- Executive Summary
- High‑Level Architecture & Design
- EVPN Implementation Components
- Data Model / Schema Options
- Northd / Logical Flow Changes
- ovn‑controller EVPN Modules
| ####### CDN - managed with SNAT=true | |
| [root@ovn-control-plane ~]# ovn-nbctl lr-route-list ovn_cluster_router | |
| IPv4 Routes | |
| Route Table <main>: | |
| 100.64.0.2 100.64.0.2 dst-ip | |
| 10.244.0.0/24 100.64.0.2 src-ip | |
| 10.244.0.0/16 100.64.0.2 src-ip | |
| package ops | |
| import ( | |
| "context" | |
| "fmt" | |
| "runtime" | |
| "strings" | |
| "sync/atomic" | |
| "testing" | |
| "time" |
| diff --git a/go-controller/pkg/libovsdb/ops/switch_test.go b/go-controller/pkg/libovsdb/ops/switch_test.go | |
| index f24d0ad162..29ee4bfef7 100644 | |
| --- a/go-controller/pkg/libovsdb/ops/switch_test.go | |
| +++ b/go-controller/pkg/libovsdb/ops/switch_test.go | |
| @@ -5,10 +5,93 @@ import ( | |
| "fmt" | |
| "testing" | |
| + libovsdbclient "github.com/ovn-kubernetes/libovsdb/client" | |
| + "github.com/ovn-kubernetes/libovsdb/ovsdb" |
| trozet@fedora:~/go/src/github.com/ovn-org/ovn-kubernetes/go-controller$ git diff | |
| diff --git a/go-controller/pkg/clustermanager/pod/allocator.go b/go-controller/pkg/clustermanager/pod/allocator.go | |
| index b1919afd1c..1832ebf0d7 100644 | |
| --- a/go-controller/pkg/clustermanager/pod/allocator.go | |
| +++ b/go-controller/pkg/clustermanager/pod/allocator.go | |
| @@ -217,7 +217,12 @@ func (a *PodAllocator) reconcile(old, new *corev1.Pod, releaseFromAllocator bool | |
| } | |
| } | |
| - onNetwork, networkMap, err := util.GetPodNADToNetworkMappingWithActiveNetwork(pod, a.netInfo, activeNetwork) |
| [root@ovn-worker2 ~]# ovs-appctl dpctl/dump-flows | |
| recirc_id(0x95),dp_hash(0x4/0xf),in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:5714, bytes:422836, used:0.044s, flags:S, actions:ct(commit,zone=34,mark=0xa/0xa,nat(dst=10.20.2.4:80)),recirc(0x96) | |
| recirc_id(0x9f),in_port(8),skb_mark(0),ct_state(-new+est-rel+rpl-inv+trk),ct_mark(0/0x4f),eth(src=0a:58:64:41:00:01,dst=0a:58:64:41:00:04),eth_type(0x0800),ipv4(dst=172.18.0.3,proto=6,ttl=63,frag=no), packets:556858, bytes:144608298, used:0.004s, flags:SFP., actions:set(eth(src=76:74:a3:6e:b2:6a,dst=be:81:2b:de:de:37)),set(ipv4(ttl=62)),ct(zone=34,nat),recirc(0xa4) | |
| recirc_id(0x95),dp_hash(0x9/0xf),in_port(2),eth(),eth_type(0x0800),ipv4(frag=no), packets:5799, bytes:429126, used:0.024s, flags:S, actions:ct(commit,zone=34,mark=0xa/0xa,nat(dst=10.20.2.4:80)),recirc(0x96) | |
| recirc_id(0),in_port(2),skb_mark(0),eth(dst=76:74:a3:6e:b2:6a),eth_type(0x0800),ipv4(dst=172.18.0.2,proto=6,frag=no),tcp(dst=32768/0x8000), packets:280, bytes:263034, used:4.598s, flags:P., a |
| use std::collections::HashSet; | |
| use std::net::IpAddr; | |
| use once_cell::sync::Lazy; | |
| use proxy_wasm::traits::*; | |
| use proxy_wasm::types::*; | |
| use serde::Deserialize; | |
| use serde_json::Value; | |
/// Presumed fallback allow-list of client IPs (the name suggests it stands in
/// when no allow-list is configured — confirm against the code that reads it).
/// The set is built empty on first access; whether an empty set means
/// "deny everything" or "permit everything" is decided by the filter logic
/// that consults it, which is not shown here.
static DEFAULT_ALLOWED_IPS: Lazy<HashSet<IpAddr>> = Lazy::new(|| HashSet::new());
Whenever an IP block is provided as match criteria for an Egress Firewall, we check whether it overlaps with the current pod subnet. If it does, we add an exclusion match criterion to the ACL so that east/west traffic is not affected by the firewall. Today, when a NAD changes, a handleNetworkEvent callback is made from the NAD Controller to the Egress Firewall controller. This callback causes any Egress Firewall in the NAD's namespace to be reconciled. This should force the ACLs to be regenerated if the new subnet overlaps with the IP block in the Egress Firewall.
| [root@ovn-worker2 ~]# ovs-appctl ofproto/trace breth0 in_port=LOCAL,dl_src=66:a6:bc:8d:62:3f,dl_dst=0a:58:a9:fe:00:04,tcp,tp_dst=80,nw_dst=10.96.134.186,nw_src=172.18.0.2,nw_ttl=25 | |
| Flow: tcp,in_port=LOCAL,vlan_tci=0x0000,dl_src=66:a6:bc:8d:62:3f,dl_dst=0a:58:a9:fe:00:04,nw_src=172.18.0.2,nw_dst=10.96.134.186,nw_tos=0,nw_ecn=0,nw_ttl=25,nw_frag=no,tp_src=0,tp_dst=80,tcp_flags=0 | |
| bridge("breth0") | |
| ---------------- | |
| 0. ip,in_port=LOCAL,nw_dst=10.96.0.0/16, priority 500, cookie 0xdeff105 | |
| ct(commit,table=2,zone=64001,nat(src=169.254.0.2)) | |
| nat(src=169.254.0.2) | |
| -> A clone of the packet is forked to recirculate. The forked pipeline will be resumed at table 2. | |
| -> Sets the packet to an untracked state, and clears all the conntrack fields. |
| package trustzone | |
| import ( | |
| "encoding/json" | |
| "testing" | |
| metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" | |
| "k8s.io/apimachinery/pkg/labels" | |
| ) |