenc guvenc self-assigned this Aug 20, 2025
@guvenc guvenc requested review from PlagueCZ and byteocean August 20, 2025 10:35
PlagueCZ
PlagueCZ requested changes Aug 20, 2025
View reviewed changes
Copy link
Contributor

@PlagueCZ PlagueCZ left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Small details found.

Also I would like to discuss the prefix idea

@guvenc guvenc linked an issue Aug 20, 2025 that may be closed by this pull request
Adjust isolation rules to eliminate ipv6 encapsulation dependency #711
Closed
@byteocean byteocean mentioned this pull request Aug 20, 2025
Merged
@github-actions github-actions bot added size/L and removed size/M labels Aug 23, 2025
@PlagueCZ PlagueCZ force-pushed the feature/isolated_mode_change branch from a63bb86 to 315d2ea Compare August 23, 2025 23:30
@github-actions github-actions bot added the documentation Improvements or additions to documentation label Aug 23, 2025
@PlagueCZ PlagueCZ marked this pull request as draft August 23, 2025 23:31
@github-actions github-actions bot added size/XL and removed size/L labels Aug 24, 2025
@PlagueCZ PlagueCZ force-pushed the feature/isolated_mode_change branch 3 times, most recently from 5bfded9 to c30b16d Compare August 24, 2025 22:24
@PlagueCZ
Copy link
Contributor

PlagueCZ commented Aug 24, 2025

I finished the needed changes, moved to range d000..dfff, ported changes to async flow rules and then removed all rules for virtual services as they are no longer necessary.

Code is much simpler everywhere now.

I documented my prefix schema in docs/deployment/ and added support for vnf_type to be encoded in the address (optional in meson). I reordered vnf_type because I implemented this change in metalnet already and ordered it to be easily remembered, only later finding that the same enum already exists in dpservice. This is also why the one test needed to change (wcmp hash changed).

I tested on pytest with HW (mellanox) tests, and also deployed in OSC, both normal and multiport setup, i.e. both sync and async rules are fully tested and working fine. I believe Florin will be testing the running of a separate IPIP tunnel in parallel to dpservice on Monday.

I also moved dp_rte_flow_init module to dp_rte_flow_isolation to be consistent with the async version.

@PlagueCZ PlagueCZ marked this pull request as ready for review August 24, 2025 22:45
@PlagueCZ
Copy link
Contributor

PlagueCZ commented Aug 25, 2025

Florin confirmed that independent IPIP traffic is now able to work alongside dpservice. This is on async multiport eswitch setup.

@PlagueCZ PlagueCZ force-pushed the feature/isolated_mode_change branch from c30b16d to f219b2f Compare August 27, 2025 15:10
@guvenc
Copy link
Collaborator Author

guvenc commented Aug 27, 2025

LGTM

@guvenc guvenc merged commit f219b2f into main Aug 28, 2025
6 checks passed
@guvenc guvenc deleted the feature/isolated_mode_change branch August 28, 2025 07:30
@github-project-automation github-project-automation bot moved this to Done in Roadmap Aug 28, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@PlagueCZ PlagueCZ PlagueCZ approved these changes

@byteocean byteocean Awaiting requested review from byteocean

Assignees

@guvenc guvenc

@PlagueCZ PlagueCZ

Labels

area/networking bug Something isn't working documentation Improvements or additions to documentation enhancement New feature or request size/XL

Projects

Roadmap
Status: Done

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Adjust isolation rules to eliminate ipv6 encapsulation dependency

5 participants

@guvenc @byteocean @PlagueCZ @hardikdr