[ovs-dev] [PATCH ovn] Exclude inport and outport symbol tables from conjunction
Mark Michelson
mmichels at redhat.com
Tue Sep 17 12:21:22 UTC 2019
On 9/16/19 12:04 PM, Han Zhou wrote:
>
>
> On Mon, Sep 16, 2019 at 4:15 AM Dumitru Ceara <dceara at redhat.com
> <mailto:dceara at redhat.com>> wrote:
> >
> > On Sat, Sep 14, 2019 at 7:16 PM Han Zhou <zhouhan at gmail.com
> <mailto:zhouhan at gmail.com>> wrote:
> > >
> > >
> > >
> > > On Sat, Sep 14, 2019 at 9:09 AM Han Zhou <zhouhan at gmail.com
> <mailto:zhouhan at gmail.com>> wrote:
> > > >
> > > >
> > > >
> > > > On Sat, Sep 14, 2019 at 12:40 AM Numan Siddique
> <nusiddiq at redhat.com <mailto:nusiddiq at redhat.com>> wrote:
> > > > >
> > > > >
> > > > >
> > > > > On Sat, Sep 14, 2019 at 2:41 AM Daniel Alvarez Sanchez
> <dalvarez at redhat.com <mailto:dalvarez at redhat.com>> wrote:
> > > > >>
> > > > >> Acked-by: Daniel Alvarez <dalvarez at redhat.com
> <mailto:dalvarez at redhat.com>>
> > > > >>
> > > > >>
> > > > >> On Fri, Sep 13, 2019 at 11:02 PM Mark Michelson
> <mmichels at redhat.com <mailto:mmichels at redhat.com>> wrote:
> > > > >> >
> > > > >> > Acked-by: Mark Michelson
> > > > >> >
> > > > >> > It sucks that we lose the efficiency of the conjunctive
> match altogether
> > > > >> > on port groups because of this error, but I understand this
> is a huge
> > > > >> > bug and needs fixing.
> > > > >> If I'm not mistaken, from OpenStack standpoint conjunction was
> *only*
> > > > >> being used when using port groups and ACLs that matched on
> port ranges
> > > > >> ( e.g tcp.dst >= X && tcp.dst <=Y) which was not working.
> Therefore
> > > > >> we're not losing performance because it was already broken
> (given that
> > > > >> there was more than one ACL like that).
> > > > >>
> > > > >> >
> > > > >> > Perhaps it would be good to start up a discussion on this
> list about a
> > > > >> > more longterm solution that would allow for conjunctive
> matches with no
> > > > >> > ambiguity.
> > > > >> Agreed! We already discussed some ideas on IRC but it'd be
> awesome to
> > > > >> have a thread and brainstorm there.
> > > > >>
> > > > >
> > > > > Thanks for the reviews. I applied this to master.
> > > > > Agree we can discuss it further and come up with ideas.
> > > > >
> > > > > I know Dumitru has some idea to make use of conjunctions for
> port groups.
> > > > > CC'ing Han if he has any comments on ideas.
> > > > >
> > > >
> > > > Hi Numan,
> > > >
> > > > This is a good finding. However, I think it is not specifically a
> problem of port group. It seems to be a more general problem and this
> patch fixes only a special case.
> > > > For example, would there be similar problem for below ACLs
> without port groups:
> > > >
> > > > ip4 && tcp.src >= 1000 && tcp.src <= 1001 && tcp.dst >= 500 &&
> tcp.dst <= 501
> > > > ip4 && tcp.src >= 1000 && tcp.src <= 1001 && tcp.dst >= 600 &&
> tcp.dst <= 601
> > > >
> > > > Another example is with address set:
> > > >
> > > > ip4 && ip4.src == $as1 && tcp.dst >= 500 && tcp.dst <= 501
> > > > ip4 && ip4.src == $as1 && tcp.dst >= 600 && tcp.dst <= 601
> > > >
> > > > Or even without range:
> > > > ip4 && tcp.src == {1000, 1001} && tcp.dst == {500, 501}
> > > > ip4 && tcp.src == {1000, 1001} && tcp.dst == {600, 601}
> > > >
> > > > You may think of more examples. Whenever there are multiple
> conjunctionable ACLs with same match as part of the conjunction, it
> should result in such problem.
> > > >
> > > > A quick fix to all these problems may be just abandon
> conjunction, but I believe there are better ways to address it.
> > > >
> > > > First of all, these matches can be rewritten by combining them in
> a single ACL with "OR" operator, e.g.:
> > > >
> > > > outport == @pg1 && ip4 && tcp.dst >= 500 && tcp.dst <= 501
> > > > outport == @pg1 && ip4 && tcp.dst >= 600 && tcp.dst <= 601
> > > >
> > > > can be rewritten as ====>
> > > >
> > > > outport == @pg1 && ip4 && (tcp.dst >= 500 && tcp.dst <= 501 ||
> tcp.dst >= 600 && tcp.dst <= 601)
> > > >
> > > > Similar can be done for all above examples. So, a workaround to
> the problem is from user side (e.g. OpenStack) to make sure always
> combining ACLs with "OR" if there are common conjunctionable matches
> between different ACLs. However, a better way would be in ovn-northd
> itself to detect and combine such ACLs internally, before generating the
> final logical flows in SB. It may be more convenient to be done in
> ovn-controller, because we are not even parsing the ACLs in ovn-northd
> today, but the cost of such pre-processing would be duplicated in all
> HVs. It surely will increase CPU cost for doing such combination, but
> I'd not worry too much if we do it properly at each LS level instead of
> for all ACLs.
