ovs实现lb负载均衡

负载均衡定义

负载均衡器通过硬件或软件设备,按转发策略把客户端流量分发到多台后端服务器或设备上,以分摊各后端的负载并提高可用性。按工作的协议层次,常见的实现方式包括:

  1. 二层负载均衡:基于虚拟MAC地址,在OSI模型的二层进行分发。
  2. 四层负载均衡:基于IP+端口,只解析IP层及TCP/UDP层头部,不感知应用协议内容。
  3. 七层负载均衡:从应用层开始,根据URL、IP或主机名等内容接收请求,再转发给相应的处理服务器。

二层负载均衡

  • 网络设备:交换机
  • 过程分析:只有当pod访问负载均衡vip且是连接首包(ct_state=+new+trk)时,才命中switch上的负载均衡流表;在group里采用select机制按数据包哈希(selection_method=dp_hash,通常基于五元组)选择一个endpoint,提交conntrack并打上ct_mark[1]标记,同时dnat到该endpoint。后续报文不再进入group,而是由conntrack按已提交的NAT表项直接转换。ct_mark[1](即0x2)用于标识"经过LB转换"的连接,后文hairpin流表(table 68)正是靠ct_mark=0x2/0x2来识别这类流量。注意这里的"二层"指的是在逻辑交换机上完成负载均衡,匹配条件仍是IP+端口(nw_dst、tp_dst),本质上是四层DNAT。
  • ovs流表:
 table=19, priority=120,ct_state=+new+trk,tcp,metadata=0x1,nw_dst=10.96.187.144,tp_dst=10001 actions=load:0->NXM_NX_XXREG0[97],load:0xa60bb90->NXM_NX_XXREG0[64..95],load:0x2711->NXM_NX_XXREG0[32..47],group:5
 
# 在group里进行负载均衡
 group_id=5,type=select,selection_method=dp_hash,bucket=bucket_id:0,weight:100,actions=ct(commit,table=20,zone=NXM_NX_REG13[0..15],nat(dst=10.244.0.4:80),exec(load:0x1->NXM_NX_CT_MARK[1])),bucket=bucket_id:1,weight:100,actions=ct(commit,table=20,zone=NXM_NX_REG13[0..15],nat(dst=10.244.0.5:80),exec(load:0x1->NXM_NX_CT_MARK[1])),bucket=bucket_id:2,weight:100,actions=ct(commit,table=20,zone=NXM_NX_REG13[0..15],nat(dst=10.244.0.6:80),exec(load:0x1->NXM_NX_CT_MARK[1])),bucket=bucket_id:3,weight:100,actions=ct(commit,table=20,zone=NXM_NX_REG13[0..15],nat(dst=10.244.0.7:80),exec(load:0x1->NXM_NX_CT_MARK[1]))
  • ovn流表:
#  ovn-trace --ct=new node1 'inport=="ovn-poc_service-a-89c68dc96-f75t2" && eth.src== 0a:58:0a:f4:00:04 && eth.dst == 0a:58:0a:f4:00:01 && ip4.src==10.244.0.4 && ip.ttl==64 && ip4.dst==10.96.187.144 && tcp.dst==10001'
# tcp,reg14=0x3,vlan_tci=0x0000,dl_src=0a:58:0a:f4:00:04,dl_dst=0a:58:0a:f4:00:01,nw_src=10.244.0.4,nw_dst=10.96.187.144,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=10001,tcp_flags=0

ingress(dp="node1", inport="ovn-poc_service-a-89c68dc96-f75t2")
---------------------------------------------------------------
 0. ls_in_check_port_sec (northd.c:7727): 1, priority 50, uuid 03dc908c
    reg0[15] = check_in_port_sec();
    next;
 4. ls_in_pre_acl (northd.c:5649): ip, priority 100, uuid df97729f
    reg0[0] = 1;
    next;
 5. ls_in_pre_lb (northd.c:5820): ip, priority 100, uuid 1990086a
    reg0[2] = 1;
    next;
 6. ls_in_pre_stateful (northd.c:5852): reg0[2] == 1 && ip4 && tcp, priority 120, uuid 454a1f78
    reg1 = ip4.dst;
    reg2[0..15] = tcp.dst;
    ct_lb_mark;

