[ovs-dev] [PATCH] [RFC Patch] ovn-controller: ignore lflow matching remote VM port

Thu Jul 7 17:12:28 UTC 2016

"dev" <dev-bounces at openvswitch.org> wrote on 07/07/2016 12:07:16 PM:

> From: Zong Kai Li <zealokii at gmail.com>
> To: ovs dev <dev at openvswitch.org>
> Date: 07/07/2016 12:07 PM
> Subject: [ovs-dev] [PATCH] [RFC Patch] ovn-controller: ignore lflow
> matching remote VM port
> Sent by: "dev" <dev-bounces at openvswitch.org>
>
> Currently, ovn-controller will install all lflows for a logical
> switch, when ovn-controller determines not to skip processing of
> that logical switch.
>
> This will install too many OVS flows. We have 11 tables for logical
> switch ingress pipeline, 8 tables for logical switch egress pipeline
> now, and more in futrue.
>
> There are two kind lflows in for logical switch. One has no
> inport/outport matching, such as lflows in table ls_in_arp_rsp and
> ls_in_l2_lkup. The other one has, and for now, lflows in the following
> tables belong to this type:
>  - ls_in_port_sec_l2
>  - ls_in_port_sec_ip
>  - ls_in_port_sec_nd
>  - ls_in_acl
>  - ls_out_pre_acl
>  - ls_out_acl
>  - ls_out_port_sec_ip
>  - ls_out_port_sec_l2
>
> Consider how packet trip through flows in network topology
> (P: port, S: switch, R: router.
>  Two VM(or VIF) ports are on different chassis):
>  - P-S-P: only flows matching remote inport, local VM port as "inport"
and
>           local VM port as "outport" will be matched. There is no chance
for
>           flows matching remote VM port as "inport" or "outport" to be
> matched.
>  - P-S-R-S-P and P-S-R...R-S-P: all these cases seem different from the
>           above one, but they have the same "last jump". No matter how
>           many routers(with or without switches) are used, before packet
>           leaves current chassis, the next jump will be:
>             destination_switch_gateway -> destination_switch_port,
>           so it will become a P-S-P case again.
>           And sinse this patch will not change ingress pipeline for
>           logical routers, so traffic between router port to router port
>           will not be impacted.
> So, as we can see, we don't need to install flow for a lflow with inport
> or outport matching in logical switch ingress pipeline, when it tries to
> match
> a VM(or VIF) port that doesn't belong to current chassis.
> This can help ovn-controller to avoid to install many unnecessary flows.
>
> Signed-off-by: Zong Kai LI <zealokii at gmail.com>
> ---

First, how much does this reduce the number of installed flows?  Some
statistics
would be useful...

Second, assuming that conditional monitoring lands, will this have any
further effect?

Ryan