Re: [ovs-dev] [PATCH] ovn-northd: Optimize acl of localnet-port
On Sun, Jul 9, 2017 at 9:51 PM,wrote: > Localnet port is not an endpoint, and have no security requirements > to use localnet port at present. So, for performance consideration, we > could do not use ct for localnet port. > > The more specific discussion can be found from > https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html > > Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507 > Signed-off-by: wangqianyu > --- > ovn/northd/ovn-northd.8.xml | 4 +++- > ovn/northd/ovn-northd.c | 24 +++- > 2 files changed, 26 insertions(+), 2 deletions(-) Thanks for the patch! I have applied it to master with some changes shown below. I also had to recreate the patch manually as I was not able to apply it from your email. This usually happens when copying the patch into your email client. The best method for submitting a patch is to use the "git send-email" command. If you have trouble getting that to work for some reason, you can also submit a pull request on github. My additions to the patch: diff --git a/AUTHORS.rst b/AUTHORS.rst index 21a68c140..39ddcb1ef 100644 --- a/AUTHORS.rst +++ b/AUTHORS.rst @@ -317,6 +317,7 @@ Tonghao Zhang xiangxia.m@gmail.com Valient Gough vgo...@pobox.com Venkata Anil Kommaddi vkomm...@redhat.com Vivien Bernet-Rollande v...@soprive.net +wangqianyu wang.qia...@zte.com.cn Wang Sheng-Hui shh...@gmail.com Wei Li l...@dtdream.com Wei Yongjun yj...@cn.fujitsu.com diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml index 1e7346566..61522f140 100644 --- a/ovn/ovn-nb.xml +++ b/ovn/ovn-nb.xml @@ -1007,14 +1007,7 @@ Note that you can not create an ACL matching on a port with -type=router. - - - -Note that when localnet port exists in a lswitch, for -to-lport direction, the inport works only if -the to-lport is located on the same chassis as the -inport. +type=router or type=localnet. ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
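Review bot: the ovn-nb.xml hunk documents localnet as a port type an ACL may not match on ("type=router or type=localnet"), but nothing in the visible hunk adds validation for the new case, so an ACL whose match names the localnet port would still be accepted and, with the priority-110 skip added in ovn-northd.c, would simply never see conntracked traffic; if the type=router case is enforced in code, enforce localnet the same way, otherwise say in the text that the restriction is not checked. The removed paragraph about the inport qualifier in the to-lport direction only working when the to-lport is on the same chassis is also dropped without replacement; worth confirming that limitation no longer applies, since nothing in this patch changes what inport is set to for traffic arriving through the localnet port.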
Re: [ovs-dev] [PATCH] ovn-northd: Optimize acl of localnet-port
On Sun, Jul 9, 2017 at 6:51 PM,wrote: > > Localnet port is not an endpoint, and have no security requirements > to use localnet port at present. So, for performance consideration, we > could do not use ct for localnet port. > > The more specific discussion can be found from > https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html > > Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507 > Signed-off-by: wangqianyu > --- > ovn/northd/ovn-northd.8.xml | 4 +++- > ovn/northd/ovn-northd.c | 24 +++- > 2 files changed, 26 insertions(+), 2 deletions(-) > > diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml > index c0b4c5e..05f0470 100644 > --- a/ovn/northd/ovn-northd.8.xml > +++ b/ovn/northd/ovn-northd.8.xml > @@ -220,7 +220,9 @@ >logical datapath, a priority-100 flow is added that sets a hint >(with reg0[0] = 1; next;) for table >Pre-stateful to send IP packets to the connection tracker > - before eventually advancing to ingress table ACLs. > + before eventually advancing to ingress table ACLs. If some > + special ports such as route ports or localnet ports can't use ct(), a > + priority-110 flow is added to skip over stateful ACLs. > > > Ingress Table 4: Pre-LB > diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c > index 83db753..eea12e8 100644 > --- a/ovn/northd/ovn-northd.c > +++ b/ovn/northd/ovn-northd.c > @@ -1,4 +1,4 @@ > -/* > +/* > * Licensed under the Apache License, Version 2.0 (the "License"); > * you may not use this file except in compliance with the License. > * You may obtain a copy of the License at: > @@ -416,6 +416,7 @@ struct ovn_datapath { > /* The "derived" OVN port representing the instance of l3dgw_port on > * the "redirect-chassis". */ > struct ovn_port *l3redirect_port; > +struct ovn_port *localnet_port; > }; > > struct macam_node { 
> @@ -1351,6 +1352,10 @@ join_logical_ports(struct northd_context *ctx, > ovs_list_push_back(nb_only, >list); > } > > +if (!strcmp(nbsp->type, "localnet")) { > + od->localnet_port = op; > +} > + > op->lsp_addrs > = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses); > for (size_t j = 0; j < nbsp->n_addresses; j++) { > @@ -2629,6 +2634,23 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows) > ds_destroy(_in); > ds_destroy(_out); > } > +if (od->localnet_port) { > +struct ds match_in = DS_EMPTY_INITIALIZER; > +struct ds match_out = DS_EMPTY_INITIALIZER; > + > +ds_put_format(_in, "ip && inport == %s", > + od->localnet_port->json_key); > +ds_put_format(_out, "ip && outport == %s", > + od->localnet_port->json_key); > +ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, > + ds_cstr(_in), "next;"); > +ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, > + ds_cstr(_out), "next;"); > + > +ds_destroy(_in); > +ds_destroy(_out); > +} > + > /* Ingress and Egress Pre-ACL Table (Priority 110). > * > * Not to do conntrack on ND packets. */ > -- > 2.7.2.windows.1 Acked-by: Han Zhou ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
[ovs-dev] [PATCH] ovn-northd: Optimize acl of localnet-port
Localnet port is not an endpoint, and have no security requirements to use localnet port at present. So, for performance consideration, we could do not use ct for localnet port. The more specific discussion can be found from https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507 Signed-off-by: wangqianyu--- ovn/northd/ovn-northd.8.xml | 4 +++- ovn/northd/ovn-northd.c | 24 +++- 2 files changed, 26 insertions(+), 2 deletions(-) diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml index c0b4c5e..05f0470 100644 --- a/ovn/northd/ovn-northd.8.xml +++ b/ovn/northd/ovn-northd.8.xml @@ -220,7 +220,9 @@ logical datapath, a priority-100 flow is added that sets a hint (with reg0[0] = 1; next;) for table Pre-stateful to send IP packets to the connection tracker - before eventually advancing to ingress table ACLs. + before eventually advancing to ingress table ACLs. If some + special ports such as route ports or localnet ports can't use ct(), a + priority-110 flow is added to skip over stateful ACLs. Ingress Table 4: Pre-LB diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c index 83db753..eea12e8 100644 --- a/ovn/northd/ovn-northd.c +++ b/ovn/northd/ovn-northd.c @@ -1,4 +1,4 @@ -/* +/* * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at: @@ -416,6 +416,7 @@ struct ovn_datapath { /* The "derived" OVN port representing the instance of l3dgw_port on * the "redirect-chassis". */ struct ovn_port *l3redirect_port; +struct ovn_port *localnet_port; }; struct macam_node { @@ -1351,6 +1352,10 @@ join_logical_ports(struct northd_context *ctx, ovs_list_push_back(nb_only, >list); } +if (!strcmp(nbsp->type, "localnet")) { + od->localnet_port = op; +} + op->lsp_addrs = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses); for (size_t j = 0; j < nbsp->n_addresses; j++) { 
@@ -2629,6 +2634,23 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows) ds_destroy(_in); ds_destroy(_out); } +if (od->localnet_port) { +struct ds match_in = DS_EMPTY_INITIALIZER; +struct ds match_out = DS_EMPTY_INITIALIZER; + +ds_put_format(_in, "ip && inport == %s", + od->localnet_port->json_key); +ds_put_format(_out, "ip && outport == %s", + od->localnet_port->json_key); +ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110, + ds_cstr(_in), "next;"); +ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110, + ds_cstr(_out), "next;"); + +ds_destroy(_in); +ds_destroy(_out); +} + /* Ingress and Egress Pre-ACL Table (Priority 110). * * Not to do conntrack on ND packets. */ -- 2.7.2.windows.1 ___ dev mailing list d...@openvswitch.org https://mail.openvswitch.org/mailman/listinfo/ovs-dev
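Review bot: in the ovn-northd.8.xml hunk, "route ports" should read "router ports" (the port type is router), and the sentence is phrased as a general rule ("If some special ports ... can't use ct(), a priority-110 flow is added") while this patch only adds the localnet case, so name the ports that actually get the skip. "can't use ct()" also overstates the commit message, which argues that the localnet port has no security requirement, not that ct is impossible there; something like "For localnet ports, which are not endpoints and have no ACLs applied, a priority-110 flow skips the connection tracker" would match the code.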
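Review bot: the hunk at the top of ovn/northd/ovn-northd.c (`@@ -1,4 +1,4 @@`) replaces `/*` with an identical-looking `/*`, so it is a whitespace or line-ending change unrelated to the ACL work; given the `2.7.2.windows.1` version in the footer it is most likely CRLF or trailing-space noise from the Windows checkout and should be dropped before applying.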
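Review bot: `struct ovn_port *localnet_port;` in struct ovn_datapath is added without the comment that the neighbouring `l3redirect_port` field carries; document what it points to and that it is NULL for datapaths without a localnet port. The later hunk in build_pre_acls tests `if (od->localnet_port)`, so the field has to start out NULL; the hunks do not show where ovn_datapath is allocated, so confirm it is zero-initialized.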
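Review bot: the assignment in join_logical_ports, `od->localnet_port = op;`, silently overwrites any earlier value, so on a switch with more than one localnet port only the last one visited gets the pre-ACL skip and the others are still sent to ct. If one localnet port per switch is the supported configuration, log a warning when a second one is seen; if not, this needs a list rather than a single pointer. The check dereferences `nbsp->type`, which is fine only if the surrounding code guarantees nbsp is non-NULL at this point, and the hunk context does not show that.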
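Review bot: the new block in build_pre_acls closely mirrors the block that ends right above it (same pattern of two `struct ds` matches, two ovn_lflow_add calls and the `ds_destroy(_in); ds_destroy(_out);` pair), so a small helper taking the port and building both flows would avoid the duplication. It should also carry a comment in the style of the one that follows it ("Not to do conntrack on ND packets") stating why skipping ct on the localnet port is safe, namely that the port is not an endpoint and no ACL is expected to match on it. Note that the skip is installed in the egress direction as well (`ip && outport == %s` with `next;`), so IP traffic leaving towards the physical network through this port never gets the conntrack hint on this switch; that is the intended behaviour, but it is the security-relevant consequence and belongs in the comment and the commit message.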