Re: [ovs-dev] [PATCH] ovn-northd: Optimize acl of localnet-port

2017-07-26 Thread Russell Bryant
On Sun, Jul 9, 2017 at 9:51 PM,   wrote:
> Localnet port is not an endpoint, and have no security requirements
> to use localnet port at present. So, for performance consideration, we
> could do not use ct for localnet port.
>
> The more specific discussion can be found from
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html
>
> Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507
> Signed-off-by: wangqianyu 
> ---
>  ovn/northd/ovn-northd.8.xml |  4 +++-
>  ovn/northd/ovn-northd.c | 24 +++-
>  2 files changed, 26 insertions(+), 2 deletions(-)

Thanks for the patch!  I have applied it to master with some changes
shown below.

I also had to recreate the patch manually as I was not able to apply
it from your email.  This usually happens when copying the patch into
your email client.  The best method for submitting a patch is to use
the "git send-email" command.  If you have trouble getting that to
work for some reason, you can also submit a pull request on github.

My additions to the patch:

diff --git a/AUTHORS.rst b/AUTHORS.rst
index 21a68c140..39ddcb1ef 100644
--- a/AUTHORS.rst
+++ b/AUTHORS.rst
@@ -317,6 +317,7 @@ Tonghao Zhang   xiangxia.m@gmail.com
 Valient Gough   vgo...@pobox.com
 Venkata Anil Kommaddi   vkomm...@redhat.com
 Vivien Bernet-Rollande  v...@soprive.net
+wangqianyu  wang.qia...@zte.com.cn
 Wang Sheng-Hui  shh...@gmail.com
 Wei Li  l...@dtdream.com
 Wei Yongjun yj...@cn.fujitsu.com
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index 1e7346566..61522f140 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -1007,14 +1007,7 @@

   
 Note that you can not create an ACL matching on a port with
-type=router.
-  
-
-  
-Note that when localnet port exists in a lswitch, for
-to-lport direction, the inport works only if
-the to-lport is located on the same chassis as the
-inport.
+type=router or type=localnet.
   
 


Re: [ovs-dev] [PATCH] ovn-northd: Optimize acl of localnet-port

2017-07-12 Thread Han Zhou
On Sun, Jul 9, 2017 at 6:51 PM,  wrote:
>
> Localnet port is not an endpoint, and have no security requirements
> to use localnet port at present. So, for performance consideration, we
> could do not use ct for localnet port.
>
> The more specific discussion can be found from
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html
>
> Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507
> Signed-off-by: wangqianyu 
> ---
>  ovn/northd/ovn-northd.8.xml |  4 +++-
>  ovn/northd/ovn-northd.c | 24 +++-
>  2 files changed, 26 insertions(+), 2 deletions(-)
>
> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> index c0b4c5e..05f0470 100644
> --- a/ovn/northd/ovn-northd.8.xml
> +++ b/ovn/northd/ovn-northd.8.xml
> @@ -220,7 +220,9 @@
>logical datapath, a priority-100 flow is added that sets a hint
>(with reg0[0] = 1; next;) for table
>Pre-stateful to send IP packets to the connection
tracker
> -  before eventually advancing to ingress table ACLs.
> +  before eventually advancing to ingress table ACLs. If
some
> +  special ports such as route ports or localnet ports can't use
ct(),  a
> +  priority-110 flow is added to skip over stateful ACLs.
>  
>
>  Ingress Table 4: Pre-LB
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 83db753..eea12e8 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -1,4 +1,4 @@
> -/*
> +/*
>   * Licensed under the Apache License, Version 2.0 (the "License");
>   * you may not use this file except in compliance with the License.
>   * You may obtain a copy of the License at:
> @@ -416,6 +416,7 @@ struct ovn_datapath {
>  /* The "derived" OVN port representing the instance of l3dgw_port on
>   * the "redirect-chassis". */
>  struct ovn_port *l3redirect_port;
> +struct ovn_port *localnet_port;
>  };
>
>  struct macam_node {
> @@ -1351,6 +1352,10 @@ join_logical_ports(struct northd_context *ctx,
>  ovs_list_push_back(nb_only, >list);
>  }
>
> +if (!strcmp(nbsp->type, "localnet")) {
> +   od->localnet_port = op;
> +}
> +
>  op->lsp_addrs
>  = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
>  for (size_t j = 0; j < nbsp->n_addresses; j++) {
> @@ -2629,6 +2634,23 @@ build_pre_acls(struct ovn_datapath *od, struct
hmap *lflows)
>  ds_destroy(_in);
>  ds_destroy(_out);
>  }
> +if (od->localnet_port) {
> +struct ds match_in = DS_EMPTY_INITIALIZER;
> +struct ds match_out = DS_EMPTY_INITIALIZER;
> +
> +ds_put_format(_in, "ip && inport == %s",
> +  od->localnet_port->json_key);
> +ds_put_format(_out, "ip && outport == %s",
> +  od->localnet_port->json_key);
> +ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
> +  ds_cstr(_in), "next;");
> +ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
> +  ds_cstr(_out), "next;");
> +
> +ds_destroy(_in);
> +ds_destroy(_out);
> +}
> +
>  /* Ingress and Egress Pre-ACL Table (Priority 110).
>   *
>   * Not to do conntrack on ND packets. */
> --
> 2.7.2.windows.1

Acked-by: Han Zhou 


[ovs-dev] [PATCH] ovn-northd: Optimize acl of localnet-port

2017-07-09 Thread wang . qianyu
A localnet port is not an endpoint, and at present there are no security
requirements on the localnet port. So, for performance reasons, we
can avoid using ct for the localnet port.

A more detailed discussion can be found at
https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html

Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507
Signed-off-by: wangqianyu 
---
 ovn/northd/ovn-northd.8.xml |  4 +++-
 ovn/northd/ovn-northd.c | 24 +++-
 2 files changed, 26 insertions(+), 2 deletions(-)

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index c0b4c5e..05f0470 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -220,7 +220,9 @@
   logical datapath, a priority-100 flow is added that sets a hint
   (with reg0[0] = 1; next;) for table
   Pre-stateful to send IP packets to the connection 
tracker
-  before eventually advancing to ingress table ACLs.
+  before eventually advancing to ingress table ACLs. If 
some
+  special ports such as route ports or localnet ports can't use ct(), 
 a
+  priority-110 flow is added to skip over stateful ACLs.
 
 
 Ingress Table 4: Pre-LB
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 83db753..eea12e8 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -1,4 +1,4 @@
-/*
+/*
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
  * You may obtain a copy of the License at:
@@ -416,6 +416,7 @@ struct ovn_datapath {
 /* The "derived" OVN port representing the instance of l3dgw_port on
  * the "redirect-chassis". */
 struct ovn_port *l3redirect_port;
+struct ovn_port *localnet_port;
 };
 
 struct macam_node {
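Review bot: The new `localnet_port` member is the only field in this part of `struct ovn_datapath` without a comment, while its neighbour `l3redirect_port` documents what it holds; add `/* The logical switch's "localnet" port, if any, else NULL; set in join_logical_ports(). */` above it. The `if (od->localnet_port)` check that this patch adds to build_pre_acls() reads the pointer on every datapath, so it relies on the struct being zero-filled at allocation (presumably xzalloc, not visible here); worth confirming, since an unset pointer would be dereferenced for `json_key`.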
@@ -1351,6 +1352,10 @@ join_logical_ports(struct northd_context *ctx,
 ovs_list_push_back(nb_only, >list);
 }
 
+if (!strcmp(nbsp->type, "localnet")) {
+   od->localnet_port = op;
+}
+
 op->lsp_addrs
 = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
 for (size_t j = 0; j < nbsp->n_addresses; j++) {
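Review bot: The assignment `od->localnet_port = op;` silently overwrites any earlier value, so on a logical switch with more than one localnet port only the last one visited gets the priority-110 conntrack-skip flows, and which port that is depends on iteration order. If several localnet ports per switch are not rejected elsewhere, either keep the first and log a warning for the rest (`if (!od->localnet_port) { od->localnet_port = op; } else { /* warn: extra localnet port ignored */ }`) or make the field a list so build_pre_acls() can emit the flows for each. The assignment line also appears indented by three spaces rather than four, if the mail preserved the relative offsets. join_logical_ports() starts and ends outside this hunk.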
@@ -2629,6 +2634,23 @@ build_pre_acls(struct ovn_datapath *od, struct hmap 
*lflows)
 ds_destroy(_in);
 ds_destroy(_out);
 }
+if (od->localnet_port) {
+struct ds match_in = DS_EMPTY_INITIALIZER;
+struct ds match_out = DS_EMPTY_INITIALIZER;
+
+ds_put_format(_in, "ip && inport == %s",
+  od->localnet_port->json_key);
+ds_put_format(_out, "ip && outport == %s",
+  od->localnet_port->json_key);
+ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+  ds_cstr(_in), "next;");
+ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
+  ds_cstr(_out), "next;");
+
+ds_destroy(_in);
+ds_destroy(_out);
+}
+
 /* Ingress and Egress Pre-ACL Table (Priority 110).
  *
  * Not to do conntrack on ND packets. */
-- 
2.7.2.windows.1
