[ovs-dev] conjunctive match in ovn
Wei Li
liw at dtdream.com
Fri Oct 13 02:24:16 UTC 2017
table=4 (ls_out_acl ), priority=2002 , match=(((ct.new &&
!ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) &&
(outport == "372e3aa6-1041-435d-9536-8f1c9e49196b" && ip4 && ip4.src ==
$as_ip4_6a8f4283_ba60_4d1c_9dec_28d027eadef2 && tcp && tcp.dst >= 10000
&& tcp.dst <= 20000)), action=(reg0[1] = 1; next;)
Above is the OpenStack security group rule:
+--------------------------------------+-------------+-----------+-------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range  | Port Range  | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+-----------+-------------+--------------------------------------+--------------------------------------+
| 6971be68-3439-471b-8ef6-095383631879 | tcp         | None      | 10000:20000 | 6a8f4283-ba60-4d1c-9dec-28d027eadef2 | a93cebfd-1b4c-45e6-a51e-284fdae461f0 |
+--------------------------------------+-------------+-----------+-------------+--------------------------------------+--------------------------------------+
It will create the cross product of ipv4.src and tcp.dst, so a lot of flows like this:
cookie=0xa6879a4d, duration=451.157s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.6,tp_dst=0x2740/0xffc0 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xa6879a4d, duration=451.156s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.3,tp_dst=0x2740/0xffc0 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xa6879a4d, duration=451.158s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.6,tp_dst=0x4800/0xfc00 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xa6879a4d, duration=451.157s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.9,tp_dst=0x4800/0xfc00 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
cookie=0xa6879a4d, duration=451.157s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.14,tp_dst=0x4800/0xfc00 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
...................
I think using conjunction like
match tcp.dst conjunction(1111, 1/2)
match ipv4.src conjunction(1111, 2/2)
match conj_id=1111 actions=xxxx
will create fewer flows.
On 2017/10/12 23:47, Ben Pfaff wrote:
> On Thu, Oct 12, 2017 at 05:35:13PM +0800, Wei Li wrote:
>> Hello everyone,
>>
>> I am somewhat confused about "Crossproducting" in ovn-sb.
>>
>> I create an ACL in ovn-sb like this:
>> match : "tcp.src == {10000, 20000} && tcp.dst == {10000,
>> 20000} && ip4.src == {1.1.1.1/32, 2.2.2.2/32} && ip4.dst == {1.1.1.1/32,
>> 2.2.2.2/32}"
> [...]
>
>> Lots of flows!!! It is not the same as the description in expr.h:203, which uses
>> conjunction match.
>>
>> So which kind of match in ovn-sb will use conjunction match?
> Some tuning is needed. We want to get that tuning ready for OVS 2.9.
> We have one example already of a real-world use case where the existing
> heuristics fail. Is this another real-world example? It looks
> contrived, but if it models a situation you expect to be common then I'd
> like to hear more.
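As an added example (not code from this thread, from OVN or from ovn-controller), the flow-count arithmetic behind Wei Li's point: a Python sketch of the port-range-to-mask decomposition that produces tp_dst=0x2740/0xffc0 in the dump, then the number of OpenFlow rules needed for the cross product versus a conjunctive encoding. The conj_id 1111 and the four source addresses are taken from the thread; the action strings are simplified stand-ins for the real OVN actions.

```python
# Added example, not code from the thread or from OVN/ovn-controller.
# It models the flow-count difference Wei Li describes: the ACL matches
# "ip4.src in SET && tcp.dst in [10000,20000]"; expanding both sets into
# one flow per combination (cross product) versus matching each
# dimension once and joining them with conjunction(conj_id, k/n).
# Action strings are simplified stand-ins for the real OVN actions.

def range_to_masks(lo, hi, width=16):
    """Split the closed range [lo, hi] into the minimal list of
    (value, mask) pairs a single masked OpenFlow match can express.
    This is the decomposition behind tp_dst=0x2740/0xffc0 in the dump."""
    full = (1 << width) - 1
    out = []
    while lo <= hi:
        size = 1  # grow the aligned block while it stays inside [lo, hi]
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, full & ~(size - 1)))
        lo += size
    return out

def crossproduct_flows(srcs, lo, hi):
    """One flow per (source address, port block): len(srcs) * len(blocks)."""
    return ["priority=2002,tcp,nw_src=%s,tp_dst=%#x/%#x actions=next" % (s, v, m)
            for s in srcs for v, m in range_to_masks(lo, hi)]

def conjunctive_flows(srcs, lo, hi, conj_id=1111):
    """Each dimension matched once, plus one conj_id flow:
    len(srcs) + len(blocks) + 1."""
    flows = ["priority=2002,tcp,tp_dst=%#x/%#x actions=conjunction(%d,1/2)"
             % (v, m, conj_id) for v, m in range_to_masks(lo, hi)]
    flows += ["priority=2002,tcp,nw_src=%s actions=conjunction(%d,2/2)"
              % (s, conj_id) for s in srcs]
    flows.append("priority=2002,conj_id=%d actions=next" % conj_id)
    return flows

if __name__ == "__main__":
    # Constructed sample: the four source addresses visible in the dump.
    srcs = ["10.0.0.3", "10.0.0.6", "10.0.0.9", "10.0.0.14"]
    for v, m in range_to_masks(10000, 20000):
        print("tp_dst=%#x/%#x" % (v, m))
    print("cross product:", len(crossproduct_flows(srcs, 10000, 20000)))  # 44
    print("conjunction:  ", len(conjunctive_flows(srcs, 10000, 20000)))   # 16
```

The gap widens linearly with the size of the address set: with N sources and 11 port blocks the cross product needs 11*N flows while the conjunctive form needs N + 12.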