On 11/1/22 12:40, Abhiram Sangana wrote:
>
>
>> On 21 Oct 2022, at 10:58, Dumitru Ceara <[email protected]> wrote:
>>
>> On 10/20/22 17:34, Abhiram Sangana wrote:
>>> Hi Dumitru,
>>>
>>> Can you please check if the implementation for the proposal looks ok?
>>> Will send out v1 with the review comments and tests.
>>> Also, any ideas how we can selectively create new drop zones for ports.
>>> Currently, I am assigning a new zone for dropped connections to every
>>> port even if its parent LS doesn't have drop ACLs with labels.
>>>
>>
>> Within a logical switch do we really need a drop zone per port? Isn't
>> it actually enough if we add a "from-lport-drop" and "to-lport-drop"
>> zone for the whole logical switch? That should simplify zone allocation.
>>
> Given that we are committing dropped connections to CT table, a DDOS
> attack can potentially fill up the CT table. We are planning to send
> another patch that limits the number of entries for a given CT zone.
> It is easier to manage the size of CT zones when there is a CT zone
> per port rather than per Logical_Switch.
>
Ok. To answer your previous question, we could mark the SB.Port_Binding
with an option if there are ACLs applied to the switch containing it and
at least one of those needs drop zones. Even better would be to mark the
SB.Datapath_Binding but we don't have options there, we'd have to update
the schema.

I'm not sure if that works for you, what do you think?

Thanks,
Dumitru
