On Sat, Nov 5, 2016 at 8:11 PM, Flavio Fernandes <[email protected]> wrote:
> Extend OVN acl to 1) have sfc action and 2) have options column
>

I agree that SFC classification should be based on ACL functionality along the lines of this patch.

Discussion at OVN IRC meetings seems to indicate a consensus that SFC classification should be in a separate pipeline stage from existing ACLs.

As described in https://mail.openvswitch.org/pipermail/ovs-dev/2016-August/241193.html, there are two possible alternatives for implementing the separate pipeline stage:

1. Multiple ACL stages, as originally proposed in http://patchwork.ozlabs.org/patch/655018/
2. A dedicated pipeline stage for SFC classification, similar to but separate from the ACL pipeline stage. The approach would be the same as that taken for QoS marking: https://github.com/openvswitch/ovs/commit/1a03fc7da32e74aacbf638d3617a290ddffaa069

If the first approach is taken, there are several action items that must be resolved in order to progress the multiple ACL stages patch:

a. Rework the patch so that there is no hard limit of 2 ACL stages, as requested by blp. While the original patch coded most of the ovn-northd.c build_acls modifications with no hard limit, the pipeline stage definitions, ovn_stage_from_acl_stage, and ovn-nbctl.c code would need some rework.
b. Rework ovn-northd.c "has_stateful" boolean to be per ACL pipeline stage. Unless this is done, if any stateful ACLs are defined, the code in the current patch would not take effect for SFC classification in the reply direction, since it would be overridden by a priority UINT16_MAX rule that allows all reply traffic.
c. Add automated tests for ACLs. Currently there are only a few tests for ovn-nbctl ACL commands, and a couple of tests that are primarily focused on other functionality. Automated tests for core ACL functionality are lacking.
d. Extend automated tests for ACLs (c above) to cover multiple ACL stages functionality. This should include coverage for stateful ACL processing, since there was some concern expressed about stateful interactions across multiple ACL pipeline stages.

Mickey

>
> Reported-at: http://openvswitch.org/pipermail/discuss/2016-March/020628.html
> Reported-at: http://openvswitch.org/pipermail/discuss/2016-May/thread.html#21201
> Co-authored-by: John McDowall <[email protected]>
> Signed-off-by: Flavio Fernandes <[email protected]>
> ---
>  ovn/northd/ovn-northd.8.xml |  5 +++++
>  ovn/northd/ovn-northd.c     |  9 +++++++++
>  ovn/ovn-nb.ovsschema        | 10 +++++++---
>  ovn/ovn-nb.xml              | 41 ++++++++++++++++++++++++++++++
> +++++++++++
>  ovn/utilities/ovn-nbctl.c   |  5 +++--
>  5 files changed, 65 insertions(+), 5 deletions(-)
