[ovs-dev] [PATCH v0 1/5] ovn: initial acl changes to support sfc action

Flavio Fernandes flavio at flaviof.com
Sun Nov 6 03:11:27 UTC 2016


Extend OVN acl to 1) have sfc action and 2) have options column

Reported-at: http://openvswitch.org/pipermail/discuss/2016-March/020628.html
Reported-at:  http://openvswitch.org/pipermail/discuss/2016-May/thread.html#21201
Co-authored-by: John McDowall <jmcdowall at paloaltonetworks.com>
Signed-off-by: Flavio Fernandes <flavio at flaviof.com>
---
 ovn/northd/ovn-northd.8.xml |  5 +++++
 ovn/northd/ovn-northd.c     |  9 +++++++++
 ovn/ovn-nb.ovsschema        | 10 +++++++---
 ovn/ovn-nb.xml              | 41 +++++++++++++++++++++++++++++++++++++++++
 ovn/utilities/ovn-nbctl.c   |  5 +++--
 5 files changed, 65 insertions(+), 5 deletions(-)

diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
index df53d4c..1ad2be1 100644
--- a/ovn/northd/ovn-northd.8.xml
+++ b/ovn/northd/ovn-northd.8.xml
@@ -304,6 +304,11 @@
         connections.
       </li>
       <li>
+        <code>sfc</code> ACLs work as entry points for service function
+        chaining, also known as SFC classifiers. Further attributes such
+        as what chain to be used are provided via the options column.
+      </li>
+      <li>
         Other ACLs translate to <code>drop;</code> for new or untracked
         connections and <code>ct_commit(ct_label=1/1);</code> for known
         connections.  Setting <code>ct_label</code> marks a connection
diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
index 07c7b2d..0ab850e 100644
--- a/ovn/northd/ovn-northd.c
+++ b/ovn/northd/ovn-northd.c
@@ -2522,6 +2522,15 @@ build_acls(struct ovn_datapath *od, struct hmap *lflows)
 
                 ds_destroy(&match);
             }
+        } else if (!strcmp(acl->action, "sfc")) {
+            struct ds match = DS_EMPTY_INITIALIZER;
+
+            // XXX FIXME (FF): Do something amazing here
+            ovn_lflow_add(lflows, od, stage,
+                          acl->priority + OVN_ACL_PRI_OFFSET,
+                          acl->match, "drop;");
+
+            ds_destroy(&match);
         } else if (!strcmp(acl->action, "drop")
                    || !strcmp(acl->action, "reject")) {
             struct ds match = DS_EMPTY_INITIALIZER;
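Review bot: The new `sfc` branch installs `drop;` for every matching packet, so an ACL that the `ovn-nb.xml` text in this same series describes as "Forward the packet into a logical port chain" actually discards traffic; until the real translation lands, that description should carry the same marker the `reject` entry already has (`Not implemented--currently treated as drop`) so operators do not read an `sfc` rule as forwarding. The `struct ds match = DS_EMPTY_INITIALIZER;` and the matching `ds_destroy(&match);` in this branch are never used between them and can be removed, and the `// XXX FIXME (FF)` line should use the file's `/* ... */` comment style, e.g. `/* XXX sfc classification is not implemented yet; fail closed with drop. */`. Nothing on the northd side reads the new `options` column, so a missing or unresolvable `sfc-port-chain` is not reported anywhere yet. build_acls begins before this hunk.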
diff --git a/ovn/ovn-nb.ovsschema b/ovn/ovn-nb.ovsschema
index 65f2d7c..ded6316 100644
--- a/ovn/ovn-nb.ovsschema
+++ b/ovn/ovn-nb.ovsschema
@@ -1,7 +1,7 @@
 {
     "name": "OVN_Northbound",
-    "version": "5.4.1",
-    "cksum": "3773248894 11490",
+    "version": "5.4.2",
+    "cksum": "2998303999 11681",
     "tables": {
         "NB_Global": {
             "columns": {
@@ -123,8 +123,12 @@
                                             "enum": ["set", ["from-lport", "to-lport"]]}}},
                 "match": {"type": "string"},
                 "action": {"type": {"key": {"type": "string",
-                                            "enum": ["set", ["allow", "allow-related", "drop", "reject"]]}}},
+                                            "enum": ["set", ["allow", "allow-related", "drop", "reject", "sfc"]]}}},
                 "log": {"type": "boolean"},
+                "options": {
+                    "type": {"key": "string",
+                             "value": "string",
+                             "min": 0, "max": "unlimited"}},
                 "external_ids": {
                     "type": {"key": "string", "value": "string",
                              "min": 0, "max": "unlimited"}}},
diff --git a/ovn/ovn-nb.xml b/ovn/ovn-nb.xml
index 7626551..f2f6f74 100644
--- a/ovn/ovn-nb.xml
+++ b/ovn/ovn-nb.xml
@@ -841,6 +841,13 @@
           ICMP unreachable message for other IP-based protocols.
           <code>Not implemented--currently treated as drop</code>
         </li>
+
+        <li>
+          <code>sfc</code>: Forward the packet into a logical port chain.
+          The chain to be used -- as well as any other attributes that determine
+          the behavior of the packet while in the chain -- are provided
+          via <ref column="options"/>.
+        </li>
       </ul>
     </column>
 
@@ -856,6 +863,40 @@
       </p>
     </column>
 
+    <group title="Options">
+      <column name = "options">
+        This column provides key/value settings specific to the ACL
+        <ref column="action"/>. The type-specific options are described
+        individually below.
+      </column>
+
+      <group title="Options for action sfc">
+        <p>
+          These options apply when <ref column="action"/> is <code>sfc</code>.
+        </p>
+
+        <column name="options" key="sfc-port-chain">
+          Required when <ref column="action"/> is <code>sfc</code>.
+          The uuid (or name) of the <ref table="Logical_Port_Chain"/> to be used.
+        </column>
+
+        <column name="options" key="sfc-bidirectional">
+          Optional and only applicable when <ref column="action"/> is <code>sfc</code>.
+          When set with value <code>true</code>, the implementation will also add rules to make packets
+          go through the chain in reverse direction. A restriction on making bidirectional chains is
+          that the inport parameter must be present in <ref column="match"/>, as it will be used as the
+          <ref table="Logical_Port_Chain" column="last_hop_port"/>. As expected, all <code>src*</code>
+          fields in <ref column="match"/> will be converted to <code>dst*</code> in order to derive the
+          reverse ACL.
+
+          <p>
+            sfc-bidirectional option is not yet implemented.
+          </p>
+        </column>
+      </group>
+
+    </group>
+
     <group title="Common Columns">
       <column name="external_ids">
         See <em>External IDs</em> at the beginning of this document.
diff --git a/ovn/utilities/ovn-nbctl.c b/ovn/utilities/ovn-nbctl.c
index 4df6af8..b45bc08 100644
--- a/ovn/utilities/ovn-nbctl.c
+++ b/ovn/utilities/ovn-nbctl.c
@@ -1279,9 +1279,10 @@ nbctl_acl_add(struct ctl_context *ctx)
 
     /* Validate action. */
     if (strcmp(action, "allow") && strcmp(action, "allow-related")
-        && strcmp(action, "drop") && strcmp(action, "reject")) {
+        && strcmp(action, "drop") && strcmp(action, "reject")
+        && strcmp(action, "sfc")) {
         ctl_fatal("%s: action must be one of \"allow\", \"allow-related\", "
-                  "\"drop\", and \"reject\"", action);
+                  "\"drop\", \"reject\" and \"sfc\"", action);
         return;
     }
 
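Review bot: The widened check lets `acl-add` accept `sfc`, but nothing in this hunk validates or sets the `sfc-port-chain` option that the schema documentation in this patch marks as required, so an `sfc` ACL can be created with no chain for northd to resolve. If nbctl_acl_add (whose start lies outside the hunk) has no way to take options yet, a guard after the action check such as `if (!strcmp(action, "sfc")) { ctl_fatal("%s: action requires the sfc-port-chain option, which acl-add cannot set yet", action); }` would refuse to create an unusable rule instead of leaving it to northd. The reworded message also drops the serial comma the original list used; `"\"drop\", \"reject\", and \"sfc\""` keeps the style consistent.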
-- 
2.7.4