> > >
> > > I just thought a little more about combining the conjunctions. It
> seems we can do it without pre-processing by just handling duplicated
> flows in ofctrl_add_flow(). Currently we just drop duplicated flows, but
> we can check that if the action is conjuncture and the conjuncture ID is
> different, we can perform a combination by using existing flow's
> conjunction id to update all the flows related to that to-be-added
> duplicated flow. This way, the combination is performed on-the-fly,
> without introduce too much cost and without introduce parsing in
> ovn-northd either.
> >
> > Hi Han,
> >
> > Will this actually work without a change in OVS? I wonder because in
> > the ovs-fields man page [1] I see:
> >
> > "Conjunctive flows must not overlap with each other, at
> > a given priority, that is, any given packet must be
> > able to match at most one conjunctive flow at a given
> > priority. Overlapping conjunctive flows yield
> > unpredictable results."
>
> Hi Dumitru, the approach of combining ACLs should eliminate the
> overlapping conjunction problem for ACLs with common expressions,
> because a single ACL/logical-flow will be translated to a single
> conjunction. The combination is generally for ACLs with form :
> A and B
> A and C
> If A is (a1 or a2), B is (b1 or b2 ), C is (c1 or c2), the initial
> conjunction matches of current (incorrect) implementation will be:
> conj_id=1234 actions=...
> a1 conjunction(1234, 1/4)
> a2 conjunction(1234, 2/4)
> b1 conjunction(1234, 3/4)
> b2 conjunction(1234, 4/4)
>
> conj_id=1235 actions=...
> a1 conjunction(1235, 1/4)
> a2 conjunction(1235, 2/4)
> c1 conjunction(1235, 3/4)
> c2 conjunction(1235, 4/4)
>
> The a1 and a2 matches are overlapping between these two sets.
> In fact, the ACLs are equivalent to:
> A and (B or C), which is equivalent to: (a1 or a2) and (b1 or b2 or
> c1 or c2)
> So, if combined with the approach I mentioned, the conjunction matches
> will be:
> conj_id=1234 actions=...
> a1 conjunction(1234, 1/6)
> a2 conjunction(1234, 2/6)
> b1 conjunction(1234, 3/6)
> b2 conjunction(1234, 4/6)
> c1 conjunction(1234, 5/6)
> c2 conjunction(1234, 6/6)
>
> The overlapping problem is solved for this use case, and it reduces
> total number of flows, which can also be considered an *compiler
> optimization* for logical flows translation in ovn-controller. I don't
> think any change is needed from OVS.
Unfortunately, this only works for ACLs that have the same action.
Consider that you have the following:
A and B, allow
A and C, drop
You can't combine these ACLs into
A and (B or C)
since they have different ACL verdicts. You have to leave them separate.
Therefore, you end up with the same problem as before. The A part of the
conjunction for each conjunctive match overlaps.
>
> >
> > I guess another possibility is to detect flows that have overlapping
> > sets of matches in ofctrl and change their priorities (along with all
> > their other conjunction clauses) in order to differentiate the ACLs.
> > That might turn out to be quite tricky though as we need to maintain
> > the logical priority of ACLs defined by the user.
>
> Yes, changing the priority may solve the problem, too, but as you
> mentioned it may be tricky to calculate the appropriate priorities
> taking into consideration of how many different priorities are required
> for each logical flow translation and the user defined priority with the
> constraint of a single *priority space*. I would support it, too, if it
> turns out to be simple.
>
> >
> > Thanks,
> > Dumitru
> >
> > [1] http://man7.org/linux/man-pages/man7/ovs-fields.7.html
> >
> > >
> > > In addition, there are more general cases that can't be handled by
> combining ACLs, if there are overlapping sets in different ACLs. E.g.
> > > tcp.src == {1000, 1001} && tcp.dst == {500, 501}
> > > tcp.src == {1001, 1002} && tcp.dst == {600, 601}
> > >
> > > In this example, there is no way to combine these 2 ACLs because
> there is no common components in the matches, but the first set in each
> conjunctions are overlapping. So there will be flows generated something
> like:
> > > tcp.src=1001: conjunction(1, 1/2)
> > > ...
> > > tcp.src=1001: conjunction(2, 1/2)
> > > ...
> > > This causes the same duplicated flow problem and combining the two
> set of conjunctions is incorrect.
> > >
> > > However, although this is valid case in theory, it seems not a real
> problem in reality. Usually ACL will be defined with different
> priorities if there are overlapping (but not identical) set of matches.
> (At least they are not well designed ACLs - I might be wrong)
> > >
> > > cc Ben in case he had thought about these problems before.
> > >
> > > Thanks,
> > > Han
More information about the dev
mailing list