ct_lb_mark
----------
 7. ls_in_acl_hint (northd.c:5929): ct.new && !ct.est, priority 7, uuid 24ab3fd0
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 8. ls_in_acl (northd.c:6545): ip && !ct.est, priority 1, uuid 8eaca776
    reg0[1] = 1;
    next;
11. ls_in_lb (northd.c:6858): ct.new && ip4.dst == 10.96.187.144 && tcp.dst == 10001, priority 120, uuid 4bf79ca8
    reg0[1] = 0;
    reg1 = 10.96.187.144;
    reg2[0..15] = 10001;
    ct_lb_mark(backends=10.244.0.4:80,10.244.0.5:80,10.244.0.6:80,10.244.0.7:80);

ct_lb_mark /* default (use --ct to customize) */
------------------------------------------------
14. ls_in_pre_hairpin (northd.c:6931): ip && ct.trk, priority 100, uuid 1328c195
    reg0[6] = chk_lb_hairpin();
    reg0[12] = chk_lb_hairpin_reply();
    *** chk_lb_hairpin_reply action not implemented
    next;
23. ls_in_l2_lkup (northd.c:8465): eth.dst == 0a:58:0a:f4:00:01, priority 50, uuid 3c5ecd19
    outport = "stor-node1";
    output;

egress(dp="node1", inport="ovn-poc_service-a-89c68dc96-f75t2", outport="stor-node1")
------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5538): ip && outport == "stor-node1", priority 110, uuid 2d693c30
    next;
 1. ls_out_pre_acl (northd.c:5538): ip && outport == "stor-node1", priority 110, uuid c384472d
    next;
 3. ls_out_acl_hint (northd.c:5992): ct.est && ct_mark.blocked == 0, priority 1, uuid f77da843
    reg0[10] = 1;
    next;
 8. ls_out_check_port_sec (northd.c:5505): 1, priority 0, uuid 4fb4d39f
    reg0[15] = check_out_port_sec();
    next;
 9. ls_out_apply_port_sec (northd.c:5510): 1, priority 0, uuid 6d6e8323
    output;
    /* output to "stor-node1", type "patch" */

ingress(dp="ovn_cluster_router", inport="rtos-node1")
-----------------------------------------------------
 0. lr_in_admission (northd.c:10835): eth.dst == 0a:58:0a:f4:00:01 && inport == "rtos-node1" && is_chassis_resident("cr-rtos-node1"), priority 50, uuid be29772f
    xreg0[0..47] = 0a:58:0a:f4:00:01;
    next;
 1. lr_in_lookup_neighbor (northd.c:10979): 1, priority 0, uuid e1a8324c
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10988): reg9[2] == 1, priority 100, uuid 64a7073b
    next;
10. lr_in_ip_routing_pre (northd.c:11214): 1, priority 0, uuid 7dd0d651
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9629): ip4.dst == 10.244.0.0/24, priority 74, uuid 7546028c
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = ip4.dst;
    reg1 = 10.244.0.1;
    eth.src = 0a:58:0a:f4:00:01;
    outport = "rtos-node1";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11290): reg8[0..15] == 0, priority 150, uuid 95a7470d
    next;
13. lr_in_policy (northd.c:11457): 1, priority 0, uuid 9fff15f1
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11459): reg8[0..15] == 0, priority 150, uuid f7115b27
    next;
15. lr_in_arp_resolve (northd.c:11660): outport == "rtos-node1" && reg0 == 10.244.0.6, priority 100, uuid 5eb2a06d
    eth.dst = 0a:58:0a:f4:00:06;
    next;
18. lr_in_gw_redirect (northd.c:12060): outport == "rtos-node1", priority 50, uuid a372b2fa
    outport = "cr-rtos-node1";
    next;
19. lr_in_arp_request (northd.c:12178): 1, priority 0, uuid d469dbb2
    output;
    /* Replacing type "chassisredirect" outport "cr-rtos-node1" with distributed port "rtos-node1". */

egress(dp="ovn_cluster_router", inport="rtos-node1", outport="rtos-node1")
--------------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13442): 1, priority 0, uuid 43040472
    reg9[4] = 0;
    next;
 6. lr_out_delivery (northd.c:12225): outport == "rtos-node1", priority 100, uuid c027ddcd
    output;
    /* output to "rtos-node1", type "patch" */

