[ovs-dev] conjunctive match in ovn

Wei Li liw at dtdream.com
Fri Oct 13 02:24:16 UTC 2017


   table=4 (ls_out_acl         ), priority=2002 , match=(((ct.new && !ct.est) || (!ct.new && ct.est && !ct.rpl && ct_label.blocked == 1)) && (outport == "372e3aa6-1041-435d-9536-8f1c9e49196b" && ip4 && ip4.src == $as_ip4_6a8f4283_ba60_4d1c_9dec_28d027eadef2 && tcp && tcp.dst >= 10000 && tcp.dst <= 20000)), action=(reg0[1] = 1; next;)

Above is the OpenStack security group rule:

+--------------------------------------+-------------+-----------+-------------+--------------------------------------+--------------------------------------+
| ID                                   | IP Protocol | IP Range  | Port Range  | Remote Security Group                | Security Group                       |
+--------------------------------------+-------------+-----------+-------------+--------------------------------------+--------------------------------------+
| 6971be68-3439-471b-8ef6-095383631879 | tcp         | None      | 10000:20000 | 6a8f4283-ba60-4d1c-9dec-28d027eadef2 | a93cebfd-1b4c-45e6-a51e-284fdae461f0 |
+--------------------------------------+-------------+-----------+-------------+--------------------------------------+--------------------------------------+


It will create the crossproduct of ip4.src and tcp.dst, so there are a lot of flows like this:

  cookie=0xa6879a4d, duration=451.157s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.6,tp_dst=0x2740/0xffc0 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
  cookie=0xa6879a4d, duration=451.156s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.3,tp_dst=0x2740/0xffc0 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
  cookie=0xa6879a4d, duration=451.158s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.6,tp_dst=0x4800/0xfc00 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
  cookie=0xa6879a4d, duration=451.157s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.9,tp_dst=0x4800/0xfc00 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
  cookie=0xa6879a4d, duration=451.157s, table=44, n_packets=0, n_bytes=0, priority=2002,ct_state=+new-est+trk,tcp,reg15=0x2,metadata=0x5,nw_src=10.0.0.14,tp_dst=0x4800/0xfc00 actions=load:0x1->NXM_NX_XXREG0[97],resubmit(,45)
  ...................


I think using conjunction like

match tcp.dst conjunction(1111, 1/2)

match ipv4.src conjunction(1111, 2/2)

match conj_id=1111 actions=xxxx

will create fewer flows.


On 2017/10/12 23:47, Ben Pfaff wrote:
> On Thu, Oct 12, 2017 at 05:35:13PM +0800, Wei Li wrote:
>> Hello everyone
>>
>> I am somewhat confused about "Crossproducting" in ovn-sb.
>>
>> I created an ACL in ovn-sb like this:
>> match               : "tcp.src == {10000, 20000} && tcp.dst == {10000,
>> 20000} && ip4.src == {1.1.1.1/32, 2.2.2.2/32} && ip4.dst == {1.1.1.1/32,
>> 2.2.2.2/32}"
> [...]
>
>> Lots of flows!!!   It is not the same as the description in expr.h:203, which uses
>> conjunction match.
>>
>> So which kind of match in ovn-sb will use conjunction match?
> Some tuning is needed.  We want to get that tuning ready for OVS 2.9.
> We have one example already of a real-world use case where the existing
> heuristics fail.  Is this another real-world example?  It looks
> contrived, but if it models a situation you expect to be common then I'd
> like to hear more.
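Added example to quantify the thread's point; this is not code from OVS, OVN or the posters. It reproduces the range-to-masked-match decomposition that turns `tcp.dst >= 10000 && tcp.dst <= 20000` into entries such as `tp_dst=0x2740/0xffc0` and `tp_dst=0x4800/0xfc00` in the dump above, counts the flows the crossproduct produces against the flows a `conjunction()` layout would produce, and checks the conjunctive-match rule that the `conj_id` flow fires only when every dimension matches. The address list is a constructed sample standing in for the `$as_ip4_...` address set, and the `conj_id` value 1111 and the action string are illustrative.

```python
"""Crossproduct vs. conjunctive match: flow counts for the ACL in the thread.
Added example, not OVS/OVN code.  Address set and conj_id are constructed."""

from itertools import product

# Constructed sample: four of the nw_src values visible in the flow dump.
ADDRESS_SET = ["10.0.0.3", "10.0.0.6", "10.0.0.9", "10.0.0.14"]
PORT_RANGE = (10000, 20000)   # tcp.dst >= 10000 && tcp.dst <= 20000


def range_to_prefixes(lo, hi, width=16):
    """Split the inclusive range [lo, hi] into the minimal list of aligned
    (value, mask) blocks.  This is the standard way a range comparison becomes
    masked OpenFlow matches; it yields 0x2740/0xffc0 and 0x4800/0xfc00 among
    the blocks for 10000..20000, as seen in the dump."""
    blocks = []
    full = (1 << width) - 1
    cur = lo
    while cur <= hi:
        size = 1
        # Grow the block while it stays aligned and inside the range.
        while ((cur & (2 * size - 1)) == 0 and cur + 2 * size - 1 <= hi
               and 2 * size <= (1 << width)):
            size *= 2
        blocks.append((cur, full & ~(size - 1)))
        cur += size
    return blocks


def crossproduct_flows(addresses, lo, hi):
    """One OpenFlow rule per (address, port block) pair: what the dump shows."""
    return [(addr, f"tp_dst=0x{val:04x}/0x{mask:04x}")
            for addr, (val, mask) in product(addresses, range_to_prefixes(lo, hi))]


def conjunctive_flows(addresses, lo, hi, conj_id=1111):
    """The same ACL laid out with conjunction(): one flow per address in
    dimension 1/2, one per port block in dimension 2/2, plus the conj_id flow
    that carries the real action.  conj_id and the action are illustrative."""
    flows = [(f"nw_src={a}", f"conjunction({conj_id},1/2)") for a in addresses]
    flows += [(f"tp_dst=0x{v:04x}/0x{m:04x}", f"conjunction({conj_id},2/2)")
              for v, m in range_to_prefixes(lo, hi)]
    flows.append((f"conj_id={conj_id}",
                  "load:0x1->NXM_NX_XXREG0[97],resubmit(,45)"))
    return flows


def conj_matches(addresses, lo, hi, pkt_src, pkt_dport):
    """Conjunctive-match semantics: the conj_id flow matches only when at
    least one flow in *every* dimension matches the packet."""
    dim1 = pkt_src in addresses
    dim2 = any((pkt_dport & m) == v for v, m in range_to_prefixes(lo, hi))
    return dim1 and dim2


def flow_counts(addresses, lo, hi):
    """N addresses x B port blocks for the crossproduct, N + B + 1 with conjunction."""
    return {
        "port_blocks": len(range_to_prefixes(lo, hi)),
        "crossproduct": len(crossproduct_flows(addresses, lo, hi)),
        "conjunctive": len(conjunctive_flows(addresses, lo, hi)),
    }


if __name__ == "__main__":
    for val, mask in range_to_prefixes(*PORT_RANGE):
        print(f"tp_dst=0x{val:04x}/0x{mask:04x}")
    print(flow_counts(ADDRESS_SET, *PORT_RANGE))
    # The gap widens with the size of the security group (constructed addresses).
    for n in (4, 50, 500):
        sample = [f"10.0.{i // 256}.{i % 256}" for i in range(n)]
        print(n, flow_counts(sample, *PORT_RANGE))
```

The port range alone expands to 11 masked blocks, so every address in the remote security group costs 11 flows in the crossproduct layout but a single flow in the conjunctive layout; the `ct_state`, `reg15` and `metadata` fields from the dump are left out of the model because they are the same on every flow and do not change the count.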
