[ovs-dev] [PATCH ovn v5 3/6] Spin out flow generation into build_pre_acl_flows_for_nbsp

Ihar Hrachyshka ihrachys at redhat.com
Mon May 11 17:00:18 UTC 2020


Signed-off-by: Ihar Hrachyshka <ihrachys at redhat.com>
---
 northd/ovn-northd.c | 75 ++++++++++++++++++++-------------------------
 1 file changed, 33 insertions(+), 42 deletions(-)

diff --git a/northd/ovn-northd.c b/northd/ovn-northd.c
index 8db5f604b..d2366efcf 100644
--- a/northd/ovn-northd.c
+++ b/northd/ovn-northd.c
@@ -4647,6 +4647,36 @@ build_lswitch_output_port_sec(struct hmap *ports, struct hmap *datapaths,
     ds_destroy(&actions);
 }
 
+static void
+build_pre_acl_flows_for_nbsp(struct ovn_datapath *od,
+                             const struct nbrec_logical_switch_port *nbsp,
+                             const char *json_key, struct hmap *lflows)
+{
+    /* Can't use ct() for router ports. Consider the following configuration:
+     * lp1(10.0.0.2) on hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a
+     * ping from lp1 to lp2, First, the response will go through ct() with a
+     * zone for lp2 in the ls2 ingress pipeline on hostB.  That ct zone knows
+     * about this connection. Next, it goes through ct() with the zone for the
+     * router port in the egress pipeline of ls2 on hostB.  This zone does not
+     * know about the connection, as the icmp request went through the logical
+     * router on hostA, not hostB. This would only work with distributed
+     * conntrack state across all chassis. */
+    struct ds match_in = DS_EMPTY_INITIALIZER;
+    struct ds match_out = DS_EMPTY_INITIALIZER;
+
+    ds_put_format(&match_in, "ip && inport == %s", json_key);
+    ds_put_format(&match_out, "ip && outport == %s", json_key);
+    ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
+                            ds_cstr(&match_in), "next;",
+                            &nbsp->header_);
+    ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
+                            ds_cstr(&match_out), "next;",
+                            &nbsp->header_);
+
+    ds_destroy(&match_in);
+    ds_destroy(&match_out);
+}
+
 static void
 build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
 {
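Review bot: The new helper `build_pre_acl_flows_for_nbsp` has no header comment stating its contract, and the only comment inside it (lines 25-33) is the router-port rationale carried over from the old loop, even though the second hunk also calls it for the localnet port, where that explanation does not obviously apply. I would add above the definition: `/* Adds priority-110 flows to the ingress and egress pre-ACL stages that send traffic entering or leaving the port identified by 'json_key' straight to the next table, bypassing ct(). 'nbsp' is only used as the hint for the generated flows. */` and move the router-specific paragraph back to the router-port caller, or reword it so it does not read as the reason for every caller. As a point of style, both callers pass `op->nbsp` and `op->json_key` from the same `struct ovn_port`, so taking `const struct ovn_port *op` instead of two fields pulled out of it would make the signature smaller and harder to call with mismatched arguments. `build_pre_acls` begins on the last line of this hunk and its body lies outside it.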
@@ -4673,50 +4703,11 @@ build_pre_acls(struct ovn_datapath *od, struct hmap *lflows)
     if (has_stateful) {
         for (size_t i = 0; i < od->n_router_ports; i++) {
             struct ovn_port *op = od->router_ports[i];
-            /* Can't use ct() for router ports. Consider the
-             * following configuration: lp1(10.0.0.2) on
-             * hostA--ls1--lr0--ls2--lp2(10.0.1.2) on hostB, For a
-             * ping from lp1 to lp2, First, the response will go
-             * through ct() with a zone for lp2 in the ls2 ingress
-             * pipeline on hostB.  That ct zone knows about this
-             * connection. Next, it goes through ct() with the zone
-             * for the router port in the egress pipeline of ls2 on
-             * hostB.  This zone does not know about the connection,
-             * as the icmp request went through the logical router
-             * on hostA, not hostB. This would only work with
-             * distributed conntrack state across all chassis. */
-            struct ds match_in = DS_EMPTY_INITIALIZER;
-            struct ds match_out = DS_EMPTY_INITIALIZER;
-
-            ds_put_format(&match_in, "ip && inport == %s", op->json_key);
-            ds_put_format(&match_out, "ip && outport == %s", op->json_key);
-            ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
-                                    ds_cstr(&match_in), "next;",
-                                    &op->nbsp->header_);
-            ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
-                                    ds_cstr(&match_out), "next;",
-                                    &op->nbsp->header_);
-
-            ds_destroy(&match_in);
-            ds_destroy(&match_out);
+            build_pre_acl_flows_for_nbsp(od, op->nbsp, op->json_key, lflows);
         }
         if (od->localnet_port) {
-            struct ds match_in = DS_EMPTY_INITIALIZER;
-            struct ds match_out = DS_EMPTY_INITIALIZER;
-
-            ds_put_format(&match_in, "ip && inport == %s",
-                          od->localnet_port->json_key);
-            ds_put_format(&match_out, "ip && outport == %s",
-                          od->localnet_port->json_key);
-            ovn_lflow_add_with_hint(lflows, od, S_SWITCH_IN_PRE_ACL, 110,
-                                    ds_cstr(&match_in), "next;",
-                                    &od->localnet_port->nbsp->header_);
-            ovn_lflow_add_with_hint(lflows, od, S_SWITCH_OUT_PRE_ACL, 110,
-                                    ds_cstr(&match_out), "next;",
-                                    &od->localnet_port->nbsp->header_);
-
-            ds_destroy(&match_in);
-            ds_destroy(&match_out);
+            build_pre_acl_flows_for_nbsp(od, od->localnet_port->nbsp,
+                                         od->localnet_port->json_key, lflows);
         }
 
         /* Ingress and Egress Pre-ACL Table (Priority 110).
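Review bot: The `if (od->localnet_port)` branch now installs its conntrack-bypass flows through a helper whose only comment explains router ports, so a reader of this call site is left without any stated reason why the localnet port skips ct() as well; the original inline copy did not give one either, so the refactor is a good moment to add it. I would put a one-line comment above the call, e.g. `/* The localnet port also bypasses ct(); see the helper for the router-port case. */`, filling in the actual localnet rationale if the author knows it, rather than leaving the two cases looking equivalent when the helper's text only justifies one. The enclosing `has_stateful` block and `build_pre_acls` itself continue past the end of this hunk, so I cannot see whether a later comment already covers the localnet case.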
-- 
2.26.2