ingress(dp="node1", inport="stor-node1")
----------------------------------------
 0. ls_in_check_port_sec (northd.c:7727): 1, priority 50, uuid 03dc908c
    reg0[15] = check_in_port_sec();
    next;
 4. ls_in_pre_acl (northd.c:5535): ip && inport == "stor-node1", priority 110, uuid dea94017
    next;
 5. ls_in_pre_lb (northd.c:5535): ip && inport == "stor-node1", priority 110, uuid 9594bbf7
    next;
 7. ls_in_acl_hint (northd.c:5992): ct.est && ct_mark.blocked == 0, priority 1, uuid 2c071dfe
    reg0[10] = 1;
    next;
14. ls_in_pre_hairpin (northd.c:6931): ip && ct.trk, priority 100, uuid 1328c195
    reg0[6] = chk_lb_hairpin();
    reg0[12] = chk_lb_hairpin_reply();
    *** chk_lb_hairpin_reply action not implemented
    next;
23. ls_in_l2_lkup (northd.c:8394): eth.dst == 0a:58:0a:f4:00:06, priority 50, uuid d57c86c5
    outport = "ovn-poc_service-a-89c68dc96-tgkwt";
    output;

egress(dp="node1", inport="stor-node1", outport="ovn-poc_service-a-89c68dc96-tgkwt")
------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5822): ip, priority 100, uuid fe121cbf
    reg0[2] = 1;
    next;
 1. ls_out_pre_acl (northd.c:5651): ip, priority 100, uuid 105736e5
    reg0[0] = 1;
    next;
 2. ls_out_pre_stateful (northd.c:5872): reg0[2] == 1, priority 110, uuid 1c6b05ef
    ct_lb_mark;

ct_lb_mark /* default (use --ct to customize) */
------------------------------------------------
 3. ls_out_acl_hint (northd.c:5992): ct.est && ct_mark.blocked == 0, priority 1, uuid f77da843
    reg0[10] = 1;
    next;
 8. ls_out_check_port_sec (northd.c:5505): 1, priority 0, uuid 4fb4d39f
    reg0[15] = check_out_port_sec();
    next;
 9. ls_out_apply_port_sec (northd.c:5510): 1, priority 0, uuid 6d6e8323
    output;
    /* output to "ovn-poc_service-a-89c68dc96-tgkwt", type "" */

三层负载均衡

  • 网络设备:路由器
  • 过程分析:只有当host访问负载均衡vip且是连接首包时,才走网关路由器(GR_node1)上的三层负载均衡;在group里同样采用select机制按数据包哈希(dp_hash)选择一个endpoint并dnat到该endpoint,再按dnat后的目的网段路由到ovn_cluster_router,最终转发到pod。trace中lr_in_dnat在执行ct_lb_mark前还置位了flags.force_snat_for_lb = 1,表示该连接的源地址会被强制SNAT为路由器的LB SNAT地址,一般是为了保证回包经同一网关路由器返回并完成un-dnat。
  • ovs流表:
table=14,  priority=120,ct_state=+new+trk,tcp,reg0=0xa60bb90,reg9=0x27110000/0xffff0000,metadata=0x7 actions=load:0x1->NXM_NX_REG10[3],group:6
 
 # 在group里进行负载均衡
 group_id=6,type=select,selection_method=dp_hash,bucket=bucket_id:0,weight:100,actions=ct(commit,table=15,zone=NXM_NX_REG11[0..15],nat(dst=10.244.0.4:80),exec(load:0x1->NXM_NX_CT_MARK[1])),bucket=bucket_id:1,weight:100,actions=ct(commit,table=15,zone=NXM_NX_REG11[0..15],nat(dst=10.244.0.5:80),exec(load:0x1->NXM_NX_CT_MARK[1])),bucket=bucket_id:2,weight:100,actions=ct(commit,table=15,zone=NXM_NX_REG11[0..15],nat(dst=10.244.0.6:80),exec(load:0x1->NXM_NX_CT_MARK[1])),bucket=bucket_id:3,weight:100,actions=ct(commit,table=15,zone=NXM_NX_REG11[0..15],nat(dst=10.244.0.7:80),exec(load:0x1->NXM_NX_CT_MARK[1]))
  • ovn流表:
# ovn-trace --ct=new ext_node1 'inport=="brenp0s10_node1" && eth.src==fa:92:01:b6:d4:fd && eth.dst==fa:92:01:b6:d4:fd && ip4.src==169.254.169.2 && ip4.dst==10.96.187.144 && ip && ip.ttl==64 && tcp.dst==10001'
# tcp,reg14=0x1,vlan_tci=0x0000,dl_src=fa:92:01:b6:d4:fd,dl_dst=fa:92:01:b6:d4:fd,nw_src=169.254.169.2,nw_dst=10.96.187.144,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=10001,tcp_flags=0

