On Sun, Jul 9, 2017 at 6:51 PM, <wang.qia...@zte.com.cn> wrote: > > Localnet port is not an endpoint, and have no security requirements > to use localnet port at present. So, for performance consideration, we > could do not use ct for localnet port. > > The more specific discussion can be found from > https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html > > Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507 > Signed-off-by: wangqianyu <wang.qia...@zte.com.cn> > --- > ovn/northd/ovn-northd.8.xml | 4 +++- > ovn/northd/ovn-northd.c | 24 +++++++++++++++++++++++- > 2 files changed, 26 insertions(+), 2 deletions(-) > > diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml > index c0b4c5e..05f0470 100644 > --- a/ovn/northd/ovn-northd.8.xml > +++ b/ovn/northd/ovn-northd.8.xml > @@ -220,7 +220,9 @@ > logical datapath, a priority-100 flow is added that sets a hint > (with <code>reg0[0] = 1; next;</code>) for table > <code>Pre-stateful</code> to send IP packets to the connection tracker > - before eventually advancing to ingress table <code>ACLs</code>. > + before eventually advancing to ingress table <code>ACLs</code>. If some > + special ports such as route ports or localnet ports can't use ct(), a > + priority-110 flow is added to skip over stateful ACLs. > </p> > > <h3>Ingress Table 4: Pre-LB</h3> > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > index 83db753..eea12e8 100644 > --- a/ovn/northd/ovn-northd.c > +++ b/ovn/northd/ovn-northd.c > @@ -1,4 +1,4 @@ > -/* > +/* > * Licensed under the Apache License, Version 2.0 (the "License"); > * you may not use this file except in compliance with the License. > * You may obtain a copy of the License at: > @@ -416,6 +416,7 @@ struct ovn_datapath { > /* The "derived" OVN port representing the instance of l3dgw_port on > * the "redirect-chassis". */ > struct ovn_port *l3redirect_port; > + struct ovn_port *localnet_port; > }; > > struct macam_node { 
> @@ -1351,6 +1352,10 @@ join_logical_ports(struct northd_context *ctx, > ovs_list_push_back(nb_only, &op->list); > } > > + if (!strcmp(nbsp->type, "localnet")) { > + od->localnet_port = op; > + } > + > op->lsp_addrs > = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses); > for (size_t j = 0; j < nbsp->n_addresses; j++) { > @@ -2629,6 +2634,23 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows) > ds_destroy(&match_in); > ds_destroy(&match_out); > } > + if (od->localnet_port) { > + struct ds match_in = DS_EMPTY_INITIALIZER; > + struct ds match_out = DS_EMPTY_INITIALIZER; > + > + ds_put_format(&match_in, "ip && inport == %s", > + od->localnet_port->json_key); > + ds_put_format(&match_out, "ip && outport == %s", > + od->localnet_port->json_key); > + ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, > + ds_cstr(&match_in), "next;"); > + ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, > + ds_cstr(&match_out), "next;"); > + > + ds_destroy(&match_in); > + ds_destroy(&match_out); > + } > + > /* Ingress and Egress Pre-ACL Table (Priority 110). > * > * Not to do conntrack on ND packets. */ > -- > 2.7.2.windows.1
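Review bot: the new sentence in ovn-northd.8.xml states that a priority-110 flow skips stateful ACLs but not what that means for ACLs written against the localnet port itself: once `ip && inport == <localnet>` and `ip && outport == <localnet>` bypass the conntrack hint, a stateful ACL whose match names the localnet port never sees ct state, so only stateless matching can be relied on for that port. The paragraph should say this explicitly, and "route ports" presumably means "router ports".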
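Review bot: the `@@ -1,4 +1,4 @@` hunk in ovn-northd.c replaces `/*` with an identical-looking `/*`, so it is a whitespace-only or invisible-character change with no relation to the localnet logic; drop it from this patch or send it as a separate cleanup so the diff records only the intended behaviour change.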
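Review bot: the new `struct ovn_port *localnet_port;` member of `struct ovn_datapath` has no comment, while the neighbouring `l3redirect_port` field documents what it holds; add a one-line comment saying it is the logical switch's localnet port, or NULL if there is none, and that only a single port is tracked.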
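Review bot: `od->localnet_port = op;` in join_logical_ports overwrites the pointer for every localnet port encountered, so if a logical switch is ever configured with more than one localnet port only the last one joined gets the conntrack-skip flows and the others still go through ct(); either warn on or reject a second localnet port at this point, or keep the ports in a list so build_pre_acls can handle all of them.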
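Review bot: the new block in build_pre_acls duplicates, almost line for line, the match-building and ds_destroy sequence that ends immediately above it (the `ip && inport == %s` / `ip && outport == %s` pair and the two priority-110 `next;` flows); factor that into a small helper taking an ovn_port and call it for both cases. A code comment, not only the commit message, should also state why the localnet port may bypass ct() (it is not an endpoint, so no per-port conntrack state is needed), since the skip silently disables stateful ACL matching for traffic entering or leaving through that port.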
Acked-by: Han Zhou <zhou...@gmail.com>

_______________________________________________
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev