Implement flow aging triggered by TCP state machine
- Series trunk
- Bug #1362701
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Juniper Openstack | Status tracked in Trunk | | |
R2.20 | Fix Committed | High | Anand H. Krishnan |
Trunk | Fix Committed | High | Anand H. Krishnan |
Bug Description
Per discussion with Harshad and Anand.
Instead of always waiting for a TCP flow to time out (default 300 secs), vRouter needs to examine TCP flags and age the flow out based on FIN/FIN_ACK/RST.
description: | updated |
Changed in juniperopenstack: | |
milestone: | r2.0-fcs → none |
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #1 |
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #2 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit 31eb1cea2627630
Author: Anand H. Krishnan <email address hidden>
Date: Fri Jun 5 16:12:17 2015 +0530
TCP connection state awareness for faster flow aging
If a flow has already seen a tcp session close (either through the FIN
mechanism or through the RST mechanism), that flow can be dismantled
immediately instead of waiting for the flow aging time. vRouter will
now track the connection closure (RST as well as FIN/FIN-ACK/ACK or
FIN-ACK-FIN-ACK) and when it comprehends a session close will send a
trap to agent to indicate that the flow(forward/
dismantled.
Similarly, connections to non-existent systems can result in inactive
flows that could be dismantled after proper backouts. vRouter will track
SYN, SYN-ACK, ACK sequence to mark the flow with flags indicating that
it has seen SYN and a session establishment (if the cycle goes through),
which can be used to dismantle dummy flows.
Change-Id: I343fb6d56ef16a
Partial-BUG: #1362701
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #3 |
Review in progress for https:/
Submitter: Naveen N (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #6 |
Review in progress for https:/
Submitter: Naveen N (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #7 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit c6906d147619615
Author: Naveen N <email address hidden>
Date: Tue Jul 28 04:14:50 2015 -0700
* Agent changes for TCP connection state awareness for faster flow aging
1> Flow eviction by vrouter
If a closed or reset TCP session flow is present in a flow bucket
then vrouter could evict the flow and use the slot for
a new flow, agent would then delete the evicted flow internally
and send a message to delete reverse flow
2> Closed or reset flow would be deleted by agent during aging
cycle.
3> If a flow is stuck in SYN state for more than 180 seconds
delete the flow.
TBD:
Update stats for deleted flow
Make SYN flow timeout configurable
Partial-BUG: #1362701
Change-Id: Iebfd584794794b
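The commit messages above describe two cooperating pieces: the datapath marks a flow from the SYN / SYN-ACK / ACK and FIN / RST sequences it sees, and the aging pass uses those marks (plus the 180-second SYN limit) to free entries early. The following C sketch is an added example, not code from OpenContrail; every identifier in it (`tcp_update`, `flow_age`, `replay`, the `FS_*` bits) is hypothetical, and it assumes the 300-second default is an idle timer.

```c
#include <stdint.h>
#include <stdio.h>

enum { TH_FIN = 0x01, TH_SYN = 0x02, TH_RST = 0x04, TH_ACK = 0x10 }; /* TCP header flags */
/* Hypothetical per-session state bits (not vRouter's own names). */
enum { FS_SYN = 1, FS_SYN_ACK = 2, FS_ESTAB = 4, FS_FIN_FWD = 8,
       FS_FIN_REV = 16, FS_CLOSED = 32, FS_RST = 64 };
enum { IDLE_TIMEOUT = 300, SYN_TIMEOUT = 180 }; /* seconds; figures from the page */
enum dir { FWD, REV };
enum verdict { KEEP, EVICT_CLOSED, DELETE_SYN_STUCK, DELETE_IDLE };

struct session { unsigned state; uint32_t created, last_seen; };
struct pkt { enum dir d; uint8_t flags; uint32_t t; }; /* one trace entry */

/* Fold one packet's TCP flags into the session state. Sequence numbers are
 * not validated, which a real datapath would also have to consider. */
static void tcp_update(struct session *s, const struct pkt *p)
{
    s->last_seen = p->t;
    if (p->flags & TH_RST) { s->state |= FS_RST; return; }
    if (p->flags & TH_SYN) {
        if (p->d == FWD && !(p->flags & TH_ACK))
            s->state |= FS_SYN;
        else if (p->d == REV && (p->flags & TH_ACK) && (s->state & FS_SYN))
            s->state |= FS_SYN_ACK;
        return;
    }
    if (p->flags & TH_FIN) {
        s->state |= (p->d == FWD) ? FS_FIN_FWD : FS_FIN_REV;
    } else if (p->flags & TH_ACK) {
        if ((s->state & FS_FIN_FWD) && (s->state & FS_FIN_REV))
            s->state |= FS_CLOSED;  /* bare ACK after both FINs */
        else if (p->d == FWD && (s->state & FS_SYN_ACK))
            s->state |= FS_ESTAB;   /* third step of the handshake */
    }
}

/* Aging decision at time `now` (seconds): closed/reset first, then SYN-stuck. */
static enum verdict flow_age(const struct session *s, uint32_t now)
{
    if (s->state & (FS_CLOSED | FS_RST)) return EVICT_CLOSED;
    if ((s->state & FS_SYN) && !(s->state & FS_ESTAB) && now - s->created > SYN_TIMEOUT)
        return DELETE_SYN_STUCK;
    return (now - s->last_seen > IDLE_TIMEOUT) ? DELETE_IDLE : KEEP;
}

/* Replay a trace (its first packet creates the flow) and age it at `now`. */
enum verdict replay(const struct pkt *p, int n, uint32_t now)
{
    struct session s = { 0, p[0].t, p[0].t };
    for (int i = 0; i < n; i++) tcp_update(&s, &p[i]);
    return flow_age(&s, now);
}

int main(void)
{
    /* Constructed trace: SYN retransmitted to a host that never answers. */
    struct pkt syn_only[] = { { FWD, TH_SYN, 0 }, { FWD, TH_SYN, 3 } };
    printf("verdict at t=181: %d\n", replay(syn_only, 2, 181));
    return 0;
}
```

A half-closed session (one FIN acknowledged, the other side still sending) stays `KEEP` here, because only a bare ACK seen after both FINs, or an RST, marks the entry as reusable.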
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #8 |
Review in progress for https:/
Submitter: Prabhjot Singh Sethi (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #9 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #10 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit e0720c761167e12
Author: Prabhjot Singh Sethi <email address hidden>
Date: Mon Aug 10 09:38:18 2015 +0530
Fix Flow Delete message send to vrouter
Issue:
------
during flow delete due to translation from Non-NAT to NAT
vrouter-agent finds that reverse flow for an entry exists
with an index -1, so we skip deleting the forward flow.
Fix:
----
logic for skipping message based on reverse flow should
not be done for DEL OP.
Closes-Bug: 1483110
Related-Bug: 1362701
Change-Id: I5408ebf6fcbcce
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #11 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.22-dev | #12 |
Review in progress for https:/
Submitter: Naveen N (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #14 |
Review in progress for https:/
Submitter: Naveen N (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #15 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: R2.22-dev
commit 716b126ea6a1d7b
Author: Naveen N <email address hidden>
Date: Wed Sep 2 05:59:49 2015 -0700
* Add trap code to trap packets which are marked for trapping HOLD flow
This is a partial cherry-pick from mainline review
https:/
to get agent changes review in R2.2-dev
Partial-BUG: #1362701
Change-Id: I7dd4385fd592fc
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #16 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.22-dev | #17 |
Review in progress for https:/
Submitter: Naveen N (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #19 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: R2.22-dev
commit c2b95c01ec0a5d5
Author: Naveen N <email address hidden>
Date: Tue Aug 25 02:14:08 2015 -0700
* Agent changes for TCP connection state awareness for faster flow aging
1> Flow eviction by vrouter
If a closed or reset TCP session flow is present in a flow bucket
then vrouter could evict the flow and use the slot for
a new flow, agent would then delete the evicted flow internally
and send a message to delete reverse flow
2> Closed or reset flow would be deleted by agent during aging
cycle.
3> If a flow is stuck in SYN state for more than 180 seconds
delete the flow.
TBD:
Update stats for deleted flow
Make SYN flow timeout configurable
Partial-BUG: #1362701
Change-Id: I8ba40e808bb238
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.22-dev | #20 |
Review in progress for https:/
Submitter: Naveen N (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #22 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20 | #25 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #26 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: R2.20
commit eef346699c89ee9
Author: Anand H. Krishnan <email address hidden>
Date: Fri Jun 5 16:12:17 2015 +0530
TCP connection state awareness for faster flow aging
If a flow has already seen a tcp session close (either through the FIN
mechanism or through the RST mechanism), that flow can be dismantled
immediately instead of waiting for the flow aging time. vRouter will
now track the connection closure (RST as well as FIN/FIN-ACK/ACK or
FIN-ACK-FIN-ACK) and when it comprehends a session close will send a
trap to agent to indicate that the flow(forward/
dismantled.
Similarly, connections to non-existent systems can result in inactive
flows that could be dismantled after proper backouts. vRouter will track
SYN, SYN-ACK, ACK sequence to mark the flow with flags indicating that
it has seen SYN and a session establishment (if the cycle goes through),
which can be used to dismantle dummy flows.
Change-Id: I343fb6d56ef16a
Partial-BUG: #1362701
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #27 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #30 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit 507fda3d5deb22c
Author: Anand H. Krishnan <email address hidden>
Date: Thu Aug 20 14:40:13 2015 +0530
Flow eviction by datapath based on TCP states
Inactive TCP flows (flows that have already seen the closure cycle -
FIN/ACK or the RESET flags) should additionally be considered as a
free flow entry so that vRouter does not have to wait for agent to
accommodate new flows. This logic will provide better service under
severe occupancy. This modification also removes the previous logic
of trapping packets to agent when datapath detects closure of a TCP
stream.
Change-Id: I1009b10f990ea2
Partial-BUG: #1362701
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20 | #31 |
Review in progress for https:/
Submitter: Naveen N (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #32 |
Review in progress for https:/
Submitter: Praveen K V (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20 | #33 |
Review in progress for https:/
Submitter: Ashok Singh (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #34 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit 187cf8830648bcf
Author: Praveen K V <email address hidden>
Date: Wed Jul 29 16:08:06 2015 +0530
Flow optimizations - Run flow management in a work-queue
As part of flow processing we need to maintain data structures to keep
the flow action in-sync with config changes. Building these changes and
also re-evaluating flows when config change is notified can result in
significant latencies.
With this change we move the flow management part to a work-queue. The
flow management module is responsible to keep the flow in-sync with
config changes.
Few other slow operations such as logging/UVE also will be
moved to this module in subsequent commits.
Partial-Bug: #1479295
Removing the config listener
After IFmap dependency manager is introduced for all the objects in Agent,
the config listener does not play any role other than invoking node observers
and link observers, which is taken care in dependency manager itself.
As part of the same, Uuid change of node is also detected and handled.
Couple of test cases are moved out of flaky tests.
closes-bug: #1480124
Split flow_table.cc to create new file flow_entry.cc
Move FlowEntry methods to new file flow_entry.cc and flow_entry.h
No changes in functionality
Partial-Bug: #1479295
Move Flow logging to Flow Management module
Define a message to enqueue Flow Export requests in Flow Management module. Move FlowExport functionality from FlowTable to
Flow Management module. Replace FlowExport API calls in Flow Stats collector and Flow Table with a message to Flow Management
module.
Partial-Bug: #1479295
Run FlowTable processing from work-queue
This change is a step towards running Flow setup in multiple threads. Flow
creation is a two step process,
FlowHandler :
FlowEntry are created and flow action are determined in this context.
This stage can potentially run in multiple threads (future commits)
FlowHandler runs from a workqueue in "Agent:
FlowTable :
1. Manage flow_entry_map_ which contains all flows
2. Enforce the per-VM flow limits
3. Generate events to KSync and FlowMgmt modules
FlowTable runs from a workqueue in "Agent::FlowTable" task context
Partial-Bug: #1479295
Optimize packet processing ASIO context
Method PktHandler:
processing was done in HandleRcvPkt within this context,
- Decode of the packet including decoding on tunnel headers
- In case of bare-metal, identification of interface based on MAC address
This commit minimizes processing in ASIO context. Packets are enqueued to
module work-queue based on the agent-header. The packet decode is
subsequently done when work-queue is scheduled.
Partial-Bug: #1479295
* Track static and floating ip preference based on instance ip
1> Floating ip, static route and allowed address pair in ecmp
mode would have preference published based on instance-ip
preference
2> If allowed-address pair address is configured in active-stdby
mode, r...
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20 | #35 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #36 |
Review in progress for https:/
Submitter: Naveen N (<email address hidden>)
information type: | Proprietary → Public |
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #38 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: R2.20
commit d5d1f1a0b95649f
Author: Naveen N <email address hidden>
Date: Tue Oct 20 03:48:38 2015 -0700
Agent changes for TCP connection state awareness for faster flow aging
1> Flow eviction by vrouter
If a closed or reset TCP session flow is present in a flow bucket
then vrouter could evict the flow and use the slot for
a new flow, agent would then delete the evicted flow internally
and send a message to delete reverse flow
2> Closed or reset flow would be deleted by agent during aging
cycle.
3> If a flow is stuck in SYN state for more than 180 seconds
delete the flow.
TBD:
Update stats for deleted flow
Partial-BUG: #1362701
Change-Id: Iceb358c835d805
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20 | #39 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #41 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: R2.20
commit 32ff12b67f62dd9
Author: Anand H. Krishnan <email address hidden>
Date: Thu Aug 20 14:40:13 2015 +0530
Flow eviction by datapath based on TCP states
Inactive TCP flows (flows that have already seen the closure cycle -
FIN/ACK or the RESET flags) should additionally be considered as a
free flow entry so that vRouter does not have to wait for agent to
accommodate new flows. This logic will provide better service under
severe occupancy. This modification also removes the previous logic
of trapping packets to agent when datapath detects closure of a TCP
stream.
Change-Id: I1009b10f990ea2
Partial-BUG: #1362701
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20 | #42 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #44 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: R2.20
commit 8d9a87f2c34b61d
Author: Anand H. Krishnan <email address hidden>
Date: Mon Nov 30 14:14:14 2015 +0530
Logic to reset statistics of the evicted reverse flow
The point where we reset statistics for an evicted flow is when we
trap the first packet to the agent. The trap message carries the
old statistics. However, for the reverse flow, there is no trap.
Hence, the statistics of the evicted reverse flow entry is sent
back to the agent in the sandesh flow message and reset once the
agent tries to add the reverse flow entry.
Change-Id: Ic67318b9632f39
Closes-BUG: 1362701
OpenContrail Admin (ci-admin-f) wrote : [Review update] R2.20 | #45 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #47 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: R2.20
commit d752dcfc645d2c3
Author: Anand H. Krishnan <email address hidden>
Date: Wed Dec 9 14:22:43 2015 +0530
Set appropriate TCP flags in reverse flow at creation
When agent creates a reverse flow for an existing forward flow,
appropriate TCP flags should also be set based on the TCP flags
that are set in the forward flow. Otherwise, eviction
(and other features that depend on flags in both forward and
reverse entries) might not work. Case in point is the D flag.
Any fragment other than the first fragment of the packet should
not be allowed to create a new flow.
While creating a defer call back, unset the evict flags only if
the context that led to creation of the defer was because of
eviction. Otherwise, there could be some misbehavior.
Allow eviction for flows even if there is only one way link
between forward and the reverse flow
Change-Id: I7bccd256e4d33e
Closes-BUG: 1362701
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #48 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : | #50 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #52 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit a345a66a4446ea5
Author: Anand H. Krishnan <email address hidden>
Date: Mon Nov 30 14:14:14 2015 +0530
Logic to reset statistics of the evicted reverse flow
The point where we reset statistics for an evicted flow is when we
trap the first packet to the agent. The trap message carries the
old statistics. However, for the reverse flow, there is no trap.
Hence, the statistics of the evicted reverse flow entry is sent
back to the agent in the sandesh flow message and reset once the
agent tries to add the reverse flow entry.
Change-Id: Ic67318b9632f39
Closes-BUG: 1362701
OpenContrail Admin (ci-admin-f) wrote : | #53 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit 7e8bbfd8c994ef5
Author: Anand H. Krishnan <email address hidden>
Date: Wed Dec 9 14:22:43 2015 +0530
Set appropriate TCP flags in reverse flow at creation
When agent creates a reverse flow for an existing forward flow,
appropriate TCP flags should also be set based on the TCP flags
that are set in the forward flow. Otherwise, eviction
(and other features that depend on flags in both forward and
reverse entries) might not work. Case in point is the D flag.
Any fragment other than the first fragment of the packet should
not be allowed to create a new flow.
While creating a defer call back, unset the evict flags only if
the context that led to creation of the defer was because of
eviction. Otherwise, there could be some misbehavior.
Allow eviction for flows even if there is only one way link
between forward and the reverse flow
Change-Id: I7bccd256e4d33e
Closes-BUG: 1362701
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #54 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #56 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit 3844e209ac5a3d3
Author: Anand H. Krishnan <email address hidden>
Date: Tue Jan 12 15:23:54 2016 +0530
Retain EVICTED flag and flow type for evicted flows
Change-Id: I876d0c0ad883d7
Closes-BUG: #1362701
OpenContrail Admin (ci-admin-f) wrote : [Review update] master | #57 |
Review in progress for https:/
Submitter: Anand H. Krishnan (<email address hidden>)
OpenContrail Admin (ci-admin-f) wrote : A change has been merged | #59 |
Reviewed: https:/
Committed: http://
Submitter: Zuul
Branch: master
commit 81a2a0336897b7f
Author: Anand H. Krishnan <email address hidden>
Date: Fri Feb 12 14:55:20 2016 +0530
Do not zero the flow key at deletion
In case of eviction, it helps to know what key was present in the
flow entry. Hence, do not zero out the key during eviction.
Change-Id: If98c1367f37d81
Closes-BUG: #1362701
Review in progress for https://review.opencontrail.org/11308
Submitter: Anand H. Krishnan (<email address hidden>)