ingress(dp="ext_node1", inport="brenp0s10_node1")
-------------------------------------------------
 0. ls_in_check_port_sec (northd.c:7727): 1, priority 50, uuid 03dc908c
    reg0[15] = check_in_port_sec();
    next;
 5. ls_in_pre_lb (northd.c:5535): ip && inport == "brenp0s10_node1", priority 110, uuid 51131891
    next;
17. ls_in_arp_rsp (northd.c:7749): inport == "brenp0s10_node1", priority 100, uuid 55db24b2
    next;
23. ls_in_l2_lkup (northd.c:8394): eth.dst == fa:92:01:b6:d4:fd, priority 50, uuid 034b6bbe
    outport = "etor-GR_node1";
    output;

egress(dp="ext_node1", inport="brenp0s10_node1", outport="etor-GR_node1")
-------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5538): ip && outport == "etor-GR_node1", priority 110, uuid 2762bbbb
    next;
 8. ls_out_check_port_sec (northd.c:5505): 1, priority 0, uuid 4fb4d39f
    reg0[15] = check_out_port_sec();
    next;
 9. ls_out_apply_port_sec (northd.c:5510): 1, priority 0, uuid 6d6e8323
    output;
    /* output to "etor-GR_node1", type "l3gateway" */

ingress(dp="GR_node1", inport="rtoe-GR_node1")
----------------------------------------------
 0. lr_in_admission (northd.c:10835): eth.dst == fa:92:01:b6:d4:fd && inport == "rtoe-GR_node1", priority 50, uuid 8b77bd84
    xreg0[0..47] = fa:92:01:b6:d4:fd;
    next;
 1. lr_in_lookup_neighbor (northd.c:10979): 1, priority 0, uuid e1a8324c
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10988): reg9[2] == 1 || reg9[3] == 0, priority 100, uuid 2c666711
    next;
 5. lr_in_defrag (northd.c:10148): ip && ip4.dst == 10.96.187.144 && tcp, priority 110, uuid d7c84c30
    reg0 = 10.96.187.144;
    reg9[16..31] = tcp.dst;
    ct_dnat;

ct_dnat /* assuming no un-dnat entry, so no change */
-----------------------------------------------------
 6. lr_in_dnat (northd.c:9766): ct.new && ip4 && reg0 == 10.96.187.144 && tcp && reg9[16..31] == 10001, priority 120, uuid 16accb91
    flags.force_snat_for_lb = 1;
    ct_lb_mark(backends=10.244.0.4:80,10.244.0.5:80,10.244.0.6:80,10.244.0.7:80);

ct_lb_mark /* default (use --ct to customize) */
------------------------------------------------
10. lr_in_ip_routing_pre (northd.c:11214): 1, priority 0, uuid 7dd0d651
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9629): reg7 == 0 && ip4.dst == 10.244.0.0/16, priority 49, uuid b99c65d6
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = 100.64.0.1;
    reg1 = 100.64.0.3;
    eth.src = 0a:58:64:40:00:03;
    outport = "rtoj-GR_node1";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11290): reg8[0..15] == 0, priority 150, uuid 95a7470d
    next;
13. lr_in_policy (northd.c:11457): 1, priority 0, uuid 9fff15f1
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11459): reg8[0..15] == 0, priority 150, uuid f7115b27
    next;
15. lr_in_arp_resolve (northd.c:11493): ip4, priority 0, uuid 7becfca7
    get_arp(outport, reg0);
    /* MAC binding to 0a:58:64:40:00:01. */
    next;
19. lr_in_arp_request (northd.c:12178): 1, priority 0, uuid d469dbb2
    output;

egress(dp="GR_node1", inport="rtoe-GR_node1", outport="rtoj-GR_node1")
----------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13442): 1, priority 0, uuid 43040472
    reg9[4] = 0;
    next;
 1. lr_out_undnat (northd.c:13462): ip, priority 50, uuid 998e6c30
    flags.loopback = 1;
    ct_dnat;

