[ovs-dev] [ovs-discuss] [ACLv2 02/19] ofproto: Add ofproto_get_flow_stats functions.

Ben Pfaff blp at nicira.com
Fri Sep 4 21:30:59 UTC 2009


Jesse Gross <jesse at nicira.com> writes:

> Ben Pfaff wrote:
>> Jesse Gross <jesse at nicira.com> writes:
>>
>>   
>>> The function allows aggregate packet and byte counts to be retrieved
>>> for flows that match the given flow and wildcards.  The set of flows
>>> to be matched against can either be the normal OpenFlow flows or the
>>> currently active exact match flows in the kernel.
>>>     
>>
>> That seems like a reasonable thing to do.  But that isn't what
>> this code does: it adds a way to get hidden or not-hidden rules.
>> That is a different proposition, because some hidden rules are
>> "currently active exact match flows in the kernel" ("caemfinks"
>> for short) but others are not.  In fact, the same is true about
>> not-hidden rules.  So there are in fact four categories:
>>
>>         * Hidden rules that are caemfinks: subrules.
>>
>>         * Hidden rules that are not caemfinks: wildcarded rules
>>           created by in-band control.
>>
>>         * Non-hidden rules that are caemfinks: OpenFlow
>>           exact-match flows that happen to be installed in the
>>           kernel.
>>
>>         * Non-hidden rules that are not caemfinks: OpenFlow
>>           wildcarded rules and OpenFlow exact-match flows that
>>           happen not to be installed in the kernel.
>>
>> At this point in the review process I don't know which of these
>> you really want to list, but it definitely needs to be carefully
>> thought out.
>>
>>   
>
> This is a good point.  I was essentially equating hidden rules with
> caemfinks.  Case #2 wasn't an issue because ACLs are only active when
> there is no controller and in-band control is only active when there
> is a controller, so there is no overlap.  However, I forgot about
> OpenFlow exact-match flows that could be installed.  I changed it to
> look at installed rules instead of hidden rules.

Thanks, that makes sense.

By the way, although this is something that I could find out for
myself, what happens when a switch that has a configured
controller goes into fail-open mode?  Do any configured ACLs go
into effect at that point?  Would it make sense for them to do
so?

> I now have a parameter called "installed_flows_only", which hopefully
> should be a little more clear.

Sounds good.



