[ovs-dev] [RFC 3/3] ofproto: Drop flows between protected ports

Simon Horman simon.horman at netronome.com
Fri Nov 11 13:25:38 UTC 2016 

On Fri, Nov 11, 2016 at 08:33:04AM +1100, Ben Kelly wrote:
> Signed-off-by: Ben Kelly <ben at benjii.net>
> ---
>  ofproto/ofproto-dpif-xlate.c | 19 +++++++++++++++++++
>  1 file changed, 19 insertions(+)
> 
> diff --git a/ofproto/ofproto-dpif-xlate.c b/ofproto/ofproto-dpif-xlate.c
> index 98b536a..b9cc561 100644
> --- a/ofproto/ofproto-dpif-xlate.c
> +++ b/ofproto/ofproto-dpif-xlate.c
> @@ -2847,6 +2847,22 @@ clear_conntrack(struct flow *flow)
>      memset(&flow->ct_label, 0, sizeof flow->ct_label);
>  }
>  
> +static bool
> +xlate_flow_is_protected(const struct xlate_ctx *ctx, ofp_port_t ofp_port)
> +{
> +    const struct xport *xport_out = get_ofp_port(ctx->xbridge, ofp_port);
> +    struct flow *flow = &ctx->xin->flow;
> +    ofp_port_t in_ofp_port = flow->in_port.ofp_port;
> +    const struct xport *xport_in = get_ofp_port(ctx->xbridge, in_ofp_port);

I expect that get_ofp_port() is a somewhat expensive operation and the way
that things are arranged it looks like it will be called twice for every
packet that would be output regardless of protected port considerations.

I wonder if it would make sense to reduce this cost by:
1. Passing the xport_out function as it is already
   available in the caller (as xport) and;
2. Only calling get_ofp_port() for get_ofp_port() if the checks for
   xport_out succeed.

> +
> +    if (!xport_out || !xport_in) {
> +        return false;
> +    }
> +    return (xport_out->xbundle && xport_out->xbundle->protected &&
> +            xport_in->xbundle  && xport_in->xbundle->protected);
> +}
> +
> +
>  static void
>  compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
>                          const struct xlate_bond_recirc *xr, bool check_stp)
> @@ -2876,6 +2892,9 @@ compose_output_action__(struct xlate_ctx *ctx, ofp_port_t ofp_port,
>      } else if (ctx->mirror_snaplen != 0 && xport->odp_port == ODPP_NONE) {
>          xlate_report(ctx, "Mirror truncate to ODPP_NONE, skipping output");
>          return;
> +    } else if (xlate_flow_is_protected(ctx, ofp_port)) {
> +        xlate_report(ctx, "Flow between protected ports, skipping output.");
> +        return;
>      } else if (check_stp) {
>          if (is_stp(&ctx->base_flow)) {
>              if (!xport_stp_should_forward_bpdu(xport) &&
> -- 
> 2.7.4
> 
> _______________________________________________
> dev mailing list
> dev at openvswitch.org
> https://mail.openvswitch.org/mailman/listinfo/ovs-dev
>

More information about the dev mailing list