[ovs-dev] [ovs-discuss] [ACLv2 02/19] ofproto: Add ofproto_get_flow_stats functions.
Ben Pfaff
blp at nicira.com
Fri Sep 4 21:30:59 UTC 2009
Jesse Gross <jesse at nicira.com> writes:
> Ben Pfaff wrote:
>> Jesse Gross <jesse at nicira.com> writes:
>>
>>> The function allows aggregate packet and byte counts to be retrieved
>>> for flows that match the given flow and wildcards. The set of flows
>>> to be matched against can either be the normal OpenFlow flows or the
>>> currently active exact match flows in the kernel.
>>>
>>
>> That seems like a reasonable thing to do. But that isn't what
>> this code does: it adds a way to get hidden or not-hidden rules.
>> That is a different proposition, because some hidden rules are
>> "currently active exact match flows in the kernel" ("caemfinks"
>> for short) but others are not. In fact, the same is true about
>> not-hidden rules. So there are in fact four categories:
>>
>> * Hidden rules that are caemfinks: subrules.
>>
>> * Hidden rules that are not caemfinks: wildcarded rules
>> created by in-band control.
>>
>> * Non-hidden rules that are caemfinks: OpenFlow
>> exact-match flows that happen to be installed in the
>> kernel.
>>
>> * Non-hidden rules that are not caemfinks: OpenFlow
>> wildcarded rules and OpenFlow exact-match flows that
>> happen not to be installed in the kernel.
>>
>> At this point in the review process I don't know which of these
>> you really want to list, but it definitely needs to be carefully
>> thought out.
>>
>
> This is a good point. I was essentially equating hidden rules with
> caemfinks. Case #2 wasn't an issue because ACLs are only active when
> there is no controller and in-band control is only active when there
> is a controller, so there is no overlap. However, I forgot about
> OpenFlow exact-match flows that could be installed. I changed it to
> look at installed rules instead of hidden rules.

Thanks, that makes sense.

By the way, although this is something that I could find out for
myself, what happens when a switch that has a configured
controller goes into fail-open mode? Do any configured ACLs go
into effect at that point? Would it make sense for them to do
so?

> I now have a parameter called "installed_flows_only", which hopefully
> should be a little more clear.

Sounds good.