ct_dnat /* assuming no un-dnat entry, so no change */
-----------------------------------------------------
 2. lr_out_post_undnat (northd.c:13464): ip && ct.new, priority 50, uuid 13cbb26f
    ct_commit;
    next;
 6. lr_out_delivery (northd.c:12225): outport == "rtoj-GR_node1", priority 100, uuid 215be6d1
    output;
    /* output to "rtoj-GR_node1", type "l3gateway" */

ingress(dp="join", inport="jtor-GR_node1")
------------------------------------------
 0. ls_in_check_port_sec (northd.c:7727): 1, priority 50, uuid 03dc908c
    reg0[15] = check_in_port_sec();
    next;
 5. ls_in_pre_lb (northd.c:5535): ip && inport == "jtor-GR_node1", priority 110, uuid e6087be9
    next;
23. ls_in_l2_lkup (northd.c:8465): eth.dst == 0a:58:64:40:00:01, priority 50, uuid 6a3b96d6
    outport = "jtor-ovn_cluster_router";
    output;

egress(dp="join", inport="jtor-GR_node1", outport="jtor-ovn_cluster_router")
----------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5538): ip && outport == "jtor-ovn_cluster_router", priority 110, uuid 843f9c76
    next;
 8. ls_out_check_port_sec (northd.c:5505): 1, priority 0, uuid 4fb4d39f
    reg0[15] = check_out_port_sec();
    next;
 9. ls_out_apply_port_sec (northd.c:5510): 1, priority 0, uuid 6d6e8323
    output;
    /* output to "jtor-ovn_cluster_router", type "patch" */

ingress(dp="ovn_cluster_router", inport="rtoj-ovn_cluster_router")
------------------------------------------------------------------
 0. lr_in_admission (northd.c:10835): eth.dst == 0a:58:64:40:00:01 && inport == "rtoj-ovn_cluster_router", priority 50, uuid 4a2c861f
    xreg0[0..47] = 0a:58:64:40:00:01;
    next;
 1. lr_in_lookup_neighbor (northd.c:10979): 1, priority 0, uuid e1a8324c
    reg9[2] = 1;
    next;
 2. lr_in_learn_neighbor (northd.c:10988): reg9[2] == 1, priority 100, uuid 64a7073b
    next;
10. lr_in_ip_routing_pre (northd.c:11214): 1, priority 0, uuid 7dd0d651
    reg7 = 0;
    next;
11. lr_in_ip_routing (northd.c:9629): ip4.dst == 10.244.0.0/24, priority 74, uuid 7546028c
    ip.ttl--;
    reg8[0..15] = 0;
    reg0 = ip4.dst;
    reg1 = 10.244.0.1;
    eth.src = 0a:58:0a:f4:00:01;
    outport = "rtos-node1";
    flags.loopback = 1;
    next;
12. lr_in_ip_routing_ecmp (northd.c:11290): reg8[0..15] == 0, priority 150, uuid 95a7470d
    next;
13. lr_in_policy (northd.c:11457): 1, priority 0, uuid 9fff15f1
    reg8[0..15] = 0;
    next;
14. lr_in_policy_ecmp (northd.c:11459): reg8[0..15] == 0, priority 150, uuid f7115b27
    next;
15. lr_in_arp_resolve (northd.c:11660): outport == "rtos-node1" && reg0 == 10.244.0.4, priority 100, uuid 98d8234d
    eth.dst = 0a:58:0a:f4:00:04;
    next;
18. lr_in_gw_redirect (northd.c:12060): outport == "rtos-node1", priority 50, uuid a372b2fa
    outport = "cr-rtos-node1";
    next;
19. lr_in_arp_request (northd.c:12178): 1, priority 0, uuid d469dbb2
    output;
    /* Replacing type "chassisredirect" outport "cr-rtos-node1" with distributed port "rtos-node1". */

egress(dp="ovn_cluster_router", inport="rtoj-ovn_cluster_router", outport="rtos-node1")
---------------------------------------------------------------------------------------
 0. lr_out_chk_dnat_local (northd.c:13442): 1, priority 0, uuid 43040472
    reg9[4] = 0;
    next;
 6. lr_out_delivery (northd.c:12225): outport == "rtos-node1", priority 100, uuid c027ddcd
    output;
    /* output to "rtos-node1", type "patch" */

