On 1/16/23 07:21, Ales Musil wrote:
>
>
> On Fri, Jan 13, 2023 at 9:58 PM Ilya Maximets <[email protected]
> <mailto:[email protected]>> wrote:
>
> On 1/12/23 18:17, Ales Musil wrote:
> > Currently, the CT can be flushed by dpctl only by specifying
> > the whole 5-tuple. This is not very convenient when there are
> > only some fields known to the user of CT flush. Add new struct
> > ofputil_ct_match which represents the generic filtering that can
> > be done for CT flush. The match is done only on fields that are
> > non-zero with exception to the icmp fields.
> >
> > This allows the filtering just within dpctl, however
> > it is a preparation for OpenFlow extension.
> >
> > Reported-at: https://bugzilla.redhat.com/2120546
> <https://bugzilla.redhat.com/2120546>
> > Signed-off-by: Ales Musil <[email protected] <mailto:[email protected]>>
> > ---
> > v6: Rebase on top of current master.
> > Address comments from Ilya.
>
> Nit: this kind of version history is not really useful. It should say
> what actually changed. I don't remember every comment I made, other
> people have no idea what I was asking for.
>
> > v5: Add ack from Paolo.
> > v4: Fix a flush all scenario.
> > v3: Rebase on top of master.
> > Address the C99 comment and missing dpif_close call.
> > v2: Rebase on top of master.
> > Address comments from Paolo.
> > ---
> > NEWS | 3 +
> > include/openvswitch/ofp-util.h | 28 +++
> > lib/automake.mk <http://automake.mk> | 2 +
> > lib/ct-dpif.c | 210 ++++++++++-------------
> > lib/ct-dpif.h | 4 +-
> > lib/dpctl.c | 43 +++--
> > lib/dpctl.man | 15 +-
> > lib/ofp-ct-util.c | 303 +++++++++++++++++++++++++++++++++
> > lib/ofp-ct-util.h | 40 +++++
> > tests/system-traffic.at <http://system-traffic.at> | 102
> ++++++++++-
> > 10 files changed, 611 insertions(+), 139 deletions(-)
> > create mode 100644 lib/ofp-ct-util.c
> > create mode 100644 lib/ofp-ct-util.h
> >
<snip>
> > +bool
> > +ofputil_ct_tuple_is_zero(const struct ofputil_ct_tuple *tuple, uint8_t
> ip_proto)
> > +{
> > + bool is_zero = ipv6_is_zero(&tuple->src) &&
> ipv6_is_zero(&tuple->dst);
> > +
> > + if (!(ip_proto == IPPROTO_ICMP || ip_proto == IPPROTO_ICMPV6)) {
> > + is_zero = is_zero && !tuple->src_port && !tuple->dst_port;
> > + }
> > +
> > + return is_zero;
>
> Do we require ICMP tuples to always have at least one address specified?
> Or should the 'if' above have an 'else { return false; }' ?
>
>
> The ICMP is very problematic, if we do the 'else { return false; }' the
> shortcut for
> the full 5-tuple stops working. Without it if user specifies reply with only
> ICMP parameters
> we won't flush anything. I'm not sure what the correct approach here would be.
> Maybe documenting the limitation? Adding note that for ICMP in reply
> direction to work
> user needs to specify at least one IP?
I think, the correct solution to construct a mask of what the user
have specified while parsing and use the mask instead of values for
is_zero(). And also use it during comparison to con compare fields
that are not specified. Will that solve the problem?
Since partial matches are not supported, it can be a bitmask of
NXT_CT_TUPLE_* values.
It should be OK to just document for now. This also should be
mentioned in the header along with the definition of the struct
nx_ct_flush.
A bitmap thing can go as a fixup after the branching, if it works.
Best regards, Ilya Maximets.
_______________________________________________
dev mailing list
[email protected]
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
