[ovs-dev] SFC summary: ACL and Flow-Classifier

Ryan Moats rmoats at us.ibm.com
Tue Jun 28 03:11:14 UTC 2016


John McDowall <jmcdowall at paloaltonetworks.com> wrote on 06/27/2016 09:28:16
PM:

> From: John McDowall <jmcdowall at paloaltonetworks.com>
> To: Ryan Moats/Omaha/IBM at IBMUS
> Cc: "dev at openvswitch.org" <dev at openvswitch.org>
> Date: 06/27/2016 09:28 PM
> Subject: Re: [ovs-dev] SFC summary: ACL and Flow-Classifier
>
> Previous thread contents are here: http://openvswitch.org/pipermail/
> dev/2016-June/073836.html
>
> Ryan,
>
> The flow-classifier rules need to have a lower priority than the ppg
> rules as they steer the traffic into the chain. Therefore I could do
> this two ways:
> I can put the flow-classifier rules into the ACL table and insert
> them from there into the chain table,
> I can move the chain table before the ACL table.
> In either case the action would be to send the traffic to the first
> port pair input port of the first port-pair. This rule would then be
> fired in the chain table to steer traffic through the chain.
>
> Both seem a little “hacky” to me: the first because it might set
> rules on flows that get modified before they hit the chain table,
> but the current ACL code sets both egress and ingress tables so
> there is precedent.
>
> The second approach is just bad as we could process a bunch of flows
> that are dropped in the ACL table.
>
> Thoughts?
>
> John

I'll admit that I must be missing something because I just don't
understand where you are coming from here. I'm working from the
following assumptions:

1. The FCs steer traffic from outside the port chain into the first
PPG of the port chain in the ACL table of the ingress pipeline.
2. Once I'm in the port chain, the current port I come in on steers
traffic to the next PPG of the port chain in the first table of
ingress pipeline (table 0) and makes sure we skip the FCs in the
ACL table (I admit I forgot this in previous emails).
3. I select the output port for the next PPG in the chain
table of the ingress pipeline.

Because I'm doing these in three different tables, I don't quite see
why I need to worry about priorities.

As an example, consider a two PPG chain.  A packet from vif1
comes into the switch and is processed normally until the ACL table.
If it matches the FCs for the port chain, metadata is set to say
the packet needs to go to PPG1. In the chain table, the output port
of the first PPG is selected and the packet gets sent to that
output port by the normal mechanism.

Now the packet comes back in from the input port of that first VNF.
Table 1 is programmed to set the metadata to show this packet needs
to go to the second PPG.  It flows through the other tables
(skipping the FCs in the ACL table) until it reaches the chain table,
at which point the output port of the second PPG is selected and
the packet gets sent to that output port by the normal mechanism.

Now the packet comes back in from the input port of the second VNF.
Table 1 is programmed to set the metadata to show this packet has
finished the port chain.  It flows through the other tables
(again skipping the FCs in the ACL table) being sent to the dIP
on the packet.

What am I missing?

Ryan
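The three-table walk-through above can be checked with a small model. The following is an added example written for this page, not OVS or OVN code and not from either participant: it models the first ingress table (called table 0 here, following the numbered assumptions above), the ACL table holding both an ordinary drop ACL and the flow classifiers, and the chain table that picks the output port. Port names (vif1, ppg1-in/out, ppg2-in/out, l3-exit), the chain_pos metadata field, the classifier match on 10.0.0.5 and the drop ACL on 10.0.0.99 are all constructed for illustration. The skip_fc_in_chain switch lets you see what happens if the "skip the FCs in the ACL table" step from assumption 2 is left out.

```python
"""Toy model of the three-table SFC steering pipeline discussed above.

Added example, not OVS/OVN code. Port names, the chain_pos metadata
field, the flow-classifier match and the drop ACL are all constructed.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical logical ports. "<ppg>-out" is where the switch sends traffic
# to the VNF; "<ppg>-in" is where the VNF hands it back.
VIF1 = "vif1"
PPG_OUT = {1: "ppg1-out", 2: "ppg2-out"}
PPG_IN = {"ppg1-in": 1, "ppg2-in": 2}
NORMAL = "l3-exit"   # stands in for normal forwarding to the packet's dIP
DROP = "drop"
DONE = "done"        # chain finished: bypass the FCs from now on

FC_DST = "10.0.0.5"        # constructed flow classifier: dIP that enters the chain
ACL_DROP_DST = "10.0.0.99"  # constructed ordinary ACL in the same table


@dataclass
class Packet:
    in_port: str
    nw_dst: str
    chain_pos: Optional[object] = None  # None (outside chain), 1, 2, or DONE


def table0(pkt):
    """First ingress table: a packet returning from PPG n is steered to
    PPG n+1 (or marked DONE after the last PPG) purely on its in_port."""
    if pkt.in_port in PPG_IN:
        n = PPG_IN[pkt.in_port]
        pkt.chain_pos = n + 1 if n + 1 in PPG_OUT else DONE


def table_acl(pkt, skip_fc_in_chain=True):
    """ACL table: ordinary ACLs, then the flow classifiers. The FCs apply
    only to traffic not already inside a chain, so their priority relative
    to the PPG steering rules (which live in table0) never matters."""
    if pkt.nw_dst == ACL_DROP_DST:
        return DROP
    if pkt.chain_pos is not None and skip_fc_in_chain:
        return None          # already in the chain: FCs are skipped
    if pkt.nw_dst == FC_DST:
        pkt.chain_pos = 1    # enter the chain at the first PPG
    return None


def table_chain(pkt):
    """Chain table: choose the output port for the PPG named in metadata."""
    if pkt.chain_pos in PPG_OUT:
        return PPG_OUT[pkt.chain_pos]
    return NORMAL            # not in a chain, or DONE: normal forwarding


def ingress(pkt, skip_fc_in_chain=True):
    table0(pkt)
    if table_acl(pkt, skip_fc_in_chain) == DROP:
        return DROP
    return table_chain(pkt)


def walk_chain(nw_dst, skip_fc_in_chain=True, max_hops=8):
    """Inject one packet from vif1 and follow it. Whenever the switch outputs
    to ppgN-out, the VNF is assumed to hand it back on ppgN-in. Returns the
    sequence of output ports, ending in NORMAL or DROP, or "loop" if the
    packet keeps being re-steered into the chain."""
    hops = []
    in_port = VIF1
    for _ in range(max_hops):
        pkt = Packet(in_port=in_port, nw_dst=nw_dst)  # metadata starts clean
        out = ingress(pkt, skip_fc_in_chain)
        hops.append(out)
        if out in (NORMAL, DROP):
            return hops
        in_port = out.replace("-out", "-in")  # VNF re-injects the packet
    hops.append("loop")
    return hops


if __name__ == "__main__":
    print("chained :", walk_chain("10.0.0.5"))
    print("bypass  :", walk_chain("10.0.0.7"))
    print("dropped :", walk_chain("10.0.0.99"))
    print("no skip :", walk_chain("10.0.0.5", skip_fc_in_chain=False))
```

With the skip in place the classified packet visits ppg1-out, then ppg2-out, then exits normally; without it, the packet returning from the first VNF matches the classifier again in the ACL table and is sent back to PPG1 indefinitely, which is the reason the in-chain check belongs in the first table rather than being expressed through priorities.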


