Re: [ovs-dev] [PATCH ovn 0/3] Support mixing stateless and stateful ACLs regardless of their priority

Tue, 07 Dec 2021 08:43:20 -0800

Talking about patches 1 and 2 - they've got totally no negative impact, it's an optimization for HW VTEP scenario - I'd like them to be included as a part of 21.12.
For patch #3 there is absolutely no affect for users who use either only stateless ACLs or only stateful. 


For users, who do mix of allow-stateless and allow-related rules it's a 
_possible_ affect, only if priority for allow-related rules is higher, 
than for allow-stateless AND these rules have overlapping meaning. It's 
worth to mention, that if somebody has such rules installed now, they 
don't work as the could be treated.


Let me know your thoughts.

regards,

Vladislav Odintsov

On 07.12.2021 19:14, Numan Siddique wrote:

On Tue, Dec 7, 2021 at 3:58 AM Vladislav Odintsov <[email protected]> wrote:

On 01.12.2021 15:56, Vladislav Odintsov wrote:

Currently if user has a stateless and statetul ACLs (allow-stateless and
allow-related) in one port group or in one logical switch simultaneously,
the stateless rules whould take precedence.
This patch series adds support for mixing all the ACLs types with the
respect to their priority.
This change requires next:

Also, as an optimisation, traffic from HW VTEP switch in ingress datapath
is passed from ls_in_l2_sec directly to ls_in_l2_lkup, as it doesn't need
any processing in ingress pipeline except determining outport in
ls_in_l2_lkup table.

Vladislav Odintsov (3):
    Revert "northd: support HW VTEP with stateful datapath"
    northd: send ingress packets from HW VTEP directly to L2_LKUP table
    northd: support mix of stateless ACL with lower priority than stateful

   northd/northd.c         | 113 ++++++++++++++++++++++------------------
   northd/ovn-northd.8.xml |  35 ++++---------
   northd/ovn_northd.dl    |  47 +++++------------
   tests/ovn-northd.at     |  50 ++++++++++--------
   4 files changed, 114 insertions(+), 131 deletions(-)


Hi Numan,

is is possible to plan this series to be included in 21.12?

Hi Vladislav,

I was thinking of considering them after branching.  Do you need these
patches for 21.12 ?
I'm trying to understand the risk factor ? Are these patches risky at
this time or will not affect other users who don't use this scenario ?

If it is risk free,  +1 from me for 21.12.

Thanks
Numan


_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev


_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev






















					Reply via email to