[ovs-dev] [PATCH] ovn: Add second ACL stage

Mickey Spiegel emspiege at us.ibm.com
Fri Jul 29 17:28:26 UTC 2016



-----"dev" <dev-bounces at openvswitch.org> wrote: -----
To: Mickey Spiegel <mickeys.dev at gmail.com>
From: Russell Bryant 
Sent by: "dev" 
Date: 07/29/2016 10:02AM
Cc: ovs dev <dev at openvswitch.org>
Subject: Re: [ovs-dev] [PATCH] ovn: Add second ACL stage

On Fri, Jul 29, 2016 at 12:47 AM, Mickey Spiegel <mickeys.dev at gmail.com>
wrote:

>
> This patch adds a second logical switch ingress ACL stage, and
> correspondingly a second logical switch egress ACL stage.  This
> allows for more than one ACL-based feature to be applied in the
> ingress and egress logical switch pipelines.  The features
> driving the different ACL stages may be configured by different
> users, for example an application deployer managing security
> groups and a network or security admin configuring network ACLs
> or firewall rules.
>
> Each ACL stage is self contained.  The "action" for the
> highest-"priority" matching row in an ACL stage determines a
> packet's treatment.  A separate "action" will be determined in
> each ACL stage, according to the ACL rules configured for that
> ACL stage.  The "priority" values are only relevant within the
> context of an ACL stage.
>
> ACL rules that do not specify an ACL stage are applied to the
> default "acl" stage.
>
> Signed-off-by: Mickey Spiegel <mickeys.dev at gmail.com>


Could you expand on why priorities in a single stage aren't enough to
satisfy the use case?

<Mickey>
If two features are configured independently with a mix of
prioritized allow and drop rules, then with a single stage, a
new set of ACL rules must be produced that achieves the same
behavior.  This is sometimes referred to as an "ACL merge"
algorithm, for example:
http://www.cisco.com/en/US/products/hw/switches/ps708/products_white_paper09186a00800c9470.shtml#wp39514

In the worst case, for example when the features act on different
packet fields (e.g. one on IP address and another on L4 port),
the number of rules required can approach
(# of ACL1 rules) * (# of ACL2 rules).

While it is possible to code up such an algorithm, it adds
significant complexity and complicates whichever layer
implements the merge algorithm, either OVN or the CMS above.

By using multiple independent pipeline stages, all of this
software complexity is avoided, achieving the proper result
in a simple and straightforward manner.

Recent network hardware ASICs tend to have around 8 or 10 ACL
stages, though they tend to evaluate these in parallel given
all the emphasis on low latency these days.

Mickey


-- 
Russell Bryant
_______________________________________________
dev mailing list
dev at openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
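As an added illustration of the argument Mickey makes above (example code, not part of the original thread and not OVN's own code), the toy model below evaluates two independent ACL stages the way the patch description specifies (highest-priority matching row in each stage decides, default allow when nothing matches) and then performs the "ACL merge" alternative: flattening both stages into one rule set. The two sample stages, the packet field names and all values are constructed; the merged set has (stage 1 rules + 1) * (stage 2 rules + 1) entries whenever the stages match on disjoint fields, which is the worst case described in the reply.

```python
"""Toy model of sequential ACL stages versus a single merged ACL stage.

Constructed example: rules, field names and packets are made up for the
demonstration; the matcher is exact-value only and is not OVN's logical-flow
matcher.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

Packet = Dict[str, object]


@dataclass
class Rule:
    priority: int
    match: Dict[str, object]   # field -> exact value; an empty dict matches everything
    action: str                # "allow" or "drop"


def matches(rule: Rule, pkt: Packet) -> bool:
    return all(pkt.get(k) == v for k, v in rule.match.items())


def stage_action(rules: List[Rule], pkt: Packet, default: str = "allow") -> str:
    """Action of the highest-priority matching row in one self-contained ACL stage."""
    best: Optional[Rule] = max((r for r in rules if matches(r, pkt)),
                               key=lambda r: r.priority, default=None)
    return best.action if best is not None else default


def multistage_allows(stages: List[List[Rule]], pkt: Packet) -> bool:
    """Sequential pipeline: every stage must independently allow the packet."""
    return all(stage_action(s, pkt) == "allow" for s in stages)


def merge_stages(s1: List[Rule], s2: List[Rule], default: str = "allow") -> List[Rule]:
    """Flatten two stages into one equivalent stage (cross product of rules).

    Each stage gets an explicit priority-0 catch-all so every packet hits a
    pair of rows.  The merged priority is lexicographic (stage 1 first), so the
    top merged match is exactly the pair of per-stage top matches, and the
    merged action is allow only if both per-stage actions are allow.
    """
    full1 = s1 + [Rule(0, {}, default)]
    full2 = s2 + [Rule(0, {}, default)]
    width = max(r.priority for r in full2) + 1
    merged: List[Rule] = []
    for r1 in full1:
        for r2 in full2:
            combined = dict(r1.match)
            satisfiable = True
            for k, v in r2.match.items():
                if k in combined and combined[k] != v:
                    satisfiable = False      # same field, different values: no packet can match
                    break
                combined[k] = v
            if not satisfiable:
                continue
            action = "allow" if r1.action == "allow" and r2.action == "allow" else "drop"
            merged.append(Rule(r1.priority * width + r2.priority, combined, action))
    return merged


# Constructed sample stages: a security-group style stage keyed on addresses
# and a network-ACL style stage keyed on L4 fields (disjoint fields = worst case).
SECURITY_GROUPS: List[Rule] = [
    Rule(20, {"src": "10.0.0.5", "dst": "10.0.1.9"}, "allow"),
    Rule(10, {"src": "10.0.0.5"}, "drop"),
]
NETWORK_ACL: List[Rule] = [
    Rule(20, {"dport": 443}, "allow"),
    Rule(10, {"proto": "tcp"}, "drop"),
]


def sample_packets() -> List[Packet]:
    """Constructed packets covering every combination of the field values above."""
    return [{"src": s, "dst": d, "dport": p, "proto": pr}
            for s in ("10.0.0.5", "10.0.0.6")
            for d in ("10.0.1.9", "10.0.1.10")
            for p in (443, 22)
            for pr in ("tcp", "udp")]


def merged_matches_pipeline(s1: List[Rule], s2: List[Rule]) -> bool:
    """True if the merged single stage gives the same verdict as the two-stage pipeline."""
    merged = merge_stages(s1, s2)
    return all(multistage_allows([s1, s2], p) == (stage_action(merged, p) == "allow")
               for p in sample_packets())


if __name__ == "__main__":
    merged = merge_stages(SECURITY_GROUPS, NETWORK_ACL)
    print(f"{len(SECURITY_GROUPS)} + {len(NETWORK_ACL)} staged rules -> {len(merged)} merged rules")
    print("equivalent on all sample packets:", merged_matches_pipeline(SECURITY_GROUPS, NETWORK_ACL))
```

Running it shows 2 + 2 staged rules becoming 9 merged rules that are behaviourally equivalent on every sample packet; the merge is only this simple because the toy matcher is exact-value, and any real merge must also resolve overlapping ranges and masks, which is the complexity the reply refers to.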