ingress(dp="node1", inport="stor-node1")
----------------------------------------
 0. ls_in_check_port_sec (northd.c:7727): 1, priority 50, uuid 03dc908c
    reg0[15] = check_in_port_sec();
    next;
 4. ls_in_pre_acl (northd.c:5535): ip && inport == "stor-node1", priority 110, uuid dea94017
    next;
 5. ls_in_pre_lb (northd.c:5535): ip && inport == "stor-node1", priority 110, uuid 9594bbf7
    next;
 7. ls_in_acl_hint (northd.c:5992): ct.est && ct_mark.blocked == 0, priority 1, uuid 2c071dfe
    reg0[10] = 1;
    next;
14. ls_in_pre_hairpin (northd.c:6931): ip && ct.trk, priority 100, uuid 1328c195
    reg0[6] = chk_lb_hairpin();
    reg0[12] = chk_lb_hairpin_reply();
    *** chk_lb_hairpin_reply action not implemented
    next;
23. ls_in_l2_lkup (northd.c:8394): eth.dst == 0a:58:0a:f4:00:04, priority 50, uuid 50aab262
    outport = "ovn-poc_service-a-89c68dc96-f75t2";
    output;

egress(dp="node1", inport="stor-node1", outport="ovn-poc_service-a-89c68dc96-f75t2")
------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5822): ip, priority 100, uuid fe121cbf
    reg0[2] = 1;
    next;
 1. ls_out_pre_acl (northd.c:5651): ip, priority 100, uuid 105736e5
    reg0[0] = 1;
    next;
 2. ls_out_pre_stateful (northd.c:5872): reg0[2] == 1, priority 110, uuid 1c6b05ef
    ct_lb_mark;

ct_lb_mark /* default (use --ct to customize) */
------------------------------------------------
 3. ls_out_acl_hint (northd.c:5992): ct.est && ct_mark.blocked == 0, priority 1, uuid f77da843
    reg0[10] = 1;
    next;
 8. ls_out_check_port_sec (northd.c:5505): 1, priority 0, uuid 4fb4d39f
    reg0[15] = check_out_port_sec();
    next;
 9. ls_out_apply_port_sec (northd.c:5510): 1, priority 0, uuid 6d6e8323
    output;
    /* output to "ovn-poc_service-a-89c68dc96-f75t2", type "" */

hairpin(特殊场景lb)

  • 网络设备:交换机
  • 过程分析:当pod访问serviceIP,经负载均衡选中的endpoint恰好是自己时(源IP与dnat后的目的IP相同),switch会把源IP snat为vip(ct_snat_to_vip),再将源目mac互换、把outport置为inport,直接回送给源pod;整个过程在switch内完成,不需要再经过router。注意ovn-trace输出中的"chk_lb_hairpin_reply action not implemented"和"ct_snat_to_vip action not implemented"只是ovn-trace工具没有模拟这两个动作,并不代表真实数据面未实现;实际检测由下面table 68/69的流表完成,其中learn动作会为反方向报文动态生成table 69的匹配项(delete_learned表示连接删除时一并清理)。
  • ovs流表:
table=22, priority=100,ct_state=+trk,ip,metadata=0x1 actions=load:0->NXM_NX_REG10[7],resubmit(,68),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[102],load:0->NXM_NX_REG10[7],resubmit(,69),move:NXM_NX_REG10[7]->NXM_NX_XXREG0[108],resubmit(,23)
table=68, priority=100,ct_mark=0x2/0x2,tcp,reg1=0xa60b85f,reg2=0x2711/0xffff,nw_src=10.244.0.4,nw_dst=10.244.0.4,tp_dst=80 actions=load:0x1->NXM_NX_REG10[7],learn(table=69,delete_learned,cookie=0x8a0b4179,OXM_OF_METADATA[],eth_type=0x800,NXM_OF_IP_SRC[],ip_dst=10.96.184.95,nw_proto=6,NXM_OF_TCP_SRC[]=NXM_OF_TCP_DST[],load:0x1->NXM_NX_REG10[7])
  • ovn流表:
# ovn-trace --ct=new node1 'inport=="ovn-poc_service-a-89c68dc96-fm272" && eth.src== 0a:58:0a:f4:00:04 && eth.dst == 0a:58:0a:f4:00:01 && ip4.src==10.244.0.4 && ip.ttl==64 && ip4.dst==10.96.184.95 && tcp.dst==10001'
2023-11-16T02:15:46Z|00001|ovntrace|WARN|ovn-poc_service-a-89c68dc96-f75t2: unknown logical port
2023-11-16T02:15:46Z|00002|ovntrace|WARN|ovn-poc_service-a-89c68dc96-f75t2: unknown logical port
# tcp,reg14=0x3,vlan_tci=0x0000,dl_src=0a:58:0a:f4:00:04,dl_dst=0a:58:0a:f4:00:01,nw_src=10.244.0.4,nw_dst=10.96.184.95,nw_tos=0,nw_ecn=0,nw_ttl=64,tp_src=0,tp_dst=10001,tcp_flags=0

