[ovs-dev] [PATCH v2 2/2] [RFC] ovn: Start work on design documentation.
Ben Pfaff
blp at nicira.com
Fri Feb 20 05:59:43 UTC 2015
On Thu, Feb 19, 2015 at 05:15:53PM -0800, Ben Pfaff wrote:
> On Thu, Feb 19, 2015 at 11:45:08PM +0100, Thomas Graf wrote:
> > On 02/19/15 at 11:16am, Ben Pfaff wrote:
> > > diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
> > > new file mode 100644
> > > index 0000000..4c29562
> > > --- /dev/null
> > > +++ b/ovn/ovn-nb.ovsschema
> >
> > The schema below has some whitespace / tab mixups.
>
> Oops. I've run untabify now.
>
> > > @@ -0,0 +1,63 @@
> > > +{
> > > + "name": "OVN_Northbound",
> > > + "tables": {
> > > + "Logical_Switch": {
> > > + "columns": {
> > > + "external_ids": {
> > > + "type": {"key": "string", "value": "string",
> > > + "min": 0, "max": "unlimited"}}}},
> > > + "Logical_Port": {
> > > + "columns": {
> > > + "switch": {"type": {"key": {"type": "uuid",
> > > + "refTable": "Logical_Switch",
> > > + "refType": "strong"}}},
> > > + "router_port": {"type": {"key": {"type": "uuid",
> > > + "refTable": "Logical_Router_Port",
> > > + "refType": "strong"},
> > > + "min": 0,
> > > + "max": 1}},
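Review bot: in the Logical_Port columns, `router_port` is a strong reference bounded by `"min": 0, "max": 1` per port, but nothing in the schema limits how many Logical_Port rows of the same switch may carry one, so the "at most one router port per logical switch" rule would have to be enforced by whatever writes the northbound database; either state that in ovn-nb.xml or move the reference to Logical_Switch, where the one-per-switch cardinality is expressed by the schema itself.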
> >
> > What is the reason to hook the Logical_Router_Port to a Logical_Port
> > and not to the Logical_Switch directly? It seems like the port_security
> > does not apply to routers and the state should also be "up" at all
> > times.
>
> I've switched this back and forth a couple of times. Maybe I'll put
> it back again.
>
> The one feature that I want to make sure can apply to router ports is
> ACLs. That isn't contingent on a Logical_Router_Port being a
> Logical_Port, though, so it's not a deal-breaker.
I remember now why I had a bit of trouble with this: a logical router
port needs a name so that ACLs can be written across it. But since
there's only one logical router port (at most) per logical switch, we
can just give it a fixed name. So I applied this incremental:
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index 649a668..c75c632 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -3,6 +3,10 @@
"tables": {
"Logical_Switch": {
"columns": {
+ "router_port": {"type": {"key": {"type": "uuid",
+ "refTable": "Logical_Router_Port",
+ "refType": "strong"},
+ "min": 0, "max": 1}},
"external_ids": {
"type": {"key": "string", "value": "string",
"min": 0, "max": "unlimited"}}}},
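Review bot: the new Logical_Switch `router_port` column limits each switch to at most one router port, but nothing stops two Logical_Switch rows from referencing the same Logical_Router_Port row; if a router port is meant to attach to exactly one switch, say so in the column documentation so that a shared port is a documented configuration error rather than something the schema silently accepts.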
@@ -11,11 +15,6 @@
"switch": {"type": {"key": {"type": "uuid",
"refTable": "Logical_Switch",
"refType": "strong"}}},
- "router_port": {"type": {"key": {"type": "uuid",
- "refTable": "Logical_Router_Port",
- "refType": "strong"},
- "min": 0,
- "max": 1}},
"name": {"type": "string"},
"macs": {"type": {"key": "string",
"min": 0,
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index 5238296..9c9a619 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -37,10 +37,15 @@
column="switch"/> column points to its row.
</p>
- <p>
- So far, there is no per-logical switch configuration, so this table
- only has the commmon columns.
- </p>
+ <column name="router_port">
+ <p>
+ The router port to which this logical switch is connected, or empty if
+ this logical switch is not connected to any router. A switch may be
+ connected to at most one logical router, but this is not a significant
+ restriction because logical routers may be connected into arbitrary
+ topologies.
+ </p>
+ </column>
<group title="Common Columns">
<column name="external_ids">
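Review bot: the `router_port` documentation in Logical_Switch does not mention that the attached router port is addressed in ACLs through the reserved port name `ROUTER`, which this same patch introduces in the ACL `match` column; a cross-reference here would let a reader of the switch table find how to write rules covering traffic to and from the router.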
@@ -58,19 +63,6 @@
The logical switch to which the logical port is connected.
</column>
- <column name="router_port">
- <p>
- The router port to which this logical port is connected, or empty if
- this switch port is connected to a host instead of a router.
- </p>
-
- <p>
- At most one logical port in a given logical switch may be connected to
- a logical router. (This is not a significant restriction because
- logical routers may be connected into arbitrary toplogies.)
- </p>
- </column>
-
<column name="name">
The logical port name. The name used here must match those used in the
<ref key="iface-id" table="Interface" column="external_ids"
@@ -150,7 +142,11 @@
<column name="match">
The packets that the ACL should match, in the same expression language
used for the <ref column="match" table="Pipeline" db="OVN"/> column in
- the OVN database's <ref table="Pipeline" db="OVN"/> table.
+ the OVN database's <ref table="Pipeline" db="OVN"/> table. Match
+ <code>inport</code> and <code>outport</code> against names of logical
+ ports within <ref column="switch"/> to implement ingress and egress ACLs,
+ respectively. In logical switches connected to logical routers, the
+ special port name <code>ROUTER</code> refers to the logical router port.
</column>
<column name="action">
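Review bot: the `match` documentation reserves the port name `ROUTER` for the router port, but the Logical_Port `name` column remains a free-form string, so a logical port literally named ROUTER would make a match on `inport` or `outport` against `ROUTER` ambiguous and an ACL intended for the router could apply to, or miss, the wrong port; either document the name as reserved and have the northbound writer reject it, or give the router port a spelling that a logical port name cannot take.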
> > [...]
> >
> > > + <p>
> > > + Following are not well thought out:
> > > + </p>
> > > +
> > > + <dl>
> > > + <dt><code>learn</code></dt>
> > > +
> > > + <dt><code>conntrack</code></dt>
> > > +
> > > + <dt><code>with(<var>field</var>=<var>value</var>) { <var>action</var>, </code>...<code> }</code></dt>
> > > + <dd>execute <var>actions</var> with temporary changes to <var>fields</var></dd>
> > > +
> > > + <dt><code>dec_ttl { <var>action</var>, </code>...<code> } { <var>action</var>; </code>...<code>}</code></dt>
> > > + <dd>
> > > + decrement TTL; execute first set of actions if
> > > + successful, second set if TTL decrement fails
> > > + </dd>
> > > +
> > > + <dt><code>icmp_reply { <var>action</var>, </code>...<code> }</code></dt>
> > > + <dd>generate ICMP reply from packet, execute <var>action</var></dd>
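Review bot: `learn` and `conntrack` have `<dt>` entries with no `<dd>`, and `dec_ttl` does not say what the second action set is expected to do with the packet when the decrement fails (the natural pairing is `icmp_reply`, so one example would make the intent clear); also `with(...)` uses the singular `field` and `action` in the `<dt>` but the plural `fields` and `actions` in the `<dd>`.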
> >
> > A possibly useful addition could be arp_respond to implement the L2 pop
> > of OpenStack.
>
> I thought that was in there, but now I see that it isn't. I guess
> that never made it off my whiteboard. I'll add it.
This is hand-wavy but here's what I added:
diff --git a/ovn/ovn.xml b/ovn/ovn.xml
index c1d1e47..a233112 100644
--- a/ovn/ovn.xml
+++ b/ovn/ovn.xml
@@ -405,7 +405,10 @@
</dd>
<dt><code>icmp_reply { <var>action</var>, </code>...<code> }</code></dt>
- <dd>generate ICMP reply from packet, execute <var>action</var></dd>
+ <dd>generate ICMP reply from packet, execute <var>action</var>s</dd>
+
+ <dt><code>arp { <var>action</var>, </code>...<code> }</code></dt>
+ <dd>generate ARP from packet, execute <var>action</var>s</dd>
</dl>
<p>
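Review bot: `arp { action, ... }` says only "generate ARP from packet", which leaves open whether it builds an ARP reply to the request that arrived (what the arp_respond use case raised in the thread needs) or an ARP request, and which fields of the incoming packet populate it; naming the action `arp_reply` and stating the derived fields would remove the ambiguity.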