[ovs-dev] [PATCH] ovn-northd: Optimize acl of localnet-port

Han Zhou zhouhan at gmail.com
Wed Jul 12 17:48:23 UTC 2017


On Sun, Jul 9, 2017 at 6:51 PM, <wang.qianyu at zte.com.cn> wrote:
>
> A localnet port is not an endpoint, and there are no security requirements
> for using a localnet port at present. So, for performance reasons, we
> could avoid using ct for the localnet port.
>
> The more specific discussion can be found from
> https://mail.openvswitch.org/pipermail/ovs-dev/2017-July/335048.html
>
> Change-Id: Iac42ceaa3ef1d4e9b34768f802502d8326b7f507
> Signed-off-by: wangqianyu <wang.qianyu at zte.com.cn>
> ---
>  ovn/northd/ovn-northd.8.xml |  4 +++-
>  ovn/northd/ovn-northd.c     | 24 +++++++++++++++++++++++-
>  2 files changed, 26 insertions(+), 2 deletions(-)
>
> diff --git a/ovn/northd/ovn-northd.8.xml b/ovn/northd/ovn-northd.8.xml
> index c0b4c5e..05f0470 100644
> --- a/ovn/northd/ovn-northd.8.xml
> +++ b/ovn/northd/ovn-northd.8.xml
> @@ -220,7 +220,9 @@
>        logical datapath, a priority-100 flow is added that sets a hint
>        (with <code>reg0[0] = 1; next;</code>) for table
>        <code>Pre-stateful</code> to send IP packets to the connection
tracker
> -      before eventually advancing to ingress table <code>ACLs</code>.
> +      before eventually advancing to ingress table <code>ACLs</code>. If
some
> +      special ports such as route ports or localnet ports can't use
ct(),  a
> +      priority-110 flow is added to skip over stateful ACLs.
>      </p>
>
>      <h3>Ingress Table 4: Pre-LB</h3>
> diff --git a/ovn/northd/ovn-northd.c b/ovn/northd/ovn-northd.c
> index 83db753..eea12e8 100644
> --- a/ovn/northd/ovn-northd.c
> +++ b/ovn/northd/ovn-northd.c
> @@ -1,4 +1,4 @@
> -/*
> +/*
>   * Licensed under the Apache License, Version 2.0 (the "License");
>   * you may not use this file except in compliance with the License.
>   * You may obtain a copy of the License at:
> @@ -416,6 +416,7 @@ struct ovn_datapath {
>      /* The "derived" OVN port representing the instance of l3dgw_port on
>       * the "redirect-chassis". */
>      struct ovn_port *l3redirect_port;
> +    struct ovn_port *localnet_port;
>  };
>
>  struct macam_node {
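Review bot: The new `localnet_port` member has no comment, unlike the sibling `l3redirect_port` just above it, and as a single pointer it can record only one port per logical switch — the assignment added in the join_logical_ports hunk overwrites unconditionally, so if a switch holds several localnet ports the last one processed wins and the others keep traversing conntrack. Propose documenting both points on the field: `/* The localnet port of this logical switch, or NULL if it has none. Only one is tracked; if several exist, the last one seen in join_logical_ports wins. */`. Whether a freshly created ovn_datapath zero-initializes this pointer is not visible here; if the allocator is not xzalloc-style, the `if (od->localnet_port)` test in build_pre_acls would read an unset pointer, so that is worth confirming.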
> @@ -1351,6 +1352,10 @@ join_logical_ports(struct northd_context *ctx,
>                      ovs_list_push_back(nb_only, &op->list);
>                  }
>
> +                if (!strcmp(nbsp->type, "localnet")) {
> +                   od->localnet_port = op;
> +                }
> +
>                  op->lsp_addrs
>                      = xmalloc(sizeof *op->lsp_addrs * nbsp->n_addresses);
>                  for (size_t j = 0; j < nbsp->n_addresses; j++) {
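Review bot: The added assignment `od->localnet_port = op;` is indented three spaces under its `if`, while the surrounding lines use four; align it with the file's style. A one-line comment above the `if` would also help, since the field's only consumer is far away in build_pre_acls: `/* Remember the localnet port so build_pre_acls can skip conntrack for it. */`. The enclosing loop and join_logical_ports itself start and end outside the hunk.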
> @@ -2629,6 +2634,23 @@ build_pre_acls(struct ovn_datapath *od, struct
hmap *lflows)
>              ds_destroy(&match_in);
>              ds_destroy(&match_out);
>          }
> +        if (od->localnet_port) {
> +            struct ds match_in = DS_EMPTY_INITIALIZER;
> +            struct ds match_out = DS_EMPTY_INITIALIZER;
> +
> +            ds_put_format(&match_in, "ip && inport == %s",
> +                          od->localnet_port->json_key);
> +            ds_put_format(&match_out, "ip && outport == %s",
> +                          od->localnet_port->json_key);
> +            ovn_lflow_add(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
> +                          ds_cstr(&match_in), "next;");
> +            ovn_lflow_add(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
> +                          ds_cstr(&match_out), "next;");
> +
> +            ds_destroy(&match_in);
> +            ds_destroy(&match_out);
> +        }
> +
>          /* Ingress and Egress Pre-ACL Table (Priority 110).
>           *
>           * Not to do conntrack on ND packets. */
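Review bot: The new `if (od->localnet_port)` block has no comment explaining why these priority-110 `next;` flows are acceptable, although the commit message gives the reasoning and the comment right below it ("Not to do conntrack on ND packets") shows the file documents each such skip; add before the block `/* Localnet ports are not endpoints, so skip conntrack for IP packets entering or leaving through them; stateful ACLs therefore never see tracked state on this port. */`. The block also duplicates, with only the port pointer changed, the match_in/match_out construction of the block that ends just above the hunk, so a small static helper taking the `struct ovn_port *` could serve both. Whether this block sits under the same stateful-ACL condition as that neighbouring block is not visible, because build_pre_acls starts and ends outside the hunk.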
> --
> 2.7.2.windows.1

Acked-by: Han Zhou <zhouhan at gmail.com>