ingress(dp="node1", inport="ovn-poc_service-a-89c68dc96-fm272")
---------------------------------------------------------------
 0. ls_in_check_port_sec (northd.c:7727): 1, priority 50, uuid 03dc908c
    reg0[15] = check_in_port_sec();
    next;
 4. ls_in_pre_acl (northd.c:5649): ip, priority 100, uuid df97729f
    reg0[0] = 1;
    next;
 5. ls_in_pre_lb (northd.c:5820): ip, priority 100, uuid 1990086a
    reg0[2] = 1;
    next;
 6. ls_in_pre_stateful (northd.c:5852): reg0[2] == 1 && ip4 && tcp, priority 120, uuid 454a1f78
    reg1 = ip4.dst;
    reg2[0..15] = tcp.dst;
    ct_lb_mark;

ct_lb_mark
----------
 7. ls_in_acl_hint (northd.c:5929): ct.new && !ct.est, priority 7, uuid 24ab3fd0
    reg0[7] = 1;
    reg0[9] = 1;
    next;
 8. ls_in_acl (northd.c:6545): ip && !ct.est, priority 1, uuid 8eaca776
    reg0[1] = 1;
    next;
11. ls_in_lb (northd.c:6858): ct.new && ip4.dst == 10.96.184.95 && tcp.dst == 10001, priority 120, uuid 6b816103
    reg0[1] = 0;
    reg1 = 10.96.184.95;
    reg2[0..15] = 10001;
    ct_lb_mark(backends=10.244.0.4:80);

ct_lb_mark /* default (use --ct to customize) */
------------------------------------------------
14. ls_in_pre_hairpin (northd.c:6931): ip && ct.trk, priority 100, uuid 1328c195
    reg0[6] = chk_lb_hairpin();
    reg0[12] = chk_lb_hairpin_reply();
    *** chk_lb_hairpin_reply action not implemented
    next;
15. ls_in_nat_hairpin (northd.c:6940): ip && ct.new && ct.trk && reg0[6] == 1, priority 100, uuid 89e48276
    ct_snat_to_vip;
    *** ct_snat_to_vip action not implemented
    next;
16. ls_in_hairpin (northd.c:6965): (reg0[6] == 1 || reg0[12] == 1), priority 1, uuid 4680c239
    eth.dst <-> eth.src;
    outport = inport;
    flags.loopback = 1;
    output;

egress(dp="node1", inport="ovn-poc_service-a-89c68dc96-fm272", outport="ovn-poc_service-a-89c68dc96-fm272")
-----------------------------------------------------------------------------------------------------------
 0. ls_out_pre_lb (northd.c:5822): ip, priority 100, uuid fe121cbf
    reg0[2] = 1;
    next;
 1. ls_out_pre_acl (northd.c:5651): ip, priority 100, uuid 105736e5
    reg0[0] = 1;
    next;
 2. ls_out_pre_stateful (northd.c:5872): reg0[2] == 1, priority 110, uuid 1c6b05ef
    ct_lb_mark;

ct_lb_mark /* default (use --ct to customize) */
------------------------------------------------
 3. ls_out_acl_hint (northd.c:5992): ct.est && ct_mark.blocked == 0, priority 1, uuid f77da843
    reg0[10] = 1;
    next;
 8. ls_out_check_port_sec (northd.c:5505): 1, priority 0, uuid 4fb4d39f
    reg0[15] = check_out_port_sec();
    next;
 9. ls_out_apply_port_sec (northd.c:5510): 1, priority 0, uuid 6d6e8323
    output;
    /* output to "ovn-poc_service-a-89c68dc96-fm272", type "" */