Re: [ovs-dev] Reply: Re: [PATCH] ovn: Support for taas(tap-as-a-service) function

2017-08-04 Thread Russell Bryant
On Thu, Aug 3, 2017 at 8:52 PM,  wrote:

> Miguel Ángel and Russell
>
> Thanks for your reviews.
>
> The current taas function is just for port monitoring; in this situation, we can
> simplify the design by just adding a new port type. But we have the plan to add
> flow_classifier to tap_flow to monitor special flows of a given port. The
> flow_classifier definition may be as follows:
> 'flow_classifiers': {
>     'id': {'allow_post': False, 'allow_put': False,
>            'validate': {'type:uuid': None}, 'is_visible': True,
>            'primary_key': True},
>     'tenant_id': {'allow_post': True, 'allow_put': False,
>                   'validate': {'type:string': None},
>                   'required_by_policy': True, 'is_visible': True},
>     'name': {'allow_post': True, 'allow_put': True,
>              'validate': {'type:string': None},
>              'is_visible': True, 'default': ''},
>     'description': {'allow_post': True, 'allow_put': True,
>                     'validate': {'type:string': None},
>                     'is_visible': True, 'default': ''},
>     'protocol': {'allow_post': True, 'allow_put': True,
>                  'validate': {'type:string': None},
>                  'is_visible': True, 'default': ''},
>     'src_port_range_min': {'allow_post': True, 'allow_put': True,
>                            'convert_to': attr.convert_to_int,
>                            'is_visible': True, 'default': 0},
>     'src_port_range_max': {'allow_post': True, 'allow_put': True,
>                            'convert_to': attr.convert_to_int,
>                            'is_visible': True, 'default': 0},
>     'dst_port_range_min': {'allow_post': True, 'allow_put': True,
>                            'convert_to': attr.convert_to_int,
>                            'is_visible': True, 'default': 0},
>     'dst_port_range_max': {'allow_post': True, 'allow_put': True,
>                            'convert_to': attr.convert_to_int,
>                            'is_visible': True, 'default': 0},
>     'src_ip_prefix': {'allow_post': True, 'allow_put': True,
>                       'validate': {'type:subnet': attr._validate_subnet},
>                       'is_visible': True, 'default': '0.0.0.0/0'},
>     'dst_ip_prefix': {'allow_post': True, 'allow_put': True,
>                       'validate': {'type:subnet': attr._validate_subnet},
>                       'is_visible': True, 'default': '0.0.0.0/0'}
> }
>
> This may need a more complex pipeline. So I think adding a new table and a new
> pipeline may be an easier way.
>

Thanks for sharing the info on future capabilities.

We have a very flexible syntax for traffic classification in OVN.  It's the
logical flow match syntax (see logical flows in the southbound database).
We expose this syntax in the northbound database in the "match" column of
the ACL table.

This would be another use case where we could use this syntax in the
northbound database.  Expanding on my previous proposal:

 - a new port type of 'mirror'

 - when port type=mirror, an option to identify which port is being mirrored

 - (the new part) when port type=mirror, an option that may be used to
specify traffic classification for the subset of traffic on a port to
mirror, in "match" syntax

Do you think this captures the use case?

-- 
Russell Bryant
___
dev mailing list
d...@openvswitch.org
https://mail.openvswitch.org/mailman/listinfo/ovs-dev
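Russell's suggestion above is to express the traffic classification in OVN's logical-flow "match" syntax (the same syntax the northbound ACL table uses) instead of in new tables, and the flow_classifier attribute map quoted from wang's mail is the input that would then have to be translated. The following is an added example written for this page, not code from the thread, from OVN or from the tap-as-a-service project: a Python function classifier_to_ovn_match() (a name chosen here) that turns a classifier dict with those keys into a match string, rejecting classifiers OVN could never apply. The protocol-name mapping, the completion of a half-specified port range, and the use of the constant 1 for an empty classifier are assumptions of this example.

```python
"""Translate a TaaS-style flow_classifier dict into an OVN "match" expression."""
import ipaddress

# Neutron protocol names -> OVN match-language protocol symbols.
# Assumed mapping for this example; neither the thread nor TaaS defines one.
_PROTO_SYMBOL = {"tcp": "tcp", "udp": "udp", "icmp": "icmp4", "icmpv6": "icmp6"}
_PORTED = {"tcp", "udp"}  # the only symbols above that carry .src/.dst port fields

# Defaults mirror the attribute map quoted in the thread.
_DEFAULTS = {
    "protocol": "",
    "src_port_range_min": 0, "src_port_range_max": 0,
    "dst_port_range_min": 0, "dst_port_range_max": 0,
    "src_ip_prefix": "0.0.0.0/0", "dst_ip_prefix": "0.0.0.0/0",
}


def _port(name, value):
    """Coerce like attr.convert_to_int would and bound-check a TCP/UDP port."""
    try:
        port = int(value)
    except (TypeError, ValueError):
        raise ValueError(f"{name}: {value!r} is not an integer") from None
    if not 0 <= port <= 65535:
        raise ValueError(f"{name}: {port} is outside 0..65535")
    return port


def _port_terms(proto_sym, direction, lo, hi):
    """Render a (min, max) port range as OVN relational terms.

    Both 0 (the attribute-map defaults) means 'any port'. A range with only one
    bound set is completed as a single port (max omitted) or as 1..max (min
    omitted); that completion is an assumption of this example.
    """
    if lo == 0 and hi == 0:
        return []
    if hi == 0:
        hi = lo
    if lo == 0:
        lo = 1
    if lo > hi:
        raise ValueError(f"{direction} port range {lo}..{hi} is inverted")
    field = f"{proto_sym}.{direction}"
    if lo == hi:
        return [f"{field} == {lo}"]
    # OVN has no range literal, so a range becomes two relational tests.
    return [f"{field} >= {lo}", f"{field} <= {hi}"]


def classifier_to_ovn_match(fc):
    """Return the OVN match string for a flow_classifier dict.

    Raises ValueError for classifiers OVN could never apply: inverted or
    out-of-range ports, ports on a protocol without ports, an ICMP version
    that contradicts the prefix, or an IPv4 prefix mixed with an IPv6 one.
    """
    fc = {**_DEFAULTS, **fc}
    terms, versions = [], set()

    # Address prefixes: the catch-all defaults (0.0.0.0/0, ::/0) add nothing.
    for direction in ("src", "dst"):
        net = ipaddress.ip_network(fc[f"{direction}_ip_prefix"], strict=False)
        if net.prefixlen == 0:
            continue
        versions.add(net.version)
        host = net.prefixlen == net.max_prefixlen
        value = str(net.network_address) if host else net.with_prefixlen
        terms.append(f"ip{net.version}.{direction} == {value}")
    if len(versions) > 1:
        raise ValueError("src and dst prefixes are of different IP versions")

    proto = (fc["protocol"] or "").lower()
    proto_sym = None
    if proto:
        if proto not in _PROTO_SYMBOL:
            raise ValueError(f"unsupported protocol {proto!r}")
        proto_sym = _PROTO_SYMBOL[proto]
        if (proto_sym, versions) in (("icmp4", {6}), ("icmp6", {4})):
            raise ValueError(f"{proto} cannot match an IPv{next(iter(versions))} prefix")
        terms.append(proto_sym)

    ranges = {d: (_port(f"{d}_port_range_min", fc[f"{d}_port_range_min"]),
                  _port(f"{d}_port_range_max", fc[f"{d}_port_range_max"]))
              for d in ("src", "dst")}
    if any(r != (0, 0) for r in ranges.values()) and proto_sym not in _PORTED:
        raise ValueError("port ranges require protocol tcp or udp")
    for d in ("src", "dst"):
        terms.extend(_port_terms(proto_sym, d, *ranges[d]))

    # An empty classifier matches everything; OVN spells that as the constant 1.
    return " && ".join(terms) if terms else "1"


if __name__ == "__main__":
    # Constructed sample classifier: TCP from 10.0.0.0/24 to ports 80..90.
    print(classifier_to_ovn_match({"protocol": "tcp",
                                   "src_ip_prefix": "10.0.0.0/24",
                                   "dst_port_range_min": 80,
                                   "dst_port_range_max": 90}))
```

The resulting string is what would go into the proposed per-port "match" option; because OVN evaluates the expression itself, the northbound side only has to validate the classifier (which the ValueError paths do) rather than grow a second pipeline for it.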


[ovs-dev] Reply: Re: [PATCH] ovn: Support for taas(tap-as-a-service) function

2017-08-03 Thread wang . qianyu
Miguel Ángel and Russell

Thanks for your reviews.

The current taas function is just for port monitoring; in this situation, we can
simplify the design by just adding a new port type. But we have the plan to
add flow_classifier to tap_flow to monitor special flows of a given port.
The flow_classifier definition may be as follows:
'flow_classifiers': {
    'id': {'allow_post': False, 'allow_put': False,
           'validate': {'type:uuid': None}, 'is_visible': True,
           'primary_key': True},
    'tenant_id': {'allow_post': True, 'allow_put': False,
                  'validate': {'type:string': None},
                  'required_by_policy': True, 'is_visible': True},
    'name': {'allow_post': True, 'allow_put': True,
             'validate': {'type:string': None},
             'is_visible': True, 'default': ''},
    'description': {'allow_post': True, 'allow_put': True,
                    'validate': {'type:string': None},
                    'is_visible': True, 'default': ''},
    'protocol': {'allow_post': True, 'allow_put': True,
                 'validate': {'type:string': None},
                 'is_visible': True, 'default': ''},
    'src_port_range_min': {'allow_post': True, 'allow_put': True,
                           'convert_to': attr.convert_to_int,
                           'is_visible': True, 'default': 0},
    'src_port_range_max': {'allow_post': True, 'allow_put': True,
                           'convert_to': attr.convert_to_int,
                           'is_visible': True, 'default': 0},
    'dst_port_range_min': {'allow_post': True, 'allow_put': True,
                           'convert_to': attr.convert_to_int,
                           'is_visible': True, 'default': 0},
    'dst_port_range_max': {'allow_post': True, 'allow_put': True,
                           'convert_to': attr.convert_to_int,
                           'is_visible': True, 'default': 0},
    'src_ip_prefix': {'allow_post': True, 'allow_put': True,
                      'validate': {'type:subnet': attr._validate_subnet},
                      'is_visible': True, 'default': '0.0.0.0/0'},
    'dst_ip_prefix': {'allow_post': True, 'allow_put': True,
                      'validate': {'type:subnet': attr._validate_subnet},
                      'is_visible': True, 'default': '0.0.0.0/0'}
}

This may need a more complex pipeline. So I think adding a new table and a new
pipeline may be an easier way.

Thanks.





Miguel Angel Ajo Pelayo
2017/08/03 23:21

To:  Russell Bryant ,
Cc:  wang.qia...@zte.com.cn, ovs dev ,
zhou.huij...@zte.com.cn, xurong00037997
Subject:  Re: [ovs-dev] [PATCH] ovn: Support for taas(tap-as-a-service) function


I had the same thought about the tables.

Regards,
Miguel Ángel

On Thu, Aug 3, 2017 at 5:11 PM, Russell Bryant  wrote:
On Thu, Aug 3, 2017 at 4:44 AM,   wrote:
> Taas was designed to provide tenants and service providers a means of
> monitoring the traffic flowing in their Neutron provisioned virtual
> networks. It is useful for network trouble-shooting, security and
> analytics. The taas presentations can be found at
> https://github.com/openstack/tap-as-a-service/blob/master/doc/source/presentations.rst,
> and the API reference can be found at
> https://github.com/openstack/tap-as-a-service/blob/master/API_REFERENCE.rst
>
> To support the taas function, this patch adds a new logical switch
> "logica_mirror_switch" which represents a taas_service in ovn.
> This patch also adds logica_mirror_switch_port with types "mirror" and
> "taas". A port with type "mirror" is used as the inport for monitored flows in
> logica_mirror_switch, and a port with type "taas" is used as the outport for
> monitored flows in logica_mirror_switch.
>
> The ovn-controller will make the relation between the logical_switch_port
> and logica_mirror_switch_port.
>
> Signed-off-by: wang qianyu 
> ---
>  ovn/controller/binding.c|  11 +-
>  ovn/controller/ovn-controller.c |   4 +-
>  ovn/controller/physical.c   | 125 +++-
>  ovn/northd/ovn-northd.c | 317
> 
>  ovn/ovn-nb.ovsschema|  42 +-
>  ovn/ovn-nb.xml  | 167 +
>  ovn/ovn-sb.xml  |  85 ++-
>  ovn/utilities/ovn-nbctl.c   | 152 ++-
>  ovn/utilities/ovn-trace.c   |   5 +-
>  9 files changed, 865 insertions(+), 43 deletions(-)

Thanks for working on the new feature!

The first thing that stands out to me is the new tables in OVN
Northbound: Logical_Mirror_Switch and Logical_Mirror_Switch_Port.

I'm wondering if we can simplify the design ... what if we only added
a new Logical_Switch_Port type of "mirror"