Supports Connection Tracking feature using OVS
Separates routing flow rules from switching rules for simplicity
Supports complete tenant isolation
A tenant cannot create more than one subnet with the same IP address range, even in different virtual networks. However, the same subnet can be defined across tenants.
(1) VNI table
- Tag the packet with the VNI of its source (by looking at the in_port ??)
table=0,ip,in_port=1 actions=set_field:0x402->tun_id,goto_table:1
(2) ACL tables
table=2,ip,nw_src=10.10.0.10,nw_dst=10.10.0.12 actions=goto_table:4
table=3,in_port=4,ip,ct_state=+trk+new,nw_dst=10.10.0.13/32 actions=ct(commit),goto_table:4
(3) Routing table
Check whether eth_dst is the virtual gateway MAC (fa:00:00:00:00:00). If not, go to the switching table.
Allow packets whose source VNI, source subnet and destination subnet are connected via a router.
If the packet comes from a different subnet, rewrite the VNI to that of the destination, because all flow rules in the switching table forward packets using the VNI of the destination VM.
table=4,ip,tun_id=0x402,nw_src=10.10.0.0/24,dl_src=00:00:00:00:04:02,nw_dst=10.10.0.0/24 actions=set_field:0x402->tun_id,goto_table:5
(4) Switching table
Sets the destination MAC address according to the destination IP address.
This rewrite is required for routing, but we do not want to create another table only for that action.
We believe the additional action will not degrade overall performance.
However, if it does, it needs to be moved to a separate routing table.
table=5,ip,nw_dst=10.10.0.13 actions=set_field:fa:16:3e:b8:92:fe->eth_dst,output:5
table=5,ip,nw_dst=10.10.0.10 actions=set_field:10.0.0.166->tun_dst,output:1
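The VNI, routing and switching stages above are shown as single flow rules; the following generator, an added example and not the project's own code, emits the corresponding rules for a whole topology in ovs-ofctl syntax. It assumes a constructed hypervisor endpoint (LOCAL_HOST), tunnel port and VM records, and it goes beyond the page's rules in one way: the switching table also matches tun_id, so that identical subnets defined by different tenants stay isolated.

```python
from dataclasses import dataclass

GATEWAY_MAC = "fa:00:00:00:00:00"  # virtual gateway MAC checked by the routing table
LOCAL_HOST = "10.0.0.165"          # constructed: tunnel endpoint IP of this hypervisor
TUNNEL_PORT = 1                    # constructed: OVS port of the VXLAN tunnel

@dataclass(frozen=True)
class VM:
    port: int    # OVS port of the VM on this hypervisor (0 if it lives elsewhere)
    ip: str
    mac: str
    subnet: str  # CIDR of the VM's subnet
    vni: int     # VNI of that subnet
    host: str    # tunnel endpoint IP of the hypervisor hosting the VM

def vni_rules(vms):
    """Table 0: tag each packet with the VNI of its source port, then enter the ACL tables (assumed at 2)."""
    return [f"table=0,ip,in_port={vm.port} actions=set_field:{vm.vni:#x}->tun_id,goto_table:2"
            for vm in vms if vm.host == LOCAL_HOST]

def routing_rules(vms, router_links):
    """Table 4: gateway-addressed traffic between subnets joined by a router is re-tagged
    with the destination VNI; other gateway traffic is dropped; the rest is only switched."""
    subnets = sorted({(vm.subnet, vm.vni) for vm in vms})
    rules = []
    for src_subnet, src_vni in subnets:
        for dst_subnet, dst_vni in subnets:
            if src_subnet != dst_subnet and frozenset((src_subnet, dst_subnet)) not in router_links:
                continue  # no virtual router between these two subnets
            rules.append(f"table=4,priority=10,ip,tun_id={src_vni:#x},dl_dst={GATEWAY_MAC},"
                         f"nw_src={src_subnet},nw_dst={dst_subnet} "
                         f"actions=set_field:{dst_vni:#x}->tun_id,goto_table:5")
    rules.append(f"table=4,priority=1,dl_dst={GATEWAY_MAC} actions=drop")  # assumed default
    rules.append("table=4,priority=0 actions=goto_table:5")
    return rules

def switching_rules(vms):
    """Table 5: destination VNI + IP select the destination MAC and port; VMs on another
    hypervisor leave through the tunnel port with tun_dst set to that hypervisor."""
    rules = []
    for vm in vms:
        match = f"table=5,ip,tun_id={vm.vni:#x},nw_dst={vm.ip}"
        if vm.host == LOCAL_HOST:
            rules.append(f"{match} actions=set_field:{vm.mac}->eth_dst,output:{vm.port}")
        else:
            rules.append(f"{match} actions=set_field:{vm.mac}->eth_dst,"
                         f"set_field:{vm.host}->tun_dst,output:{TUNNEL_PORT}")
    return rules
```

The concatenation of the three lists can be fed to `ovs-ofctl add-flows br-int -` one rule per line; the ACL tables (2, 3) carry tenant policy and are not generated here.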