[ovs-dev] [PATCH v0 1/5] ovn: initial acl changes to support sfc action
Flavio Fernandes
flavio at flaviof.com
Sun Nov 6 03:11:27 UTC 2016
Extend OVN acl to 1) have sfc action and 2) have options column
Reported-at: http://openvswitch.org/pipermail/discuss/2016-March/020628.html
Reported-at: http://openvswitch.org/pipermail/discuss/2016-May/thread.html#21201
Co-authored-by: John McDowall <jmcdowall at paloaltonetworks.com>
Signed-off-by: Flavio Fernandes <flavio at flaviof.com>
---
ovn/northd/ovn-northd.8.xml | 5 +++++
ovn/northd/ovn-northd.c | 9 +++++++++
ovn/ovn-nb.ovsschema | 10 +++++++---
ovn/ovn-nb.xml | 41 +++++++++++++++++++++++++++++++++++++++++
ovn/utilities/ovn-nbctl.c | 5 +++--
5 files changed, 65 insertions(+), 5 deletions(-)
diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index df53d4c..1ad2be1 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -304,6 +304,11 @@
connections.
</li>
<li>
+ <code>sfc</code> ACLs work as entry points for service function
+ chaining, also known as SFC classifiers. Further attributes such
+ as what chain to be used are provided via the options column.
+ </li>
+ <li>
Other ACLs translate to <code>drop;</code> for new or untracked
connections and <code>ct_commit(ct_label=1/1);</code> for known
connections. Setting <code>ct_label</code> marks a connection
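Review bot: The new bullet describes sfc ACLs as SFC classifiers with chain attributes in options, but the ovn-northd.c hunk in this same patch translates an sfc ACL to "drop;" (see the "XXX FIXME" there). Until the chain handling lands, this man-page entry should say so, the same way the ovn-nb.xml entry for reject does ("Not implemented--currently treated as drop"); otherwise an operator reading the man page will expect traffic to be steered when it is in fact being dropped.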
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 07c7b2d..0ab850e 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -2522,6 +2522,15 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)
ds_destroy(&match);
}
+ } else if (!strcmp(acl->action, "sfc")) {
+ struct ds match = DS_EMPTY_INITIALIZER;
+
+ // XXX FIXME (FF): Do something amazing here
+ ovn_lflow_add(lflows, od, stage,
+ acl->priority + OVN_ACL_PRI_OFFSET,
+ acl->match, "drop;");
+
+ ds_destroy(&match);
} else if (!strcmp(acl->action, "drop")
|| !strcmp(acl->action, "reject")) {
struct ds match = DS_EMPTY_INITIALIZER;
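Review bot: In the new sfc branch, `struct ds match` is initialized and destroyed but never used, since the flow is added with `acl->match` directly; drop the two ds lines until the branch actually builds a match. The `// XXX FIXME` comment should use `/* ... */` to follow the OVS C style used elsewhere in this file. Also note that nothing here (or anywhere in the patch) reads `acl->options`, so the "sfc-port-chain" key that ovn-nb.xml documents as required is neither consumed nor validated; if the intent is to land the action as a placeholder, a `VLOG_WARN_RL` when the key is missing would at least make a misconfigured ACL visible in the northd log rather than silently dropping traffic.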
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index 65f2d7c..ded6316 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
{
"name": "OVN_Northbound",
- "version": "5.4.1",
- "cksum": "3773248894 11490",
+ "version": "5.4.2",
+ "cksum": "2998303999 11681",
"tables": {
"NB_Global": {
"columns": {
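Review bot: This bumps the schema from 5.4.1 to 5.4.2, but the patch adds a new column ("options") and a new enum value to the ACL table, which is a backward-compatible structural change; check the project's schema-versioning convention, since compatible additions of columns have normally been recorded as a minor bump (5.5.0) rather than a patch bump. Either way, the "cksum" line has to be regenerated after the final version of the schema edit, so it is worth re-running the checksum step before the series is respun.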
@@ -123,8 +123,12 @@
"enum": ["set", ["from-lport", "to-lport"]]}}},
"match": {"type": "string"},
"action": {"type": {"key": {"type": "string",
- "enum": ["set", ["allow", "allow-related", "drop", "reject"]]}}},
+ "enum": ["set", ["allow", "allow-related", "drop", "reject", "sfc"]]}}},
"log": {"type": "boolean"},
+ "options": {
+ "type": {"key": "string",
+ "value": "string",
+ "min": 0, "max": "unlimited"}},
"external_ids": {
"type": {"key": "string", "value": "string",
"min": 0, "max": "unlimited"}}},
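Review bot: The new "options" column is a free-form string map, so the "sfc-port-chain" value documented in ovn-nb.xml as "the uuid (or name) of the Logical_Port_Chain" is a plain string, not an OVSDB reference. That means the database will not enforce referential integrity: a chain can be deleted (or two chains can share a name) while ACLs still point at it, and the stale or ambiguous reference will only surface in ovn-northd. If a weak reference column to Logical_Port_Chain is not an option because that table arrives later in the series, please document that northd is responsible for resolving and validating the value, and consider landing the table before the column that names it.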
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index 7626551..f2f6f74 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -841,6 +841,13 @@
ICMP unreachable message for other IP-based protocols.
<code>Not implemented--currently treated as drop</code>
</li>
+
+ <li>
+ <code>sfc</code>: Forward the packet into a logical port chain.
+ The chain to be used -- as well as any other attributes that determine
+ the behavior of the packet while in the chain -- are provided
+ via <ref column="options"/>.
+ </li>
</ul>
</column>
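Review bot: The new sfc bullet says the packet is forwarded into a logical port chain, which is not what this patch implements (northd emits "drop;"). The reject bullet directly above already carries the note `<code>Not implemented--currently treated as drop</code>`; adding the same note to the sfc bullet keeps the documentation truthful for this step of the series and can be removed in the patch that adds the real flows.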
@@ -856,6 +863,40 @@
</p>
</column>
+ <group title="Options">
+ <column name = "options">
+ This column provides key/value settings specific to the ACL
+ <ref column="action"/>. The type-specific options are described
+ individually below.
+ </column>
+
+ <group title="Options for action sfc">
+ <p>
+ These options apply when <ref column="action"/> is <code>sfc</code>.
+ </p>
+
+ <column name="options" key="sfc-port-chain">
+ Required when <ref column="action"/> is <code>sfc</code>.
+ The uuid (or name) of the <ref table="Logical_Port_Chain"/> to be used.
+ </column>
+
+ <column name="options" key="sfc-bidirectional">
+ Optional and only applicable when <ref column="action"/> is <code>sfc</code>.
+ When set with value <code>true</code>, the implementation will also add rules to make packets
+ go through the chain in reverse direction. A restriction on making bidirectional chains is
+ that the inport parameter must be present in <ref column="match"/>, as it will be used as the
+ <ref table="Logical_Port_Chain" column="last_hop_port"/>. As expected, all <code>src*</code>
+ fields in <ref column="match"/> will be converted to <code>dst*</code> in order to derive the
+ reverse ACL.
+
+ <p>
+ sfc-bidirectional option is not yet implemented.
+ </p>
+ </column>
+ </group>
+
+ </group>
+
<group title="Common Columns">
<column name="external_ids">
See <em>External IDs</em> at the beginning of this document.
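Review bot: `<column name = "options">` has spaces around the `=`, unlike every other `<column name="...">` in this file; please make it consistent. The sfc-port-chain text describes the value as "uuid (or name)", so the document should state what happens when a name matches more than one Logical_Port_Chain row or matches nothing, since the column is a string and ovsdb cannot catch either case. For sfc-bidirectional, the restriction that inport must appear in the match, and the statement that src* fields are rewritten to dst* to derive the reverse ACL, are both design decisions that northd will have to enforce; given the trailing "not yet implemented" note, it may be clearer to keep this key out of the documented options until the patch that implements it, so readers do not configure a key that is silently ignored.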
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 4df6af8..b45bc08 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -1279,9 +1279,10 @@ nbctl_acl_add(struct ctl_context *ctx)
/* Validate action. */
if (strcmp(action, "allow") && strcmp(action, "allow-related")
- && strcmp(action, "drop") && strcmp(action, "reject")) {
+ && strcmp(action, "drop") && strcmp(action, "reject")
+ && strcmp(action, "sfc")) {
ctl_fatal("%s: action must be one of \"allow\", \"allow-related\", "
- "\"drop\", and \"reject\"", action);
+ "\"drop\", \"reject\" and \"sfc\"", action);
return;
}
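Review bot: Accepting "sfc" in acl-add is fine as far as it goes, but acl-add still has no way to populate the options column, and ovn-nb.xml marks sfc-port-chain as required when the action is sfc; every ACL created through this command is therefore incomplete until the user follows up with a separate `set ACL ... options:sfc-port-chain=...`. Consider either taking `key=value` option arguments in acl-add, or at least mentioning the follow-up step in the ovn-nbctl man page, and update the man page's list of valid actions wherever it enumerates them, since this hunk only updates the error string.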
--
2.7.4